Comment 18 for bug 2002841

John A Meinel (jameinel) wrote :

So I found a trick to actually cause cloud-init to run again after rebooting.

$ cat config.yaml
vpc-id: vpc-5aaf123f
cloudinit-userdata: |
  preruncmd:
    - date --rfc-3339=ns
    - pro refresh config
    - pro attach MYSECRET
    - pro enable usg --assume-yes
    - pro enable fips-updates --assume-yes
    - date --rfc-3339=ns
    - if [ -e /var/lib/restarted ]; then echo already restarted; else touch /var/lib/restarted; echo resetting cloud init and restarting; cloud-init clean; reboot now; sleep 30; fi

It does mean that the machine ends up regenerating its SSH key twice. But at least now I'm sure that by the time the script runs, fips really is enabled.

Fetching Juju agent version 3.1.5 for amd64
+ n=1
+ true
+ echo Attempt 1 to download agent binaries from 'https://172.30.2.226:17070/model/4076c43f-10e8-458d-8362-6141da95feb0/tools/3.1.5-ubuntu-amd64'...\n
Attempt 1 to download agent binaries from 'https://172.30.2.226:17070/model/4076c43f-10e8-458d-8362-6141da95feb0/tools/3.1.5-ubuntu-amd64'...

+ curl -sSf --connect-timeout 20 --noproxy * --insecure -o /var/lib/juju/tools/3.1.5-ubuntu-amd64/tools.tar.gz https://172.30.2.226:17070/model/4076c43f-10e8-458d-8362-6141da95feb0/tools/3.1.5-ubuntu-amd64
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),118(netdev)
+ echo Agent binaries downloaded successfully.

And then post reboot I see:

Building dependency tree...
Reading state information...
cpu-checker is already the newest version (0.7-1.1).
curl is already the newest version (7.68.0-1ubuntu2.19).
tmux is already the newest version (3.0a-2ubuntu0.4).
ubuntu-fan is already the newest version (0.12.13ubuntu0.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2023-10-06 23:18:25.060138285+00:00
Successfully processed your pro configuration.
This machine is already attached to 'Canonical - staff'
To use a different subscription first run: sudo pro detach.
One moment, checking your subscription first
Ubuntu Security Guide is already enabled.
See: sudo pro status
One moment, checking your subscription first
FIPS Updates is already enabled.
See: sudo pro status
2023-10-06 23:18:35.286029430+00:00
already restarted
+ install -D -m 644 /dev/null /var/lib/juju/nonce.txt

So it is clear that it *did* restart and came up with pro enabled. But the later line (in the container):

+ curl -sSf --connect-timeout 20 --noproxy * --insecure -o /var/lib/juju/tools/3.1.5-ubuntu-amd64/tools.tar.gz https://172.30.2.226:17070/model/4076c43f-10e8-458d-8362-6141da95feb0/tools/3.1.5-ubuntu-amd64
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),118(netdev)
+ echo Agent binaries downloaded successfully.
Agent binaries downloaded successfully.
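
Added example, not part of the comment above and not Juju or cloud-init code: a POSIX shell form of the reboot-once guard from the last preruncmd entry that also reads the kernel's FIPS flag, so a machine that has already rebooted but still has FIPS off stops instead of continuing. The function name fips_boot_gate and its return codes are hypothetical; it assumes the kernel exposes FIPS mode in /proc/sys/crypto/fips_enabled, which the comment itself does not use.

```shell
#!/bin/sh
# Added example. Paths are parameters so the decision logic can be
# exercised against scratch files instead of a real system.
# Assumption: FIPS_FLAG is a file such as /proc/sys/crypto/fips_enabled
# that contains "1" when the kernel is running in FIPS mode.

# fips_boot_gate MARKER FIPS_FLAG
# Prints: proceed | reboot-needed | fips-not-active
# Returns: 0 (proceed), 10 (reboot-needed), 1 (fips-not-active or error)
fips_boot_gate() {
    marker=$1
    flag=$2
    state=0
    if [ -r "$flag" ]; then
        # Strip the trailing newline; anything other than "1" counts as off.
        state=$(tr -d '[:space:]' < "$flag")
    fi
    if [ "$state" = "1" ]; then
        echo proceed
        return 0
    fi
    if [ -e "$marker" ]; then
        # A reboot was already requested once and FIPS is still off:
        # report failure rather than rebooting in a loop.
        echo fips-not-active
        return 1
    fi
    # First pass: record the reboot request; the caller performs it.
    touch "$marker" || return 1
    echo reboot-needed
    return 10
}

# Caller sketch for a preruncmd entry (commented out so sourcing is safe):
# case "$(fips_boot_gate /var/lib/restarted /proc/sys/crypto/fips_enabled)" in
#     reboot-needed)   cloud-init clean; reboot now; sleep 30 ;;
#     fips-not-active) exit 1 ;;
# esac
```

Unlike the marker-only check, this proceeds without a reboot when FIPS is already active on first boot.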