Cloud-init with hashed passwd not work about terraform-provider-proxmox HOT 9 CLOSED

Hi @kevin1sMe 👋🏼

I'm not certain this issue is related to the provider itself. You've mentioned that SSH login with your configuration works, which indicates the cloud-config file was successfully delivered to the VM. At this point, it's up to the VM to apply the settings defined in that file.

Could it be possible that the template rendering via the template_file resource alters the hashed password, especially if it contains special characters? Could you check the file content on the PVE host to verify it rendered as expected? The file should be located in the /var/lib/vz/snippets/ folder.

from terraform-provider-proxmox.

Reading more on template_file, it seems like it may have a special treatment for $, which is present in the hashed passwords.

Also, the documentation recommends switching to templatefile() function for the newer provider versions.

from terraform-provider-proxmox.

Hi @kevin1sMe 👋🏼

I'm not certain this issue is related to the provider itself. You've mentioned that SSH login with your configuration works, which indicates the cloud-config file was successfully delivered to the VM. At this point, it's up to the VM to apply the settings defined in that file.

Could it be possible that the template rendering via the template_file resource alters the hashed password, especially if it contains special characters? Could you check the file content on the PVE host to verify it rendered as expected? The file should be located in the /var/lib/vz/snippets/ folder.

Thanks for your reply. I had check user-data in VM is correct. like this :

ssh_pwauth: yes
users:
  - default
  - name: kevin
    passwd: $6$rounds=4096$t18czZbdAEqLoyEA$9aEWZW62NwruJXyKAOqOASN/1pcjsHUE1ErW5linwXaJ0bFl5ynNIyokq4QE8dxd0JxU0fm2ZIwC.KfXo2GxX1
    lock_passwd: false
    groups:
      - sudo
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3N...
    sudo: ALL=(ALL) NOPASSWD:ALL

And I check the file /var/lib/vz/snippets/user-data.yaml:

root@ser5:/var/lib/vz/snippets# cat user-data.yaml


ssh_pwauth: yes
users:
  - default
  - name: kevin
    passwd: $6$rounds=4096$t18czZbdAEqLoyEA$9aEWZW62NwruJXyKAOqOASN/1pcjsHUE1ErW5linwXaJ0bFl5ynNIyokq4QE8dxd0JxU0fm2ZIwC.KfXo2GxX1
    lock_passwd: false
    groups:
      - sudo
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...
    sudo: ALL=(ALL) NOPASSWD:ALL
    

I've confirmed the user-data in the VM appears correct and matches the expected configuration, including the hashed password. I also verified the /var/lib/vz/snippets/user-data.yaml file directly on the host, and it aligns with the VM's user-data. This leaves me at an impasse, especially since the password remains unchanged. Any further insights or suggestions would be greatly appreciated.

from terraform-provider-proxmox.

Reading more on template_file, it seems like it may have a special treatment for $, which is present in the hashed passwords.

Also, the documentation recommends switching to templatefile() function for the newer provider versions.

I find the user-data in VM is :

#cloud-config
hostname: dev
ssh_pwauth: yes
users:
  - default
  - name: kevin
    passwd: $6$rounds=4096$t18czZbdAEqLoyEA$9aEWZW62NwruJXyKAOqOASN/1pcjsHUE1ErW5linwXaJ0bFl5ynNIyokq4QE8dxd0JxU0fm2ZIwC.KfXo2GxX1
    lock_passwd: false
    groups:
      - sudo
    shell: /bin/bash

It renders as expected.But the /etc/shadow look like this:

ubuntu:!$y$j9T$1YbBqG1woUscymccTnvh..$zLf/VK30qwZ2giOgvqqo8S1gzsGIEZqooPUvlHDetNC:19791:0:99999:7:::
lxd:!:19791::::::
kevin:$y$j9T$EXtX/omvU7IUL1VWsKh9Q0$8BabNVmzffKeQFF2eYYDVpLxreT8rCEkNzhDeoLyAZ6:19791:0:99999:7::22889:

I don't know why the password is not set.
Equally strange, why hasn't the default shell been changed to bash and remains as sh?

from terraform-provider-proxmox.

Hello @kevin1sMe

Did you check cloud-init logs if available ?

Most of the time there are very usefull information there :)

from terraform-provider-proxmox.

Hi @Dr-Shadow ,
this is my user-data and cloud-init logs:
cloud-init.tgz

I have found :

2024-03-09 03:23:56,518 - subp.py[DEBUG]: Running hidden command to protect sensitive input/output logstring: ['useradd', 'kevin', '--expiredate', '2032-09-01', '--groups', 'users', '-m']
2024-03-09 03:23:56,583 - subp.py[DEBUG]: Running hidden command to protect sensitive input/output logstring: chpasswd for kevin

BUT Why wasn't the password set correctly?

BTW， I find:

• canonical/cloud-init#4946
• canonical/cloud-init#4977

I suspect it's not an issue with this provider, but I can't determine whether it's a problem with the cloud-init version or the Ubuntu image.

from terraform-provider-proxmox.

I change to use another image like https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2, It works, so maybe it's ubuntu cloud-init bug?

from terraform-provider-proxmox.

It looks very much like that.
I'm closing this ticket then. It's unlikely the provider can do anything to improve the situation.

from terraform-provider-proxmox.

OK， thanks

It looks very much like that. I'm closing this ticket then. It's unlikely the provider can do anything to improve the situation.

from terraform-provider-proxmox.