Please test autoinstalls for 20.04!

Thanks for your response. So you mean there’s absolutely no means to securely autoinstall Ubuntu on an encrypted volume? To be honest, I don’t quite understand the priorities here, I don’t think FDE is a negligible aspect in 2021. We don’t even allow unencrypted workstations at our company. And it’s been like this since 2016 I think. I’m not willing to put disk encryption passwords on a non-authenticated web server, where the autoinstall file resides. Nor on a thumb drive. No one should, it kinda defeats the purpose of encryption.

I’ve tried to look up early-command user input, but couldn’t find much. Do you have any pointers by any chance?

I can file bug reports, but where’s the place for that? In any case, I’m not sure all of those are bugs. It’s more of a design thing. If you designate a section as interactive, but also specify some answers for that section in the autoinstall file, there’s a conflict which autoinstall has to resolve. As of right now, autoinstall does that by simply ignoring any predefined answers for a section if it’s interactive. There are at least 2 obvious solutions to this:

  • you should be able to select single fields as interactive, not just whole sections, or
  • autoinstall should pre-fill the fields specified in the autoinstall file for interactive sections

Neither happens right now. The 2nd option could be further expanded, because that one you could approach in at least 2 ways:

  • you could just offer defaults which can be overridden interactively, or
  • the predefined fields could be immutable so that the person doing the install could observe those values but couldn’t change them, they’d be “greyed out”.

This can be again either a design choice of autoinstall, or an option in the autoinstall file, like being able to define “soft interactive” and “hard interactive” sections, the former of which has mutable defaults and the latter immutable.


For the record, this is not limited to storage, the same happens with other sections, like identity. I do want to specify the user, because I don’t wanna risk helpdesk messing up the username and/or password every now and then. But I do not want to specify the hostname, since that’s obviously machine-specific. And I can’t do that as of now. I either specify all or none of them. If I set identity interactive, my defaults are ignored completely.

It gets even worse if I need more than one user: if I specify one user in user-data/users, and also fill in the identity section with a user and hostname, the users under user-data/users are completely ignored. So in essence, you can’t specify the hostname AND have 2 users at the same time.

Not being able to interactively set hostname during install is particularly painful, because it’s too confusing to change afterwards. You can use hostnamectl set-hostname, but it’s worthless, because all it does is dump your input into /etc/hostname, but that’s not enough, you still need to manually adjust /etc/hosts too, otherwise su/sudo operations will keep throwing name resolution errors. So why bother with hostnamectl in the first place, you just substitute vi/echo/cat with a different command. You might as well just manually edit both files.

I’m not sure what you expect a solution to this to look like for a fully automated installation. Creating the encrypted volume requires the passphrase, thus the passphrase must be provided to the installer. If having it on the media or the network are both out, what is left?

There are things that can be done with the TPM and secure boot and so on to make this smoother, like ubuntu core 20 does (Full disk encryption | Ubuntu), but bringing that to more generic systems like arbitrary server installers vs ubuntu core is a lot of engineering work.

No I don’t. I think you could put something like

  early-commands:
    - |
      sh -c "bash myscript.sh < /dev/tty1 > /dev/tty1 2>&1"

and it would run myscript.sh interactively on tty1. But it might not work very well at all, as there will be other stuff running on tty1. Perhaps we need to design some kind of protocol for an early-command to ask for input.

FWIW, this isn’t the intent. The intent is that the autoinstall-provided values become defaults for the interactive screen. But I can well believe there are bugs around this.

Yeah so option 2 is the intent. Option 1 sounds … challenging to implement, although that’s not really a good argument for not doing it.

Are there any plans to make autoinstall work completely offline as described here?

I am also interested in this line of inquiry because I am currently trying to figure out how to bake an ISO with the following packages configured in user-data simply to avoid the need to fetch them from the repos online during the autoinstallation process:

  packages:
    - ntpdate
    - htpdate
    - gcc
    - make
    - perl
    - easy-rsa

Hm, it already should work with no network. Where things might go a bit awry is where there is a network, but there is no archive mirror on it. In these cases it’s probably better to not configure the network during install and put the desired config into place in a late-command.

Good timing, just a few days ago I put together a thing for doing pretty much exactly this: A tool to modify live server ISOs. It’s still a work in progress (it seems something isn’t quite right yet in the process of regenerating the apt indices for the pool on the ISO) but it’s definitely something you should look at.


I’ve fixed this bug, I think, and I used the version of livefs-edit in current git to bake a config like yours and the necessary packages into an ISO and used it to install a VM with no network access.

The only word that comes to mind is - Champion!

Will give your livefs-editor a whirl.

Off the bat I can say with certainty that I will have to combine livefs-editor with covertsh’s ubuntu-autoinstall-generator (https://github.com/covertsh/ubuntu-autoinstall-generator) because I already use ubuntu-autoinstall-generator to explode and repack the VirtualBox Guest Additions ISO within Ubuntu Live Server and have autoinstall late-commands to successfully install it.

Oh right, I’d forgotten about that. I think livefs-edit mostly subsumes its functionality fwiw with its --add-autoinstall-config action.

Hi all,
I’m coming from CentOS with Anaconda Kickstart installs. There it is possible to have so called post-scripts. I need this post-script to automatically configure something in the installed system.
With the Ubuntu Server Installer, the only way I know to issue commands in the target system is a late-command curtin in-target -- command. But with this I can issue single commands only. I need to conditionally execute commands depending on the return value of previous commands, like this:

command -v postconf && postconf -e 'relayhost = [mail.$mydomain]' && postconf -e 'mydestination = ' && postconf -e 'masquerade_exceptions = root' && postconf -e 'mynetworks_style = host'

If I write this as a late command:

late-commands:
    - curtin in-target -- command -v postconf && postconf -e 'relayhost = [mail.$mydomain]' && postconf -e 'mydestination = ' && postconf -e 'masquerade_exceptions = root' && postconf -e 'mynetworks_style = host'

then only command -v postconf will be executed with curtin in-target. The rest will be executed in the install system, not in the target system, causing the auto installation to stop with an error.

How can I execute multiple shell commands conditionally as late-commands, or, even better, execute complete shell scripts as late-command?

One additional issue: The final installation of security updates takes very long. I installed from 20.04.1 server media on a VMware VM with SSD storage, and the installation of security updates took 12 minutes. This is the vast majority of the whole install time. If I installed the updates with “apt upgrade”, it would not only install security updates, but take only 4 minutes and 30 seconds. Maybe the code used by the installer to install the security updates (/usr/bin/unattended-upgrade, /usr/lib/update-notifier/apt_check.py) is inefficient and should be improved.
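Each late-command string is handed to one sh -c in the installer environment, so an unquoted && chain belongs to that outer shell and only its first element reaches curtin. As an added example (not from this thread or from subiquity’s documentation), here are two alternative ways to run the whole chain inside the target; the script path /root/postinstall.sh is an assumption of this example, and you would keep only one of the two options:

```yaml
late-commands:
  # Option 1: quote the whole && chain so the installer's own sh passes it,
  # as one argument, to a second sh that curtin starts inside the target chroot.
  # The \$ survives the outer double quotes, so postconf still sees "$mydomain".
  - curtin in-target --target=/target -- sh -c "command -v postconf && postconf -e 'relayhost = [mail.\$mydomain]' && postconf -e 'mydestination = ' && postconf -e 'masquerade_exceptions = root' && postconf -e 'mynetworks_style = host'"
  # Option 2: write a script into the target (the path is an assumption of this
  # example), run it there with curtin, then remove it. The block scalar and the
  # quoted heredoc delimiter keep $mydomain literal with no escaping needed.
  - |
    cat > /target/root/postinstall.sh <<'EOF'
    #!/bin/sh
    set -e
    command -v postconf >/dev/null || exit 0
    postconf -e 'relayhost = [mail.$mydomain]'
    postconf -e 'mydestination = '
    postconf -e 'masquerade_exceptions = root'
    postconf -e 'mynetworks_style = host'
    EOF
    chmod 0700 /target/root/postinstall.sh
  - curtin in-target --target=/target -- sh /root/postinstall.sh
  - rm -f /target/root/postinstall.sh
```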

OK, I found that calling unattended-upgrade with --no-minimal-upgrade-steps takes only 3 minutes. The default is --minimal-upgrade-steps, which took 14 minutes. Maybe it’s possible to change the installer behaviour to call unattended-upgrade with --no-minimal-upgrade-steps? Or make this configurable in user-data?

Would be great if this is included. The automatic updates in the installer take forever to complete!

After the system is installed we run automated setup scripts which would also install all the security updates.
And no we don’t want a system with known security vulnerabilities but we would like to have the possibility if needed.

seriously… how to get rid of the swap file?

In this thread there are more people trying to achieve this…

no matter what I try I end up with:

cat /proc/swaps
Filename                                Type            Size    Used    Priority
/swap.img                               file            4027388 1292    -2

config

  storage:
    grub:
      reorder_uefi: false
    swap:
      filename: swap.img
      size: 0
    layout:
        name: lvm

also tried

  storage:
    grub:
      reorder_uefi: false
    swap:
      size: 0
    layout:
        name: lvm

or

  storage:
    grub:
      reorder_uefi: false
    swap: {swap: 0}
    layout:
        name: lvm

Seems bugged for me?! Anyone have a workaround?

  • curtin in-target --target=/target -- bash /target/root/advanced_bash.sh

Will this work?
Does any variable in the bash script need to be configured with the target prefix?

Late to the party here but have a few suggestions for docs and elsewhere.

I realize that last suggestion is quite nebulous. It stems from a failing late-command using modprobe and my lack of ability to see into the error. To make some concrete suggestions around this, perhaps the documentation could:

  • Better explain conceptually and more prominently that curtin in-target is effectively a way to run chroot’d commands in the target
  • What factors are “different” about this environment from e.g. a normal login to the box after it’s fully spun up
  • Usage of something like /usr/bin/tail -n 250 /var/log/syslog in error-commands to get hopefully some more debugging detail on failed commands since they are executed through systemd-cat vis a vis curtin

Could you please focus on implementing the possibility to run autoinstall fully offline, even if the network is configured? This is preferred for IoT/Edge devices with a WWAN connection.

Most of us are rebuilding the official ISO to our needs, not only applying the latest patches but also including security hardening.

It would be great to have it as an optional section.

If you have the need for an IoT/Edge tailored OS with WWAN support (and adapted data-handling behaviour for WWAN), special security hardening and a rolling release model, have you taken a look at Ubuntu Core yet? It is designed particularly for this use case and used a lot in IoT/Edge, PLCs, industrial gateways, digital signage and POS systems around the world …

Pre-installing the package ifenslave seems to break the installer.

I’ve been working on a solution to preinstall some packages to make it possible to setup offline targets.

I’ve come up with a script that mounts casper/filesystem.squashfs, chroot-installs some packages, configures my autoinstall script (nocloud) and repacks everything into a new filesystem.squashfs. It’s heavily inspired by inject-subiquity-snap.sh, following mwhudson’s suggestions: Automated Server Install Quickstart.

But preinstalling ifenslave makes the installer crash.

Script to reproduce the issue : https://gist.github.com/creatldd1/99db8d68e2a97e2737c5bb488be67328.

Check especially the “PARAMETERS” section before running it.

Is it possible to run an Ansible playbook in a late command? I’ve tried it, and it doesn’t seem to work, possibly due to it being run in a chroot…


Does autoinstall support ext3 format type because when I set the format type as ext3, ubuntu crashes?

Also is there a way we can set the root password in the user-data section?

I’m trying to get this to work with a more complex LVM setup, but I get a general error during installation. The user-data file parses and validates correctly it would seem, since I’m offered the chance to type “yes” and begin the autoinstall, but I just get an install_fail error from Subiquity after it sets up the partitions.

I’ve tried to reduce this down to what I think is the simplest version of this possible, so I can get it to work before I set up a much more complex layout with more LVM volumes, but I can’t work out what I’m doing wrong here to have it fail:

Edit: I worked out what I was doing wrong and have replaced my storage: section below with a working one. For reference, if anyone faces similar issues in the future, make sure that the device: keys in your mount: stanzas reference the id field from your format stanza, and don’t reference the partition or LVM volume directly.

  storage:
    version: 1
    config:
      - id: disk_sda
        grub_device: true
        name: main_disk
        path: /dev/sda
        ptable: gpt
        type: disk
        wipe: superblock
      - id: part_esp
        type: partition
        size: 600M
        device: disk_sda
        flag: esp
      - id: part_boot
        type: partition
        size: 1GB
        device: disk_sda
        flag: boot
      - id: part_lvm
        device: disk_sda
        size: 20G
        type: partition
      - id: vg_ubuntu
        name: vg_ubuntu
        type: lvm_volgroup
        devices:
          - part_lvm
      - id: lv_root
        name: lv_root
        size: 16G
        type: lvm_partition
        volgroup: vg_ubuntu
      - id: fs_esp
        type: format
        fstype: fat32
        volume: part_esp
      - id: fs_boot
        type: format
        fstype: ext4
        volume: part_boot
      - id: fs_root
        type: format
        fstype: ext4
        volume: lv_root
      - id: mount_root
        type: mount
        path: /
        device: fs_root
      - id: mount_boot
        type: mount
        path: /boot
        device: fs_boot
      - id: mount_esp
        type: mount
        path: /boot/efi
        device: fs_esp