
Cloud-init

Summary

cloud-init is the Ubuntu package that handles early initialization of a cloud instance. It is installed in the Ubuntu Cloud Images and also in the official Ubuntu images available on EC2.

Some of the things it configures are:

  • setting a default locale
  • setting hostname
  • generating ssh private keys
  • adding ssh keys to user's .ssh/authorized_keys so they can log in
  • setting up ephemeral mount points

cloud-init's behavior can be configured via user-data. User-data can be given by the user at instance launch time. This is done via the --user-data or --user-data-file argument to ec2-run-instances.

It is a package commonly installed in VM images; after boot it fetches information such as SSH public keys and user data from the metadata service and performs the instance's initialization.

Example

Changing the hostname

#cloud-config
hostname: exampleServerName

Adding a new user

On Ubuntu, put the user in the sudo group:

#cloud-config
users:
  - name: yourname
    groups: sudo
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
      - ssh-rsa ...
      - ssh-rsa ...
      - ssh-rsa ...
      - ssh-rsa ...

On CentOS, put the user in the wheel group:

#cloud-config
users:
  - name: yourname
    groups: wheel
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
      - ssh-rsa ...
      - ssh-rsa ...

CoreOS:

#cloud-config

users:
  - name: "yourname"
    passwd: "$6$rounds=4096$pah7.... {password hash}"
    groups:
      - "sudo"
      - "docker"
    ssh-authorized-keys:
      - ssh-rsa ...
      - ssh-rsa ...
      - ssh-rsa ...
      - ssh-rsa ...

Generating a password hash

If you choose to use a password instead of an SSH key, generating a safe hash is extremely important to the security of your system. Simplified hashes like md5crypt are trivial to crack on modern GPU hardware. Here are a few ways to generate secure hashes:

# On Debian/Ubuntu (via the package "whois")
mkpasswd --method=SHA-512 --rounds=4096

# OpenSSL (note: this will only make md5crypt. While better than plaintext, it should not be considered fully secure)
openssl passwd -1

# Python (change password and salt values; the crypt module is deprecated since Python 3.11 and removed in 3.13)
python -c "import crypt; print(crypt.crypt('password', '\$6\$SALT\$'))"

# Perl (change password and salt values)
perl -e 'print crypt("password","\$6\$SALT\$") . "\n"'

Using a higher number of rounds makes each guess slower and so the hash harder to crack, but given enough time, password hashes can still be cracked. On most RPM based distributions there is a tool called mkpasswd available in the expect package, but this does not handle "rounds" nor advanced hashing algorithms.
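The commands above produce hashes in different schemes, and the scheme is visible in the value's $id$ prefix. The following added example (not code from the cloud-init or CoreOS documentation) inspects the passwd values of a cloud-config users list and flags md5crypt, descrypt, unhashed strings and sub-minimum rounds before the file is handed to an instance; the sample user entries are constructed for the demonstration.

```python
import re

# crypt(3) hash identifiers that may appear in a cloud-config "passwd" field:
# identifier -> (scheme name, adequate for a login password)
CRYPT_METHODS = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}
DEFAULT_SHA_ROUNDS = 5000  # glibc default for $5$/$6$ when "rounds=" is absent
MIN_SHA_ROUNDS = 1000      # glibc clamps smaller values up to this

def inspect_passwd_hash(value):
    """Classify one hash string; returns (scheme, rounds, warnings)."""
    m = re.match(r"^\$([^$]+)\$(.*)$", value)
    if not m:
        if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
            return "descrypt", None, ["descrypt: 8-character limit, trivially cracked"]
        return "unknown", None, ["not a crypt hash; it would land in the shadow field as-is"]
    ident, rest = m.groups()
    if ident not in CRYPT_METHODS:
        return "unknown", None, ["unrecognised hash identifier $%s$" % ident]
    scheme, adequate = CRYPT_METHODS[ident]
    warnings = [] if adequate else ["%s is weak; regenerate with SHA-512 or bcrypt" % scheme]
    rounds = None
    if ident in ("5", "6"):
        rm = re.match(r"rounds=(\d+)\$", rest)
        rounds = int(rm.group(1)) if rm else DEFAULT_SHA_ROUNDS
        if rounds < MIN_SHA_ROUNDS:
            warnings.append("rounds=%d is below the glibc minimum of %d" % (rounds, MIN_SHA_ROUNDS))
    return scheme, rounds, warnings

def audit_users(users):
    """Inspect every user entry that carries a passwd field; returns name -> result."""
    report = {}
    for user in users:
        if "passwd" in user:
            scheme, rounds, warnings = inspect_passwd_hash(user["passwd"])
            report[user["name"]] = {"scheme": scheme, "rounds": rounds, "warnings": warnings}
    return report

# Constructed sample entries, shaped like the users: list in the CoreOS config above.
SAMPLE_USERS = [
    {"name": "good", "passwd": "$6$rounds=4096$pah7saltsalt$" + "A" * 86},  # mkpasswd --method=SHA-512 --rounds=4096 shape
    {"name": "weak", "passwd": "$1$ab12cd34$" + "B" * 22},                   # openssl passwd -1 shape (md5crypt)
    {"name": "oops", "passwd": "hunter2"},                                    # never hashed at all
]

if __name__ == "__main__":
    for name, result in audit_users(SAMPLE_USERS).items():
        print(name, result)
```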
