RE: Cloud-init success

@VGerris

Sure, I have several configs in production depending on the use-case/role for the node.

Here is a sanitized version of one of the more basic configs for Ubuntu images for reference:

#cloud-config
hostname: {name}%
users:
## Add users
  - name: user1
    groups: sudo
    lock_passwd: false
    passwd: $6$xxxx.......
    ssh_authorized_keys:
      - ssh-ed25519 <my-key-ed25519>
    shell: /bin/bash
## Add ansible acct & key
  - name: ansible
    groups: sudo
    lock_passwd: false
    passwd: $6$xxxxxx736363535353.8ahdVT625S/
    ssh_authorized_keys:
      - ssh-ed25519 <somekey>
    shell: /bin/bash
package_update: true
package_upgrade: true
packages:
  - build-essential
  - htop
  - nano
  - nfs-common
  - git
locale: en_US.UTF-8
timezone: America/New_York
runcmd:
  - mkdir /mnt/v-nas
  - date > /etc/birth_certificate
  - mount /dev/cdrom /mnt
  - bash /mnt/Linux/install.sh
  - umount /dev/cdrom

Just add your pw hashes and key strings and tweak what you need for your config. This one is pretty basic so it runs through fairly quick and loads the xen-tools.

I have a very large "universal" one for Debian, Redhat, Centos, Rocky, Ubuntu with jinja templating and all the snazzy features I can sanitize and share if you like that I use for both VM's and containers.

@julien-f said in % characters in cloud-init configs render as 0 in instance:

@dj423 It should be fixed in the master branch: https://github.com/vatesfr/xen-orchestra/commit/30e6d4b4f14ddbb6ee34cd456e4ca707486df2db

• {index} is now used in place of %
• % is still working when Multiple VMs is enabled
• % and \% will be replaced by % when Multiple VMs is disabled

Wow! First of all big Thank you for getting that in place so fast. I updated, and for grins provisioned an Oracle 9.4 VM in XO using the same templated config (without the escaped /%) and it worked flawless.

snippet:
{% if distro == 'rocky' or distro == 'centos' or distro == 'ol' or distro == 'almalinux' or distro == 'fedora' or distro == 'redhat' %}
{% set group = 'wheel' %}

Thanks again Julien!

Hello, I am a systems engineer for a mid sized ISP. I have been mostly a VMware/Vsphere admin going back to 2007 back in my enterprise days. Even played with XEN project a bit prior to jumping into ESX. I started using xcp-ng in my personal lab to prototype cloud-init scripts, Ansible playbooks and other IaC toolstacks, and to have a solid reliable virtualization stack to run my hosted apps, email, and websites. Thanks to the xcp-ng team for such a stable and easy to use system! The support is top notch!
Dj

Re: Cloud-init success

Had a chance to "refresh" some cloud-init configs for some later distros (Debian 12, Ubuntu 24.04, Rocky Linux 9.3, etc.) so thought I would share some example configs that are used mainly for bootstrapping new VM's and or containers.

This first one is targeted at deb based distros and sets up an Incus container host. Like most configs I use this one is pretty specific pulling key files and configs from an NFS share, rsyslog target, etc., but gives an idea what can be done for detailed provisioning of instances, aside from just slapping your SSH keys on and letting ansible take over. With this I can have a fresh VM provisioned in about 5 minutes.

I always like to run a status check after init:

root@IncusTEST20:~# cloud-init status --long
status: done
boot_status_code: enabled-by-generator
last_update: Sat, 26 Jul 2024 17:29:50 +0000
detail:
DataSourceNoCloud [seed=/dev/xvdc][dsmode=net]

Then we can query the user-data to see how it rendered from the config injected into the nocloud datasource:
root@IncusTEST20:~# cloud-init query userdata

#cloud-config
    hostname: IncusTEST20
    users:
      - name: foo
        groups: sudo
        lock_passwd: false
        passwd: $6$10023$EKz8eWTDXQO3x7.4ff0ZNJLsl9q6RB.l8pZN9nq8BzT42zzOn7O4r./ybHeVa/l0W0/FARK/2Ttg177ywAP0Z1
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqTfKkUKEGxOi62A9tCWMslqF5i9xm0aMN+ZxWgHuR6 foobar-ed25519-20240725
        shell: /bin/bash
      - name: bar
        groups: sudo
        lock_passwd: false
        passwd: $6$10023$EKz8eWTDXQO3x7.4ff0ZNJLsl9q6RB.l8pZN9nq8BzT42zzOn7O4r./ybHeVa/l0W0/FARK/2Ttg177ywAP0Z1
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqTfKkUKEGxOi62A9tCWMslqF5i9xm0aMN+ZxWgHuR6 foobar-ed25519-20240725
        shell: /bin/bash
    locale: en_US.UTF-8
    timezone: America/New_York
    resize_rootfs: true
    mounts:
      - ["192.168.99.2:/mnt/Vault/lxd", "/mnt/lxd", "nfs", "auto,nofail,noatime,nolock,intr,tcp,actimeo=1800,user,suid", "0", "0"]
      - ["192.168.0.54:/mnt/raid/backup", "/mnt/nas", "nfs", "auto,nofail,noatime,nolock,intr,tcp,actimeo=1800,user,suid", "0", "0"]
    rsyslog:
      remotes:
        log_serv: "192.168.50.35:5140"
    write_files:
      - path: /etc/init.d/incus.sh
        owner: root:root
        permissions: 0o755
        defer: true
        content: |
          #!/bin/bash
          curl -fsSL https://pkgs.zabbly.com/key.asc -o /etc/apt/keyrings/zabbly.asc
          sh -c 'cat <<EOF > /etc/apt/sources.list.d/zabbly-incus-lts-6.0.sources
          Enabled: yes
          Types: deb
          URIs: https://pkgs.zabbly.com/incus/lts-6.0
          Suites: $(. /etc/os-release && echo ${VERSION_CODENAME})
          Components: main
          Architectures: $(dpkg --print-architecture)
          Signed-By: /etc/apt/keyrings/zabbly.asc
          EOF'
          apt update -y
          dpkg --configure -a
          apt install incus incus-ui-canonical -y
          mkdir -p /root/.config
          mkdir -p /root/.config/rclone
          mount -a
          cp /mnt/lxd/.config/.encode /root/.encode
          cp /mnt/lxd/.config/rclone.conf /root/.config/rclone/rclone.conf
          chmod 600 /root/.config/rclone/rclone.conf
          # Delete self
          rm "${0}"
    runcmd:
      - mkdir /mnt/lxd
      - mkdir /mnt/nas
      - date > /etc/birth_certificate
      - [ mount /dev/cdrom /mnt ]
      - [ bash /mnt/Linux/install.sh ]
      - [ umount /dev/cdrom ]
      - [ sh, /etc/init.d/incus.sh ]
    package_update: true
    package_upgrade: true
    packages:
      - htop
      - nano
      - curl
      - wget
      - nfs-common
      - btrfs-progs
      - bridge-utils
      - build-essential
      - rclone

Here is a more universal config with jinja templating syntax that can be targeted at many distros and using an 'if distro' will configure the instance based on the distro value in metadata:

This one targets debian, ubuntu, centos, redhat and rocky linux 8 and up - notice the ##template: jinja at the top, this allows jinja to render and process:

## template: jinja
#cloud-config
{% set u1 = 'foobar' %}
{% set u1pass = '$6$10023$EKz8eWTDXQO3x7.4ff0ZNJLsl9q6RB.l8pZN9nq8BzT42zzOn7O4r./ybHeVa/l0W0/FARK/2Ttg177ywAP0Z1' %}
{% set u1key = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqTfKkUKEGxOi62A9tCWMslqF5i9xm0aMN+ZxWgHuR6 foobar-ed25519-20240725' %}
{% set u2 = 'ansible' %}
{% set u2pass = '$6$10023$EKz8eWTDXQO3x7.4ff0ZNJLsl9q6RB.l8pZN9nq8BzT42zzOn7O4r./ybHeVa/l0W0/FARK/2Ttg177ywAP0Z1' %}
{% set u2key = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqTfKkUKEGxOi62A9tCWMslqF5i9xm0aMN+ZxWgHuR6 foobar-ed25519-20240725' %}
locale: en_US.UTF-8
timezone: America/New_York
runcmd:
  - mkdir /mnt/v-nas
  - mkdir /mnt/home
  - date > /etc/birth_certificate
rsyslog:
  remotes:
    log_serv: "192.168.50.35:5140"
{% if distro == 'rocky' or distro == 'centos' or distro == 'redhat' %}
{% set group = 'wheel' %}
repo_update: true
repo_upgrade: all
yum_repos:
  epel-release:
    name: Extra Packages for Enterprise Linux 9 - Release
    baseurl: http://download.fedoraproject.org/pub/epel/9/Everything/$basearch
    enabled: true
    failovermethod: priority
    gpgcheck: true
    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
package_upgrade: true
packages:
  - htop
  - nano
{% elif distro == 'ubuntu' or distro == 'debian' %}
{% set group = 'sudo' %}
package_update: true
package_upgrade: true
packages:
  - htop
  - nano
  - build-essential
users:
  - name: {{ u1 }}
    groups: {{ group }}
    lock_passwd: false
    passwd: {{ u1pass }}
    ssh_authorized_keys:
      - {{ u1key }}
    shell: /bin/bash
  - name: {{ u2 }}
    groups: {{ group }}
    lock_passwd: false
    passwd: {{ u2pass }}
    ssh_authorized_keys:
      - {{ u2key }}
    shell: /bin/bash
{%- endif %}

Just a note, to consume jinja templating, you need cloud-init 22.x or higher, with the jinja package installed in your template/image.

For anyone wanting to tinker with these, (these are not my keys or password hashes, these I just threw in for demonstration purposes and for the wiki page). The password for the accounts is "foobar" and the matching private key is:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBKk3ypFChBsToutgPbQljLJaheYvcZtGjDfmcVoB7kegAAAKADtgJ2A7YC
dgAAAAtzc2gtZWQyNTUxOQAAACBKk3ypFChBsToutgPbQljLJaheYvcZtGjDfmcVoB7keg
AAAEC1DHPxJPEU3Ywf14x7k7IMXt1nKPvwBmG6vAXsZceiVUqTfKkUKEGxOi62A9tCWMsl
qF5i9xm0aMN+ZxWgHuR6AAAAF2Zvb2Jhci1lZDI1NTE5LTIwMjQwNzI1AQIDBAUG
-----END OPENSSH PRIVATE KEY-----

Enjoy!

I thought I would share some success with cloud-init. I know it has been a pain for others to get working. Please disregard if this is old news.

Just for fun, I wanted to see if I could just use the stock/prebuilt Ubuntu 22.04-LTS cloud ready images I have used in production. Almost like magic it worked fantastic. I expected hours of pain and debugging like others have had to suffer. However to it took me about 2 minutes to spin up a fully configured Ubuntu VM with all my PKI keys, users, updates, packages, configs, etc.

So here is what I did, just in case this is helpful for any other noobies like myself getting acquainted with XO and using cloud-init.

So I used the prebuilt cloud image for Ubuntu found here: https://cloud-images.ubuntu.com/jammy/current/

Step 1:
I selected the "jammy-server-cloudimg-amd64.ova" stock file for vmware/virtual box and downloaded.

Step 2:
Then in XO, I imported the file as a VM - import - VM.

Step 3:
Then I went into settings, and created a new cloud config with my usual user, ssh, packages, and other custom settings as I normally use in the lab for testing prior to rolling into production. I just copy/pasted my full config, and saved it.

Step 4:
Then I converted the cloud image VM I imported in step 2 into a template.

Step 5:
Then I created a fresh VM, using this new template, making sure to select my cloud-init config by checking the "Custom config" selection under Install settings.

Step 6:
Then I opened the console to watch for FAIL errors. Everything looked good. Then I logged in with my ansible account configured in the cloud-init. Then I tested from my ansible control node, and logged in. I inspected /var/log/cloud-init.log for any errors, and finally I ran "cloud-init query userdata" to see how it rendered the config settings. Everything works as it should.

Next I will try the cloud-init config with jinja2 template directives and see if the jinja engine works as well, so I can use one config for all distros I will be using. Then test network config settings. Then test on Centos, Rocky, RHEL cloud-ready images and report back if I run into any snags on those.

@olivierlambert
Yes. It should be said, that XCP-ng FAR exceeds my expectations! No matter what I throw at it, it just works fantastic.

@dj423

Update: In case anyone runs across this OVA/app, It imported fine, with no issues at all. I did not end up running it since the apps fell short of my expectations, but the process of importing it worked flawlessly.

Have a great day!

@olivierlambert
Ok thanks Oliver! I will report back how it goes.

@encryptblockr

FWIW: I know I have done this from cli using xo-cli in a bash script.

I don't have all that code handy at the moment, but here is a hack from memory as an example:

#! /bin/bash

while IFS=',' read -r name_c1 ip_c2
do
    file=v1-$ip_c2.yaml

    cat >> "$file" << EOF
network:
  version: 1
  config:
    - type: physical
      name: eth0
      subnets:
        - type: static
          address: $ip_c2/24
          gateway: 192.168.0.1
    - type: nameserver
      address:
        - 192.168.0.10
        - 192.168.23.50
      search:
        - example.tld
EOF

xo-cli vm.create bootAfterCreate=true cloudConfig="$(cat /root/user.yaml)" networkConfig="$(cat $file)" clone=true name_label="$name_c1" template=0856a8d6-7761-f39d-f968-290b18a1bd42 VIFs='json:[{"network":"ca96456f-3843-26f5-7075-1e54xxxx121xxf97"}]' hvmBootFirmware=bios copyHostBiosStrings=true

rm $file
done <  prov-list
exit

prov-list example:

Bookworm,192.168.0.217
Noble1,192.168.0.218
Jammy1,192.168.0.219
Oracle9,192.168.0.222
Rocky9,192.168.0.223
Fedora40,192.168.0.224

If you wanted to do different networks, that is a bit more complicated, but just need a variable to render.

Sorry on my tablet and I don't have a better example handy. But this should get you close, and can be handy when you need to stand up a few dozen VM's.

@encryptblockr said in Ubuntu 24.04 Cloud Image Template Not Working:

did you mount the guest tools cdrom to the cloud image before you created a template from it?

No, I just make my base images (for the end template) as generic as possible, and I do all mounts, package installs, accounts, keys, including the xe-guest utils package all in the user-data config for cloud-init. Makes the configurations more uniform across all stacks I have to maintain and scales really well with jinja templates.

also what is point of {name}% in below? can you explain? where does it get {name} from and what is % use?

That pulls the hostname from metadata that is provided by the nocloud datasource.

If you ever want to see all the metadata available (for example, say your provisioning plane does dynamic configuration from some backend IAS platform, and you need logic that renders metadata to run different configurations; run the following after login:

cloud-init query -a

For example, I run different configurations based on what the 'distro' value is -
example:

cloud-init query -f {{v1.distro}}

{% if distro in ['rocky', 'ol', 'centos', 'fedora', 'redhat', 'almalinux'] -%}
//do the rpm things//

This allows us to run completely different configuration settings based on what distro its being run in, or even what virtualization platform it is running on. Some platforms won't use the hostname, or fqdn meta values, so I have some if logic that only adds it when vendordata is null, example;

{% if vendordata == '' %}
fqdn: {name}
{% endif %}

Probably more than you wanted to know, but that's a brief summary of cloud-init metadata.

@julien-f

Would that be something like this for a dynamic network config as an example?

network:
  version: 1
  config:
    - type: physical
      name: enX0
      subnets:
        - type: static
          address: 192.168.99.{index}/24
          gateway: 192.168.99.1
    - type: nameserver
      address:
        - 172.31.31.1
        - 192.168.45.11
      search:
        - example.tld

I plan to test this at some point, but I don't do a whole lot of bulk provisioning myself. Just curious.

@encryptblockr

FWIW: I know I have done this from cli using xo-cli in a bash script.

I don't have all that code handy at the moment, but here is a hack from memory as an example:

#! /bin/bash

while IFS=',' read -r name_c1 ip_c2
do
    file=v1-$ip_c2.yaml

    cat >> "$file" << EOF
network:
  version: 1
  config:
    - type: physical
      name: eth0
      subnets:
        - type: static
          address: $ip_c2/24
          gateway: 192.168.0.1
    - type: nameserver
      address:
        - 192.168.0.10
        - 192.168.23.50
      search:
        - example.tld
EOF

xo-cli vm.create bootAfterCreate=true cloudConfig="$(cat /root/user.yaml)" networkConfig="$(cat $file)" clone=true name_label="$name_c1" template=0856a8d6-7761-f39d-f968-290b18a1bd42 VIFs='json:[{"network":"ca96456f-3843-26f5-7075-1e54xxxx121xxf97"}]' hvmBootFirmware=bios copyHostBiosStrings=true

rm $file
done <  prov-list
exit

prov-list example:

Bookworm,192.168.0.217
Noble1,192.168.0.218
Jammy1,192.168.0.219
Oracle9,192.168.0.222
Rocky9,192.168.0.223
Fedora40,192.168.0.224

If you wanted to do different networks, that is a bit more complicated, but just need a variable to render.

Sorry on my tablet and I don't have a better example handy. But this should get you close, and can be handy when you need to stand up a few dozen VM's.

@encryptblockr said in Ubuntu 24.04 Cloud Image Template Not Working:

did you mount the guest tools cdrom to the cloud image before you created a template from it?

No, I just make my base images (for the end template) as generic as possible, and I do all mounts, package installs, accounts, keys, including the xe-guest utils package all in the user-data config for cloud-init. Makes the configurations more uniform across all stacks I have to maintain and scales really well with jinja templates.

also what is point of {name}% in below? can you explain? where does it get {name} from and what is % use?

That pulls the hostname from metadata that is provided by the nocloud datasource.

If you ever want to see all the metadata available (for example, say your provisioning plane does dynamic configuration from some backend IAS platform, and you need logic that renders metadata to run different configurations; run the following after login:

cloud-init query -a

For example, I run different configurations based on what the 'distro' value is -
example:

cloud-init query -f {{v1.distro}}

{% if distro in ['rocky', 'ol', 'centos', 'fedora', 'redhat', 'almalinux'] -%}
//do the rpm things//

This allows us to run completely different configuration settings based on what distro its being run in, or even what virtualization platform it is running on. Some platforms won't use the hostname, or fqdn meta values, so I have some if logic that only adds it when vendordata is null, example;

{% if vendordata == '' %}
fqdn: {name}
{% endif %}

Probably more than you wanted to know, but that's a brief summary of cloud-init metadata.

@encryptblockr

For reference, if you are testing network configs, here is a basic static ip v1 example I use to configure all distros, debian, ubuntu, RHEL, Rocky, Alma, Oracle linux, etc.

network:
  version: 1
  config:
    - type: physical
      name: enX0
      subnets:
        - type: static
          address: 192.168.0.xx/24
          gateway: 192.168.0.1
    - type: nameserver
      address:
        - 192.168.0.1
        - 192.168.90.50
      search:
        - example.tld

Works very well for me, as I am lazy and want to do as little manual configuration as possible, and XCP-ng and XO make that so easy. Most ENI, network-manager, systemd-networkd, netplan network stacks render this config fine. FYI

@encryptblockr
Oh good! Glad you got it working.

Keep in mind for those 'public' cloud images, (for anyone that uses them) you can have cloud-init install the xe guest utils at initialization as long as you have the guest-tools.iso mounted at bootup in the console within xo;

Sounds like you are getting the hang of it. Best of luck!

@encryptblockr

Just add the commands to your cloud config in user-data;

runcmd:
  - mount /dev/cdrom /mnt
  - bash /mnt/Linux/install.sh
  - umount /dev/cdrom

@encryptblockr

You are using version 2 of your network config, did you happen to install netplanio package to consume your version 2 config, and is it enabled in the image you created? Otherwise, I have better luck with the version 1 network configs.

@encryptblockr

Pretty sure you want the 'nocloud' data source as well. You can have cloud-init mount and install the xe guest tools if the virtual cd is attached at bootup.

@encryptblockr

I don't see your users block in that config

Example:

users:
## Add users
  - name: user1
    groups: sudo
    lock_passwd: false
    passwd: $6$xxxx.......
    ssh_authorized_keys:
      - ssh-ed25519 <my-key-ed25519>

So that may be an issue. See my examples for a guide.

@encryptblockr

That guide may be a bit outdated. I would suggest following the guide I have posted over at https://xcp-ng.org/forum/topic/6821/cloud-init-success/3 for more recent noble/jammy cloud images.

and if you can, use the cloud images provided by ubuntu/canonical as the base. Over here: https://cloud-images.ubuntu.com/noble/current/

Can you provide any details on what didn't work? If you need to generate the base image from scratch, I can help but that is a bit more involved and challenging. Much better to go with the pre-canned cloud images when possible.