Summary
When deploying virtual machines using virt-lightning and Ubuntu or Debian cloud images, cloud-init fails to properly configure the local admin account. This results in:
- Incorrect default shell (/bin/sh instead of /bin/bash)
- Locked user password
- Incomplete cloud-init execution (schema errors)
This impacts login over the serial console (vl console / virsh console) because password-based login and shell functionality are broken.
Environment
- Tool: virt-lightning
- Command: vl up
- Example virt-lightning.yaml:

```yaml
- name: ubuntu24-test
  distro: ubuntu-24.04
  memory: 4192
  root_disk_size: 15
  vcpus: 2
  groups: ['testnodes']
```

- Image Used: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
Problem Details
1. Cloud-Init Schema Validation Fails
Cloud-init reports schema validation errors during boot:
[ 6.953827] cloud-init[897]: Deprecated cloud-config provided: chpasswd.list: Deprecated in version 22.2. Use "users" instead.
[ 6.955886] cloud-init[897]: cloud-config failed schema validation!
[ 6.980093] cloud-init[897]: usermod: no changes
Checking the user_data file inside the VM shows:
cloud-init schema --config-file user_data
Cloud config schema deprecations: chpasswd.list: Deprecated in version 22.2. Use users instead.
Error: Cloud config schema errors: bootcmd: [] is too short, runcmd: [] is too short
Error: Invalid schema: user-data
Issues found in user_data:
- bootcmd: [] is invalid (must be removed or populated)
- runcmd: [] is invalid (must be removed or populated)
- chpasswd.list is deprecated and should not be used
- Bad formatting of ssh_authorized_keys
2. Resulting Problems in VM
After login via SSH:
$ id
uid=1000(lnxadmin) gid=1000(lnxadmin) groups=1000(lnxadmin)
$ grep lnxadmin /etc/passwd
lnxadmin:x:1000:1000:virt-bootstrap user:/home/lnxadmin:/bin/sh
$ sudo -l
User lnxadmin may run the following commands on lnxtest:
(ALL) NOPASSWD: ALL
$ passwd -S lnxadmin
lnxadmin L 2025-04-28 0 99999 7 -1
Findings:
- Shell is /bin/sh instead of /bin/bash
- Password is locked (L status in passwd -S)
SSH public key authentication works, but console access (vl console) fails because the account has no usable password.
Analysis
The user_data cloud-config provided by virt-lightning is invalid according to the cloud-init schema.
This invalid configuration causes cloud-init to skip or improperly configure the user account.
Specific Issues:
| Issue | Cause | Correction |
|---|---|---|
| bootcmd empty | Invalid empty list | Remove or add a placeholder command (- true) |
| runcmd empty | Invalid empty list | Remove or add a placeholder command (- true) |
| chpasswd.list deprecated | Deprecated field | Move password configuration to users: with passwd: |
| Bad SSH key formatting | YAML syntax error | Clean up ssh_authorized_keys to a single-line string |
Affected OS Images
| Distribution | Affected | Cloud-Init Version |
|---|---|---|
| Ubuntu 24.04 | Yes | 24.4.1-0ubuntu0~24.04.1 |
| Ubuntu 25.04 | Yes | 25.1.1-0ubuntu2 |
| Debian 13 | Yes | 25.1.1-1 |
| Ubuntu 20.04 | Yes | 24.4.1-0ubuntu0~20.04.2 |
| Ubuntu 18.04 | Yes | 23.1.2-0ubuntu0~18.04.1 |
| AlmaLinux 9 | No | 23.4-19.el9.alma.1 |
Note: CentOS Stream, Fedora, FreeBSD, OpenBSD, NetBSD, and Gentoo are not affected.
Proposed Fixes
- Update the user_data cloud-config generation logic inside virt-lightning:
  - Remove bootcmd and runcmd if empty.
  - Migrate password configuration into the users: section.
  - Ensure clean formatting for ssh_authorized_keys.
- Ensure cloud-config compatibility with cloud-init >= 22.2, considering the deprecations.
- Regenerate ISO images for NoCloud metadata accordingly.
Conclusion
The issue is caused by invalid schema in the user_data file generated during vl up.
Fixing the configuration generation should resolve the problem and allow full functionality of admin accounts during first boot.
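
The proposed fixes, sketched as an added example (not virt-lightning's code and not part of the original report): a function that normalizes a cloud-config dict before it is written to user_data. The function name and the sample input are assumptions constructed for illustration; `passwd`, `plain_text_passwd`, `lock_passwd`, `shell` and `ssh_authorized_keys` are existing cloud-init `users:` keys, and the `RANDOM` form of chpasswd.list is not handled.

```python
import copy
import json

# Constructed sample resembling the reported problems (not virt-lightning's real output).
SAMPLE = {
    "bootcmd": [],
    "runcmd": [],
    "chpasswd": {"list": "lnxadmin:example-password\n", "expire": False},
    "users": [{"name": "lnxadmin", "shell": "/bin/bash",
               "ssh_authorized_keys": "ssh-ed25519 AAAAC3constructed\n   user@host\n"}],
}

def sanitize_cloud_config(cfg):
    """Return a copy of a cloud-config dict with the reported schema issues fixed."""
    out = copy.deepcopy(cfg)
    # Empty bootcmd/runcmd lists fail schema validation: drop them.
    for key in ("bootcmd", "runcmd"):
        if out.get(key) == []:
            del out[key]
    users = [u for u in out.get("users", []) if isinstance(u, dict)]
    by_name = {u.get("name"): u for u in users}
    # chpasswd.list is deprecated: move each "user:password" pair into users:.
    chpasswd = out.get("chpasswd", {})
    entries = chpasswd.pop("list", [])
    if isinstance(entries, str):  # the multi-line string form
        entries = entries.splitlines()
    for entry in entries:
        name, _, secret = entry.strip().partition(":")
        if not secret:
            continue
        if name not in by_name:
            raise ValueError(f"chpasswd entry for unknown user {name!r}")
        # crypt(3) hashes start with "$"; anything else is treated as plain text.
        field = "passwd" if secret.startswith("$") else "plain_text_passwd"
        by_name[name][field] = secret
        by_name[name]["lock_passwd"] = False  # otherwise the password stays locked
    if "chpasswd" in out and not chpasswd:
        del out["chpasswd"]
    # Each authorized key must be a single line: rejoin wrapped keys, drop blanks.
    for user in users:
        keys = user.get("ssh_authorized_keys")
        if isinstance(keys, str):
            keys = [keys]
        if keys is not None:
            user["ssh_authorized_keys"] = [" ".join(k.split()) for k in keys if k.strip()]
    return out

if __name__ == "__main__":
    print(json.dumps(sanitize_cloud_config(SAMPLE), indent=2))
```

The result can be checked inside a guest with the same `cloud-init schema --config-file user_data` command shown above.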