Content differences:
--- /etc/nova/vendor_data.json.orig
+++ /etc/nova/vendor_data.json
@@ -1,4 +1,4 @@
{
"domain": "codfw1dev.wikimedia.cloud",
- "cloud-init": "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XXXXboundary text\"\n\nThis is a multipart config in MIME format.\nIt contains a cloud-init config followed by\na first boot script.\n\n--XXXXboundary text\nMIME-Version: 1.0\nContent-Type: text/jinja2; charset=\"us-ascii\"\n\n## template: jinja\n#cloud-config\n\ndatasource:\n OpenStack:\n timeout: 10\n max_wait: 120\n retries: 10\n\nhostname: {{ds.meta_data.name}}\nfqdn: {{ds.meta_data.name}}.{{ds.meta_data.project_id}}.codfw1dev.wikimedia.cloud\n\n# Prevent puppet from doing things before we're ready.\n# APT fails to acquire GPG keys if packages dirmngr or gpg are missing\nbootcmd:\n - [ cloud-init-per, once, disablepuppet, puppet, agent, --disable, \"prevent puppet runs during cloud-init\" ]\n - [ cloud-init-per, once, purgeresolved, /usr/bin/dpkg, --purge, systemd-resolved, libnss-resolve ]\n - [ cloud-init-per, once, dirmngr-aptupdate, apt-get, update ]\n - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, \"-y\", dirmngr ]\n - [ cloud-init-per, once, gnupginstall, apt-get, install, \"-y\", gnupg ]\n\n\n# /etc/block-ldap-key-lookup:\n# Prevent non-root logins while the VM is being setup\n# The ssh-key-ldap-lookup script rejects non-root user logins if this file\n# is present.\n#\n# /etc/rsyslog.d/60-puppet.conf:\n# Enable console logging for puppet\n#\n# /etc/systemd/system/serial-getty@ttyS0.service.d/override.conf:\n# Enable root console on serial0\n# (cloud-init will create any needed parent dirs)\n#\n# /etc/apt/preferences.d/wikimedia.pref\n# Prefer packages from wikimedia repo\nwrite_files:\n - content: \"VM is work in progress\"\n path: /etc/block-ldap-key-lookup\n - content: \"daemon.* |/dev/console\"\n path: /etc/rsyslog.d/60-puppet.conf\n - content: {{ds.meta_data.project_id}}\n path: /etc/openstack/project_id\n - content: {{ds.ec2_metadata.local_ipv4}}\n path: /etc/openstack/host_ip\n - content: UNKNOWN\n path: /etc/openstack/project_name\n - content: |\n [Service]\n ExecStart=\n ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM\n path: /etc/systemd/system/serial-getty@ttyS0.service.d/override.conf\n - content: |\n Package: *\n Pin: release o=Wikimedia\n Pin-Priority: 1001\n path: /etc/apt/preferences.d/wikimedia.pref\n - content: |\n clouds:\n novaobserver:\n auth:\n auth_url: https://openstack.codfw1dev.wikimediacloud.org:25000/v3\n username: novaobserver\n password: lt-RiBeyokCO81bVvcX\n project_id: observer\n user_domain_id: default\n project_domain_id: default\n region_name: codfw1dev-r\n identity_api_version: 3\n path: /etc/openstack/clouds.yaml\n{% if ds.meta_data.meta is defined %}\n{% if ds.meta_data.meta.image_build is defined %}\n - content: building\n path: /.base_image_is_building\n{% endif %}\n{% endif %}\n\n# resetting ttys0 so root is logged in\nruncmd:\n - [systemctl, enable, serial-getty@ttyS0.service]\n - [systemctl, restart, serial-getty@ttyS0.service]\n\nssh_pwauth: False\n\nmanage_etc_hosts: false\n\n\n# gpg: needed for apt to function properly\n# pciutils: used by puppet to determine is_virtual\n# python3-keystoneclient and openstackclient: used to look up project name\npackages:\n - gpg\n - pciutils\n - python3-keystoneclient\n - python3-openstackclient\n\n# Mark out ephemeral0 so that cloud-init leaves it alone;\n# we'll let puppet mount it later.\nmounts:\n - [ephemeral0]\n\n# You'll see that we're setting apt_preserve_sources_list twice here. That's\n# because there's a bug in cloud-init where it tries to reconcile the\n# two settings and if they're different the stage fails. That means that\n# if one of them is set differently from the default (True) then nothing\n# works.\n#\n# Setting preserve_sources_list avoids clobbering the pre-set repos\n# (T340814) but still lets us inject the mediawiki repos.\napt_preserve_sources_list: True\napt:\n preserve_sources_list: True\n sources:\n wikimedia.list:\n source: |\n deb http://apt.wikimedia.org/wikimedia $RELEASE-wikimedia main\n deb-src http://apt.wikimedia.org/wikimedia $RELEASE-wikimedia main\n filename: wikimedia.list\n keyid: 9D392D3FFADF18FB\n\npackage_update: true\npackage_upgrade: true\n\nfinal_message: cloud-init has finished\n\n{% if ds.meta_data.meta is defined %}\n{% if ds.meta_data.meta.install_puppet is defined %}\n# This configures puppet and starts the puppet agent (which we don't want).\n# When the boot script starts we'll kill the agent and run puppet synchronously.\npuppet:\n start_service: false\n exec: false\n package_name: puppet-agent\n conf:\n agent:\n server: 'puppet'\n certname: '%f'\n{% endif %}\n{% endif %}\n\n--XXXXboundary text\nMIME-Version: 1.0\nContent-Type: text/text/x-shellscript; charset=\"us-ascii\"\n#!/bin/bash\n\nset -x\n\n# Set fqdn with project name.\n# We have to do this here since project_name isn't available via metadata.\nhostname=`hostname`\nip=`cat /etc/openstack/host_ip`\nproject_id=`cat /etc/openstack/project_id`\nproject_name=`openstack project show --os-cloud novaobserver -c name $project_id -f value`\necho $project_name > /etc/openstack/project_name\nfqdn=$hostname.$project_name.codfw1dev.wikimedia.cloud\ncat > /etc/hosts<< EOF\n$ip $fqdn $hostname\n127.0.0.1 localhost\n\n# The following lines are desirable for IPv6 capable hosts\n::1 ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nff02::3 ip6-allhosts\nEOF\n\nif ! command -v apt-get >/dev/null; then\n # If we don't have apt then none of our init script will\n # work so let's just get out of here\n\n rm /etc/block-ldap-key-lookup\n touch /.cloud-init-finished\n exit 0\nfi\n\n# Function to test if puppet is running or not\npuppet_is_running() {\n PUPPETLOCK=`puppet agent --configprint agent_catalog_run_lockfile`\n echo \"checking if puppet is running by looking at ${PUPPETLOCK}\"\n # If no lockfile is defined, we can't really tell what's happening.\n # Assume puppet is not running in this case\n test -n \"$PUPPETLOCK\" || return 1\n\n # If the lockfile is not present, puppet is not running\n test -e \"$PUPPETLOCK\" || return 1\n\n # Now let's see if the PID at $PUPPETLOCK is indeed present and running\n local puppetpid=$(cat \"$PUPPETLOCK\")\n local cmdline_file=\"/proc/${puppetpid}/cmdline\"\n if [ -f \"$cmdline_file\" ]; then\n # Puppet is indeed running\n grep -q puppet \"$cmdline_file\" && return 0\n fi\n\n # The lock file is stale, delete it so that we're all on the same page\n echo \"Clearing stale puppet agent lock for pid ${puppetpid}\"\n rm $PUPPETLOCK\n return 1\n}\n\n# loop function to wait for puppet to finish its execution\nwait_for_puppet() {\n local attempts=${1:-30}\n for _ in $(seq \"$attempts\"); do\n if ! puppet_is_running; then\n return 0\n fi\n echo \"Waiting for puppet run to complete\"\n sleep 10\n done\n # If puppet is still running at this point, report an error\n echo \"Tired of waiting for puppet run to complete; giving up\"\n return 1\n}\n\n# Upstream debian cloud base images come with chrony installed,\n# as well as a service user with an invalid (>499) ID. We can't\n# just uninstall chrony because systemd depends on it; installing\n# systemd-timesyncd uninstalls chrony but then runs afoul of the\n# user ID that was created by chrony. To work around all that,\n# we detect if chrony is installed and if it is, remove the\n# user it installed (without uninstalling chrony). That unblocks\n# us for a subsequent install of systemd-timesyncd (which /does/\n# uninstall chrony).\nif /usr/bin/dpkg -l chrony | grep -q ^ii; then\n /usr/sbin/userdel systemd-timesync\n /usr/sbin/userdel systemd-coredump\n apt install -y systemd-timesyncd\nfi\n\nsystemctl restart nscd.service\ndpkg-reconfigure -fnoninteractive -pcritical openssh-server\nsystemctl restart ssh.service\nnscd -i hosts\n\n# This VM might have puppet installed in its base image, or it\n# might have the metadata install_puppet flag set. If neither\n# of these is true then skip puppet entirely.\n#\n# Note that in Bookworm and after the puppet client\n# is in a package named puppet-agent; earlier it was\n# just named 'puppet'.\nif dpkg -s puppet || dpkg -s puppet-agent; then\n # Run puppet, twice. The second time is just to pick up packages\n # that may have been unavailable in apt before the first puppet run\n # updated sources.list\n puppet agent --enable\n\n # Just in case puppet is already running for some reason, wait\n # for it to finish.\n wait_for_puppet 120\n service puppet stop\n wait_for_puppet 120\n\n # Sometimes the previous --enable doesn't take. Don't know why but\n # it's harmless to try again\n puppet agent --enable\n puppet agent --onetime --verbose --no-daemonize --no-splay --show_diff --certname `hostname -f`\n # Refresh ldap now that puppet has updated our ldap.conf\n systemctl restart nslcd.service\n\n # Ensure all NFS mounts are mounted\n mount_attempts=1\n until [ $mount_attempts -gt 10 ]\n do\n echo \"Ensuring all NFS mounts are mounted, attempt ${mount_attempts}\"\n echo \"Ensuring all NFS mounts are mounted, attempt ${mount_attempts}\" >> /etc/block-ldap-key-lookup\n ((mount_attempts++))\n /usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a && break\n # Sleep for 10s before next attempt\n sleep 10\n done\n\n # Run puppet again post mounting NFS mounts (if all the mounts hadn't been mounted\n # before, the puppet code that ensures the symlinks are created, etc may not\n # have run)\n wait_for_puppet 10\n apt-get update\n puppet agent -t\n\n # The following will be a no-op on most distros, but\n # as of 08-2025 Trixie comes packaged with puppet 8\n # and the puppet manifests themselves seek to downgrade\n # to 7.\n apt install -y --allow-downgrades puppet-agent\n apt-get -y autoremove\n\n wait_for_puppet 10\n apt-get update\n puppet agent -t\n\n # sssd might be caching sudo rules and other ldap things from before puppet\n # finished setting up ldap integration. Restart sssd and clear its cache.\n # On some old images we won't have sssd installed; in that case this will\n # throw some harmless errors.\n systemctl stop sssd\n rm -rf /var/lib/sss/db/*\n systemctl restart sssd\nfi\n\nif test -f \"/.base_image_is_building\"; then\n # Now that puppet has configured apt properly, make sure\n # we have the right version of puppet installed.\n # The package may be named 'puppet' or may be named\n # 'puppet-agent' so one of these might fail.\n apt-get install --allow-downgrades -y puppet\n apt-get install --allow-downgrades -y puppet-agent\n\n # stop puppet runs, clean up log files, and generally get this ready\n # for another cloud-init run.\n echo Cleaning up files before base image creation\n rm -f /.base_image_is_building\n puppet agent --disable \"waiting for initial VM setup\"\n rm -f /lib/systemd/system/puppet-agent-timer.timer\n rm -f /etc/cron.d/puppet\n rm -rf /var/lib/cloud/instances\n rm -rf /var/lib/puppet/ssl\n rm -rf /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate\n cloud-init clean\n rm -f /.cloud-init-finished\n echo 'uninitialized' > etc/machine-id\n find /var/log -type f -exec rm '{}' \\;\nelse\n # Remove the non-root login restriction. If this is the\n # initial base image, we just leave logins disabled.\n rm /etc/block-ldap-key-lookup\n\n # mark the host as ready, from now on alerts and checks will send notifications (ex. puppet_alert.py)\n touch /.cloud-init-finished\nfi\n\nexit 0\n--XXXXboundary text\n"
+ "cloud-init": "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XXXXboundary text\"\n\nThis is a multipart config in MIME format.\nIt contains a cloud-init config followed by\na first boot script.\n\n--XXXXboundary text\nMIME-Version: 1.0\nContent-Type: text/jinja2; charset=\"us-ascii\"\n\n## template: jinja\n#cloud-config\n\ndatasource:\n OpenStack:\n timeout: 10\n max_wait: 120\n retries: 10\n\nhostname: {{ds.meta_data.name}}\nfqdn: {{ds.meta_data.name}}.{{ds.meta_data.project_id}}.codfw1dev.wikimedia.cloud\n\n# Prevent puppet from doing things before we're ready.\n# APT fails to acquire GPG keys if packages dirmngr or gpg are missing\nbootcmd:\n - [ cloud-init-per, once, disablepuppet, puppet, agent, --disable, \"prevent puppet runs during cloud-init\" ]\n - [ cloud-init-per, once, purgeresolved, /usr/bin/dpkg, --purge, systemd-resolved, libnss-resolve ]\n - [ cloud-init-per, once, dirmngr-aptupdate, apt-get, update ]\n - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, \"-y\", dirmngr ]\n - [ cloud-init-per, once, gnupginstall, apt-get, install, \"-y\", gnupg ]\n\n\n# /etc/block-ldap-key-lookup:\n# Prevent non-root logins while the VM is being setup\n# The ssh-key-ldap-lookup script rejects non-root user logins if this file\n# is present.\n#\n# /etc/rsyslog.d/60-puppet.conf:\n# Enable console logging for puppet\n#\n# /etc/systemd/system/serial-getty@ttyS0.service.d/override.conf:\n# Enable root console on serial0\n# (cloud-init will create any needed parent dirs)\n#\n# /etc/apt/preferences.d/wikimedia.pref\n# Prefer packages from wikimedia repo\nwrite_files:\n - content: \"VM is work in progress\"\n path: /etc/block-ldap-key-lookup\n - content: \"daemon.* |/dev/console\"\n path: /etc/rsyslog.d/60-puppet.conf\n - content: {{ds.meta_data.project_id}}\n path: /etc/openstack/project_id\n - content: {{ds.ec2_metadata.local_ipv4}}\n path: /etc/openstack/host_ip\n - content: UNKNOWN\n path: /etc/openstack/project_name\n - content: |\n [Service]\n ExecStart=\n ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM\n path: /etc/systemd/system/serial-getty@ttyS0.service.d/override.conf\n - content: |\n Package: *\n Pin: release o=Wikimedia\n Pin-Priority: 1001\n path: /etc/apt/preferences.d/wikimedia.pref\n - content: |\n # Cumin Controller.\n from=10.64.16.154,2620:0:861:102:10:64:16:154,10.192.32.49,2620:0:860:103:10:192:32:49,10.192.15.6,2620:0:860:110:10:192:15:6,no-agent-forwarding,no-port-forwarding,no-x11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcav+ECiF6hW2XRuP7R8nqDw4hPlD0OChsGvB6K27jK root@cloudinfra-internal-puppetmaster-02\n\n path: /etc/ssh/userkeys/root.d/cumin\n permissions: '0444'\n owner: root:root\n - content: |\n clouds:\n novaobserver:\n auth:\n auth_url: https://openstack.codfw1dev.wikimediacloud.org:25000/v3\n username: novaobserver\n password: lt-RiBeyokCO81bVvcX\n project_id: observer\n user_domain_id: default\n project_domain_id: default\n region_name: codfw1dev-r\n identity_api_version: 3\n path: /etc/openstack/clouds.yaml\n{% if ds.meta_data.meta is defined %}\n{% if ds.meta_data.meta.image_build is defined %}\n - content: building\n path: /.base_image_is_building\n{% endif %}\n{% endif %}\n\n# resetting ttys0 so root is logged in\nruncmd:\n - [systemctl, enable, serial-getty@ttyS0.service]\n - [systemctl, restart, serial-getty@ttyS0.service]\n\nssh_pwauth: False\n\nmanage_etc_hosts: false\n\n\n# gpg: needed for apt to function properly\n# pciutils: used by puppet to determine is_virtual\n# python3-keystoneclient and openstackclient: used to look up project name\npackages:\n - gpg\n - pciutils\n - python3-keystoneclient\n - python3-openstackclient\n\n# Mark out ephemeral0 so that cloud-init leaves it alone;\n# we'll let puppet mount it later.\nmounts:\n - [ephemeral0]\n\n# You'll see that we're setting apt_preserve_sources_list twice here. That's\n# because there's a bug in cloud-init where it tries to reconcile the\n# two settings and if they're different the stage fails. That means that\n# if one of them is set differently from the default (True) then nothing\n# works.\n#\n# Setting preserve_sources_list avoids clobbering the pre-set repos\n# (T340814) but still lets us inject the mediawiki repos.\napt_preserve_sources_list: True\napt:\n preserve_sources_list: True\n sources:\n wikimedia.list:\n source: |\n deb http://apt.wikimedia.org/wikimedia $RELEASE-wikimedia main\n deb-src http://apt.wikimedia.org/wikimedia $RELEASE-wikimedia main\n filename: wikimedia.list\n keyid: 9D392D3FFADF18FB\n\npackage_update: true\npackage_upgrade: true\n\nfinal_message: cloud-init has finished\n\n{% if ds.meta_data.meta is defined %}\n{% if ds.meta_data.meta.install_puppet is defined %}\n# This configures puppet and starts the puppet agent (which we don't want).\n# When the boot script starts we'll kill the agent and run puppet synchronously.\npuppet:\n start_service: false\n exec: false\n package_name: puppet-agent\n conf:\n agent:\n server: 'puppet'\n certname: '%f'\n{% endif %}\n{% endif %}\n\n--XXXXboundary text\nMIME-Version: 1.0\nContent-Type: text/text/x-shellscript; charset=\"us-ascii\"\n#!/bin/bash\n\nset -x\n\n# Set fqdn with project name.\n# We have to do this here since project_name isn't available via metadata.\nhostname=`hostname`\nip=`cat /etc/openstack/host_ip`\nproject_id=`cat /etc/openstack/project_id`\nproject_name=`openstack project show --os-cloud novaobserver -c name $project_id -f value`\necho $project_name > /etc/openstack/project_name\nfqdn=$hostname.$project_name.codfw1dev.wikimedia.cloud\ncat > /etc/hosts<< EOF\n$ip $fqdn $hostname\n127.0.0.1 localhost\n\n# The following lines are desirable for IPv6 capable hosts\n::1 ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nff02::3 ip6-allhosts\nEOF\n\nif ! command -v apt-get >/dev/null; then\n # If we don't have apt then none of our init script will\n # work so let's just get out of here\n\n rm /etc/block-ldap-key-lookup\n touch /.cloud-init-finished\n exit 0\nfi\n\n# Function to test if puppet is running or not\npuppet_is_running() {\n PUPPETLOCK=`puppet agent --configprint agent_catalog_run_lockfile`\n echo \"checking if puppet is running by looking at ${PUPPETLOCK}\"\n # If no lockfile is defined, we can't really tell what's happening.\n # Assume puppet is not running in this case\n test -n \"$PUPPETLOCK\" || return 1\n\n # If the lockfile is not present, puppet is not running\n test -e \"$PUPPETLOCK\" || return 1\n\n # Now let's see if the PID at $PUPPETLOCK is indeed present and running\n local puppetpid=$(cat \"$PUPPETLOCK\")\n local cmdline_file=\"/proc/${puppetpid}/cmdline\"\n if [ -f \"$cmdline_file\" ]; then\n # Puppet is indeed running\n grep -q puppet \"$cmdline_file\" && return 0\n fi\n\n # The lock file is stale, delete it so that we're all on the same page\n echo \"Clearing stale puppet agent lock for pid ${puppetpid}\"\n rm $PUPPETLOCK\n return 1\n}\n\n# loop function to wait for puppet to finish its execution\nwait_for_puppet() {\n local attempts=${1:-30}\n for _ in $(seq \"$attempts\"); do\n if ! puppet_is_running; then\n return 0\n fi\n echo \"Waiting for puppet run to complete\"\n sleep 10\n done\n # If puppet is still running at this point, report an error\n echo \"Tired of waiting for puppet run to complete; giving up\"\n return 1\n}\n\n# Upstream debian cloud base images come with chrony installed,\n# as well as a service user with an invalid (>499) ID. We can't\n# just uninstall chrony because systemd depends on it; installing\n# systemd-timesyncd uninstalls chrony but then runs afoul of the\n# user ID that was created by chrony. To work around all that,\n# we detect if chrony is installed and if it is, remove the\n# user it installed (without uninstalling chrony). That unblocks\n# us for a subsequent install of systemd-timesyncd (which /does/\n# uninstall chrony).\nif /usr/bin/dpkg -l chrony | grep -q ^ii; then\n /usr/sbin/userdel systemd-timesync\n /usr/sbin/userdel systemd-coredump\n apt install -y systemd-timesyncd\nfi\n\nsystemctl restart nscd.service\ndpkg-reconfigure -fnoninteractive -pcritical openssh-server\nsystemctl restart ssh.service\nnscd -i hosts\n\n# This VM might have puppet installed in its base image, or it\n# might have the metadata install_puppet flag set. If neither\n# of these is true then skip puppet entirely.\n#\n# Note that in Bookworm and after the puppet client\n# is in a package named puppet-agent; earlier it was\n# just named 'puppet'.\nif dpkg -s puppet || dpkg -s puppet-agent; then\n # Run puppet, twice. The second time is just to pick up packages\n # that may have been unavailable in apt before the first puppet run\n # updated sources.list\n puppet agent --enable\n\n # Just in case puppet is already running for some reason, wait\n # for it to finish.\n wait_for_puppet 120\n service puppet stop\n wait_for_puppet 120\n\n # Sometimes the previous --enable doesn't take. Don't know why but\n # it's harmless to try again\n puppet agent --enable\n puppet agent --onetime --verbose --no-daemonize --no-splay --show_diff --certname `hostname -f`\n # Refresh ldap now that puppet has updated our ldap.conf\n systemctl restart nslcd.service\n\n # Ensure all NFS mounts are mounted\n mount_attempts=1\n until [ $mount_attempts -gt 10 ]\n do\n echo \"Ensuring all NFS mounts are mounted, attempt ${mount_attempts}\"\n echo \"Ensuring all NFS mounts are mounted, attempt ${mount_attempts}\" >> /etc/block-ldap-key-lookup\n ((mount_attempts++))\n /usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a && break\n # Sleep for 10s before next attempt\n sleep 10\n done\n\n # Run puppet again post mounting NFS mounts (if all the mounts hadn't been mounted\n # before, the puppet code that ensures the symlinks are created, etc may not\n # have run)\n wait_for_puppet 10\n apt-get update\n puppet agent -t\n\n # The following will be a no-op on most distros, but\n # as of 08-2025 Trixie comes packaged with puppet 8\n # and the puppet manifests themselves seek to downgrade\n # to 7.\n apt install -y --allow-downgrades puppet-agent\n apt-get -y autoremove\n\n wait_for_puppet 10\n apt-get update\n puppet agent -t\n\n # sssd might be caching sudo rules and other ldap things from before puppet\n # finished setting up ldap integration. Restart sssd and clear its cache.\n # On some old images we won't have sssd installed; in that case this will\n # throw some harmless errors.\n systemctl stop sssd\n rm -rf /var/lib/sss/db/*\n systemctl restart sssd\nfi\n\nif test -f \"/.base_image_is_building\"; then\n # Now that puppet has configured apt properly, make sure\n # we have the right version of puppet installed.\n # The package may be named 'puppet' or may be named\n # 'puppet-agent' so one of these might fail.\n apt-get install --allow-downgrades -y puppet\n apt-get install --allow-downgrades -y puppet-agent\n\n # stop puppet runs, clean up log files, and generally get this ready\n # for another cloud-init run.\n echo Cleaning up files before base image creation\n rm -f /.base_image_is_building\n puppet agent --disable \"waiting for initial VM setup\"\n rm -f /lib/systemd/system/puppet-agent-timer.timer\n rm -f /etc/cron.d/puppet\n rm -rf /var/lib/cloud/instances\n rm -rf /var/lib/puppet/ssl\n rm -rf /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate\n cloud-init clean\n rm -f /.cloud-init-finished\n echo 'uninitialized' > etc/machine-id\n find /var/log -type f -exec rm '{}' \\;\nelse\n # Remove the non-root login restriction. If this is the\n # initial base image, we just leave logins disabled.\n rm /etc/block-ldap-key-lookup\n\n # mark the host as ready, from now on alerts and checks will send notifications (ex. puppet_alert.py)\n touch /.cloud-init-finished\nfi\n\nexit 0\n--XXXXboundary text\n"
}