FilterHN

Cloud-Init on Raspberry Pi OS

60 points

by rcarmo

4 days ago

| past

| 6 comments

| raspberrypi.com

| HN

▲

alias_neo

47 minutes ago

[-]

I noticed this yesterday, I was digging around my uSD after I tried to use the Raspberry Pi Imager to pre-customise a flash for a Pi Zero 2W and it failed at everything including setting up the user, enabling SSH, adding my key, setting the hostname, and connecting to WiFi.

I was trying to avoid having to dig out the correct type of HDMI cable and the OTG adapter to plug in a Keyboard, and removing the Pi from the housing that doesn't allow plugging in anything, all in vain because the imager failed completely, not sure what that's all about.

It did allow me to notice the cloud-init and metadata files there though, I didn't realise cloud-init was new in Raspbian until seeing this post just now.

▲

cryptonector

5 hours ago

[-]

First I've heard of cloud-init. So I went looking to see how it does provisioning of SSH keys and... it doesn't really. Sure, it will add public keys to the authorized_keys file, but it won't do anything to register each provisioned hosts' public keys anywhere. And here was I hoping for something to do with TPMs or DICE or something. But sadly, no.

It would be a really good thing to integrate something like Safeboot (https://github.com/osresearch/safeboot), which does use TPMs. Safeboot is implemented as Bash scripts using tpm2-tools, which... I'm really not fond of. I'd rather implement the Safeboot protocol or similar from scratch in Rust or Go, or even maybe parts in C and parts in a safe language. But anyways, the idea is to enroll a host given its TPM's EKcert or the system's platform cert (if it has one), and in the process generate credentials for the host that it will be able to fetch upon attestation upon first boot and which only it can decrypt using its TPM, then after that the host can use those credentials as a root of trust with which to acquire any other necessary credentials (if any). E.g., client certificates, Kerberos keys ("keytabs"), TLS server certificates, etc.

▲

figmert

4 hours ago

[-]

Cloud-init isn't about boot process, it's about initial provisioning of a system.

If you need the host's public keys registered somewhere, you can do that using cloud-init, but there's not built-in mechanism. You'd have to write your own script to do so.

▲

pta2002

2 hours ago

[-]

Unfortunately the TPM story for the raspberry pi… isn’t, really. It doesn’t come with one, and while it does support secure boot, it’s incredibly limited and more akin to what you’d find in a microcontroller (you can burn vendor keys to EEPROM). So all that to say, it would be kind of pointless, unfortunately.

I’d you’re interested in this, I know systemd has been working pretty hard on getting TPM-provisioned credentials usable on Linux though!

▲

imtringued

1 hour ago

[-]

The point of cloud-init is to be a provider independent entry point that runs on first boot and lets you specify per node metadata. You use it to install a package or download a script which then does what you want. Before cloud-init, each cloud provider had their own way of running a bash script on first boot.

For the Raspberry Pi specifically, you would use cloud-init to program Raspberry Pis/compute modules.

Why can't you just simply build a VM image or SD card image and copy it to all the Raspberry Pis? Well you could, but then you need to build a unique image for each Raspberry Pi. Cloud-init lets you factor out the differences between the Raspberry Pis and reuse a single image for all of them. E.g. each Raspberry Pi can have a different hostname, account name, root password and all you have to do is put them in a single configuration file.

▲

synergy20

6 hours ago

[-]

i don't have fond memory about cloud-init from ubuntu install in the past, sometimes it got stuck there for good. I would like the installation can be done quickly offline, or, if network is live at least timeout the stuck cloud-init and proceed when it occurs.

▲

vbezhenar

4 hours ago

[-]

Cloud Init is used everywhere, probably in every cloud provider. It's very ubiquitous. I don't like it either, its syntax changed in an incompatible way between versions and simple things might require a lot of experimentation, like just creating user with password to log in. But once you're over this, it's pretty nice.

▲

bravetraveler

20 minutes ago

[-]

Where it isn't technically supported, there is 'NoCloud'. A generic mechanism for hosting the data elsewhere:

https://cloudinit.readthedocs.io/en/latest/reference/datasou...

Might think 'chicken/egg': not really. Resources usually come with some credentials -- use those to add more with this.

▲

rcarmo

4 days ago

[-]

At last, one of my uses for https://github.com/rcarmo/ground-init is gone.

▲

thedougd

6 hours ago

[-]

This was already in Ubuntu server for the RPi.

Works great.

▲

Jemm

1 hour ago

[-]

And now there are even more outdated tutorials. Not great for a 'beginner' platform

▲

alias_neo

43 minutes ago

[-]

I don't think the addition of cloud-init deprecates anything or creates any issues with existing tutorials.

What does concern me, is that the image I tried to customise and flash with RPi Imager yesterday to a Pi Zero 2 W, failed to perform all of the customisations and left me having to manually correct it all by finding the hardware and hookin g it up to a monitor and keyboard.