Month: August 2015

One approach to updating (and making PCI DSS-compliant…) Ubuntu cloud images would be to start a stock instance with an unmodified image, customise this VM, and then either snapshot or save and convert the resulting filesystem. The two drawbacks of this methodology are that the resulting image isn’t necessarily pristine – the commands run to migrate its state and and temporary files will still be present – and the image will be much larger than the original compressed/deduplicated source. This latter aspect is important when there is a need to spin-up a large number of VMs quickly, and the smaller the source image the faster this can occur.

I’ve recently been working on upgrading the stock Ubuntu cloud image(*) to meet the requirements for PCI DSS compliance – and a hugely non-obvious issue I ran into went as follows:

# passwd newuser
passwd: Module is unknown
passwd: password unchanged

It’s not uncommon, especially when using chroot() gaols, to find that “modern” systemd-equipped Linux distributions seem to get a bit possessive when it comes to mounting filesystems such as devtmpfs on /dev or tmpfs on /run, and when you want to remove the gaol this filesystems can show as still in use – although lsof/fuser -m output suggests that everything using root-dev and nothing respectively are actually using these mount-points.