Cannot Create Droplet With CloudInit Config

December 10, 2017 1k views
DigitalOcean Ubuntu 16.04

Hi,

I'm trying to create a DO droplet and provision it using a quite long 64 line long cloud-init file. I would like to end up with a LEMP environment which could be used as a target for a Capistrano deployment of a Bedrock-based WordPress installation. And it's working great, except that [this config}[douserscripts/lemp.yml] leaves MySQL with the single and password-less root user.

Now I would like to tighten the security of MySQL with mysql_secure_installation. It appears that running this wit the runcmd module is not possible, because mysql_secure_installation is interactive. Therefore, the best way appears to be by running the SQL directly, However, when I merge the command(s) into the YAML document, I get the following message:

Sorry! We've encountered an error creating your Droplet.

Below please find the relevant section. Please note that as soon as I remove the lines starting with "mysql", I am able to create the droplet.

---
runcmd:
  - mkdir -p /var/www/html/current
  - sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /etc/php/7.0/fpm/php.ini
  # Ensure backwards compatible with 14.04
  - file=/etc/nginx/fastcgi.conf; if [ ! -f "$file" ]; then ln -s /etc/nginx/fastcgi_params "$file"; fi
  - service nginx restart
  - "mysql -u root -e \"CREATE DATABASE wordpress;\""
  - "mysql -u root -e \"GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'wordpresspassword'; FLUSH PRIVILEGES;\""

I have tried arranging the above into different formats. I've tried putting it on into one mysql command used several kinds of YAML multiline syntax, bash HEREDOC to split the query into lines, and every time made sure that it gets validated by the YAML validator. Alas, I get the pesky message every time, and it pops out immediately after I hit the "Create" button. This means that the problem happens somewhere on the front-end, and could be with YAML validation. Which is weird, because "User data" isn't even required to be valid YAML. And also, my YAML is valid. So, could somebody please explain what's going on?

4 comments
  • I was not allowed to submit or preview the original question, until I removed 4 lines, which were the first four mysql commands.

      - "mysql -u root -e \"UPDATE mysql.user SET Password=PASSWORD('$rootpass') WHERE User=''\"";
      - "mysql -u root -e \"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\""
      - "mysql -u root -e \"DELETE FROM mysql.user WHERE User='';\""
      - "mysql -u root -e \"DELETE FROM mysql.db WHERE Db='test' OR Db='test_%';\""
    
  • And now, I was not allowed to submit or preview the previous comment, until I edited the first line to remove the value "root" from between the single quotes in the WHERE clause.

  • When trying to preview the "wrong" message, it tries to render the Markup by going to https://www.digitalocean.com/community/markdown/preview. This URL returns a 403, and says the following:

    Sorry, you have been blocked
    You are unable to access digitalocean.com
    Why have I been blocked?
    This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

    Same result when trying to submit a "wrong" comment, when the request goes to https://www.digitalocean.com/community/questions/cannot-create-droplet-with-cloudinit-config/comments/66420

  • Now I went back to the "Create Droplets" page, and tried to submit the "wrong" user data again. This time the "Sorry, you have been blocked" 403 response comes from https://cloud.digitalocean.com/api/v1/droplets.

    It would appear that there's some protection in place at DO, which scans the POST content for suspicious words, and denies the resource if it thinks that the request is dangerous. At the same time, it would appear that this filter is way overzealous. DO, please dial it down, so that I can get on with my work! The cloud-config YAML is supposed to contain things that may look suspicions: it's system configuration!

2 Answers

TL;DR

There's a filter, and nothing can be done about it. Use the API instead.

Full Answer

DO support acknowledges the problem, admits the existence of a filter. Please find their final reply below.

I believe the filtering is in place on the front-end to avoid injection attempts. Unfortunately, we aren't able to loosen the current grips of that filtering. As a solution to the issue without reconfiguring the scripts, we'd recommend utilizing the API instead of the web panel for this creation

Have another answer? Share your knowledge.