
I am trying to write a script to automate deployment of VMs. So I am testing configurations for various platforms.

Problem


Creating virtual machines in KVM/libvirt/QEMU using the cloud images from Ubuntu (or Fedora) fails when secure-boot is enabled.

System Info


  • Host: Debian Bookworm

Steps to reproduce


  1. Create cloud-init's user-data file with the contents below (uncomment the plain text password and lock lines for testing).
sudo nano /home/VMs/cloud-init/user-data
#cloud-config
hostname: ubuntutest

users:
  - name: testuser
    plain_text_passwd: testpwd
    lock-passwd: false
    groups: sudo
    sudo: "ALL=(ALL) NOPASSWD: ALL"
    shell: /bin/bash
    ssh_authorized_keys:
      - <REDACTED>

  2. Download an Ubuntu (or Fedora) cloud image from https://cloud-images.ubuntu.com/<codename>/current/<codename>-server-cloudimg-amd64.img (tried 24.04, 24.10, and 25.04 so far).
  3. (optional) Make a copy, so the image is not downloaded every time:
sudo cp <codename>-server-cloudimg-amd64.img /home/VMs/volumes/test.qcow2
  4. Install the system using virt-install:
virt-install \
  --name ubuntutest \
  --ram 2048 \
  --vcpus 2 \
  --disk path=/home/VMs/volumes/test.qcow2 \
  --cloud-init user-data=/home/VMs/cloud-init/user-data \
  --os-variant ubuntu22.04 \
  --network network=default,model=virtio \
  --boot uefi,loader_secure=yes \
  --tpm emulator \
  --machine q35 \
  --import

Errors


When I run the command above, I get the output below.

BdsDxe: loading Boot0002 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)
BdsDxe: starting Boot0002 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)
Reset System

Domain creation completed.

Then the VM shuts down, really fast!

I can turn it on afterwards, but it is a VM with all the default configurations. Clearly cloud-init did not run upon creation.

Comments


The 4 steps work perfectly if the only thing you change is:

  • Disable secure boot, i.e. delete the line --boot uefi,loader_secure=yes.

Or

  • Download Debian instead of Ubuntu. (Tried Debian 12 and 13).

Questions


How do I make secure boot work with cloud images? Why is Debian working with no problems, while other distributions like Ubuntu and Fedora don't seem to work here?

Any help is appreciated. Happy to provide more context if needed.

1 Answer


I'm not going to select this as an answer.

But I think I got a workaround to deploy all VMs.

What is going wrong


  1. Ubuntu (and Fedora) seem to immediately restart when they notice that secure boot is enabled. Still don't know why.
  2. The --cloud-init flag for virt-install creates a temporary iso file that is mounted as a cdrom only during the first boot. (See docs)

This explains why Ubuntu is not getting the cloud-init configuration upon boot.

Workaround


  1. Create the iso image manually.
sudo xorriso -as genisoimage -output cloud-init.iso -volid cidata -joliet -rock user-data meta-data

Don't forget the meta-data file even if it is empty.

  2. Mount it as a cdrom.
virt-install \
  --name ubuntutest \
  --ram 2048 \
  --vcpus 2 \
  --disk path=/home/VMs/volumes/test.qcow2 \
  --disk path=/home/VMs/cloud-init/cloud-init.iso,device=cdrom \
  --os-variant ubuntu22.04 \
  --network network=default,model=virtio \
  --boot uefi,loader_secure=yes \
  --tpm emulator \
  --machine q35 \
  --import
  3. Unmount manually after first boot.
virsh shutdown ubuntutest
virsh change-media ubuntutest sdb --eject

This last step is not as easy to automate, as there need to be checks on whether or not the machine finished booting up before shutting it down or ejecting the media. Also, sdb might not always be the media device.
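As an added example (not code from the question or the answer above), the four steps of the question and the three steps of the workaround can be scripted end to end: build the seed ISO with an empty meta-data file if none exists, run virt-install with the ISO attached as a cdrom, wait until the guest reports "shut off", then eject whatever target libvirt actually assigned to the cdrom rather than assuming sdb. The domain name, paths and the 600-second timeout are assumptions carried over from the question. The script also assumes the user-data ends with a power_state section (mode: poweroff) so that cloud-init powers the guest off when it has finished; that is what turns "shut off" into a usable signal that the first boot completed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: automate the
# manual-seed-ISO workaround end to end. Paths, domain name and timeout are
# assumptions taken over from the question; adjust to taste.
set -eu

DOMAIN="${DOMAIN:-ubuntutest}"
WORKDIR="${WORKDIR:-/home/VMs/cloud-init}"   # holds user-data and meta-data
DISK="${DISK:-/home/VMs/volumes/test.qcow2}"
BOOT_TIMEOUT="${BOOT_TIMEOUT:-600}"          # seconds to wait for first boot

# build_seed_iso DIR: create DIR/cloud-init.iso (volume id "cidata") from
# DIR/user-data and DIR/meta-data. meta-data must exist; an empty file is fine.
build_seed_iso() {
    dir=$1
    [ -f "$dir/user-data" ] || { echo "missing $dir/user-data" >&2; return 1; }
    [ -f "$dir/meta-data" ] || : > "$dir/meta-data"
    ( cd "$dir" && xorriso -as genisoimage -output cloud-init.iso \
        -volid cidata -joliet -rock user-data meta-data )
}

# cdrom_targets: read `virsh domblklist DOMAIN --details` output on stdin and
# print the Target column of every row whose Device column is "cdrom".
# Column layout with --details is: Type Device Target Source.
cdrom_targets() {
    awk '$2 == "cdrom" { print $3 }'
}

# Constructed sample of `virsh domblklist --details` output (not captured from
# a real host) so cdrom_targets can be exercised without libvirt.
SAMPLE_BLKLIST=' Type   Device   Target   Source
--------------------------------------------------------------
 file   disk     vda      /home/VMs/volumes/test.qcow2
 file   cdrom    sda      /home/VMs/cloud-init/cloud-init.iso'

# wait_for_shutoff DOMAIN TIMEOUT: poll `virsh domstate` until the guest
# reports "shut off". This relies on the user-data carrying
#   power_state:
#     mode: poweroff
# so that cloud-init powers the guest off once it has finished (assumption).
wait_for_shutoff() {
    dom=$1; limit=$2; waited=0
    while [ "$(virsh domstate "$dom")" != "shut off" ]; do
        [ "$waited" -lt "$limit" ] || { echo "$dom did not shut off in ${limit}s" >&2; return 1; }
        sleep 5
        waited=$((waited + 5))
    done
}

# eject_seed DOMAIN: eject every cdrom attached to the (now stopped) domain,
# using the target names libvirt actually assigned instead of assuming sdb.
eject_seed() {
    dom=$1
    virsh domblklist "$dom" --details | cdrom_targets | while read -r target; do
        virsh change-media "$dom" "$target" --eject
    done
}

# deploy: the full sequence from the answer, with the eject gated on shutdown.
deploy() {
    build_seed_iso "$WORKDIR"
    virt-install \
      --name "$DOMAIN" \
      --ram 2048 \
      --vcpus 2 \
      --disk path="$DISK" \
      --disk path="$WORKDIR/cloud-init.iso",device=cdrom \
      --os-variant ubuntu22.04 \
      --network network=default,model=virtio \
      --boot uefi,loader_secure=yes \
      --tpm emulator \
      --machine q35 \
      --import \
      --noautoconsole
    wait_for_shutoff "$DOMAIN" "$BOOT_TIMEOUT"
    eject_seed "$DOMAIN"
    virsh start "$DOMAIN"
}

# Only deploy when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    deploy
fi
```

Run it as `sh deploy.sh run`. The eject is driven by the Device column of virsh domblklist --details, so it keeps working when libvirt picks sda, sdb or something else for the seed ISO, and the timeout keeps the script from hanging forever if the guest never powers itself off (for example because the Secure Boot reset described in the answer happened before cloud-init ran).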