From b8d229c8e3cf6403f1c28e555774340294c4f51a Mon Sep 17 00:00:00 2001
From: Drew Malin <dmalin@nvidia.com>
Date: Fri, 6 Feb 2026 10:09:51 -0800
Subject: [PATCH 1/2] fix(BRE2-662): Ensure ufw is installed during nebius
 cloudinit

---
 v1/providers/nebius/instance.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go
index 6f43534..3460efd 100644
--- a/v1/providers/nebius/instance.go
+++ b/v1/providers/nebius/instance.go
@@ -1748,7 +1748,10 @@ func (c *NebiusClient) cleanupOrphanedBootDisks(ctx context.Context, testID stri
 // This is inspired by Shadeform's LaunchConfiguration approach but uses cloud-init instead of base64 scripts
 func generateCloudInitUserData(publicKey string, firewallRules v1.FirewallRules) string {
 	// Start with cloud-init header
-	script := "#cloud-config\n"
+	script := `#cloud-config
+packages:
+  - ufw
+`
 
 	// Add SSH key configuration if provided
 	if publicKey != "" {

From e8f9155592cbffe3c99c056fa85e2d2aba2dd35d Mon Sep 17 00:00:00 2001
From: Drew Malin <dmalin@nvidia.com>
Date: Fri, 6 Feb 2026 10:48:25 -0800
Subject: [PATCH 2/2] wait for cloud-init

---
 v1/image.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/v1/image.go b/v1/image.go
index 7ec4c49..57d21ee 100644
--- a/v1/image.go
+++ b/v1/image.go
@@ -40,6 +40,9 @@ func ValidateInstanceImage(ctx context.Context, instance Instance, privateKey st
 		}
 	}()
 
+	// If cloud-init is present, wait until it has finished (e.g. UFW/runcmd done).
+	_, _, _ = sshClient.RunCommand(ctx, "cloud-init status --wait 2>/dev/null || true")
+
 	arch, err := validateArchitecture(ctx, sshClient)
 	if err != nil {
 		return err