Do not cache IAM instance profile credentials on disk
https://bugs.launchpad.net/cloud-init/+bug/1638312 https://git.launchpad.net/cloud-init/commit/?id=b71592ce0e0a9f9f9f225315015ca57b312ad30d
parent
7c131a37b4
commit
115ce31543
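--- a/cloud-init-0.7.8-credcache.patch
+++ b/cloud-init-0.7.8-credcache.patch
@@ -0,0 +1,67 @@
+Index: cloud-init-0.7.8/cloudinit/ec2_utils.py
+===================================================================
+--- cloud-init-0.7.8.orig/cloudinit/ec2_utils.py
++++ cloud-init-0.7.8/cloudinit/ec2_utils.py
+@@ -94,6 +94,9 @@ class MetadataMaterializer(object):
+field_name = get_name(field)
+if not field or not field_name:
+continue
++ # Don't materialize credentials
++ if field_name == 'security-credentials':
++ continue
+if has_children(field):
+if field_name not in children:
+children.append(field_name)
+Index: cloud-init-0.7.8/tests/unittests/test_ec2_util.py
+===================================================================
+--- cloud-init-0.7.8.orig/tests/unittests/test_ec2_util.py
++++ cloud-init-0.7.8/tests/unittests/test_ec2_util.py
+@@ -137,3 +137,48 @@ class TestEc2Util(helpers.HttprettyTestC
+self.assertEqual(2, len(bdm))
+self.assertEqual(bdm['ami'], 'sdb')
+self.assertEqual(bdm['ephemeral0'], 'sdc')
++
++ @hp.activate
++ def test_metadata_no_security_credentials(self):
++ base_url = 'http://169.254.169.254/%s/meta-data/' % (self.VERSION)
++ hp.register_uri(hp.GET, base_url, status=200,
++ body="\n".join(['instance-id',
++ 'iam/']))
++ hp.register_uri(hp.GET, uh.combine_url(base_url, 'instance-id'),
++ status=200, body='i-0123451689abcdef0')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/'),
++ status=200,
++ body="\n".join(['info/', 'security-credentials/']))
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/info/'),
++ status=200,
++ body='LastUpdated')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/info/LastUpdated'),
++ status=200, body='2016-10-27T17:29:39Z')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/security-credentials/'),
++ status=200,
++ body='ReadOnly/')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url,
++ 'iam/security-credentials/ReadOnly/'),
++ status=200,
++ body="\n".join(['LastUpdated', 'Expiration']))
++ hp.register_uri(hp.GET,
++ uh.combine_url(
++ base_url,
++ 'iam/security-credentials/ReadOnly/LastUpdated'),
++ status=200, body='2016-10-27T17:28:17Z')
++ hp.register_uri(hp.GET,
++ uh.combine_url(
++ base_url,
++ 'iam/security-credentials/ReadOnly/Expiration'),
++ status=200, body='2016-10-28T00:00:34Z')
++ md = eu.get_instance_metadata(self.VERSION, retries=0, timeout=0.1)
++ self.assertEqual(md['instance-id'], 'i-0123451689abcdef0')
++ iam = md['iam']
++ self.assertEqual(1, len(iam))
++ self.assertEqual(iam['info']['LastUpdated'], '2016-10-27T17:29:39Z')
++ self.assertNotIn('security-credentials', iam)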
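Review bot: The new skip in the ec2_utils.py hunk compares `field_name` with the literal `'security-credentials'` and nothing else, so it applies at every level the materializer walks and silently drops that key for every caller of `get_instance_metadata`; the one-line comment says neither why nor how broadly. I would expand it to something like `# Skip IAM role credentials at any depth: crawled metadata is cached on disk (LP: #1638312)`. The new test only inspects the returned dict; because the `continue` sits before the `has_children` branch the credentials subtree is presumably never requested, and an extra assertion that no request reached the registered `iam/security-credentials/` URLs would pin that down. Any copy an earlier boot already cached is presumably not removed by this change, so it is worth confirming separately that the stale cache is regenerated. The loop this check sits in starts and ends outside the hunk.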
@ -66,6 +66,11 @@ Patch14: cloud-init-0.7.8-systemd-loop.target
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1400249
|
||||
Patch15: cloud-init-0.7.8-before-network-target.patch
|
||||
|
||||
# Do not cache IAM instance profile credentials on disk
|
||||
# https://bugs.launchpad.net/cloud-init/+bug/1638312
|
||||
# https://git.launchpad.net/cloud-init/commit/?id=b71592ce0e0a9f9f9f225315015ca57b312ad30d
|
||||
Patch16: cloud-init-0.7.8-credcache.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: pkgconfig
|
||||
@ -209,6 +214,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%changelog
|
||||
* Tue Mar 14 2017 Garrett Holmstrom <gholms@fedoraproject.org> - 0.7.8-5
|
||||
- Ordered cloud-init.service after network.service and NetworkManager.service [RH:1400249]
|
||||
- Stopped caching IAM instance profile credentials on disk [LP:1638312]
|
||||
|
||||
* Fri Jan 27 2017 Garrett Holmstrom <gholms@fedoraproject.org> - 0.7.8-5
|
||||
- Re-applied rsyslog configuration fixes
|
||||
|