diff --git a/cloud-init-0.7.8-credcache.patch b/cloud-init-0.7.8-credcache.patch
new file mode 100644
index 0000000..2cb46b1
--- /dev/null
+++ b/cloud-init-0.7.8-credcache.patch
@@ -0,0 +1,67 @@
+Index: cloud-init-0.7.8/cloudinit/ec2_utils.py
+===================================================================
+--- cloud-init-0.7.8.orig/cloudinit/ec2_utils.py
++++ cloud-init-0.7.8/cloudinit/ec2_utils.py
+@@ -94,6 +94,9 @@ class MetadataMaterializer(object):
+ field_name = get_name(field)
+ if not field or not field_name:
+ continue
++ # Don't materialize credentials
++ if field_name == 'security-credentials':
++ continue
+ if has_children(field):
+ if field_name not in children:
+ children.append(field_name)
+Index: cloud-init-0.7.8/tests/unittests/test_ec2_util.py
+===================================================================
+--- cloud-init-0.7.8.orig/tests/unittests/test_ec2_util.py
++++ cloud-init-0.7.8/tests/unittests/test_ec2_util.py
+@@ -137,3 +137,48 @@ class TestEc2Util(helpers.HttprettyTestC
+ self.assertEqual(2, len(bdm))
+ self.assertEqual(bdm['ami'], 'sdb')
+ self.assertEqual(bdm['ephemeral0'], 'sdc')
++
++ @hp.activate
++ def test_metadata_no_security_credentials(self):
++ base_url = 'http://169.254.169.254/%s/meta-data/' % (self.VERSION)
++ hp.register_uri(hp.GET, base_url, status=200,
++ body="\n".join(['instance-id',
++ 'iam/']))
++ hp.register_uri(hp.GET, uh.combine_url(base_url, 'instance-id'),
++ status=200, body='i-0123451689abcdef0')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/'),
++ status=200,
++ body="\n".join(['info/', 'security-credentials/']))
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/info/'),
++ status=200,
++ body='LastUpdated')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/info/LastUpdated'),
++ status=200, body='2016-10-27T17:29:39Z')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url, 'iam/security-credentials/'),
++ status=200,
++ body='ReadOnly/')
++ hp.register_uri(hp.GET,
++ uh.combine_url(base_url,
++ 'iam/security-credentials/ReadOnly/'),
++ status=200,
++ body="\n".join(['LastUpdated', 'Expiration']))
++ hp.register_uri(hp.GET,
++ 
uh.combine_url(
++ base_url,
++ 'iam/security-credentials/ReadOnly/LastUpdated'),
++ status=200, body='2016-10-27T17:28:17Z')
++ hp.register_uri(hp.GET,
++ uh.combine_url(
++ base_url,
++ 'iam/security-credentials/ReadOnly/Expiration'),
++ status=200, body='2016-10-28T00:00:34Z')
++ md = eu.get_instance_metadata(self.VERSION, retries=0, timeout=0.1)
++ self.assertEqual(md['instance-id'], 'i-0123451689abcdef0')
++ iam = md['iam']
++ self.assertEqual(1, len(iam))
++ self.assertEqual(iam['info']['LastUpdated'], '2016-10-27T17:29:39Z')
++ self.assertNotIn('security-credentials', iam)
diff --git a/cloud-init.spec b/cloud-init.spec
index b87546b..bb27262 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -66,6 +66,11 @@ Patch14: cloud-init-0.7.8-systemd-loop.target
 # https://bugzilla.redhat.com/show_bug.cgi?id=1400249
 Patch15: cloud-init-0.7.8-before-network-target.patch
+# Do not cache IAM instance profile credentials on disk
+# https://bugs.launchpad.net/cloud-init/+bug/1638312
+# https://git.launchpad.net/cloud-init/commit/?id=b71592ce0e0a9f9f9f225315015ca57b312ad30d
+Patch16: cloud-init-0.7.8-credcache.patch
+
 BuildArch: noarch
 BuildRequires: pkgconfig
@@ -209,6 +214,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Mar 14 2017 Garrett Holmstrom - 0.7.8-5
 - Ordered cloud-init.service after network.service and NetworkManager.service [RH:1400249]
+- Stopped caching IAM instance profile credentials on disk [LP:1638312]
 * Fri Jan 27 2017 Garrett Holmstrom - 0.7.8-5
 - Re-applied rsyslog configuration fixes
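Review bot: The new guard `if field_name == 'security-credentials': continue` in MetadataMaterializer carries only the comment `# Don't materialize credentials`, which does not record why the key is dropped, and a later reader hitting the missing `iam['security-credentials']` key could easily remove it; I would expand it to `# Don't materialize credentials: this tree is persisted to the on-disk instance cache, so IAM instance-profile credentials must never be fetched into it (LP: #1638312)`. The exact, case-sensitive name match presumably relies on `get_name()` normalizing the trailing `/` of the `security-credentials/` directory entry, which the test's `assertNotIn` confirms for this fixture; the check is placed before `has_children()`, so the subtree is not requested at all. The new test only inspects the returned dict, so it would be stronger to also assert that httpretty recorded no request for any `iam/security-credentials/` URL (via its request log, e.g. `hp.latest_requests`, if the pinned version exposes it), since never retrieving the credentials is the property being fixed. The enclosing loop of MetadataMaterializer starts outside the hunk.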