From 5f351c7ac8a9f0f827685ed446e4db8e0c192623 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Tue, 25 Jul 2023 03:47:52 -0400 Subject: [PATCH] * Tue Jul 25 2023 Miroslav Rezanina - 23.1.1-7 - ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch [bz#2222501] - Resolves: bz#2222501 (Don't change log permissions if they are already more restrictive [rhel-8]) --- .gitignore | 2 + ...E-based-distros-for-ca-handling-2036.patch | 93 ++++++ ...istent-ca-cert-config-situation-2073.patch | 88 ++++++ ...rt-limit-permissions-on-def_log_file.patch | 63 ++++ ci-cosmetic-fix-tox-formatting.patch | 35 +++ ...rent-file-mode-of-log-file-if-its-st.patch | 183 +++++++++++ ...es-to-apply-RHEL-specific-config-set.patch | 47 +++ ...s-remove-NM_CONTROLLED-no-from-tests.patch | 286 ++++++++++++++++++ ...on-fix-the-tool-so-that-it-can-handl.patch | 117 +++++++ cloud-init.spec | 16 +- 10 files changed, 929 insertions(+), 1 deletion(-) create mode 100644 ci-Enable-SUSE-based-distros-for-ca-handling-2036.patch create mode 100644 ci-Handle-non-existent-ca-cert-config-situation-2073.patch create mode 100644 ci-Revert-limit-permissions-on-def_log_file.patch create mode 100644 ci-cosmetic-fix-tox-formatting.patch create mode 100644 ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch create mode 100644 ci-test-fixes-changes-to-apply-RHEL-specific-config-set.patch create mode 100644 ci-test-fixes-remove-NM_CONTROLLED-no-from-tests.patch create mode 100644 ci-tools-read-version-fix-the-tool-so-that-it-can-handl.patch
diff --git a/.gitignore b/.gitignore
index 88387db..4679a99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 SOURCES/cloud-init-22.1.tar.gz
 /cloud-init-22.1.tar.gz
 /cloud-init-23.1.1.tar.gz
+/*.tar.gz
+/*.rpm
diff --git a/ci-Enable-SUSE-based-distros-for-ca-handling-2036.patch b/ci-Enable-SUSE-based-distros-for-ca-handling-2036.patch
new file mode 100644
index 0000000..d572afc
--- /dev/null
+++ b/ci-Enable-SUSE-based-distros-for-ca-handling-2036.patch
@@ -0,0 +1,93 @@
+From e5d0944117fba5079de5452307f1bea89147f747 Mon Sep 17 00:00:00 2001
+From: Robert Schweikert
+Date: Thu, 23 Feb 2023 16:43:56 -0500
+Subject: [PATCH 04/11] Enable SUSE based distros for ca handling (#2036)
+
+CA handling in the configuration module was previously not supported
+for SUSE based distros. Enable this functionality by creating the
+necessary configuration settings.
+
+Secondly update the test such that it does not bleed through to the
+test system.
+
+(cherry picked from commit 46fcd03187d70f405c748f7a6cfdb02ecb8c6ee7)
+Signed-off-by: Ani Sinha
+---
+ cloudinit/config/cc_ca_certs.py | 31 +++++++++++++++++++++-
+ tests/unittests/config/test_cc_ca_certs.py | 2 ++
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_ca_certs.py b/cloudinit/config/cc_ca_certs.py
+index 169b0e18..51b8577c 100644
+--- a/cloudinit/config/cc_ca_certs.py
++++ b/cloudinit/config/cc_ca_certs.py
+@@ -32,8 +32,25 @@ DISTRO_OVERRIDES = {
+ "ca_cert_config": None,
+ "ca_cert_update_cmd": ["update-ca-trust"],
+ },
++ "opensuse": {
++ "ca_cert_path": "/etc/pki/trust/",
++ "ca_cert_local_path": "/usr/share/pki/trust/",
++ "ca_cert_filename": "anchors/cloud-init-ca-cert-{cert_index}.crt",
++ "ca_cert_config": None,
++ "ca_cert_update_cmd": ["update-ca-certificates"],
++ },
+ }
+
++for distro in (
++ "opensuse-microos",
++ "opensuse-tumbleweed",
++ "opensuse-leap",
++ "sle_hpc",
++ "sle-micro",
++ "sles",
++):
++ DISTRO_OVERRIDES[distro] = DISTRO_OVERRIDES["opensuse"]
++
+ MODULE_DESCRIPTION = """\
+ This module adds CA certificates to the system's CA store and updates any
+ related files using the appropriate OS-specific utility. The default CA
+@@ -48,7 +65,19 @@ configuration option ``remove_defaults``.
+ Alpine Linux requires the ca-certificates package to be installed in
+ order to provide the ``update-ca-certificates`` command.
+ """
+-distros = ["alpine", "debian", "rhel", "ubuntu"]
++distros = [
++ "alpine",
++ "debian",
++ "rhel",
++ "opensuse",
++ "opensuse-microos",
++ "opensuse-tumbleweed",
++ "opensuse-leap",
++ "sle_hpc",
++ "sle-micro",
++ "sles",
++ "ubuntu",
++]
+
+ meta: MetaSchema = {
+ "id": "cc_ca_certs",
+diff --git a/tests/unittests/config/test_cc_ca_certs.py b/tests/unittests/config/test_cc_ca_certs.py
+index 19e5d422..6db17485 100644
+--- a/tests/unittests/config/test_cc_ca_certs.py
++++ b/tests/unittests/config/test_cc_ca_certs.py
+@@ -311,6 +311,7 @@ class TestRemoveDefaultCaCerts(TestCase):
+ "cloud_dir": tmpdir,
+ }
+ )
++ self.add_patch("cloudinit.config.cc_ca_certs.os.stat", "m_stat")
+
+ def test_commands(self):
+ ca_certs_content = "# line1\nline2\nline3\n"
+@@ -318,6 +319,7 @@ class TestRemoveDefaultCaCerts(TestCase):
+ "# line1\n# Modified by cloud-init to deselect certs due to"
+ " user-data\n!line2\n!line3\n"
+ )
++ self.m_stat.return_value.st_size = 1
+
+ for distro_name in cc_ca_certs.distros:
+ conf = cc_ca_certs._distro_ca_certs_configs(distro_name)
+--
+2.39.3
+
diff --git a/ci-Handle-non-existent-ca-cert-config-situation-2073.patch b/ci-Handle-non-existent-ca-cert-config-situation-2073.patch
new file mode 100644
index 0000000..3edfde9
--- /dev/null
+++ b/ci-Handle-non-existent-ca-cert-config-situation-2073.patch
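Review bot: The six SUSE alias keys added to `DISTRO_OVERRIDES` are all bound to the same dict object as `"opensuse"`, so any code that writes into the config it looks up (not visible in this hunk) changes it for every SUSE name at once; `DISTRO_OVERRIDES[distro] = dict(DISTRO_OVERRIDES["opensuse"])` gives each name its own copy. The loop also leaves `distro` behind as a module-level name, and the same six names are spelled out a second time in `distros`, so the two lists can drift apart. A short comment above the loop saying that these names share the openSUSE trust-store layout would document why they are aliased.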
@@ -0,0 +1,88 @@
+From 8b9627be7ed3e44c6890e52723cb86375f56a0e4 Mon Sep 17 00:00:00 2001
+From: Shreenidhi Shedi <53473811+sshedi@users.noreply.github.com>
+Date: Fri, 17 Mar 2023 03:01:22 +0530
+Subject: [PATCH 05/11] Handle non existent ca-cert-config situation (#2073)
+
+Currently if a cert file doesn't exist, cc_ca_certs module crashes
+This fix makes it possible to handle it gracefully.
+
+Also, out_lines variable may not be available if os.stat returns 0.
+This issue is also taken care of.
+
+Added tests for the same.
+
+(cherry picked from commit 3634678465e7b8f8608bcb9a1f5773ae7837cbe9)
+Signed-off-by: Ani Sinha
+---
+ cloudinit/config/cc_ca_certs.py | 19 +++++++++++++------
+ tests/unittests/config/test_cc_ca_certs.py | 12 ++++++++++++
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/cloudinit/config/cc_ca_certs.py b/cloudinit/config/cc_ca_certs.py
+index 51b8577c..4dc08681 100644
+--- a/cloudinit/config/cc_ca_certs.py
++++ b/cloudinit/config/cc_ca_certs.py
+@@ -177,14 +177,20 @@ def disable_system_ca_certs(distro_cfg):
+
+ @param distro_cfg: A hash providing _distro_ca_certs_configs function.
+ """
+- if distro_cfg["ca_cert_config"] is None:
++
++ ca_cert_cfg_fn = distro_cfg["ca_cert_config"]
++
++ if not ca_cert_cfg_fn or not os.path.exists(ca_cert_cfg_fn):
+ return
++
+ header_comment = (
+ "# Modified by cloud-init to deselect certs due to user-data"
+ )
++
+ added_header = False
+- if os.stat(distro_cfg["ca_cert_config"]).st_size != 0:
+- orig = util.load_file(distro_cfg["ca_cert_config"])
++
++ if os.stat(ca_cert_cfg_fn).st_size:
++ orig = util.load_file(ca_cert_cfg_fn)
+ out_lines = []
+ for line in orig.splitlines():
+ if line == header_comment:
+@@ -197,9 +203,10 @@ def disable_system_ca_certs(distro_cfg):
+ out_lines.append(header_comment)
+ added_header = True
+ out_lines.append("!" + line)
+- util.write_file(
+- distro_cfg["ca_cert_config"], "\n".join(out_lines) + "\n", omode="wb"
+- )
++
++ util.write_file(
++ ca_cert_cfg_fn, "\n".join(out_lines) + "\n", omode="wb"
++ )
+
+
+ def remove_default_ca_certs(distro_cfg):
+diff --git a/tests/unittests/config/test_cc_ca_certs.py b/tests/unittests/config/test_cc_ca_certs.py
+index 6db17485..5f1894e7 100644
+--- a/tests/unittests/config/test_cc_ca_certs.py
++++ b/tests/unittests/config/test_cc_ca_certs.py
+@@ -365,6 +365,18 @@ class TestRemoveDefaultCaCerts(TestCase):
+ else:
+ assert mock_subp.call_count == 0
+
++ def test_non_existent_cert_cfg(self):
++ self.m_stat.return_value.st_size = 0
++
++ for distro_name in cc_ca_certs.distros:
++ conf = cc_ca_certs._distro_ca_certs_configs(distro_name)
++ with ExitStack() as mocks:
++ mocks.enter_context(
++ mock.patch.object(util, "delete_dir_contents")
++ )
++ mocks.enter_context(mock.patch.object(subp, "subp"))
++ cc_ca_certs.disable_default_ca_certs(distro_name, conf)
++
+
+ class TestCACertsSchema:
+ """Directly test schema rather than through handle."""
+--
+2.39.3
+
diff --git a/ci-Revert-limit-permissions-on-def_log_file.patch b/ci-Revert-limit-permissions-on-def_log_file.patch
new file mode 100644
index 0000000..f753861
--- /dev/null
+++ b/ci-Revert-limit-permissions-on-def_log_file.patch
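Review bot: `disable_system_ca_certs` now calls `os.path.exists(ca_cert_cfg_fn)` and then `os.stat(ca_cert_cfg_fn)` on the same path, so the file is looked up twice and can still disappear between the two calls; one `os.stat` inside `try`/`except FileNotFoundError: return` covers the missing and the empty case together. The early return is silent, which means that when removal of the default CAs was requested and the config file is absent nothing records that the step was skipped; a debug or warning log line before `return` would make that visible. `test_non_existent_cert_cfg` makes no assertion and does not patch `os.path.exists`, so what it exercises depends on the patched `os.stat` and possibly on the host; asserting that `util.write_file` is not called would pin the intended behaviour. The function body starts above the hunk.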
@@ -0,0 +1,63 @@
+From fcd4f7c99e866abb93d0a56f5967b35dbec4088c Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Fri, 7 Jul 2023 16:05:48 +0530
+Subject: [PATCH 06/11] Revert "limit permissions on def_log_file"
+
+This reverts commit 1308991156950833f62ec1464b1aef3673864c02.
+This patch seems to be not doing anythiing at all.
+
+X-downstream-only: true
+
+Signed-off-by: Ani Sinha
+---
+ cloudinit/settings.py | 1 -
+ cloudinit/stages.py | 1 -
+ doc/examples/cloud-config.txt | 4 ----
+ 3 files changed, 6 deletions(-)
+
+diff --git a/cloudinit/settings.py b/cloudinit/settings.py
+index 88aac6be..a36c518d 100644
+--- a/cloudinit/settings.py
++++ b/cloudinit/settings.py
+@@ -52,7 +52,6 @@ CFG_BUILTIN = {
+ "None",
+ ],
+ "def_log_file": "/var/log/cloud-init.log",
+- "def_log_file_mode": 0o600,
+ "log_cfgs": [],
+ "syslog_fix_perms": [],
+ "mount_default_fields": [None, None, "auto", "defaults,nofail", "0", "2"],
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index 1326d205..21f30a1f 100644
+--- a/cloudinit/stages.py
++++ b/cloudinit/stages.py
+@@ -202,7 +202,6 @@ class Init:
+ def _initialize_filesystem(self):
+ util.ensure_dirs(self._initial_subdirs())
+ log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
+- log_file_mode = util.get_cfg_option_int(self.cfg, "def_log_file_mode")
+ if log_file:
+ # At this point the log file should have already been created
+ # in the setupLogging function of log.py
+diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
+index b6d16c9c..15d788f3 100644
+--- a/doc/examples/cloud-config.txt
++++ b/doc/examples/cloud-config.txt
+@@ -383,14 +383,10 @@ timezone: US/Eastern
+ # if syslog_fix_perms is a list, it will iterate through and use the
+ # first pair that does not raise error.
+ #
+-# 'def_log_file' will be created with mode 'def_log_file_mode', which
+-# is specified as a numeric value and defaults to 0600.
+-#
+ # the default values are '/var/log/cloud-init.log' and 'syslog:adm'
+ # the value of 'def_log_file' should match what is configured in logging
+ # if either is empty, then no change of ownership will be done
+ def_log_file: /var/log/my-logging-file.log
+-def_log_file_mode: 0600
+ syslog_fix_perms: syslog:root
+
+ # you can set passwords for a user or multiple users
+--
+2.39.3
+
diff --git a/ci-cosmetic-fix-tox-formatting.patch b/ci-cosmetic-fix-tox-formatting.patch
new file mode 100644
index 0000000..ce1795c
--- /dev/null
+++ b/ci-cosmetic-fix-tox-formatting.patch
@@ -0,0 +1,35 @@
+From 9f560fd70f64cbe1827e2e490206d245f3ac7812 Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Fri, 7 Jul 2023 15:38:14 +0530
+Subject: [PATCH 08/11] cosmetic: fix tox formatting
+
+This is a cosmetic formatting change that makes tox happy.
+
+X-downstream-only: true
+
+fixes: 06b2d8279628eb5d0 ("include 'NOZEROCONF=yes' in /etc/sysconfig/network")
+Signed-off-by: Ani Sinha
+---
+ cloudinit/net/sysconfig.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
+index 5bf3e7ca..421564ee 100644
+--- a/cloudinit/net/sysconfig.py
++++ b/cloudinit/net/sysconfig.py
+@@ -1028,9 +1028,9 @@ class Renderer(renderer.Renderer):
+ for line in util.load_file(sysconfig_path, quiet=True).split("\n"):
+ if "cloud-init" in line:
+ break
+- if not line.startswith(("NETWORKING=",
+- "IPV6_AUTOCONF=",
+- "NETWORKING_IPV6=")):
++ if not line.startswith(
++ ("NETWORKING=", "IPV6_AUTOCONF=", "NETWORKING_IPV6=")
++ ):
+ netcfg.append(line)
+ # Now generate the cloud-init portion of sysconfig/network
+ netcfg.extend([_make_header(), "NETWORKING=yes"])
+--
+2.39.3
+
diff --git a/ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch b/ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch
new file mode 100644
index 0000000..10879be
--- /dev/null
+++ b/ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch
@@ -0,0 +1,183 @@
+From 0de2584f99c49b5d22bc7d1d08070d53b8fc1b3b Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Thu, 20 Jul 2023 23:56:01 +0530
+Subject: [PATCH 11/11] logging: keep current file mode of log file if its
+ stricter than the new mode (#4250)
+
+RH-Author: Ani Sinha
+RH-MergeRequest: 105: [RHEL 8.9] logging: keep current file mode of log file if its stricter than the new mode (#4250)
+RH-Bugzilla: 2222501
+RH-Acked-by: Emanuele Giuseppe Esposito
+RH-Acked-by: Miroslav Rezanina
+RH-Commit: [1/1] 2733073d4dd119e29d1cf227e787afa15c9f8991
+
+By default, the cloud init log file is created with mode 0o644 with
+`preserve_mode` parameter of `write_file()` set to False. This means that when
+an existing log file is found, its mode will be unconditionally reset to the
+mode 0o644. It is possible that this might cause the change of the mode of the
+log file from the current more stricter mode to a less strict mode
+(when the new mode 0o644 is less strict than the existing mode of the file).
+
+In order to mitigate the above issue, check the current mode of the log file
+and if the current mode is stricter than the default new mode 0o644, then
+preserve the current mode of the file.
+
+Fixes GH-4243
+
+Signed-off-by: Ani Sinha
+(cherry picked from commit a0e4ec15a1adffabd1c539879514eae4807c834c)
+Signed-off-by: Ani Sinha
+
+ Conflicts:
+ tests/unittests/test_util.py
+---
+ cloudinit/stages.py | 15 ++++++++++++++-
+ cloudinit/util.py | 23 +++++++++++++++++++++++
+ tests/unittests/test_stages.py | 23 ++++++++++++++++-------
+ tests/unittests/test_util.py | 24 ++++++++++++++++++++++++
+ 4 files changed, 77 insertions(+), 8 deletions(-)
+
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index 21f30a1f..979179af 100644
+--- a/cloudinit/stages.py
++++ b/cloudinit/stages.py
+@@ -200,12 +200,25 @@ class Init:
+ self._initialize_filesystem()
+
+ def _initialize_filesystem(self):
++ mode = 0o640
++ fmode = None
++
+ util.ensure_dirs(self._initial_subdirs())
+ log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
+ if log_file:
+ # At this point the log file should have already been created
+ # in the setupLogging function of log.py
+- util.ensure_file(log_file, mode=0o640, preserve_mode=False)
++
++ try:
++ fmode = util.get_permissions(log_file)
++ except OSError:
++ pass
++
++ # if existing file mode fmode is stricter, do not change it.
++ if fmode and util.compare_permission(fmode, mode) < 0:
++ mode = fmode
++
++ util.ensure_file(log_file, mode, preserve_mode=False)
+ perms = self.cfg.get("syslog_fix_perms")
+ if not perms:
+ perms = {}
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 8ba3e2b6..00892d6f 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -2087,6 +2087,29 @@ def safe_int(possible_int):
+ return None
+
+
++def compare_permission(mode1, mode2):
++ """Compare two file modes in octal.
++
++ If mode1 is less restrictive than mode2 return 1
++ If mode1 is more restrictive than mode2 return -1
++ If mode1 is same as mode2, return 0
++
++ The comparison starts from the permission of the
++ set of users in "others" and then works up to the
++ permission of "user" set.
++ """
++ # Convert modes to octal and reverse the last 3 digits
++ # so 0o640 would be become 0o046
++ mode1_oct = oct(mode1)[2:].rjust(3, "0")
++ mode2_oct = oct(mode2)[2:].rjust(3, "0")
++ m1 = int(mode1_oct[:-3] + mode1_oct[-3:][::-1], 8)
++ m2 = int(mode2_oct[:-3] + mode2_oct[-3:][::-1], 8)
++
++ # Then do a traditional cmp()
++ # https://docs.python.org/3.0/whatsnew/3.0.html#ordering-comparisons
++ return (m1 > m2) - (m1 < m2)
++
++
+ def chmod(path, mode):
+ real_mode = safe_int(mode)
+ if path and real_mode:
+diff --git a/tests/unittests/test_stages.py b/tests/unittests/test_stages.py
+index a61f9df9..831ea9f2 100644
+--- a/tests/unittests/test_stages.py
++++ b/tests/unittests/test_stages.py
+@@ -606,13 +606,22 @@ class TestInit_InitializeFilesystem:
+ # Assert we create it 0o640 by default if it doesn't already exist
+ assert 0o640 == stat.S_IMODE(log_file.stat().mode)
+
+- def test_existing_file_permissions(self, init, tmpdir):
++ @pytest.mark.parametrize(
++ "set_perms,expected_perms",
++ [
++ (0o640, 0o640),
++ (0o606, 0o640),
++ (0o600, 0o600),
++ ],
++ )
++ def test_existing_file_permissions(
++ self, init, tmpdir, set_perms, expected_perms
++ ):
+ """Test file permissions are set as expected.
+
+- CIS Hardening requires 640 permissions. These permissions are
+- currently hardcoded on every boot, but if there's ever a reason
+- to change this, we need to then ensure that they
+- are *not* set every boot.
++ CIS Hardening requires 640 permissions. If the file has looser
++ permissions, then hard code 640. If the file has tighter
++ permissions, then leave them as they are
+
+ See https://bugs.launchpad.net/cloud-init/+bug/1900837.
+ """
+@@ -620,9 +629,9 @@ class TestInit_InitializeFilesystem:
+ log_file.ensure()
+ # Use a mode that will never be made the default so this test will
+ # always be valid
+- log_file.chmod(0o606)
++ log_file.chmod(set_perms)
+ init._cfg = {"def_log_file": str(log_file)}
+
+ init._initialize_filesystem()
+
+- assert 0o640 == stat.S_IMODE(log_file.stat().mode)
++ assert expected_perms == stat.S_IMODE(log_file.stat().mode)
+diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py
+index 07142a86..af96da05 100644
+--- a/tests/unittests/test_util.py
++++ b/tests/unittests/test_util.py
+@@ -3026,3 +3026,27 @@ class TestVersion:
+ )
+ def test_from_str(self, str_ver, cls_ver):
+ assert util.Version.from_str(str_ver) == cls_ver
++
++
++class TestComparePermissions:
++ @pytest.mark.parametrize(
++ "perm1,perm2,expected",
++ [
++ (0o777, 0o777, 0),
++ (0o000, 0o000, 0),
++ (0o421, 0o421, 0),
++ (0o1640, 0o1640, 0),
++ (0o1407, 0o1600, 1),
++ (0o1600, 0o1407, -1),
++ (0o407, 0o600, 1),
++ (0o600, 0o407, -1),
++ (0o007, 0o700, 1),
++ (0o700, 0o007, -1),
++ (0o077, 0o100, 1),
++ (0o644, 0o640, 1),
++ (0o640, 0o600, 1),
++ (0o600, 0o400, 1),
++ ],
++ )
++ def test_compare_permissions(self, perm1, perm2, expected):
++ assert util.compare_permission(perm1, perm2) == expected
+--
+2.39.3
+
diff --git a/ci-test-fixes-changes-to-apply-RHEL-specific-config-set.patch b/ci-test-fixes-changes-to-apply-RHEL-specific-config-set.patch
new file mode 100644
index 0000000..c3a1042
--- /dev/null
+++ b/ci-test-fixes-changes-to-apply-RHEL-specific-config-set.patch
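Review bot: `compare_permission` orders modes by the numeric value of each octal digit, so in `_initialize_filesystem` an existing mode such as 0o620 or 0o730 compares as stricter than 0o640 and is kept even though it grants group write; permission bits form a partial order, not a numeric one. A subset test on the bits states the intent directly, `if fmode is not None and (fmode & ~mode) == 0: mode = fmode`, and it still gives the three results parametrized in test_stages.py. The `if fmode and ...` guard also treats an existing mode of 0o000 as if no mode had been read and resets it to 0o640. If the helper is kept, its docstring should say that the ordering is lexicographic over the other/group/user digits and must not be read as "grants no additional access"; what `util.get_permissions` returns is not visible in this hunk.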
@@ -0,0 +1,47 @@
+From 866817455283619c706e837a77fb31adf3bdd3ce Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Fri, 23 Jun 2023 17:54:04 +0530
+Subject: [PATCH 07/11] test fixes: changes to apply RHEL specific config
+ settings to tests
+
+X-downstream-only: true
+
+fixes: c4d66915520554adedff9b ("Add initial redhat changes")
+Signed-off-by: Ani Sinha
+---
+ tests/unittests/cmd/test_main.py | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tests/unittests/cmd/test_main.py b/tests/unittests/cmd/test_main.py
+index e9ad0bb8..435d3be3 100644
+--- a/tests/unittests/cmd/test_main.py
++++ b/tests/unittests/cmd/test_main.py
+@@ -119,14 +119,19 @@ class TestMain(FilesystemMockingTestCase):
+ {
+ "def_log_file": "/var/log/cloud-init.log",
+ "log_cfgs": [],
+- "syslog_fix_perms": [
+- "syslog:adm",
+- "root:adm",
+- "root:wheel",
+- "root:root",
+- ],
+ "vendor_data": {"enabled": True, "prefix": []},
+ "vendor_data2": {"enabled": True, "prefix": []},
++ "syslog_fix_perms": [],
++ "ssh_deletekeys": False,
++ "ssh_genkeytypes": [],
++ "mount_default_fields": [
++ None,
++ None,
++ "auto",
++ "defaults,nofail",
++ "0",
++ "2",
++ ],
+ }
+ )
+ updated_cfg.pop("system_info")
+--
+2.39.3
+
diff --git a/ci-test-fixes-remove-NM_CONTROLLED-no-from-tests.patch b/ci-test-fixes-remove-NM_CONTROLLED-no-from-tests.patch
new file mode 100644
index 0000000..1b43058
--- /dev/null
+++ b/ci-test-fixes-remove-NM_CONTROLLED-no-from-tests.patch
@@ -0,0 +1,286 @@
+From 3a070f23440c9eb6e0e5fb3605e36285e8a5b727 Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Fri, 23 Jun 2023 16:54:24 +0530
+Subject: [PATCH 03/11] test fixes: remove NM_CONTROLLED=no from tests
+
+X-downstream-only: true
+fixes: b3b96bff187e9 ("Do not write NM_CONTROLLED=no in generated interface config files")
+
+Signed-off-by: Ani Sinha
+---
+ tests/unittests/cmd/devel/test_net_convert.py | 1 -
+ tests/unittests/distros/test_netconfig.py | 8 -------
+ tests/unittests/test_net.py | 23 -------------------
+ 3 files changed, 32 deletions(-)
+
+diff --git a/tests/unittests/cmd/devel/test_net_convert.py b/tests/unittests/cmd/devel/test_net_convert.py
+index 71654750..e0114a2e 100644
+--- a/tests/unittests/cmd/devel/test_net_convert.py
++++ b/tests/unittests/cmd/devel/test_net_convert.py
+@@ -62,7 +62,6 @@ SAMPLE_SYSCONFIG_CONTENT = """\
+ #
+ BOOTPROTO=dhcp
+ DEVICE=eth0
+-NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+diff --git a/tests/unittests/distros/test_netconfig.py b/tests/unittests/distros/test_netconfig.py
+index b1c89ce3..7f9ac054 100644
+--- a/tests/unittests/distros/test_netconfig.py
++++ b/tests/unittests/distros/test_netconfig.py
+@@ -723,7 +723,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ GATEWAY=192.168.1.254
+ IPADDR=192.168.1.5
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -733,7 +732,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ """\
+ BOOTPROTO=dhcp
+ DEVICE=eth1
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -764,7 +762,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ IPV6_AUTOCONF=no
+ IPV6_DEFAULTGW=2607:f0d0:1002:0011::1
+ IPV6_FORCE_ACCEPT_RA=no
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -774,7 +771,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ """\
+ BOOTPROTO=dhcp
+ DEVICE=eth1
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -821,7 +817,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ HWADDR=00:16:3e:60:7c:df
+ IPADDR=192.10.1.2
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -833,7 +828,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ DEVICE=infra0
+ IPADDR=10.0.1.2
+ NETMASK=255.255.0.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ PHYSDEV=eth0
+ USERCTL=no
+@@ -869,7 +863,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ DEVICE=eth0
+ IPADDR=192.10.1.2
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -881,7 +874,6 @@ class TestNetCfgDistroRedhat(TestNetCfgDistroBase):
+ DEVICE=eth0.1001
+ IPADDR=10.0.1.2
+ NETMASK=255.255.0.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ PHYSDEV=eth0
+ USERCTL=no
+diff --git a/tests/unittests/test_net.py b/tests/unittests/test_net.py
+index 7abe61b9..6274f12d 100644
+--- a/tests/unittests/test_net.py
++++ b/tests/unittests/test_net.py
+@@ -1495,7 +1495,6 @@ NETWORK_CONFIGS = {
+ DHCPV6C=yes
+ IPV6INIT=yes
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1586,7 +1585,6 @@ NETWORK_CONFIGS = {
+ IPV6INIT=yes
+ IPV6_FORCE_ACCEPT_RA=yes
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1662,7 +1660,6 @@ NETWORK_CONFIGS = {
+ IPV6INIT=yes
+ IPV6_FORCE_ACCEPT_RA=no
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1726,7 +1723,6 @@ NETWORK_CONFIGS = {
+ IPV6_AUTOCONF=yes
+ IPV6INIT=yes
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1781,7 +1777,6 @@ NETWORK_CONFIGS = {
+ IPV6_AUTOCONF=no
+ IPV6_FORCE_ACCEPT_RA=no
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1838,7 +1833,6 @@ NETWORK_CONFIGS = {
+ IPV6_AUTOCONF=yes
+ IPV6INIT=yes
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1920,7 +1914,6 @@ NETWORK_CONFIGS = {
+ IPV6_AUTOCONF=no
+ IPV6_FORCE_ACCEPT_RA=yes
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -1961,7 +1954,6 @@ NETWORK_CONFIGS = {
+ """\
+ BOOTPROTO=dhcp
+ DEVICE=iface0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -2038,7 +2030,6 @@ NETWORK_CONFIGS = {
+ BOOTPROTO=dhcp
+ DEVICE=iface0
+ ETHTOOL_OPTS="wol g"
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -2504,7 +2495,6 @@ pre-down route del -net 10.0.0.0/8 gw 11.0.0.1 metric 3 || true
+ IPADDR=192.168.200.7
+ MTU=9000
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=InfiniBand
+ USERCTL=no"""
+@@ -3576,7 +3566,6 @@ iface bond0 inet6 static
+ IPV6INIT=yes
+ IPV6_AUTOCONF=no
+ IPV6_FORCE_ACCEPT_RA=no
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -3592,7 +3581,6 @@ iface bond0 inet6 static
+ IPV6INIT=yes
+ IPV6_AUTOCONF=no
+ IPV6_FORCE_ACCEPT_RA=no
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -3882,7 +3870,6 @@ iface bond0 inet6 static
+ BOOTPROTO=none
+ DEVICE=eth0
+ HWADDR=cf:d6:af:48:e8:80
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no"""
+@@ -4718,7 +4705,6 @@ HWADDR=fa:16:3e:25:b4:59
+ IPADDR=51.68.89.122
+ MTU=1500
+ NETMASK=255.255.240.0
+-NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -4732,7 +4718,6 @@ DEVICE=eth1
+ DHCLIENT_SET_DEFAULT_ROUTE=no
+ HWADDR=fa:16:3e:b1:ca:29
+ MTU=9000
+-NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -4983,7 +4968,6 @@ USERCTL=no
+ IPV6_FORCE_ACCEPT_RA=no
+ IPV6_DEFAULTGW=2001:db8::1
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -5015,7 +4999,6 @@ USERCTL=no
+ """\
+ BOOTPROTO=none
+ DEVICE=eno1
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -5028,7 +5011,6 @@ USERCTL=no
+ IPADDR=192.6.1.9
+ MTU=1495
+ NETMASK=255.255.255.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ PHYSDEV=eno1
+ USERCTL=no
+@@ -5064,7 +5046,6 @@ USERCTL=no
+ IPADDR=10.101.8.65
+ MTU=1334
+ NETMASK=255.255.255.192
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Bond
+ USERCTL=no
+@@ -5076,7 +5057,6 @@ USERCTL=no
+ BOOTPROTO=none
+ DEVICE=enp0s0
+ MASTER=bond0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ SLAVE=yes
+ TYPE=Bond
+@@ -5089,7 +5069,6 @@ USERCTL=no
+ BOOTPROTO=none
+ DEVICE=enp0s1
+ MASTER=bond0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ SLAVE=yes
+ TYPE=Bond
+@@ -5120,7 +5099,6 @@ USERCTL=no
+ DEVICE=eno1
+ HWADDR=07-1c-c6-75-a4-be
+ METRIC=100
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+@@ -5211,7 +5189,6 @@ USERCTL=no
+ IPV6_FORCE_ACCEPT_RA=no
+ MTU=1400
+ NETMASK=255.255.248.0
+- NM_CONTROLLED=no
+ ONBOOT=yes
+ TYPE=Ethernet
+ USERCTL=no
+--
+2.39.3
+
diff --git a/ci-tools-read-version-fix-the-tool-so-that-it-can-handl.patch b/ci-tools-read-version-fix-the-tool-so-that-it-can-handl.patch
new file mode 100644
index 0000000..2fbe8d7
--- /dev/null
+++ b/ci-tools-read-version-fix-the-tool-so-that-it-can-handl.patch
@@ -0,0 +1,117 @@
+From 32d3430eb9e8ef5c354ee294ec6b8de61f05292a Mon Sep 17 00:00:00 2001
+From: Ani Sinha
+Date: Thu, 20 Jul 2023 00:19:25 +0530
+Subject: [PATCH 02/11] tools/read-version: fix the tool so that it can handle
+ version parsing errors (#4234)
+
+git describe may not return version/tags in the format that the read-version
+tool expects. Make the tool robust so that it can gracefully handle
+version strings that are not in the regular format.
+We use regex to capture the details we care about, but if we cannot find them,
+we won't traceback and will continue to use version and version_long as
+expected.
+
+Signed-off-by: Ani Sinha
+(cherry picked from commit 6543c88e0781b3c2e170fdaffbe6ba9f268e986c)
+---
+ tools/read-version | 68 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 43 insertions(+), 25 deletions(-)
+
+diff --git a/tools/read-version b/tools/read-version
+index 5a71e6c7..7575683c 100755
+--- a/tools/read-version
++++ b/tools/read-version
+@@ -2,6 +2,7 @@
+
+ import os
+ import json
++import re
+ import subprocess
+ import sys
+
+@@ -50,6 +51,37 @@ def is_gitdir(path):
+ return False
+
+
++def get_version_details(version, version_long):
++ release = None
++ extra = None
++ commit = None
++ distance = None
++
++ # Should match upstream version number. E.g., 23.1 or 23.1.2
++ short_regex = r"(\d+\.\d+\.?\d*)"
++ # Should match version including upstream version, distance, and commit
++ # E.g., 23.1.2-10-g12ab34cd
++ long_regex = r"(\d+\.\d+\.?\d*){1}.*-(\d+)+-g([a-f0-9]{8}){1}.*"
++
++ short_match = re.search(short_regex, version)
++ long_match = re.search(long_regex, version_long)
++ if long_match:
++ release, distance, commit = long_match.groups()
++ extra = f"-{distance}-g{commit}"
++ elif short_match:
++ release = short_match.groups()[0]
++
++ return {
++ "release": release,
++ "version": version,
++ "version_long": version_long,
++ "extra": extra,
++ "commit": commit,
++ "distance": distance,
++ "is_release_branch_ci": is_release_branch_ci,
++ }
++
++
+ use_long = "--long" in sys.argv or os.environ.get("CI_RV_LONG")
+ use_tags = "--tags" in sys.argv or os.environ.get("CI_RV_TAGS")
+ output_json = "--json" in sys.argv
+@@ -104,33 +136,19 @@ else:
+ version = src_version
+ version_long = ""
+
+-# version is X.Y.Z[+xxx.gHASH]
+-# version_long is None or X.Y.Z-xxx-gHASH
+-release = version.partition("-")[0]
+-extra = None
+-commit = None
+-distance = None
+-
+-if version_long:
+- info = version_long.partition("-")[2]
+- extra = f"-{info}"
+- distance, commit = info.split("-")
+- # remove the 'g' from gHASH
+- commit = commit[1:]
+-
+-data = {
+- "release": release,
+- "version": version,
+- "version_long": version_long,
+- "extra": extra,
+- "commit": commit,
+- "distance": distance,
+- "is_release_branch_ci": is_release_branch_ci,
+-}
++
++details = get_version_details(version, version_long)
+
+ if output_json:
+- sys.stdout.write(json.dumps(data, indent=1) + "\n")
++ sys.stdout.write(json.dumps(details, indent=1) + "\n")
+ else:
+- sys.stdout.write(version + "\n")
++ output = ""
++ if details["release"]:
++ output += details["release"]
++ if details["extra"]:
++ output += details["extra"]
++ if not output:
++ output = src_version
++ sys.stdout.write(output + "\n")
+
+ sys.exit(0)
+--
+2.39.3
+
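Review bot: `long_regex` in `get_version_details` carries quantifiers that do nothing or hide intent: `{1}` is a no-op on both groups, `(\d+)+` nests a quantifier where `(\d+)` is meant, and `[a-f0-9]{8}` followed by `.*` silently truncates a longer abbreviated hash to eight characters; `r"(\d+\.\d+\.?\d*).*-(\d+)-g([a-f0-9]{8,})"` matches the same inputs and keeps the full hash. The function also reads the module-level `is_release_branch_ci`, which is assigned outside the hunk, so it only works when called after that assignment; passing the value in as a parameter would remove the hidden dependency. `get_version_details` has no docstring; one line stating that unmatched input yields `None` for `release`, `extra`, `commit` and `distance` would document the fallback the caller relies on.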
diff --git a/cloud-init.spec b/cloud-init.spec
index 364be94..2ab05da 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -6,7 +6,7 @@ Name: cloud-init
 Version: 23.1.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Cloud instance init scripts
 Group: System Environment/Base
@@ -41,6 +41,15 @@ Patch15: ci-net-sysconfig-enable-sysconfig-renderer-if-network-m.patch
 Patch16: ci-network-manager-Set-higher-autoconnect-priority-for-.patch
 # For bz#2219528 - [RHEL8] Support configuring network by NM keyfiles
 Patch17: ci-Set-default-renderer-as-sysconfig-for-centos-rhel-41.patch
+Patch19: ci-tools-read-version-fix-the-tool-so-that-it-can-handl.patch
+Patch20: ci-test-fixes-remove-NM_CONTROLLED-no-from-tests.patch
+Patch21: ci-Enable-SUSE-based-distros-for-ca-handling-2036.patch
+Patch22: ci-Handle-non-existent-ca-cert-config-situation-2073.patch
+Patch23: ci-Revert-limit-permissions-on-def_log_file.patch
+Patch24: ci-test-fixes-changes-to-apply-RHEL-specific-config-set.patch
+Patch25: ci-cosmetic-fix-tox-formatting.patch
+# For bz#2222501 - Don't change log permissions if they are already more restrictive [rhel-8]
+Patch28: ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch
 BuildArch: noarch
@@ -247,6 +256,11 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 %changelog
+* Tue Jul 25 2023 Miroslav Rezanina - 23.1.1-7
+- ci-logging-keep-current-file-mode-of-log-file-if-its-st.patch [bz#2222501]
+- Resolves: bz#2222501
+ (Don't change log permissions if they are already more restrictive [rhel-8])
+
 * Mon Jul 10 2023 Miroslav Rezanina - 23.1.1-6
 - ci-Revert-Manual-revert-Use-Network-Manager-and-Netplan.patch [bz#2219528]
 - ci-Revert-Revert-Add-native-NetworkManager-support-1224.patch [bz#2219528]