Merge branch 'c8' into a8
This commit is contained in:
commit
70d9bad6a5
@ -0,0 +1,97 @@
|
||||
From 8dc357c036e393ae7d869d3074377f5447fa9b77 Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Tue, 26 Oct 2021 22:18:06 +0200
|
||||
Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
|
||||
(#1070)
|
||||
|
||||
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
RH-MergeRequest: 34: cc_ssh.py: fix private key group owner and permissions (#1070)
|
||||
RH-Commit: [1/1] 6dfd47416dd2cb7ed3822199c43cbd2fdada7aa1 (eesposit/cloud-init)
|
||||
RH-Bugzilla: 2017697
|
||||
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||
|
||||
commit ee296ced9c0a61b1484d850b807c601bcd670ec1
|
||||
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Tue Oct 19 21:32:10 2021 +0200
|
||||
|
||||
cc_ssh.py: fix private key group owner and permissions (#1070)
|
||||
|
||||
When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
|
||||
in RHEL/CentOS/Fedora, openssh it performs the following:
|
||||
|
||||
# create new keys
|
||||
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# sanitize permissions
|
||||
/usr/bin/chgrp ssh_keys $KEY
|
||||
/usr/bin/chmod 640 $KEY
|
||||
/usr/bin/chmod 644 $KEY.pub
|
||||
Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
|
||||
|
||||
Now that we disable sshd-keygen to allow only cloud-init to create
|
||||
them, we miss the "sanitize permissions" part, where we set the group
|
||||
owner as ssh_keys and the private key mode to 640.
|
||||
|
||||
According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
|
||||
to set group ownership and permissions like openssh does makes the RHEL openscap
|
||||
tool generate an error.
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
|
||||
|
||||
RHBZ: 2013644
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
---
|
||||
cloudinit/config/cc_ssh.py | 7 +++++++
|
||||
cloudinit/util.py | 14 ++++++++++++++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
|
||||
index 05a16dbc..4e986c55 100755
|
||||
--- a/cloudinit/config/cc_ssh.py
|
||||
+++ b/cloudinit/config/cc_ssh.py
|
||||
@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
|
||||
try:
|
||||
out, err = subp.subp(cmd, capture=True, env=lang_c)
|
||||
sys.stdout.write(util.decode_binary(out))
|
||||
+
|
||||
+ gid = util.get_group_id("ssh_keys")
|
||||
+ if gid != -1:
|
||||
+ # perform same "sanitize permissions" as sshd-keygen
|
||||
+ os.chown(keyfile, -1, gid)
|
||||
+ os.chmod(keyfile, 0o640)
|
||||
+ os.chmod(keyfile + ".pub", 0o644)
|
||||
except subp.ProcessExecutionError as e:
|
||||
err = util.decode_binary(e.stderr).lower()
|
||||
if (e.exit_code == 1 and
|
||||
diff --git a/cloudinit/util.py b/cloudinit/util.py
|
||||
index 343976ad..fe37ae89 100644
|
||||
--- a/cloudinit/util.py
|
||||
+++ b/cloudinit/util.py
|
||||
@@ -1831,6 +1831,20 @@ def chmod(path, mode):
|
||||
os.chmod(path, real_mode)
|
||||
|
||||
|
||||
+def get_group_id(grp_name: str) -> int:
|
||||
+ """
|
||||
+ Returns the group id of a group name, or -1 if no group exists
|
||||
+
|
||||
+ @param grp_name: the name of the group
|
||||
+ """
|
||||
+ gid = -1
|
||||
+ try:
|
||||
+ gid = grp.getgrnam(grp_name).gr_gid
|
||||
+ except KeyError:
|
||||
+ LOG.debug("Group %s is not a valid group name", grp_name)
|
||||
+ return gid
|
||||
+
|
||||
+
|
||||
def get_permissions(path: str) -> int:
|
||||
"""
|
||||
Returns the octal permissions of the file/folder pointed by the path,
|
||||
--
|
||||
2.27.0
|
||||
|
@ -0,0 +1,87 @@
|
||||
From 0a6a89e6b243e587daf8ce356fccb5d6a6acf089 Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Tue, 7 Dec 2021 09:56:58 +0100
|
||||
Subject: [PATCH] cloudinit/net: handle two different routes for the same ip
|
||||
(#1124)
|
||||
|
||||
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
RH-MergeRequest: 37: cloudinit/net: handle two different routes for the same ip (#1124)
|
||||
RH-Commit: [1/1] 9cd9c38606bfe2395d808a48ac986dce7624e147
|
||||
RH-Bugzilla: 2028756
|
||||
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||
|
||||
commit 0e25076b34fa995161b83996e866c0974cee431f
|
||||
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Mon Dec 6 18:34:26 2021 +0100
|
||||
|
||||
cloudinit/net: handle two different routes for the same ip (#1124)
|
||||
|
||||
If we set a dhcp server side like this:
|
||||
$ cat /var/tmp/cloud-init/cloud-init-dhcp-f0rie5tm/dhcp.leases
|
||||
lease {
|
||||
...
|
||||
option classless-static-routes 31.169.254.169.254 0.0.0.0,31.169.254.169.254
|
||||
10.112.143.127,22.10.112.140 0.0.0.0,0 10.112.140.1;
|
||||
...
|
||||
}
|
||||
cloud-init fails to configure the routes via 'ip route add' because to there are
|
||||
two different routes for 169.254.169.254:
|
||||
|
||||
$ ip -4 route add 192.168.1.1/32 via 0.0.0.0 dev eth0
|
||||
$ ip -4 route add 192.168.1.1/32 via 10.112.140.248 dev eth0
|
||||
|
||||
But NetworkManager can handle such scenario successfully as it uses "ip route append".
|
||||
So change cloud-init to also use "ip route append" to fix the issue:
|
||||
|
||||
$ ip -4 route append 192.168.1.1/32 via 0.0.0.0 dev eth0
|
||||
$ ip -4 route append 192.168.1.1/32 via 10.112.140.248 dev eth0
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
|
||||
RHBZ: #2003231
|
||||
|
||||
Conflicts:
|
||||
cloudinit/net/tests/test_init.py: a mock call in
|
||||
test_ephemeral_ipv4_network_with_rfc3442_static_routes is not
|
||||
present downstream.
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
---
|
||||
cloudinit/net/__init__.py | 2 +-
|
||||
cloudinit/net/tests/test_init.py | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/net/__init__.py b/cloudinit/net/__init__.py
|
||||
index 385b7bcc..003efa2a 100644
|
||||
--- a/cloudinit/net/__init__.py
|
||||
+++ b/cloudinit/net/__init__.py
|
||||
@@ -1138,7 +1138,7 @@ class EphemeralIPv4Network(object):
|
||||
if gateway != "0.0.0.0/0":
|
||||
via_arg = ['via', gateway]
|
||||
subp.subp(
|
||||
- ['ip', '-4', 'route', 'add', net_address] + via_arg +
|
||||
+ ['ip', '-4', 'route', 'append', net_address] + via_arg +
|
||||
['dev', self.interface], capture=True)
|
||||
self.cleanup_cmds.insert(
|
||||
0, ['ip', '-4', 'route', 'del', net_address] + via_arg +
|
||||
diff --git a/cloudinit/net/tests/test_init.py b/cloudinit/net/tests/test_init.py
|
||||
index 946f8ee2..2350837b 100644
|
||||
--- a/cloudinit/net/tests/test_init.py
|
||||
+++ b/cloudinit/net/tests/test_init.py
|
||||
@@ -719,10 +719,10 @@ class TestEphemeralIPV4Network(CiTestCase):
|
||||
['ip', '-family', 'inet', 'link', 'set', 'dev', 'eth0', 'up'],
|
||||
capture=True),
|
||||
mock.call(
|
||||
- ['ip', '-4', 'route', 'add', '169.254.169.254/32',
|
||||
+ ['ip', '-4', 'route', 'append', '169.254.169.254/32',
|
||||
'via', '192.168.2.1', 'dev', 'eth0'], capture=True),
|
||||
mock.call(
|
||||
- ['ip', '-4', 'route', 'add', '0.0.0.0/0',
|
||||
+ ['ip', '-4', 'route', 'append', '0.0.0.0/0',
|
||||
'via', '192.168.2.1', 'dev', 'eth0'], capture=True)]
|
||||
expected_teardown_calls = [
|
||||
mock.call(
|
||||
--
|
||||
2.27.0
|
||||
|
@ -0,0 +1,173 @@
|
||||
From 3636c2284132dbcd1cc505fb9f81ab722f4f99f0 Mon Sep 17 00:00:00 2001
|
||||
From: Amy Chen <xiachen@redhat.com>
|
||||
Date: Fri, 3 Dec 2021 14:38:16 +0800
|
||||
Subject: [PATCH] fix error on upgrade caused by new vendordata2 attributes
|
||||
|
||||
RH-Author: xiachen <None>
|
||||
RH-MergeRequest: 36: fix error on upgrade caused by new vendordata2 attributes
|
||||
RH-Commit: [1/1] c16351924d4220a719380f12c2e8c03185f53c01
|
||||
RH-Bugzilla: 2028738
|
||||
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||
|
||||
commit d132356cc361abef2d90d4073438f3ab759d5964
|
||||
Author: James Falcon <TheRealFalcon@users.noreply.github.com>
|
||||
Date: Mon Apr 19 11:31:28 2021 -0500
|
||||
|
||||
fix error on upgrade caused by new vendordata2 attributes (#869)
|
||||
|
||||
In #777, we added 'vendordata2' and 'vendordata2_raw' attributes to
|
||||
the DataSource class, but didn't use the upgrade framework to deal
|
||||
with an unpickle after upgrade. This commit adds the necessary
|
||||
upgrade code.
|
||||
|
||||
Additionally, added a smaller-scope upgrade test to our integration
|
||||
tests that will be run on every CI run so we catch these issues
|
||||
immediately in the future.
|
||||
|
||||
LP: #1922739
|
||||
|
||||
Signed-off-by: Amy Chen <xiachen@redhat.com>
|
||||
---
|
||||
cloudinit/sources/__init__.py | 12 +++++++++++-
|
||||
cloudinit/tests/test_upgrade.py | 4 ++++
|
||||
tests/integration_tests/clouds.py | 4 ++--
|
||||
tests/integration_tests/test_upgrade.py | 25 ++++++++++++++++++++++++-
|
||||
4 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
|
||||
index 1ad1880d..7d74f8d9 100644
|
||||
--- a/cloudinit/sources/__init__.py
|
||||
+++ b/cloudinit/sources/__init__.py
|
||||
@@ -24,6 +24,7 @@ from cloudinit import util
|
||||
from cloudinit.atomic_helper import write_json
|
||||
from cloudinit.event import EventType
|
||||
from cloudinit.filters import launch_index
|
||||
+from cloudinit.persistence import CloudInitPickleMixin
|
||||
from cloudinit.reporting import events
|
||||
|
||||
DSMODE_DISABLED = "disabled"
|
||||
@@ -134,7 +135,7 @@ URLParams = namedtuple(
|
||||
'URLParms', ['max_wait_seconds', 'timeout_seconds', 'num_retries'])
|
||||
|
||||
|
||||
-class DataSource(metaclass=abc.ABCMeta):
|
||||
+class DataSource(CloudInitPickleMixin, metaclass=abc.ABCMeta):
|
||||
|
||||
dsmode = DSMODE_NETWORK
|
||||
default_locale = 'en_US.UTF-8'
|
||||
@@ -196,6 +197,8 @@ class DataSource(metaclass=abc.ABCMeta):
|
||||
# non-root users
|
||||
sensitive_metadata_keys = ('merged_cfg', 'security-credentials',)
|
||||
|
||||
+ _ci_pkl_version = 1
|
||||
+
|
||||
def __init__(self, sys_cfg, distro, paths, ud_proc=None):
|
||||
self.sys_cfg = sys_cfg
|
||||
self.distro = distro
|
||||
@@ -218,6 +221,13 @@ class DataSource(metaclass=abc.ABCMeta):
|
||||
else:
|
||||
self.ud_proc = ud_proc
|
||||
|
||||
+ def _unpickle(self, ci_pkl_version: int) -> None:
|
||||
+ """Perform deserialization fixes for Paths."""
|
||||
+ if not hasattr(self, 'vendordata2'):
|
||||
+ self.vendordata2 = None
|
||||
+ if not hasattr(self, 'vendordata2_raw'):
|
||||
+ self.vendordata2_raw = None
|
||||
+
|
||||
def __str__(self):
|
||||
return type_utils.obj_name(self)
|
||||
|
||||
diff --git a/cloudinit/tests/test_upgrade.py b/cloudinit/tests/test_upgrade.py
|
||||
index f79a2536..fd3c5812 100644
|
||||
--- a/cloudinit/tests/test_upgrade.py
|
||||
+++ b/cloudinit/tests/test_upgrade.py
|
||||
@@ -43,3 +43,7 @@ class TestUpgrade:
|
||||
def test_blacklist_drivers_set_on_networking(self, previous_obj_pkl):
|
||||
"""We always expect Networking.blacklist_drivers to be initialised."""
|
||||
assert previous_obj_pkl.distro.networking.blacklist_drivers is None
|
||||
+
|
||||
+ def test_vendordata_exists(self, previous_obj_pkl):
|
||||
+ assert previous_obj_pkl.vendordata2 is None
|
||||
+ assert previous_obj_pkl.vendordata2_raw is None
|
||||
diff --git a/tests/integration_tests/clouds.py b/tests/integration_tests/clouds.py
|
||||
index 9527a413..1d0b9d83 100644
|
||||
--- a/tests/integration_tests/clouds.py
|
||||
+++ b/tests/integration_tests/clouds.py
|
||||
@@ -100,14 +100,14 @@ class IntegrationCloud(ABC):
|
||||
# Even if we're using the default key, it may still have a
|
||||
# different name in the clouds, so we need to set it separately.
|
||||
self.cloud_instance.key_pair.name = settings.KEYPAIR_NAME
|
||||
- self._released_image_id = self._get_initial_image()
|
||||
+ self.released_image_id = self._get_initial_image()
|
||||
self.snapshot_id = None
|
||||
|
||||
@property
|
||||
def image_id(self):
|
||||
if self.snapshot_id:
|
||||
return self.snapshot_id
|
||||
- return self._released_image_id
|
||||
+ return self.released_image_id
|
||||
|
||||
def emit_settings_to_log(self) -> None:
|
||||
log.info(
|
||||
diff --git a/tests/integration_tests/test_upgrade.py b/tests/integration_tests/test_upgrade.py
|
||||
index c20cb3c1..48e0691b 100644
|
||||
--- a/tests/integration_tests/test_upgrade.py
|
||||
+++ b/tests/integration_tests/test_upgrade.py
|
||||
@@ -1,4 +1,5 @@
|
||||
import logging
|
||||
+import os
|
||||
import pytest
|
||||
import time
|
||||
from pathlib import Path
|
||||
@@ -8,6 +9,8 @@ from tests.integration_tests.conftest import (
|
||||
get_validated_source,
|
||||
session_start_time,
|
||||
)
|
||||
+from tests.integration_tests.instances import CloudInitSource
|
||||
+
|
||||
|
||||
log = logging.getLogger('integration_testing')
|
||||
|
||||
@@ -63,7 +66,7 @@ def test_upgrade(session_cloud: IntegrationCloud):
|
||||
return # type checking doesn't understand that skip raises
|
||||
|
||||
launch_kwargs = {
|
||||
- 'image_id': session_cloud._get_initial_image(),
|
||||
+ 'image_id': session_cloud.released_image_id,
|
||||
}
|
||||
|
||||
image = ImageSpecification.from_os_image()
|
||||
@@ -93,6 +96,26 @@ def test_upgrade(session_cloud: IntegrationCloud):
|
||||
instance.install_new_cloud_init(source, take_snapshot=False)
|
||||
instance.execute('hostname something-else')
|
||||
_restart(instance)
|
||||
+ assert instance.execute('cloud-init status --wait --long').ok
|
||||
_output_to_compare(instance, after_path, netcfg_path)
|
||||
|
||||
log.info('Wrote upgrade test logs to %s and %s', before_path, after_path)
|
||||
+
|
||||
+
|
||||
+@pytest.mark.ci
|
||||
+@pytest.mark.ubuntu
|
||||
+def test_upgrade_package(session_cloud: IntegrationCloud):
|
||||
+ if get_validated_source(session_cloud) != CloudInitSource.DEB_PACKAGE:
|
||||
+ not_run_message = 'Test only supports upgrading to build deb'
|
||||
+ if os.environ.get('TRAVIS'):
|
||||
+ # If this isn't running on CI, we should know
|
||||
+ pytest.fail(not_run_message)
|
||||
+ else:
|
||||
+ pytest.skip(not_run_message)
|
||||
+
|
||||
+ launch_kwargs = {'image_id': session_cloud.released_image_id}
|
||||
+
|
||||
+ with session_cloud.launch(launch_kwargs=launch_kwargs) as instance:
|
||||
+ instance.install_deb()
|
||||
+ instance.restart()
|
||||
+ assert instance.execute('cloud-init status --wait --long').ok
|
||||
--
|
||||
2.27.0
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: cloud-init
|
||||
Version: 21.1
|
||||
Release: 7%{?dist}.alma
|
||||
Release: 7%{?dist}.3.alma
|
||||
Summary: Cloud instance init scripts
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -34,6 +34,12 @@ Patch12: ci-ssh-util-allow-cloudinit-to-merge-all-ssh-keys-into-.patch
|
||||
Patch13: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch
|
||||
# For bz#1995840 - [cloudinit] Fix home permissions modified by ssh module
|
||||
Patch14: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
|
||||
# For bz#2017697 - cloud-init fails to set host key permissions correctly [rhel-8.5.0.z]
|
||||
Patch15: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
|
||||
# For bz#2028738 - cloud-init.service fails to start after package update [rhel-8.5.0.z]
|
||||
Patch16: ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch
|
||||
# For bz#2028756 - [RHEL-8] Above 19.2 of cloud-init fails to configure routes when configuring static and default routes to the same destination IP [rhel-8.5.0.z]
|
||||
Patch17: ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch
|
||||
|
||||
# AlmaLinux patches
|
||||
Patch100: cloud-init-20.3-add_almalinux.patch
|
||||
@ -228,9 +234,24 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
|
||||
|
||||
%changelog
|
||||
* Fri Oct 08 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 21.1-7.alma
|
||||
* Fri Dec 24 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 21.1-7.el8_5.3.alma
|
||||
- AlmaLinux support
|
||||
|
||||
* Wed Dec 08 2021 Jon Maloy <jmaloy@redhat.com> - 21.1-7.el8_5.3
|
||||
- ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch [bz#2028756]
|
||||
- Resolves: bz#2028756
|
||||
([RHEL-8] Above 19.2 of cloud-init fails to configure routes when configuring static and default routes to the same destination IP [rhel-8.5.0.z])
|
||||
|
||||
* Mon Dec 06 2021 Jon Maloy <jmaloy@redhat.com> - 21.1-7.el8_5.2
|
||||
- ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch [bz#2028738]
|
||||
- Resolves: bz#2028738
|
||||
(cloud-init.service fails to start after package update [rhel-8.5.0.z])
|
||||
|
||||
* Tue Nov 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-7.el8_5.1
|
||||
- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2017697]
|
||||
- Resolves: bz#2017697
|
||||
(cloud-init fails to set host key permissions correctly [rhel-8.5.0.z])
|
||||
|
||||
* Fri Aug 27 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-7
|
||||
- ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch [bz#1995840]
|
||||
- Resolves: bz#1995840
|
||||
|
Loading…
Reference in New Issue
Block a user