diff --git a/ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch b/ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
new file mode 100644
index 0000000..7535bda
--- /dev/null
+++ b/ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
@@ -0,0 +1,104 @@
+From e6412be62079bbec5d67d178711ea42f21cafab8 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito
+Date: Tue, 12 Oct 2021 16:35:00 +0200
+Subject: [PATCH 1/2] Inhibit sshd-keygen@.service if cloud-init is active
+ (#1028)
+
+RH-Author: Emanuele Giuseppe Esposito
+RH-MergeRequest: 11: Add drop-in to prevent race with sshd-keygen service
+RH-Commit: [1/2] 77ba3f167e71c43847aa5b38e1833d84568ed5a7 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2002492
+RH-Acked-by: Eduardo Otubo
+RH-Acked-by: Mohamed Gamal Morsy
+
+TESTED: by me and QA
+BREW: 40286693
+
+commit 02c71f097bca455a0f87d3e0a2af4d04b1cbd727
+Author: Ryan Harper
+Date: Tue Oct 12 09:31:36 2021 -0500
+
+ Inhibit sshd-keygen@.service if cloud-init is active (#1028)
+
+ In some cloud-init enabled images the sshd-keygen@.service
+ may race with cloud-init and prevent ssh host keys from being
+ generated or generating host keys twice slowing boot and consuming
+ additional entropy during boot. This drop-in unit adds a condition to
+ the sshd-keygen@.service which prevents running if cloud-init is active.
+
+Signed-off-by: Emanuele Giuseppe Esposito
+
+Conflicts: minor conflict in setup.py (line 253), where we still use
+"/usr/lib/" instead of LIB
+---
+ packages/redhat/cloud-init.spec.in | 1 +
+ packages/suse/cloud-init.spec.in | 1 +
+ setup.py | 5 ++++-
+ systemd/disable-sshd-keygen-if-cloud-init-active.conf | 8 ++++++++
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 systemd/disable-sshd-keygen-if-cloud-init-active.conf
+
+diff --git a/packages/redhat/cloud-init.spec.in b/packages/redhat/cloud-init.spec.in
+index 16138012..1491822b 100644
+--- a/packages/redhat/cloud-init.spec.in
++++ b/packages/redhat/cloud-init.spec.in
+@@ -175,6 +175,7 @@ fi
+
+ %if "%{init_system}" == "systemd"
+ /usr/lib/systemd/system-generators/cloud-init-generator
++%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
+ %{_unitdir}/cloud-*
+ %else
+ %attr(0755, root, root) %{_initddir}/cloud-config
+diff --git a/packages/suse/cloud-init.spec.in b/packages/suse/cloud-init.spec.in
+index 004b875f..da8107b4 100644
+--- a/packages/suse/cloud-init.spec.in
++++ b/packages/suse/cloud-init.spec.in
+@@ -126,6 +126,7 @@ version_pys=$(cd "%{buildroot}" && find . -name version.py -type f)
+
+ %{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
+ %{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
++%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
+
+ # Python code is here...
+ %{python_sitelib}/*
+diff --git a/setup.py b/setup.py
+index d5cd01a4..ec03fa27 100755
+--- a/setup.py
++++ b/setup.py
+@@ -38,6 +38,7 @@ def is_generator(p):
+ def pkg_config_read(library, var):
+ fallbacks = {
+ 'systemd': {
++ 'systemdsystemconfdir': '/etc/systemd/system',
+ 'systemdsystemunitdir': '/lib/systemd/system',
+ 'systemdsystemgeneratordir': '/lib/systemd/system-generators',
+ }
+@@ -249,7 +250,9 @@ if not platform.system().endswith('BSD'):
+ data_files.extend([
+ (ETC + '/NetworkManager/dispatcher.d/',
+ ['tools/hook-network-manager']),
+- ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')])
++ ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')]),
++ (ETC + '/systemd/system/sshd-keygen@.service.d/',
++ ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),
+ ])
+ # Use a subclass for install that handles
+ # adding on the right init system configuration files
+diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+new file mode 100644
+index 00000000..71e35876
+--- /dev/null
++++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+@@ -0,0 +1,8 @@
++# In some cloud-init enabled images the sshd-keygen template service may race
++# with cloud-init during boot causing issues with host key generation. This
++# drop-in config adds a condition to sshd-keygen@.service if it exists and
++# prevents the sshd-keygen units from running *if* cloud-init is going to run.
++#
++[Unit]
++ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
++EOF
+--
+2.27.0
+
diff --git a/cloud-init.spec b/cloud-init.spec
index b1ff965..222b07b 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Cloud instance init scripts
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
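Review bot: The new drop-in `systemd/disable-sshd-keygen-if-cloud-init-active.conf` ends with a bare `EOF` line after `ConditionPathExists=…`, which looks like a leftover here-document terminator rather than a unit directive. It is not a `key=value` assignment, so systemd will most likely log a parse warning for `sshd-keygen@.service` and ignore it; the line should be deleted so the file ends at the `ConditionPathExists=` line. Once this condition holds, SSH host-key creation is left entirely to cloud-init, so the header comment could add `# Host keys are then expected to come from cloud-init; if its ssh key generation is disabled, none are created.` (presumably the case; cloud-init's ssh module is not visible in this patch). In `setup.py` the new `systemdsystemconfdir` fallback is not used by the added `data_files` entry, which builds the path from `ETC`; that may be the conflict the description mentions, but is worth confirming.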
@@ -24,6 +24,8 @@ Patch8: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch Patch9: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch # For bz#2002302 - cloud-init fails with ValueError: need more than 1 value to unpack[rhel-9] Patch10: ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch +# For bz#2002492 - util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key +Patch11: ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch # Source-git patches @@ -215,12 +217,18 @@ fi %{_bindir}/cloud-id %{_libexecdir}/%{name}/ds-identify %{_systemdgeneratordir}/cloud-init-generator - +%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf %dir %{_sysconfdir}/rsyslog.d %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Mon Oct 18 2021 Miroslav Rezanina - 21.1-10 +- ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch [bz#2002492] +- ci-add-the-drop-in-also-in-the-files-section-of-cloud-i.patch [bz#2002492] +- Resolves: bz#2002492 + (util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key) + * Fri Sep 10 2021 Miroslav Rezanina - 21.1-9 - ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch [bz#2002302] - Resolves: bz#2002302