diff --git a/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch b/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch new file mode 100644 index 0000000..86899cc --- /dev/null +++ b/SOURCES/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch @@ -0,0 +1,97 @@ +From 8dc357c036e393ae7d869d3074377f5447fa9b77 Mon Sep 17 00:00:00 2001 +From: Emanuele Giuseppe Esposito +Date: Tue, 26 Oct 2021 22:18:06 +0200 +Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions + (#1070) + +RH-Author: Emanuele Giuseppe Esposito +RH-MergeRequest: 34: cc_ssh.py: fix private key group owner and permissions (#1070) +RH-Commit: [1/1] 6dfd47416dd2cb7ed3822199c43cbd2fdada7aa1 (eesposit/cloud-init) +RH-Bugzilla: 2017697 +RH-Acked-by: Eduardo Otubo +RH-Acked-by: Mohamed Gamal Morsy + +commit ee296ced9c0a61b1484d850b807c601bcd670ec1 +Author: Emanuele Giuseppe Esposito +Date: Tue Oct 19 21:32:10 2021 +0200 + + cc_ssh.py: fix private key group owner and permissions (#1070) + + When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key) + in RHEL/CentOS/Fedora, openssh it performs the following: + + # create new keys + if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then + exit 1 + fi + + # sanitize permissions + /usr/bin/chgrp ssh_keys $KEY + /usr/bin/chmod 640 $KEY + /usr/bin/chmod 644 $KEY.pub + Note that the group ssh_keys exists only in RHEL/CentOS/Fedora. + + Now that we disable sshd-keygen to allow only cloud-init to create + them, we miss the "sanitize permissions" part, where we set the group + owner as ssh_keys and the private key mode to 640. + + According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing + to set group ownership and permissions like openssh does makes the RHEL openscap + tool generate an error. + + Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com + + RHBZ: 2013644 + +Signed-off-by: Emanuele Giuseppe Esposito +--- + cloudinit/config/cc_ssh.py | 7 +++++++ + cloudinit/util.py | 14 ++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py +index 05a16dbc..4e986c55 100755 +--- a/cloudinit/config/cc_ssh.py ++++ b/cloudinit/config/cc_ssh.py +@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args): + try: + out, err = subp.subp(cmd, capture=True, env=lang_c) + sys.stdout.write(util.decode_binary(out)) ++ ++ gid = util.get_group_id("ssh_keys") ++ if gid != -1: ++ # perform same "sanitize permissions" as sshd-keygen ++ os.chown(keyfile, -1, gid) ++ os.chmod(keyfile, 0o640) ++ os.chmod(keyfile + ".pub", 0o644) + except subp.ProcessExecutionError as e: + err = util.decode_binary(e.stderr).lower() + if (e.exit_code == 1 and +diff --git a/cloudinit/util.py b/cloudinit/util.py +index 343976ad..fe37ae89 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -1831,6 +1831,20 @@ def chmod(path, mode): + os.chmod(path, real_mode) + + ++def get_group_id(grp_name: str) -> int: ++ """ ++ Returns the group id of a group name, or -1 if no group exists ++ ++ @param grp_name: the name of the group ++ """ ++ gid = -1 ++ try: ++ gid = grp.getgrnam(grp_name).gr_gid ++ except KeyError: ++ LOG.debug("Group %s is not a valid group name", grp_name) ++ return gid ++ ++ + def get_permissions(path: str) -> int: + """ + Returns the octal permissions of the file/folder pointed by the path, +-- +2.27.0 + diff --git a/SOURCES/ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch b/SOURCES/ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch new file mode 100644 index 0000000..5cd0ae9 --- /dev/null +++ b/SOURCES/ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch @@ -0,0 +1,87 @@ +From 0a6a89e6b243e587daf8ce356fccb5d6a6acf089 Mon Sep 17 00:00:00 2001 +From: Emanuele Giuseppe Esposito +Date: Tue, 7 Dec 2021 09:56:58 +0100 +Subject: [PATCH] cloudinit/net: handle two different routes for the same ip + (#1124) + +RH-Author: Emanuele Giuseppe Esposito +RH-MergeRequest: 37: cloudinit/net: handle two different routes for the same ip (#1124) +RH-Commit: [1/1] 9cd9c38606bfe2395d808a48ac986dce7624e147 +RH-Bugzilla: 2028756 +RH-Acked-by: Mohamed Gamal Morsy +RH-Acked-by: Eduardo Otubo + +commit 0e25076b34fa995161b83996e866c0974cee431f +Author: Emanuele Giuseppe Esposito +Date: Mon Dec 6 18:34:26 2021 +0100 + + cloudinit/net: handle two different routes for the same ip (#1124) + + If we set a dhcp server side like this: + $ cat /var/tmp/cloud-init/cloud-init-dhcp-f0rie5tm/dhcp.leases + lease { + ... + option classless-static-routes 31.169.254.169.254 0.0.0.0,31.169.254.169.254 + 10.112.143.127,22.10.112.140 0.0.0.0,0 10.112.140.1; + ... + } + cloud-init fails to configure the routes via 'ip route add' because to there are + two different routes for 169.254.169.254: + + $ ip -4 route add 192.168.1.1/32 via 0.0.0.0 dev eth0 + $ ip -4 route add 192.168.1.1/32 via 10.112.140.248 dev eth0 + + But NetworkManager can handle such scenario successfully as it uses "ip route append". + So change cloud-init to also use "ip route append" to fix the issue: + + $ ip -4 route append 192.168.1.1/32 via 0.0.0.0 dev eth0 + $ ip -4 route append 192.168.1.1/32 via 10.112.140.248 dev eth0 + + Signed-off-by: Emanuele Giuseppe Esposito + + RHBZ: #2003231 + +Conflicts: + cloudinit/net/tests/test_init.py: a mock call in + test_ephemeral_ipv4_network_with_rfc3442_static_routes is not + present downstream. + +Signed-off-by: Emanuele Giuseppe Esposito +--- + cloudinit/net/__init__.py | 2 +- + cloudinit/net/tests/test_init.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/cloudinit/net/__init__.py b/cloudinit/net/__init__.py +index 385b7bcc..003efa2a 100644 +--- a/cloudinit/net/__init__.py ++++ b/cloudinit/net/__init__.py +@@ -1138,7 +1138,7 @@ class EphemeralIPv4Network(object): + if gateway != "0.0.0.0/0": + via_arg = ['via', gateway] + subp.subp( +- ['ip', '-4', 'route', 'add', net_address] + via_arg + ++ ['ip', '-4', 'route', 'append', net_address] + via_arg + + ['dev', self.interface], capture=True) + self.cleanup_cmds.insert( + 0, ['ip', '-4', 'route', 'del', net_address] + via_arg + +diff --git a/cloudinit/net/tests/test_init.py b/cloudinit/net/tests/test_init.py +index 946f8ee2..2350837b 100644 +--- a/cloudinit/net/tests/test_init.py ++++ b/cloudinit/net/tests/test_init.py +@@ -719,10 +719,10 @@ class TestEphemeralIPV4Network(CiTestCase): + ['ip', '-family', 'inet', 'link', 'set', 'dev', 'eth0', 'up'], + capture=True), + mock.call( +- ['ip', '-4', 'route', 'add', '169.254.169.254/32', ++ ['ip', '-4', 'route', 'append', '169.254.169.254/32', + 'via', '192.168.2.1', 'dev', 'eth0'], capture=True), + mock.call( +- ['ip', '-4', 'route', 'add', '0.0.0.0/0', ++ ['ip', '-4', 'route', 'append', '0.0.0.0/0', + 'via', '192.168.2.1', 'dev', 'eth0'], capture=True)] + expected_teardown_calls = [ + mock.call( +-- +2.27.0 + diff --git a/SOURCES/ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch b/SOURCES/ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch new file mode 100644 index 0000000..caa98ad --- /dev/null +++ b/SOURCES/ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch @@ -0,0 +1,173 @@ +From 3636c2284132dbcd1cc505fb9f81ab722f4f99f0 Mon Sep 17 00:00:00 2001 +From: Amy Chen +Date: Fri, 3 Dec 2021 14:38:16 +0800 +Subject: [PATCH] fix error on upgrade caused by new vendordata2 attributes + +RH-Author: xiachen +RH-MergeRequest: 36: fix error on upgrade caused by new vendordata2 attributes +RH-Commit: [1/1] c16351924d4220a719380f12c2e8c03185f53c01 +RH-Bugzilla: 2028738 +RH-Acked-by: Mohamed Gamal Morsy +RH-Acked-by: Emanuele Giuseppe Esposito +RH-Acked-by: Eduardo Otubo + +commit d132356cc361abef2d90d4073438f3ab759d5964 +Author: James Falcon +Date: Mon Apr 19 11:31:28 2021 -0500 + + fix error on upgrade caused by new vendordata2 attributes (#869) + + In #777, we added 'vendordata2' and 'vendordata2_raw' attributes to + the DataSource class, but didn't use the upgrade framework to deal + with an unpickle after upgrade. This commit adds the necessary + upgrade code. + + Additionally, added a smaller-scope upgrade test to our integration + tests that will be run on every CI run so we catch these issues + immediately in the future. + + LP: #1922739 + +Signed-off-by: Amy Chen +--- + cloudinit/sources/__init__.py | 12 +++++++++++- + cloudinit/tests/test_upgrade.py | 4 ++++ + tests/integration_tests/clouds.py | 4 ++-- + tests/integration_tests/test_upgrade.py | 25 ++++++++++++++++++++++++- + 4 files changed, 41 insertions(+), 4 deletions(-) + +diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py +index 1ad1880d..7d74f8d9 100644 +--- a/cloudinit/sources/__init__.py ++++ b/cloudinit/sources/__init__.py +@@ -24,6 +24,7 @@ from cloudinit import util + from cloudinit.atomic_helper import write_json + from cloudinit.event import EventType + from cloudinit.filters import launch_index ++from cloudinit.persistence import CloudInitPickleMixin + from cloudinit.reporting import events + + DSMODE_DISABLED = "disabled" +@@ -134,7 +135,7 @@ URLParams = namedtuple( + 'URLParms', ['max_wait_seconds', 'timeout_seconds', 'num_retries']) + + +-class DataSource(metaclass=abc.ABCMeta): ++class DataSource(CloudInitPickleMixin, metaclass=abc.ABCMeta): + + dsmode = DSMODE_NETWORK + default_locale = 'en_US.UTF-8' +@@ -196,6 +197,8 @@ class DataSource(metaclass=abc.ABCMeta): + # non-root users + sensitive_metadata_keys = ('merged_cfg', 'security-credentials',) + ++ _ci_pkl_version = 1 ++ + def __init__(self, sys_cfg, distro, paths, ud_proc=None): + self.sys_cfg = sys_cfg + self.distro = distro +@@ -218,6 +221,13 @@ class DataSource(metaclass=abc.ABCMeta): + else: + self.ud_proc = ud_proc + ++ def _unpickle(self, ci_pkl_version: int) -> None: ++ """Perform deserialization fixes for Paths.""" ++ if not hasattr(self, 'vendordata2'): ++ self.vendordata2 = None ++ if not hasattr(self, 'vendordata2_raw'): ++ self.vendordata2_raw = None ++ + def __str__(self): + return type_utils.obj_name(self) + +diff --git a/cloudinit/tests/test_upgrade.py b/cloudinit/tests/test_upgrade.py +index f79a2536..fd3c5812 100644 +--- a/cloudinit/tests/test_upgrade.py ++++ b/cloudinit/tests/test_upgrade.py +@@ -43,3 +43,7 @@ class TestUpgrade: + def test_blacklist_drivers_set_on_networking(self, previous_obj_pkl): + """We always expect Networking.blacklist_drivers to be initialised.""" + assert previous_obj_pkl.distro.networking.blacklist_drivers is None ++ ++ def test_vendordata_exists(self, previous_obj_pkl): ++ assert previous_obj_pkl.vendordata2 is None ++ assert previous_obj_pkl.vendordata2_raw is None +diff --git a/tests/integration_tests/clouds.py b/tests/integration_tests/clouds.py +index 9527a413..1d0b9d83 100644 +--- a/tests/integration_tests/clouds.py ++++ b/tests/integration_tests/clouds.py +@@ -100,14 +100,14 @@ class IntegrationCloud(ABC): + # Even if we're using the default key, it may still have a + # different name in the clouds, so we need to set it separately. + self.cloud_instance.key_pair.name = settings.KEYPAIR_NAME +- self._released_image_id = self._get_initial_image() ++ self.released_image_id = self._get_initial_image() + self.snapshot_id = None + + @property + def image_id(self): + if self.snapshot_id: + return self.snapshot_id +- return self._released_image_id ++ return self.released_image_id + + def emit_settings_to_log(self) -> None: + log.info( +diff --git a/tests/integration_tests/test_upgrade.py b/tests/integration_tests/test_upgrade.py +index c20cb3c1..48e0691b 100644 +--- a/tests/integration_tests/test_upgrade.py ++++ b/tests/integration_tests/test_upgrade.py +@@ -1,4 +1,5 @@ + import logging ++import os + import pytest + import time + from pathlib import Path +@@ -8,6 +9,8 @@ from tests.integration_tests.conftest import ( + get_validated_source, + session_start_time, + ) ++from tests.integration_tests.instances import CloudInitSource ++ + + log = logging.getLogger('integration_testing') + +@@ -63,7 +66,7 @@ def test_upgrade(session_cloud: IntegrationCloud): + return # type checking doesn't understand that skip raises + + launch_kwargs = { +- 'image_id': session_cloud._get_initial_image(), ++ 'image_id': session_cloud.released_image_id, + } + + image = ImageSpecification.from_os_image() +@@ -93,6 +96,26 @@ def test_upgrade(session_cloud: IntegrationCloud): + instance.install_new_cloud_init(source, take_snapshot=False) + instance.execute('hostname something-else') + _restart(instance) ++ assert instance.execute('cloud-init status --wait --long').ok + _output_to_compare(instance, after_path, netcfg_path) + + log.info('Wrote upgrade test logs to %s and %s', before_path, after_path) ++ ++ ++@pytest.mark.ci ++@pytest.mark.ubuntu ++def test_upgrade_package(session_cloud: IntegrationCloud): ++ if get_validated_source(session_cloud) != CloudInitSource.DEB_PACKAGE: ++ not_run_message = 'Test only supports upgrading to build deb' ++ if os.environ.get('TRAVIS'): ++ # If this isn't running on CI, we should know ++ pytest.fail(not_run_message) ++ else: ++ pytest.skip(not_run_message) ++ ++ launch_kwargs = {'image_id': session_cloud.released_image_id} ++ ++ with session_cloud.launch(launch_kwargs=launch_kwargs) as instance: ++ instance.install_deb() ++ instance.restart() ++ assert instance.execute('cloud-init status --wait --long').ok +-- +2.27.0 + diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec index 6671452..425df39 100644 --- a/SPECS/cloud-init.spec +++ b/SPECS/cloud-init.spec @@ -6,7 +6,7 @@ Name: cloud-init Version: 21.1 -Release: 7%{?dist} +Release: 7%{?dist}.3 Summary: Cloud instance init scripts Group: System Environment/Base @@ -34,6 +34,12 @@ Patch12: ci-ssh-util-allow-cloudinit-to-merge-all-ssh-keys-into-.patch Patch13: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch # For bz#1995840 - [cloudinit] Fix home permissions modified by ssh module Patch14: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch +# For bz#2017697 - cloud-init fails to set host key permissions correctly [rhel-8.5.0.z] +Patch15: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch +# For bz#2028738 - cloud-init.service fails to start after package update [rhel-8.5.0.z] +Patch16: ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch +# For bz#2028756 - [RHEL-8] Above 19.2 of cloud-init fails to configure routes when configuring static and default routes to the same destination IP [rhel-8.5.0.z] +Patch17: ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch BuildArch: noarch @@ -225,6 +231,21 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Wed Dec 08 2021 Jon Maloy - 21.1-7.el8_5.3 +- ci-cloudinit-net-handle-two-different-routes-for-the-sa.patch [bz#2028756] +- Resolves: bz#2028756 + ([RHEL-8] Above 19.2 of cloud-init fails to configure routes when configuring static and default routes to the same destination IP [rhel-8.5.0.z]) + +* Mon Dec 06 2021 Jon Maloy - 21.1-7.el8_5.2 +- ci-fix-error-on-upgrade-caused-by-new-vendordata2-attri.patch [bz#2028738] +- Resolves: bz#2028738 + (cloud-init.service fails to start after package update [rhel-8.5.0.z]) + +* Tue Nov 02 2021 Miroslav Rezanina - 21.1-7.el8_5.1 +- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2017697] +- Resolves: bz#2017697 + (cloud-init fails to set host key permissions correctly [rhel-8.5.0.z]) + * Fri Aug 27 2021 Miroslav Rezanina - 21.1-7 - ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch [bz#1995840] - Resolves: bz#1995840