From dde7ba5961b6d61f883e03445c5508106eededc5 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Thu, 3 Jul 2025 02:35:52 -0400 Subject: [PATCH] * Thu Jul 03 2025 Miroslav Rezanina - 24.4-7 - ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100615] - ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100615] - Fix missing patch [RHEL-101692] - Resolves: RHEL-100615 (CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7]) - Resolves: RHEL-101692 (c9s dist-git missing patch "downstream: Retain exit code in cloud-init status for recoverable errors") --- ...n-exit-code-in-cloud-init-status-for.patch | 68 +++++++ ...t-to-identify-non-x86-OpenStack-inst.patch | 177 ++++++++++++++++++ ...le-in-ds-identify-on-no-datasources-.patch | 90 +++++++++ cloud-init.spec | 16 +- 4 files changed, 350 insertions(+), 1 deletion(-) create mode 100644 0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch create mode 100644 ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch create mode 100644 ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch diff --git a/0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch b/0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch new file mode 100644 index 0000000..264715a --- /dev/null +++ b/0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch 
@@ -0,0 +1,68 @@ +From d211a3a03b548a759c4a64e63044b2ea034f2999 Mon Sep 17 00:00:00 2001 +From: Ani Sinha +Date: Tue, 12 Mar 2024 12:52:10 +0530 +Subject: [PATCH] downstream: Retain exit code in cloud-init status for + recoverable errors + +RH-Author: Ani Sinha +RH-MergeRequest: 71: Retain exit code in cloud-init status for recoverable errors +RH-Jira: RHEL-28549 +RH-Acked-by: Emanuele Giuseppe Esposito +RH-Acked-by: Cathy Avery +RH-Commit: [1/1] 00934ade88c481c012bc1947fa44e5ed59f82858 (anisinha/cloud-init) + +Version 23.4 of cloud-init changed the status code reported by cloud-init for +recoverable errors from 0 to 2. Please see the commit +70acb7f2a30d58 ("Add support for cloud-init "degraded" state (#4500)") + +This change has the potential to break customers who are expecting a 0 status +and where warnings can be expected. Hence, revert the status code from 2 to 0 +even in case of recoverable errors. This retains the old behavior and hence +avoids breaking scripts and software stack that expects 0 on the end user side. + +Cannonical has made a similar change downstream for similar reasons. Please see +https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2048522 +and the corresponding downstream patch: +https://github.com/canonical/cloud-init/pull/4747/commits/adce34bfd214e4eecdf87329486f30f0898dd303 + +This patch has limited risk as it narrowly only restores the old status +code for recoverable errors and does not modify anything else. 
+ +X-downstream-only: true +Signed-off-by: Ani Sinha + +Patch-name: ci-Retain-exit-code-in-cloud-init-status-for-recoverabl.patch +Patch-id: 12 +Patch-present-in-specfile: True +(cherry picked from commit 424eb97cff0bd97967c82214308693481f17a50a) +--- + cloudinit/cmd/status.py | 2 +- + tests/unittests/cmd/test_status.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/cloudinit/cmd/status.py b/cloudinit/cmd/status.py +index 98084a492..0dfb9b2f7 100644 +--- a/cloudinit/cmd/status.py ++++ b/cloudinit/cmd/status.py +@@ -251,7 +251,7 @@ def handle_status_args(name, args) -> int: + return 1 + # Recoverable error + elif details.condition_status == ConditionStatus.DEGRADED: +- return 2 ++ return 0 + return 0 + + +diff --git a/tests/unittests/cmd/test_status.py b/tests/unittests/cmd/test_status.py +index 022e4034c..da41fa98f 100644 +--- a/tests/unittests/cmd/test_status.py ++++ b/tests/unittests/cmd/test_status.py +@@ -664,7 +664,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin + }, + None, + MyArgs(long=False, wait=False, format="json"), +- 2, ++ 0, + { + "boot_status_code": "enabled-by-kernel-command-line", + "datasource": "nocloud", diff --git a/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch b/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch new file mode 100644 index 0000000..c9622ea --- /dev/null +++ b/ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch 
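Review bot: With the DEGRADED branch now returning 0, the `elif details.condition_status == ConditionStatus.DEGRADED:` arm in handle_status_args returns exactly what the fall-through `return 0` below it returns, so the branch is dead code; if it is kept on purpose to minimise rebase conflicts, record that next to it: `# downstream (RHEL-28549): degraded is reported as 0 for script compatibility; recoverable errors are only visible in the status output`. The trade-off worth stating in the same comment is that the exit status no longer distinguishes a boot where a config module failed from a clean one, so anything that gates on `cloud-init status --wait` before trusting an instance must inspect the output (presumably the JSON `status`/`errors` fields still carry it — not shown in this hunk) rather than the return code. The only test pin is the `format="json"` case at line 664; the plain-text format path is left unasserted. handle_status_args begins outside the hunk.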
@@ -0,0 +1,177 @@ +From cce7faf49aeb3b53433b9b7bcc48ca2e7dbaee64 Mon Sep 17 00:00:00 2001 +From: Brett Holman +Date: Thu, 22 Aug 2024 16:54:53 -0600 +Subject: [PATCH 1/2] fix: Don't attempt to identify non-x86 OpenStack + instances + +RH-Author: Ani Sinha +RH-MergeRequest: 129: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances +RH-Jira: RHEL-100615 +RH-Acked-by: xiachen +RH-Acked-by: Miroslav Rezanina +RH-Commit: [1/2] 71a7a1b189d33ff43dc439ecf73c996a9cca3494 (anisinha/cloud-init) + +This causes cloud-init to attempt to reach out to the OpenStack Nova +datasource in non-Nova deployments on non-x86 architectures. + +Change default policy of ds-identify to disallow discovery of datasources +without strict identifiable artifacts in either kernel cmdline, DMI +platform information or system configuration files. This prevents +cloud-init from attempting to reach out to well-known hard-codded link-local +IP addresses for configuration information unless the platform strictly +identifies as a specific datasource. + +CVE-2024-6174 +LP: #2069607 +BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users + may wish to use ConfigDrive as a workaround. + +(cherry picked from commit 8c3ae1bb9f1d80fbf217b41a222ee434e7f58900) +Signed-off-by: Ani Sinha +--- + doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++ + tests/unittests/test_ds_identify.py | 13 ++++--- + tools/ds-identify | 8 ++--- + 3 files changed, 59 insertions(+), 11 deletions(-) + +diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst +index ce54e1c95..cd425a304 100644 +--- a/doc/rtd/reference/breaking_changes.rst ++++ b/doc/rtd/reference/breaking_changes.rst +@@ -11,6 +11,54 @@ releases. + many operating system vendors patch out breaking changes in + cloud-init to ensure consistent behavior on their platform. 
+ ++25.1.3 ++====== ++ ++Strict datasource identity before network ++----------------------------------------- ++Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86 ++architectures where DMI may not be accessible. ++ ++Datasource detection provided by ds-identify in cloud-init now requires strict ++identification based on DMI platform information, kernel command line or ++`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d. ++ ++Prior to this change, ds-identify would allow non-x86 architectures without ++strict identifying platform information to run in a discovery mode which would ++attempt to reach out to well known static link-local IPs to attempt to ++retrieve configuration once system networking is up. ++ ++To mitigate the potential of a bad-actor in a local network responding ++to such provisioning requests from cloud-init clients, ds-identify will no ++longer allow this late discovery mode for platforms unable to expose clear ++identifying characteristics of a known cloud-init datasource. ++ ++The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for ++non-x86 architectures where DMI data is not exposed by the kernel. ++ ++If your non-x86 architecture or images no longer detect the proper datasource, ++any of the following steps can ensure proper detection of cloud-init config: ++ ++- Provide kernel commandline containing ``ds=`` ++ which forces ds-identify to discover a specific datasource. ++- Image creators: provide a config file part such as ++ :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the ++ case-sensitive ``datasource_list: [ ]`` to force cloud-init ++ to use a specific datasource without performing discovery. 
++ ++For example, to force OpenStack discovery in cloud-init any of the following ++approaches work: ++ ++- OpenStack: `attach a ConfigDrive`_ as an alternative config source ++- Kernel command line containing ``ds=openstack`` ++- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg` ++ containing: ++ ++.. code-block:: yaml ++ ++ datasource_list: [ OpenStack ] ++ ++ + 24.3 + ==== + +@@ -148,5 +196,6 @@ Workarounds include updating the kernel command line and optionally configuring + a ``datasource_list`` in ``/etc/cloud/cloud.cfg.d/*.cfg``. + + ++.. _attach a ConfigDrive: https://docs.openstack.org/nova/2024.1/admin/config-drive.html + .. _this patch: https://github.com/canonical/cloud-init/blob/ubuntu/noble/debian/patches/no-single-process.patch + .. _Python3 equivalent: https://github.com/canonical/cloud-init/pull/5489#issuecomment-2408210561 +diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py +index 5d47e552b..9b3828ce6 100644 +--- a/tests/unittests/test_ds_identify.py ++++ b/tests/unittests/test_ds_identify.py +@@ -208,9 +208,9 @@ system_info: + """ + + POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled" +-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled" +-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled" +-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled" ++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled" ++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled" ++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled" + DI_EC2_STRICT_ID_DEFAULT = "true" + OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1" + +@@ -937,7 +937,7 @@ class TestDsIdentify(DsIdentifyBase): + self._test_ds_found("OpenStack-AssetTag-Compute") + + def test_openstack_on_non_intel_is_maybe(self): +- """On non-Intel, openstack without dmi info is maybe. 
++ """On non-Intel, openstack without dmi info is none. + + nova does not identify itself on platforms other than intel. + https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova""" +@@ -957,10 +957,9 @@ class TestDsIdentify(DsIdentifyBase): + + # updating the uname to ppc64 though should get a maybe. + data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]}) +- (_, _, err, _, _) = self._check_via_dict( +- data, RC_FOUND, dslist=["OpenStack", "None"] +- ) ++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND) + self.assertIn("check for 'OpenStack' returned maybe", err) ++ self.assertIn("No ds found", err) + + def test_default_ovf_is_found(self): + """OVF is identified found when ovf/ovf-env.xml seed file exists.""" +diff --git a/tools/ds-identify b/tools/ds-identify +index e00b05e80..5644b1e39 100755 +--- a/tools/ds-identify ++++ b/tools/ds-identify +@@ -14,7 +14,7 @@ + # The format is: + # ,found=value,maybe=value,notfound=value + # default setting is: +-# search,found=all,maybe=all,notfound=disabled ++# search,found=all,maybe=none,notfound=disabled + # + # kernel command line option: ci.di.policy= + # example line in /etc/cloud/ds-identify.cfg: +@@ -40,7 +40,7 @@ + # first: use the first found do no further checking + # all: enable all DS_FOUND + # +-# maybe: (default=all) ++# maybe: (default=none) + # if nothing returned 'found', then how to handle maybe. + # no network sources are allowed to return 'maybe'. + # all: enable all DS_MAYBE +@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main} + + DI_BLKID_EXPORT_OUT="" + DI_GEOM_LABEL_STATUS_OUT="" +-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}" +-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}" ++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}" ++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}" + DI_DMI_BOARD_NAME="" + DI_DMI_CHASSIS_ASSET_TAG="" + DI_DMI_PRODUCT_NAME="" +-- +2.39.3 + 
diff --git a/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch b/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
new file mode 100644
index 0000000..097b9cd
--- /dev/null
+++ b/ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
@@ -0,0 +1,90 @@ +From 9c2c1169ba2d11b22ff054583583cd4298a5ba81 Mon Sep 17 00:00:00 2001 +From: Chad Smith +Date: Tue, 24 Jun 2025 09:12:52 -0600 +Subject: [PATCH 2/2] fix: strict disable in ds-identify on no datasources + found + +RH-Author: Ani Sinha +RH-MergeRequest: 129: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances +RH-Jira: RHEL-100615 +RH-Acked-by: xiachen +RH-Acked-by: Miroslav Rezanina +RH-Commit: [2/2] f941ad029982aa5b1aecd569380ae47a6d727d9b (anisinha/cloud-init) + +Take the CVE-2024-6174 strict detection fix one step further. + +Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery. +But, if no datasources are met the DS_FOUND conditions, ds-identify was +still leaving cloud-init enabled. This resulted in cloud-init python +code attempting to discover all datasources later in boot based on +the default datasource_list. + +ds-identify will now assert that at least one datasource is found. If +no datasources, ds-identify will exit 1 which disables cloud-init boot +stages and results in no boot configuration operations from cloud-init. 
+ +OpenStack images which cannot identify a valid datasource with DMI-data +or kernel command line ci.ds=OpenStack parameter will need to either: +- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set + datasource_list: [ OpenStack ] +- provide --config-drive true to openstack server create +- attach a nocloud disk labelled CIDATA containing user-data and + meta-data files + +CVE-2024-6174 +LP: #2069607 + +(cherry picked from commit e3f42adc2674a38fb29e414cfbf96f884934b2d2) +Signed-off-by: Ani Sinha +--- + tests/unittests/test_ds_identify.py | 6 ++++-- + tools/ds-identify | 2 +- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py +index 9b3828ce6..2d6306c2f 100644 +--- a/tests/unittests/test_ds_identify.py ++++ b/tests/unittests/test_ds_identify.py +@@ -210,7 +210,7 @@ system_info: + POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled" + POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled" + DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled" +-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled" ++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled" + DI_EC2_STRICT_ID_DEFAULT = "true" + OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1" + +@@ -947,7 +947,7 @@ class TestDsIdentify(DsIdentifyBase): + data.update( + { + "policy_dmi": POLICY_FOUND_OR_MAYBE, +- "policy_no_dmi": POLICY_FOUND_OR_MAYBE, ++ "policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI, + } + ) + +@@ -960,6 +960,8 @@ class TestDsIdentify(DsIdentifyBase): + (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND) + self.assertIn("check for 'OpenStack' returned maybe", err) + self.assertIn("No ds found", err) ++ self.assertIn("Disabled cloud-init", err) ++ self.assertIn("returning 1", err) + + def test_default_ovf_is_found(self): + """OVF is identified found when ovf/ovf-env.xml seed file 
exists.""" +diff --git a/tools/ds-identify b/tools/ds-identify +index 5644b1e39..9bd9c9bbb 100755 +--- a/tools/ds-identify ++++ b/tools/ds-identify +@@ -101,7 +101,7 @@ DI_MAIN=${DI_MAIN:-main} + DI_BLKID_EXPORT_OUT="" + DI_GEOM_LABEL_STATUS_OUT="" + DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}" +-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}" ++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}" + DI_DMI_BOARD_NAME="" + DI_DMI_CHASSIS_ASSET_TAG="" + DI_DMI_PRODUCT_NAME="" +-- +2.39.3 + diff --git a/cloud-init.spec b/cloud-init.spec index df14346..d7ec486 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 24.4 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Cloud instance init scripts License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -25,6 +25,11 @@ Patch9: ci-net-sysconfig-do-not-remove-all-existing-settings-of.patch Patch10: ci-fix-NM-reload-and-bring-up-individual-network-conns-.patch # For RHEL-88658 - Cloud-Init Backport Optimization Features on Alibaba Cloud Patch11: ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch +# For RHEL-100615 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7] +Patch12: ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch +# For RHEL-100615 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7] +Patch13: ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch +Patch14: 0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch BuildArch: noarch 
@@ -239,6 +244,15 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Thu Jul 03 2025 Miroslav Rezanina - 24.4-7 +- ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100615] +- ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100615] +- Fix missing patch [RHEL-101692] +- Resolves: RHEL-100615 + (CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7]) +- Resolves: RHEL-101692 + (c9s dist-git missing patch "downstream: Retain exit code in cloud-init status for recoverable errors") + * Wed May 14 2025 Jon Maloy - 24.4-6 - ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch [RHEL-88658] - Resolves: RHEL-88658