* Thu Jul 03 2025 Miroslav Rezanina <mrezanin@redhat.com> - 24.4-7

- ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100615]
- ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100615]
- Fix missing patch [RHEL-101692]
- Resolves: RHEL-100615
  (CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7])
- Resolves: RHEL-101692
  (c9s dist-git missing patch "downstream: Retain exit code in cloud-init status for recoverable errors")
This commit is contained in:
Miroslav Rezanina 2025-07-03 02:35:52 -04:00
parent 3bfe89a0bc
commit dde7ba5961
4 changed files with 350 additions and 1 deletions

@ -0,0 +1,68 @@
From d211a3a03b548a759c4a64e63044b2ea034f2999 Mon Sep 17 00:00:00 2001
From: Ani Sinha <anisinha@redhat.com>
Date: Tue, 12 Mar 2024 12:52:10 +0530
Subject: [PATCH] downstream: Retain exit code in cloud-init status for
recoverable errors
RH-Author: Ani Sinha <None>
RH-MergeRequest: 71: Retain exit code in cloud-init status for recoverable errors
RH-Jira: RHEL-28549
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-Acked-by: Cathy Avery <cavery@redhat.com>
RH-Commit: [1/1] 00934ade88c481c012bc1947fa44e5ed59f82858 (anisinha/cloud-init)
Version 23.4 of cloud-init changed the status code reported by cloud-init for
recoverable errors from 0 to 2. Please see the commit
70acb7f2a30d58 ("Add support for cloud-init "degraded" state (#4500)")
This change has the potential to break customers who are expecting a 0 status
and where warnings can be expected. Hence, revert the status code from 2 to 0
even in case of recoverable errors. This retains the old behavior and hence
avoids breaking scripts and software stack that expects 0 on the end user side.
Cannonical has made a similar change downstream for similar reasons. Please see
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2048522
and the corresponding downstream patch:
https://github.com/canonical/cloud-init/pull/4747/commits/adce34bfd214e4eecdf87329486f30f0898dd303
This patch has limited risk as it narrowly only restores the old status
code for recoverable errors and does not modify anything else.
X-downstream-only: true
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Patch-name: ci-Retain-exit-code-in-cloud-init-status-for-recoverabl.patch
Patch-id: 12
Patch-present-in-specfile: True
(cherry picked from commit 424eb97cff0bd97967c82214308693481f17a50a)
---
cloudinit/cmd/status.py | 2 +-
tests/unittests/cmd/test_status.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloudinit/cmd/status.py b/cloudinit/cmd/status.py
index 98084a492..0dfb9b2f7 100644
--- a/cloudinit/cmd/status.py
+++ b/cloudinit/cmd/status.py
@@ -251,7 +251,7 @@ def handle_status_args(name, args) -> int:
return 1
# Recoverable error
elif details.condition_status == ConditionStatus.DEGRADED:
- return 2
+ return 0
return 0
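Review bot: the `elif details.condition_status == ConditionStatus.DEGRADED:` branch now returns the same `0` as the unconditional `return 0` on the line after it, so the branch is functionally dead and nothing in the code says why it is kept. Since the header marks this `X-downstream-only: true`, add a one-line comment above the changed `return 0` recording that upstream returns 2 here and that RHEL intentionally keeps 0 for recoverable errors (RHEL-28549), so a future rebase neither drops the branch as dead code nor silently re-imports the upstream value. Consumers that need to tell degraded from healthy can no longer do so from the exit code and must read the status output instead; that trade-off is worth stating in the same comment.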
diff --git a/tests/unittests/cmd/test_status.py b/tests/unittests/cmd/test_status.py
index 022e4034c..da41fa98f 100644
--- a/tests/unittests/cmd/test_status.py
+++ b/tests/unittests/cmd/test_status.py
@@ -664,7 +664,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
},
None,
MyArgs(long=False, wait=False, format="json"),
- 2,
+ 0,
{
"boot_status_code": "enabled-by-kernel-command-line",
"datasource": "nocloud",
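Review bot: changing the expected return value to `0` makes this case indistinguishable by exit code from a fully successful run, so the test no longer proves that the DEGRADED path is reached at all. The expected JSON dict that follows (`"boot_status_code"`, `"datasource"` and the rest) is now the only thing pinning down the degraded state; consider adding a case that asserts on the field in that dict which carries the condition status, since the exit code is `0` either way after this change.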

@ -0,0 +1,177 @@
From cce7faf49aeb3b53433b9b7bcc48ca2e7dbaee64 Mon Sep 17 00:00:00 2001
From: Brett Holman <brett.holman@canonical.com>
Date: Thu, 22 Aug 2024 16:54:53 -0600
Subject: [PATCH 1/2] fix: Don't attempt to identify non-x86 OpenStack
instances
RH-Author: Ani Sinha <anisinha@redhat.com>
RH-MergeRequest: 129: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
RH-Jira: RHEL-100615
RH-Acked-by: xiachen <xiachen@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [1/2] 71a7a1b189d33ff43dc439ecf73c996a9cca3494 (anisinha/cloud-init)
This causes cloud-init to attempt to reach out to the OpenStack Nova
datasource in non-Nova deployments on non-x86 architectures.
Change default policy of ds-identify to disallow discovery of datasources
without strict identifiable artifacts in either kernel cmdline, DMI
platform information or system configuration files. This prevents
cloud-init from attempting to reach out to well-known hard-codded link-local
IP addresses for configuration information unless the platform strictly
identifies as a specific datasource.
CVE-2024-6174
LP: #2069607
BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users
may wish to use ConfigDrive as a workaround.
(cherry picked from commit 8c3ae1bb9f1d80fbf217b41a222ee434e7f58900)
Signed-off-by: Ani Sinha <anisinha@redhat.com>
---
doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++
tests/unittests/test_ds_identify.py | 13 ++++---
tools/ds-identify | 8 ++---
3 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst
index ce54e1c95..cd425a304 100644
--- a/doc/rtd/reference/breaking_changes.rst
+++ b/doc/rtd/reference/breaking_changes.rst
@@ -11,6 +11,54 @@ releases.
many operating system vendors patch out breaking changes in
cloud-init to ensure consistent behavior on their platform.
+25.1.3
+======
+
+Strict datasource identity before network
+-----------------------------------------
+Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86
+architectures where DMI may not be accessible.
+
+Datasource detection provided by ds-identify in cloud-init now requires strict
+identification based on DMI platform information, kernel command line or
+`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d.
+
+Prior to this change, ds-identify would allow non-x86 architectures without
+strict identifying platform information to run in a discovery mode which would
+attempt to reach out to well known static link-local IPs to attempt to
+retrieve configuration once system networking is up.
+
+To mitigate the potential of a bad-actor in a local network responding
+to such provisioning requests from cloud-init clients, ds-identify will no
+longer allow this late discovery mode for platforms unable to expose clear
+identifying characteristics of a known cloud-init datasource.
+
+The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for
+non-x86 architectures where DMI data is not exposed by the kernel.
+
+If your non-x86 architecture or images no longer detect the proper datasource,
+any of the following steps can ensure proper detection of cloud-init config:
+
+- Provide kernel commandline containing ``ds=<lowercase_datasource_name>``
+ which forces ds-identify to discover a specific datasource.
+- Image creators: provide a config file part such as
+ :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the
+ case-sensitive ``datasource_list: [ <datasource_name> ]`` to force cloud-init
+ to use a specific datasource without performing discovery.
+
+For example, to force OpenStack discovery in cloud-init any of the following
+approaches work:
+
+- OpenStack: `attach a ConfigDrive`_ as an alternative config source
+- Kernel command line containing ``ds=openstack``
+- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg`
+ containing:
+
+.. code-block:: yaml
+
+ datasource_list: [ OpenStack ]
+
+
24.3
====
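Review bot: the new section is headed `25.1.3`, the upstream release the note was written for, but this backport ships in the 24.4-7 package, so a RHEL reader of the rendered docs will find a breaking-change note filed under a version they do not have. Either retitle the heading for the downstream release or add a sentence saying the change is applied in this package regardless of the upstream version. Also, this text tells users to pass `ds=openstack` on the kernel command line while patch 2/2 in the same series refers to `ci.ds=OpenStack`; pick one spelling for the shipped docs so the workaround is not ambiguous.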
@@ -148,5 +196,6 @@ Workarounds include updating the kernel command line and optionally configuring
a ``datasource_list`` in ``/etc/cloud/cloud.cfg.d/*.cfg``.
+.. _attach a ConfigDrive: https://docs.openstack.org/nova/2024.1/admin/config-drive.html
.. _this patch: https://github.com/canonical/cloud-init/blob/ubuntu/noble/debian/patches/no-single-process.patch
.. _Python3 equivalent: https://github.com/canonical/cloud-init/pull/5489#issuecomment-2408210561
diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
index 5d47e552b..9b3828ce6 100644
--- a/tests/unittests/test_ds_identify.py
+++ b/tests/unittests/test_ds_identify.py
@@ -208,9 +208,9 @@ system_info:
"""
POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
+POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
+DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
DI_EC2_STRICT_ID_DEFAULT = "true"
OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
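Review bot: after this change `POLICY_FOUND_OR_MAYBE` is byte-for-byte the same string as `POLICY_FOUND_ONLY` (`search,found=all,maybe=none,notfound=disabled`), so its name describes a policy it no longer expresses. Either keep a real `maybe=all` value under that name for tests that deliberately exercise the old permissive policy, or rename it, so a reader does not assume a test passing `policy_dmi: POLICY_FOUND_OR_MAYBE` is checking maybe handling.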
@@ -937,7 +937,7 @@ class TestDsIdentify(DsIdentifyBase):
self._test_ds_found("OpenStack-AssetTag-Compute")
def test_openstack_on_non_intel_is_maybe(self):
- """On non-Intel, openstack without dmi info is maybe.
+ """On non-Intel, openstack without dmi info is none.
nova does not identify itself on platforms other than intel.
https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
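Review bot: the docstring is updated to say the result is `none`, but the method is still named `test_openstack_on_non_intel_is_maybe`, which now contradicts the behaviour it verifies. Rename it so the test name matches the strict policy; the following hunk still asserts that the OpenStack check itself returns `maybe`, so the docstring could also say that `maybe` is reported but no longer accepted.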
@@ -957,10 +957,9 @@ class TestDsIdentify(DsIdentifyBase):
# updating the uname to ppc64 though should get a maybe.
data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
- (_, _, err, _, _) = self._check_via_dict(
- data, RC_FOUND, dslist=["OpenStack", "None"]
- )
+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
self.assertIn("check for 'OpenStack' returned maybe", err)
+ self.assertIn("No ds found", err)
def test_default_ovf_is_found(self):
"""OVF is identified found when ovf/ovf-env.xml seed file exists."""
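Review bot: the comment `# updating the uname to ppc64 though should get a maybe.` at the top of this hunk is now stale: the call below expects `RC_NOT_FOUND` and asserts `"No ds found"`, so the ppc64 case should be described as still returning `maybe` from the OpenStack check but no longer being selected. Update the comment to match, and state that the old `dslist=["OpenStack", "None"]` expectation was removed on purpose, since that selection is exactly the behaviour the CVE fix is meant to prevent.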
diff --git a/tools/ds-identify b/tools/ds-identify
index e00b05e80..5644b1e39 100755
--- a/tools/ds-identify
+++ b/tools/ds-identify
@@ -14,7 +14,7 @@
# The format is:
# <mode>,found=value,maybe=value,notfound=value
# default setting is:
-# search,found=all,maybe=all,notfound=disabled
+# search,found=all,maybe=none,notfound=disabled
#
# kernel command line option: ci.di.policy=<policy>
# example line in /etc/cloud/ds-identify.cfg:
@@ -40,7 +40,7 @@
# first: use the first found do no further checking
# all: enable all DS_FOUND
#
-# maybe: (default=all)
+# maybe: (default=none)
# if nothing returned 'found', then how to handle maybe.
# no network sources are allowed to return 'maybe'.
# all: enable all DS_MAYBE
@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main}
DI_BLKID_EXPORT_OUT=""
DI_GEOM_LABEL_STATUS_OUT=""
-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
+DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
DI_DMI_BOARD_NAME=""
DI_DMI_CHASSIS_ASSET_TAG=""
DI_DMI_PRODUCT_NAME=""
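Review bot: `DI_DEFAULT_POLICY_NO_DMI` keeps `notfound=${DI_ENABLED}` in this hunk, so on a platform without DMI where no datasource reaches `found`, ds-identify still leaves cloud-init enabled and the later Python-side discovery over the default `datasource_list` runs anyway, which is the same network reach-out the `maybe=none` change is meant to stop. Patch 2/2 in this series changes that value to `${DI_DISABLED}`; if the two patches are always applied together that is fine, but this patch on its own should not be described as closing the issue for no-DMI platforms.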
--
2.39.3

@ -0,0 +1,90 @@
From 9c2c1169ba2d11b22ff054583583cd4298a5ba81 Mon Sep 17 00:00:00 2001
From: Chad Smith <chad.smith@canonical.com>
Date: Tue, 24 Jun 2025 09:12:52 -0600
Subject: [PATCH 2/2] fix: strict disable in ds-identify on no datasources
found
RH-Author: Ani Sinha <anisinha@redhat.com>
RH-MergeRequest: 129: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
RH-Jira: RHEL-100615
RH-Acked-by: xiachen <xiachen@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [2/2] f941ad029982aa5b1aecd569380ae47a6d727d9b (anisinha/cloud-init)
Take the CVE-2024-6174 strict detection fix one step further.
Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery.
But, if no datasources are met the DS_FOUND conditions, ds-identify was
still leaving cloud-init enabled. This resulted in cloud-init python
code attempting to discover all datasources later in boot based on
the default datasource_list.
ds-identify will now assert that at least one datasource is found. If
no datasources, ds-identify will exit 1 which disables cloud-init boot
stages and results in no boot configuration operations from cloud-init.
OpenStack images which cannot identify a valid datasource with DMI-data
or kernel command line ci.ds=OpenStack parameter will need to either:
- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set
datasource_list: [ OpenStack ]
- provide --config-drive true to openstack server create
- attach a nocloud disk labelled CIDATA containing user-data and
meta-data files
CVE-2024-6174
LP: #2069607
(cherry picked from commit e3f42adc2674a38fb29e414cfbf96f884934b2d2)
Signed-off-by: Ani Sinha <anisinha@redhat.com>
---
tests/unittests/test_ds_identify.py | 6 ++++--
tools/ds-identify | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
index 9b3828ce6..2d6306c2f 100644
--- a/tests/unittests/test_ds_identify.py
+++ b/tests/unittests/test_ds_identify.py
@@ -210,7 +210,7 @@ system_info:
POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled"
DI_EC2_STRICT_ID_DEFAULT = "true"
OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
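Review bot: with this change all four policy constants in the test module (`POLICY_FOUND_ONLY`, `POLICY_FOUND_OR_MAYBE`, `DI_DEFAULT_POLICY`, `DI_DEFAULT_POLICY_NO_DMI`) hold the identical string, so a test that sets `policy_dmi` and `policy_no_dmi` to different names is no longer exercising different policies. Collapse them to one constant plus explicitly non-default variants for the tests that need them, or add a comment saying the four are intentionally equal now.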
@@ -947,7 +947,7 @@ class TestDsIdentify(DsIdentifyBase):
data.update(
{
"policy_dmi": POLICY_FOUND_OR_MAYBE,
- "policy_no_dmi": POLICY_FOUND_OR_MAYBE,
+ "policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI,
}
)
@@ -960,6 +960,8 @@ class TestDsIdentify(DsIdentifyBase):
(_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
self.assertIn("check for 'OpenStack' returned maybe", err)
self.assertIn("No ds found", err)
+ self.assertIn("Disabled cloud-init", err)
+ self.assertIn("returning 1", err)
def test_default_ovf_is_found(self):
"""OVF is identified found when ovf/ovf-env.xml seed file exists."""
diff --git a/tools/ds-identify b/tools/ds-identify
index 5644b1e39..9bd9c9bbb 100755
--- a/tools/ds-identify
+++ b/tools/ds-identify
@@ -101,7 +101,7 @@ DI_MAIN=${DI_MAIN:-main}
DI_BLKID_EXPORT_OUT=""
DI_GEOM_LABEL_STATUS_OUT=""
DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}"
DI_DMI_BOARD_NAME=""
DI_DMI_CHASSIS_ASSET_TAG=""
DI_DMI_PRODUCT_NAME=""
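Review bot: `DI_DEFAULT_POLICY_NO_DMI` is now identical to `DI_DEFAULT_POLICY`, which makes the breaking-change text added in patch 1/2 (`breaking_changes.rst`) incomplete: it says the late discovery mode is no longer allowed, but after this hunk a no-DMI platform with no found datasource has cloud-init disabled outright (ds-identify exits 1, as the new test asserts with `returning 1`), a stronger effect than the doc describes. Update the doc in this series to say cloud-init will be disabled rather than merely skipping discovery, and list the three recovery options from this commit message (image `datasource_list`, config drive, NoCloud `CIDATA` disk). The header comment near the top of the file documents only the DMI default; one line stating that the no-DMI default is now the same would save a reader from hunting for the variable.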
--
2.39.3

@ -1,6 +1,6 @@
Name: cloud-init Name: cloud-init
Version: 24.4 Version: 24.4
Release: 6%{?dist} Release: 7%{?dist}
Summary: Cloud instance init scripts Summary: Cloud instance init scripts
License: ASL 2.0 or GPLv3 License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init URL: http://launchpad.net/cloud-init
@ -25,6 +25,11 @@ Patch9: ci-net-sysconfig-do-not-remove-all-existing-settings-of.patch
Patch10: ci-fix-NM-reload-and-bring-up-individual-network-conns-.patch Patch10: ci-fix-NM-reload-and-bring-up-individual-network-conns-.patch
# For RHEL-88658 - Cloud-Init Backport Optimization Features on Alibaba Cloud # For RHEL-88658 - Cloud-Init Backport Optimization Features on Alibaba Cloud
Patch11: ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch Patch11: ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch
# For RHEL-100615 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7]
Patch12: ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch
# For RHEL-100615 - CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7]
Patch13: ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch
Patch14: 0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch
BuildArch: noarch BuildArch: noarch
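Review bot: `Patch14` points at `0003-downstream-Retain-exit-code-in-cloud-init-status-for.patch`, but the patch added in this commit carries `Patch-name: ci-Retain-exit-code-in-cloud-init-status-for-recoverabl.patch` and every other entry here (`Patch9` through `Patch13`) uses the `ci-` naming; confirm the spec file name matches the file actually committed, otherwise the build fails on a missing source. That same patch header says `Patch-id: 12`, which collides with the `Patch12` number now used for the CVE fix; update it to 14 so the two records agree. Finally, `Patch14` is the only entry without a `# For RHEL-... - ...` comment above it; add `# For RHEL-101692` to match the convention of the surrounding lines.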
@ -239,6 +244,15 @@ fi
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
%changelog %changelog
* Thu Jul 03 2025 Miroslav Rezanina <mrezanin@redhat.com> - 24.4-7
- ci-fix-Don-t-attempt-to-identify-non-x86-OpenStack-inst.patch [RHEL-100615]
- ci-fix-strict-disable-in-ds-identify-on-no-datasources-.patch [RHEL-100615]
- Fix missing patch [RHEL-101692]
- Resolves: RHEL-100615
(CVE-2024-6174 cloud-init: From CVEorg collector [rhel-9.7])
- Resolves: RHEL-101692
(c9s dist-git missing patch "downstream: Retain exit code in cloud-init status for recoverable errors")
* Wed May 14 2025 Jon Maloy <jmaloy@redhat.com> - 24.4-6 * Wed May 14 2025 Jon Maloy <jmaloy@redhat.com> - 24.4-6
- ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch [RHEL-88658] - ci-feat-aliyun-datasource-support-crawl-metadata-at-onc.patch [RHEL-88658]
- Resolves: RHEL-88658 - Resolves: RHEL-88658