No commits in common. 'c8' and 'c9s' have entirely different histories.
@ -1 +0,0 @@
|
||||
830185bb5ce87ad86e4d1c0c62329bb255ec1648 SOURCES/cloud-init-22.1.tar.gz
|
@ -1 +1,3 @@
|
||||
SOURCES/cloud-init-22.1.tar.gz
|
||||
*.rpm
|
||||
*.tar.gz
|
||||
results_cloud-init
|
||||
|
@ -0,0 +1,61 @@
|
||||
From c4d66915520554adedff9be7396f877cd1a5525c Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Mon, 6 Mar 2023 16:37:20 +0100
|
||||
Subject: [PATCH] Add initial redhat changes
|
||||
|
||||
Adding minimal set of changes necessary for successful build of the package
|
||||
on RHEL/CentOS 9 Stream koji.
|
||||
|
||||
Merged patches (23.1.1):
|
||||
724a80ac Add TargetRelease
|
||||
967a4405b rhel/cloud.cfg: remove ssh_genkeytypes in settings.py and set in cloud.cfg
|
||||
^ Merged since it removes hunks added in this commit itself
|
||||
|
||||
Discarded because not needed anymore (packit):
|
||||
e3fd7ce12 Configure Packit to ignore the .gitignore file
|
||||
e18654e9 Fixes for packit support
|
||||
|
||||
Discarded because file does not exist anymore and templates are aligned with upstream:
|
||||
3576b12460bf18557857ee25df6bf530dab66612 Adding _netdev to the default mount configuration
|
||||
8092b57ab245856ff1fdde1469960608a489c95e Remove rhel specific files
|
||||
|
||||
Added the following entry to %files to keep track of the new README file in config/clean.d/README
|
||||
%doc %{_sysconfdir}/cloud/clean.d/README
|
||||
|
||||
ignored
|
||||
c75e509b0 Revert "Revert "Setting highest autoconnect priority for network-scripts""
|
||||
0eba5c619 Revert "Setting highest autoconnect priority for network-scripts"
|
||||
|
||||
ignored
|
||||
ba19343c0d9807d0c68a2d8e4ab274f3ca884247 Add Gitlab CI
|
||||
fe09305a5479a4814d6c46df07a906bafa29d637 Delete .gitlab-ci.yml
|
||||
|
||||
Conflicts:
|
||||
missing rhel/ static files and "" instead of '' in setup.py
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
---
|
||||
cloudinit/settings.py | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
|
||||
index 8684d003..edbb217d 100644
|
||||
--- a/cloudinit/settings.py
|
||||
+++ b/cloudinit/settings.py
|
||||
@@ -53,13 +53,14 @@ CFG_BUILTIN = {
|
||||
],
|
||||
"def_log_file": "/var/log/cloud-init.log",
|
||||
"log_cfgs": [],
|
||||
- "syslog_fix_perms": ["syslog:adm", "root:adm", "root:wheel", "root:root"],
|
||||
+ "mount_default_fields": [None, None, "auto", "defaults,nofail", "0", "2"],
|
||||
+ "syslog_fix_perms": [],
|
||||
"system_info": {
|
||||
"paths": {
|
||||
"cloud_dir": "/var/lib/cloud",
|
||||
"templates_dir": "/etc/cloud/templates/",
|
||||
},
|
||||
- "distro": "ubuntu",
|
||||
+ "distro": "rhel",
|
||||
"network": {"renderers": None},
|
||||
},
|
||||
"vendor_data": {"enabled": True, "prefix": []},
|
@ -0,0 +1,42 @@
|
||||
From c589da20eb92231ef08e10c9724e3e6c663e6ce2 Mon Sep 17 00:00:00 2001
|
||||
From: Eduardo Otubo <otubo@redhat.com>
|
||||
Date: Thu, 17 Feb 2022 15:32:35 +0100
|
||||
Subject: [PATCH] Setting highest autoconnect priority for network-scripts
|
||||
|
||||
RH-Author: Eduardo Otubo <otubo@redhat.com>
|
||||
RH-MergeRequest: 22: Setting highest autoconnect priority for network-scripts
|
||||
RH-Commit: [1/1] 34f1d62f8934a983a124df95b861a1e448681d3b (otubo/cloud-init-src)
|
||||
RH-Bugzilla: 2036060
|
||||
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
|
||||
Set the highest autoconnect priority for network-scripts, which are
loaded by the NetworkManager ifcfg-rh plugin. Note that keyfile is the only
and default existing plugin on RHEL9; by setting the highest autoconnect
priority for network-scripts, NetworkManager will activate the
network-scripts profile instead of the keyfile one. Network-scripts path:
|
||||
|
||||
Since this is a blocking issue, we decided to have this one-liner
|
||||
downstream-only patch so we can move forward and have a better
|
||||
NetworkManager support later on the release.
|
||||
|
||||
rhbz: 2036060
|
||||
x-downstream-only: yes
|
||||
|
||||
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
||||
---
|
||||
cloudinit/net/sysconfig.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
||||
index a7dbe55b..4262cd48 100644
|
||||
--- a/cloudinit/net/sysconfig.py
|
||||
+++ b/cloudinit/net/sysconfig.py
|
||||
@@ -317,6 +317,7 @@ class Renderer(renderer.Renderer):
|
||||
"ONBOOT": True,
|
||||
"USERCTL": False,
|
||||
"BOOTPROTO": "none",
|
||||
+ "AUTOCONNECT_PRIORITY": 999
|
||||
},
|
||||
"suse": {"BOOTPROTO": "static", "STARTMODE": "auto"},
|
||||
}
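Review bot: The bare `999` at L310 is a magic number with no comment, and because it sits in the rhel flavor template it lands on every ifcfg file cloud-init renders on RHEL, not only the boot-time profile the commit message is worried about; a comment such as `# 999: highest autoconnect-priority, so ifcfg-rh profiles written here win over keyfile ones (downstream-only, rhbz 2036060)` keeps that intent visible in the code rather than only in the patch header. A trailing comma, `"AUTOCONNECT_PRIORITY": 999,`, would match the neighbouring entries and keep the next addition to this dict a one-line diff. The enclosing per-flavor templates dict starts outside the hunk.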
|
@ -0,0 +1,92 @@
|
||||
From ecae81f98ce230266eb99671b74534a4ede660f0 Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Fri, 10 Mar 2023 11:51:48 +0100
|
||||
Subject: [PATCH] Manual revert "Use Network-Manager and Netplan as default
|
||||
renderers for RHEL and Fedora (#1465)"
|
||||
|
||||
This reverts changes done in commit 7703aa98b.
|
||||
Done by hand because the doc file affected by that commit has changed.
|
||||
|
||||
X-downstream-only: true
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
---
|
||||
cloudinit/net/renderers.py | 1 -
|
||||
config/cloud.cfg.tmpl | 3 ---
|
||||
doc/rtd/reference/network-config.rst | 16 ++--------------
|
||||
3 files changed, 2 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/net/renderers.py b/cloudinit/net/renderers.py
|
||||
index fcf7feba..b241683f 100644
|
||||
--- a/cloudinit/net/renderers.py
|
||||
+++ b/cloudinit/net/renderers.py
|
||||
@@ -30,7 +30,6 @@ DEFAULT_PRIORITY = [
|
||||
"eni",
|
||||
"sysconfig",
|
||||
"netplan",
|
||||
- "network-manager",
|
||||
"freebsd",
|
||||
"netbsd",
|
||||
"openbsd",
|
||||
diff --git a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl
|
||||
index 7238c102..12f32c51 100644
|
||||
--- a/config/cloud.cfg.tmpl
|
||||
+++ b/config/cloud.cfg.tmpl
|
||||
@@ -381,9 +381,6 @@ system_info:
|
||||
{% elif variant in ["dragonfly"] %}
|
||||
network:
|
||||
renderers: ['freebsd']
|
||||
-{% elif variant in ["fedora"] or is_rhel %}
|
||||
- network:
|
||||
- renderers: ['netplan', 'network-manager', 'networkd', 'sysconfig', 'eni']
|
||||
{% elif variant == "openmandriva" %}
|
||||
network:
|
||||
renderers: ['network-manager', 'networkd']
|
||||
diff --git a/doc/rtd/reference/network-config.rst b/doc/rtd/reference/network-config.rst
|
||||
index ea331f1c..bc52afa5 100644
|
||||
--- a/doc/rtd/reference/network-config.rst
|
||||
+++ b/doc/rtd/reference/network-config.rst
|
||||
@@ -176,16 +176,6 @@ this state, ``cloud-init`` delegates rendering of the configuration to
|
||||
distro-supported formats. The following ``renderers`` are supported in
|
||||
``cloud-init``:
|
||||
|
||||
-NetworkManager
|
||||
---------------
|
||||
-
|
||||
-`NetworkManager`_ is the standard Linux network configuration tool suite. It
|
||||
-supports a wide range of networking setups. Configuration is typically stored
|
||||
-in :file:`/etc/NetworkManager`.
|
||||
-
|
||||
-It is the default for a number of Linux distributions; notably Fedora,
|
||||
-CentOS/RHEL, and their derivatives.
|
||||
-
|
||||
ENI
|
||||
---
|
||||
|
||||
@@ -223,7 +213,6 @@ preference) is as follows:
|
||||
- ENI
|
||||
- Sysconfig
|
||||
- Netplan
|
||||
-- NetworkManager
|
||||
- FreeBSD
|
||||
- NetBSD
|
||||
- OpenBSD
|
||||
@@ -234,7 +223,6 @@ preference) is as follows:
|
||||
|
||||
- **ENI**: using ``ifup``, ``ifdown`` to manage device setup/teardown
|
||||
- **Netplan**: using ``netplan apply`` to manage device setup/teardown
|
||||
-- **NetworkManager**: using ``nmcli`` to manage device setup/teardown
|
||||
- **Networkd**: using ``ip`` to manage device setup/teardown
|
||||
|
||||
When applying the policy, ``cloud-init`` checks if the current instance has the
|
||||
@@ -244,8 +232,8 @@ supplying an updated configuration in cloud-config. ::
|
||||
|
||||
system_info:
|
||||
network:
|
||||
- renderers: ['netplan', 'network-manager', 'eni', 'sysconfig', 'freebsd', 'netbsd', 'openbsd']
|
||||
- activators: ['eni', 'netplan', 'network-manager', 'networkd']
|
||||
+ renderers: ['netplan', 'eni', 'sysconfig', 'freebsd', 'netbsd', 'openbsd']
|
||||
+ activators: ['eni', 'netplan', 'networkd']
|
||||
|
||||
Network configuration tools
|
||||
===========================
|
@ -0,0 +1,54 @@
|
||||
From ac0cf308318d423162ce3b7be32dcbf88f20ff50 Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Tue, 4 Apr 2023 19:59:07 +0530
|
||||
Subject: [PATCH] rhel: make sure previous-hostname file ends with a new line
|
||||
(#2108)
|
||||
|
||||
cloud-init strips new line from "/etc/hostname" on rhel distro when processing
|
||||
"/var/lib/cloud/data/previous-hostname". Although this does not pose a serious
|
||||
issue, it is still better if the behavior matches other distros like
Ubuntu, where previous-hostname does end with a newline. Fix this by
using the hostname parser in rhel, as debian already does.
|
||||
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
(cherry picked from commit 6d42aa8e2c1a5454a658ab4e2b9cead2677c77cd)
|
||||
---
|
||||
cloudinit/distros/rhel.py | 5 ++++-
|
||||
tools/.github-cla-signers | 1 +
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cloudinit/distros/rhel.py b/cloudinit/distros/rhel.py
|
||||
index df7dc3d6..9625709e 100644
|
||||
--- a/cloudinit/distros/rhel.py
|
||||
+++ b/cloudinit/distros/rhel.py
|
||||
@@ -13,6 +13,7 @@ from cloudinit import distros, helpers
|
||||
from cloudinit import log as logging
|
||||
from cloudinit import subp, util
|
||||
from cloudinit.distros import rhel_util
|
||||
+from cloudinit.distros.parsers.hostname import HostnameConf
|
||||
from cloudinit.settings import PER_INSTANCE
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@@ -111,7 +112,9 @@ class Distro(distros.Distro):
|
||||
# systemd will never update previous-hostname for us, so
|
||||
# we need to do it ourselves
|
||||
if self.uses_systemd() and filename.endswith("/previous-hostname"):
|
||||
- util.write_file(filename, hostname)
|
||||
+ conf = HostnameConf("")
|
||||
+ conf.set_hostname(hostname)
|
||||
+ util.write_file(filename, str(conf), 0o644)
|
||||
elif self.uses_systemd():
|
||||
subp.subp(["hostnamectl", "set-hostname", str(hostname)])
|
||||
else:
|
||||
diff --git a/tools/.github-cla-signers b/tools/.github-cla-signers
|
||||
index d8cca015..457dacf4 100644
|
||||
--- a/tools/.github-cla-signers
|
||||
+++ b/tools/.github-cla-signers
|
||||
@@ -9,6 +9,7 @@ andgein
|
||||
andrew-lee-metaswitch
|
||||
andrewbogott
|
||||
andrewlukoshko
|
||||
+ani-sinha
|
||||
antonyc
|
||||
aswinrajamannar
|
||||
beantaxi
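Review bot: The switch to `HostnameConf` at L698-L704 is the whole point of the change but carries no comment, so the next reader will see a parser used to emit a single line and wonder why; `# Go through HostnameConf so previous-hostname ends with a newline, as the debian distro does` on the line above `conf = HostnameConf("")` would suffice. The explicit `0o644` is also new relative to the two-argument `write_file` call it replaces; if write_file's default mode differs (I cannot see it here) that is a behavioral change worth a word in the same comment. The enclosing method starts before the hunk.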
|
@ -0,0 +1,121 @@
|
||||
From 34ef256dc614c7dcf5b04a431d410030e333d82b Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
Date: Mon, 17 Apr 2023 10:20:16 +0200
|
||||
Subject: [PATCH] Don't change permissions of netrules target (#2076)
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182948
|
||||
|
||||
commit 56c88cafd1b3606e814069a79f4ec265fc427c87
|
||||
Author: James Falcon <james.falcon@canonical.com>
|
||||
Date: Thu Mar 23 10:21:56 2023 -0500
|
||||
|
||||
Don't change permissions of netrules target (#2076)
|
||||
|
||||
Set permissions if file doesn't exist. Leave them if it does.
|
||||
|
||||
LP: #2011783
|
||||
|
||||
Co-authored-by: Chad Smith <chad.smith@canonical.com>
|
||||
|
||||
Conflicts:
|
||||
cloudinit/net/sysconfig.py: enable_ifcfg_rh missing upstream
|
||||
|
||||
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||
---
|
||||
cloudinit/net/eni.py | 4 +++-
|
||||
cloudinit/net/sysconfig.py | 7 ++++++-
|
||||
tests/unittests/distros/test_netconfig.py | 20 ++++++++++++++++++--
|
||||
3 files changed, 27 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/net/eni.py b/cloudinit/net/eni.py
|
||||
index 53bd35ca..1de3bec2 100644
|
||||
--- a/cloudinit/net/eni.py
|
||||
+++ b/cloudinit/net/eni.py
|
||||
@@ -576,7 +576,9 @@ class Renderer(renderer.Renderer):
|
||||
netrules = subp.target_path(target, self.netrules_path)
|
||||
util.ensure_dir(os.path.dirname(netrules))
|
||||
util.write_file(
|
||||
- netrules, self._render_persistent_net(network_state)
|
||||
+ netrules,
|
||||
+ content=self._render_persistent_net(network_state),
|
||||
+ preserve_mode=True,
|
||||
)
|
||||
|
||||
|
||||
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
||||
index 765c248a..e08c0c69 100644
|
||||
--- a/cloudinit/net/sysconfig.py
|
||||
+++ b/cloudinit/net/sysconfig.py
|
||||
@@ -1034,7 +1034,12 @@ class Renderer(renderer.Renderer):
|
||||
if self.netrules_path:
|
||||
netrules_content = self._render_persistent_net(network_state)
|
||||
netrules_path = subp.target_path(target, self.netrules_path)
|
||||
- util.write_file(netrules_path, netrules_content, file_mode)
|
||||
+ util.write_file(
|
||||
+ netrules_path,
|
||||
+ content=netrules_content,
|
||||
+ mode=file_mode,
|
||||
+ preserve_mode=True,
|
||||
+ )
|
||||
if available_nm(target=target):
|
||||
enable_ifcfg_rh(subp.target_path(target, path=NM_CFG_FILE))
|
||||
|
||||
diff --git a/tests/unittests/distros/test_netconfig.py b/tests/unittests/distros/test_netconfig.py
|
||||
index e9fb0591..b1c89ce3 100644
|
||||
--- a/tests/unittests/distros/test_netconfig.py
|
||||
+++ b/tests/unittests/distros/test_netconfig.py
|
||||
@@ -458,8 +458,16 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
||||
def eni_path(self):
|
||||
return "/etc/network/interfaces.d/50-cloud-init.cfg"
|
||||
|
||||
+ def rules_path(self):
|
||||
+ return "/etc/udev/rules.d/70-persistent-net.rules"
|
||||
+
|
||||
def _apply_and_verify_eni(
|
||||
- self, apply_fn, config, expected_cfgs=None, bringup=False
|
||||
+ self,
|
||||
+ apply_fn,
|
||||
+ config,
|
||||
+ expected_cfgs=None,
|
||||
+ bringup=False,
|
||||
+ previous_files=(),
|
||||
):
|
||||
if not expected_cfgs:
|
||||
raise ValueError("expected_cfg must not be None")
|
||||
@@ -467,7 +475,11 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
||||
tmpd = None
|
||||
with mock.patch("cloudinit.net.eni.available") as m_avail:
|
||||
m_avail.return_value = True
|
||||
+ path_modes = {}
|
||||
with self.reRooted(tmpd) as tmpd:
|
||||
+ for previous_path, content, mode in previous_files:
|
||||
+ util.write_file(previous_path, content, mode=mode)
|
||||
+ path_modes[previous_path] = mode
|
||||
apply_fn(config, bringup)
|
||||
|
||||
results = dir2dict(tmpd)
|
||||
@@ -478,7 +490,9 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
||||
print(results[cfgpath])
|
||||
print("----------")
|
||||
self.assertEqual(expected, results[cfgpath])
|
||||
- self.assertEqual(0o644, get_mode(cfgpath, tmpd))
|
||||
+ self.assertEqual(
|
||||
+ path_modes.get(cfgpath, 0o644), get_mode(cfgpath, tmpd)
|
||||
+ )
|
||||
|
||||
def test_apply_network_config_and_bringup_filters_priority_eni_ub(self):
|
||||
"""Network activator search priority can be overridden from config."""
|
||||
@@ -527,11 +541,13 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
||||
def test_apply_network_config_eni_ub(self):
|
||||
expected_cfgs = {
|
||||
self.eni_path(): V1_NET_CFG_OUTPUT,
|
||||
+ self.rules_path(): "",
|
||||
}
|
||||
self._apply_and_verify_eni(
|
||||
self.distro.apply_network_config,
|
||||
V1_NET_CFG,
|
||||
expected_cfgs=expected_cfgs.copy(),
|
||||
+ previous_files=((self.rules_path(), "something", 0o660),),
|
||||
)
|
||||
|
||||
def test_apply_network_config_ipv6_ub(self):
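Review bot: `preserve_mode=True` at L914 keeps whatever mode an existing netrules file already has and nothing bounds it, so a pre-existing group- or world-writable `70-persistent-net.rules` stays writable after cloud-init rewrites it; since udev rules are parsed by root and can run programs, that is a mode worth refusing to inherit. The test at L1090 pins only the benign 0o660 case; consider clearing the write bits for group and other before reuse (a small stat-and-mask before the `write_file` call), or at least logging when the inherited mode is wider than `file_mode`. The same applies to the eni.py hunk at L859-L865, which passes no `mode=` at all. The enclosing render method starts outside the hunk.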
|
@ -0,0 +1,295 @@
|
||||
From d092efe0f437ad149f6d6e3a9f8b816c0f5c1c2a Mon Sep 17 00:00:00 2001
|
||||
From: James Falcon <james.falcon@canonical.com>
|
||||
Date: Wed, 26 Apr 2023 15:11:55 -0500
|
||||
Subject: [PATCH] Make user/vendor data sensitive and remove log permissions
|
||||
(#2144)
|
||||
|
||||
Because user data and vendor data may contain sensitive information,
|
||||
this commit ensures that any user data or vendor data written to
|
||||
instance-data.json gets redacted and is only available to root user.
|
||||
|
||||
Also, modify the permissions of cloud-init.log to be 640, so that
|
||||
sensitive data leaked to the log isn't world readable.
|
||||
Additionally, remove the logging of user data and vendor data to
|
||||
cloud-init.log from the Vultr datasource.
|
||||
|
||||
LP: #2013967
|
||||
CVE: CVE-2023-1786
|
||||
(cherry picked from commit a378b7e4f47375458651c0972e7cd813f6fe0a6b)
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
---
|
||||
cloudinit/sources/DataSourceLXD.py | 9 ++++++---
|
||||
cloudinit/sources/DataSourceVultr.py | 14 ++++++--------
|
||||
cloudinit/sources/__init__.py | 28 +++++++++++++++++++++++++---
|
||||
cloudinit/stages.py | 4 +++-
|
||||
tests/unittests/sources/test_init.py | 27 ++++++++++++++++++++++++++-
|
||||
tests/unittests/test_stages.py | 18 +++++++++++-------
|
||||
6 files changed, 77 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/sources/DataSourceLXD.py b/cloudinit/sources/DataSourceLXD.py
|
||||
index ab440cc8..e4cae91a 100644
|
||||
--- a/cloudinit/sources/DataSourceLXD.py
|
||||
+++ b/cloudinit/sources/DataSourceLXD.py
|
||||
@@ -14,7 +14,7 @@ import stat
|
||||
import time
|
||||
from enum import Flag, auto
|
||||
from json.decoder import JSONDecodeError
|
||||
-from typing import Any, Dict, List, Optional, Union, cast
|
||||
+from typing import Any, Dict, List, Optional, Tuple, Union, cast
|
||||
|
||||
import requests
|
||||
from requests.adapters import HTTPAdapter
|
||||
@@ -168,11 +168,14 @@ class DataSourceLXD(sources.DataSource):
|
||||
_network_config: Union[Dict, str] = sources.UNSET
|
||||
_crawled_metadata: Union[Dict, str] = sources.UNSET
|
||||
|
||||
- sensitive_metadata_keys = (
|
||||
- "merged_cfg",
|
||||
+ sensitive_metadata_keys: Tuple[
|
||||
+ str, ...
|
||||
+ ] = sources.DataSource.sensitive_metadata_keys + (
|
||||
"user.meta-data",
|
||||
"user.vendor-data",
|
||||
"user.user-data",
|
||||
+ "cloud-init.user-data",
|
||||
+ "cloud-init.vendor-data",
|
||||
)
|
||||
|
||||
skip_hotplug_detect = True
|
||||
diff --git a/cloudinit/sources/DataSourceVultr.py b/cloudinit/sources/DataSourceVultr.py
|
||||
index 9d7c84fb..660e9f14 100644
|
||||
--- a/cloudinit/sources/DataSourceVultr.py
|
||||
+++ b/cloudinit/sources/DataSourceVultr.py
|
||||
@@ -5,6 +5,8 @@
|
||||
# Vultr Metadata API:
|
||||
# https://www.vultr.com/metadata/
|
||||
|
||||
+from typing import Tuple
|
||||
+
|
||||
import cloudinit.sources.helpers.vultr as vultr
|
||||
from cloudinit import log as log
|
||||
from cloudinit import sources, util, version
|
||||
@@ -28,6 +30,10 @@ class DataSourceVultr(sources.DataSource):
|
||||
|
||||
dsname = "Vultr"
|
||||
|
||||
+ sensitive_metadata_keys: Tuple[
|
||||
+ str, ...
|
||||
+ ] = sources.DataSource.sensitive_metadata_keys + ("startup-script",)
|
||||
+
|
||||
def __init__(self, sys_cfg, distro, paths):
|
||||
super(DataSourceVultr, self).__init__(sys_cfg, distro, paths)
|
||||
self.ds_cfg = util.mergemanydict(
|
||||
@@ -54,13 +60,8 @@ class DataSourceVultr(sources.DataSource):
|
||||
self.get_datasource_data(self.metadata)
|
||||
|
||||
# Dump some data so diagnosing failures is manageable
|
||||
- LOG.debug("Vultr Vendor Config:")
|
||||
- LOG.debug(util.json_dumps(self.metadata["vendor-data"]))
|
||||
LOG.debug("SUBID: %s", self.metadata["instance-id"])
|
||||
LOG.debug("Hostname: %s", self.metadata["local-hostname"])
|
||||
- if self.userdata_raw is not None:
|
||||
- LOG.debug("User-Data:")
|
||||
- LOG.debug(self.userdata_raw)
|
||||
|
||||
return True
|
||||
|
||||
@@ -146,7 +147,4 @@ if __name__ == "__main__":
|
||||
config = md["vendor-data"]
|
||||
sysinfo = vultr.get_sysinfo()
|
||||
|
||||
- print(util.json_dumps(sysinfo))
|
||||
- print(util.json_dumps(config))
|
||||
-
|
||||
# vi: ts=4 expandtab
|
||||
diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
|
||||
index 565e1754..5c6ae8b1 100644
|
||||
--- a/cloudinit/sources/__init__.py
|
||||
+++ b/cloudinit/sources/__init__.py
|
||||
@@ -110,7 +110,10 @@ def process_instance_metadata(metadata, key_path="", sensitive_keys=()):
|
||||
sub_key_path = key_path + "/" + key
|
||||
else:
|
||||
sub_key_path = key
|
||||
- if key in sensitive_keys or sub_key_path in sensitive_keys:
|
||||
+ if (
|
||||
+ key.lower() in sensitive_keys
|
||||
+ or sub_key_path.lower() in sensitive_keys
|
||||
+ ):
|
||||
sens_keys.append(sub_key_path)
|
||||
if isinstance(val, str) and val.startswith("ci-b64:"):
|
||||
base64_encoded_keys.append(sub_key_path)
|
||||
@@ -132,6 +135,12 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
|
||||
|
||||
Replace any keys values listed in 'sensitive_keys' with redact_value.
|
||||
"""
|
||||
+ # While 'sensitive_keys' should already sanitized to only include what
|
||||
+ # is in metadata, it is possible keys will overlap. For example, if
|
||||
+ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that
|
||||
+ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata"
|
||||
+ # no longer represents a valid key.
|
||||
+ # Thus, we still need to do membership checks in this function.
|
||||
if not metadata.get("sensitive_keys", []):
|
||||
return metadata
|
||||
md_copy = copy.deepcopy(metadata)
|
||||
@@ -139,9 +148,14 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
|
||||
path_parts = key_path.split("/")
|
||||
obj = md_copy
|
||||
for path in path_parts:
|
||||
- if isinstance(obj[path], dict) and path != path_parts[-1]:
|
||||
+ if (
|
||||
+ path in obj
|
||||
+ and isinstance(obj[path], dict)
|
||||
+ and path != path_parts[-1]
|
||||
+ ):
|
||||
obj = obj[path]
|
||||
- obj[path] = redact_value
|
||||
+ if path in obj:
|
||||
+ obj[path] = redact_value
|
||||
return md_copy
|
||||
|
||||
|
||||
@@ -249,6 +263,14 @@ class DataSource(CloudInitPickleMixin, metaclass=abc.ABCMeta):
|
||||
sensitive_metadata_keys: Tuple[str, ...] = (
|
||||
"merged_cfg",
|
||||
"security-credentials",
|
||||
+ "userdata",
|
||||
+ "user-data",
|
||||
+ "user_data",
|
||||
+ "vendordata",
|
||||
+ "vendor-data",
|
||||
+ # Provide ds/vendor_data to avoid redacting top-level
|
||||
+ # "vendor_data": {enabled: True}
|
||||
+ "ds/vendor_data",
|
||||
)
|
||||
|
||||
# True on datasources that may not see hotplugged devices reflected
|
||||
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
|
||||
index a624a6fb..1326d205 100644
|
||||
--- a/cloudinit/stages.py
|
||||
+++ b/cloudinit/stages.py
|
||||
@@ -204,7 +204,9 @@ class Init:
|
||||
log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
|
||||
log_file_mode = util.get_cfg_option_int(self.cfg, "def_log_file_mode")
|
||||
if log_file:
|
||||
- util.ensure_file(log_file, mode=0o640, preserve_mode=True)
|
||||
+ # At this point the log file should have already been created
|
||||
+ # in the setupLogging function of log.py
|
||||
+ util.ensure_file(log_file, mode=0o640, preserve_mode=False)
|
||||
perms = self.cfg.get("syslog_fix_perms")
|
||||
if not perms:
|
||||
perms = {}
|
||||
diff --git a/tests/unittests/sources/test_init.py b/tests/unittests/sources/test_init.py
|
||||
index 0447e02c..eb27198f 100644
|
||||
--- a/tests/unittests/sources/test_init.py
|
||||
+++ b/tests/unittests/sources/test_init.py
|
||||
@@ -458,12 +458,24 @@ class TestDataSource(CiTestCase):
|
||||
"cred2": "othersekret",
|
||||
}
|
||||
},
|
||||
+ "someother": {
|
||||
+ "nested": {
|
||||
+ "userData": "HIDE ME",
|
||||
+ }
|
||||
+ },
|
||||
+ "VENDOR-DAta": "HIDE ME TOO",
|
||||
},
|
||||
)
|
||||
self.assertCountEqual(
|
||||
(
|
||||
"merged_cfg",
|
||||
"security-credentials",
|
||||
+ "userdata",
|
||||
+ "user-data",
|
||||
+ "user_data",
|
||||
+ "vendordata",
|
||||
+ "vendor-data",
|
||||
+ "ds/vendor_data",
|
||||
),
|
||||
datasource.sensitive_metadata_keys,
|
||||
)
|
||||
@@ -490,7 +502,9 @@ class TestDataSource(CiTestCase):
|
||||
"base64_encoded_keys": [],
|
||||
"merged_cfg": REDACT_SENSITIVE_VALUE,
|
||||
"sensitive_keys": [
|
||||
+ "ds/meta_data/VENDOR-DAta",
|
||||
"ds/meta_data/some/security-credentials",
|
||||
+ "ds/meta_data/someother/nested/userData",
|
||||
"merged_cfg",
|
||||
],
|
||||
"sys_info": sys_info,
|
||||
@@ -500,6 +514,7 @@ class TestDataSource(CiTestCase):
|
||||
"availability_zone": "myaz",
|
||||
"cloud-name": "subclasscloudname",
|
||||
"cloud_name": "subclasscloudname",
|
||||
+ "cloud_id": "subclasscloudname",
|
||||
"distro": "ubuntu",
|
||||
"distro_release": "focal",
|
||||
"distro_version": "20.04",
|
||||
@@ -522,14 +537,18 @@ class TestDataSource(CiTestCase):
|
||||
"ds": {
|
||||
"_doc": EXPERIMENTAL_TEXT,
|
||||
"meta_data": {
|
||||
+ "VENDOR-DAta": REDACT_SENSITIVE_VALUE,
|
||||
"availability_zone": "myaz",
|
||||
"local-hostname": "test-subclass-hostname",
|
||||
"region": "myregion",
|
||||
"some": {"security-credentials": REDACT_SENSITIVE_VALUE},
|
||||
+ "someother": {
|
||||
+ "nested": {"userData": REDACT_SENSITIVE_VALUE}
|
||||
+ },
|
||||
},
|
||||
},
|
||||
}
|
||||
- self.assertCountEqual(expected, redacted)
|
||||
+ self.assertEqual(expected, redacted)
|
||||
file_stat = os.stat(json_file)
|
||||
self.assertEqual(0o644, stat.S_IMODE(file_stat.st_mode))
|
||||
|
||||
@@ -574,6 +593,12 @@ class TestDataSource(CiTestCase):
|
||||
(
|
||||
"merged_cfg",
|
||||
"security-credentials",
|
||||
+ "userdata",
|
||||
+ "user-data",
|
||||
+ "user_data",
|
||||
+ "vendordata",
|
||||
+ "vendor-data",
|
||||
+ "ds/vendor_data",
|
||||
),
|
||||
datasource.sensitive_metadata_keys,
|
||||
)
|
||||
diff --git a/tests/unittests/test_stages.py b/tests/unittests/test_stages.py
|
||||
index 15a7e973..a61f9df9 100644
|
||||
--- a/tests/unittests/test_stages.py
|
||||
+++ b/tests/unittests/test_stages.py
|
||||
@@ -606,19 +606,23 @@ class TestInit_InitializeFilesystem:
|
||||
# Assert we create it 0o640 by default if it doesn't already exist
|
||||
assert 0o640 == stat.S_IMODE(log_file.stat().mode)
|
||||
|
||||
- def test_existing_file_permissions_are_not_modified(self, init, tmpdir):
|
||||
- """If the log file already exists, we should not modify its permissions
|
||||
+ def test_existing_file_permissions(self, init, tmpdir):
|
||||
+ """Test file permissions are set as expected.
|
||||
+
|
||||
+ CIS Hardening requires 640 permissions. These permissions are
|
||||
+ currently hardcoded on every boot, but if there's ever a reason
|
||||
+ to change this, we need to then ensure that they
|
||||
+ are *not* set every boot.
|
||||
|
||||
See https://bugs.launchpad.net/cloud-init/+bug/1900837.
|
||||
"""
|
||||
- # Use a mode that will never be made the default so this test will
|
||||
- # always be valid
|
||||
- mode = 0o606
|
||||
log_file = tmpdir.join("cloud-init.log")
|
||||
log_file.ensure()
|
||||
- log_file.chmod(mode)
|
||||
+ # Use a mode that will never be made the default so this test will
|
||||
+ # always be valid
|
||||
+ log_file.chmod(0o606)
|
||||
init._cfg = {"def_log_file": str(log_file)}
|
||||
|
||||
init._initialize_filesystem()
|
||||
|
||||
- assert mode == stat.S_IMODE(log_file.stat().mode)
|
||||
+ assert 0o640 == stat.S_IMODE(log_file.stat().mode)
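Review bot: The path walk in `redact_sensitive_keys` at L1496-L1526 does not stop when a component cannot be followed: for `merged_cfg/ds/userdata` after `merged_cfg` has already been replaced by the redact string, the walk stays at the top level, then descends into the unrelated top-level `ds` dict on the next component and finally redacts `ds/userdata` there, a key that was never listed (the rendering has dropped indentation, so I read the final `if path in obj` as sitting after the loop, as in the original). That fails closed, but it still clobbers values outside the requested path; breaking out as soon as the path diverges keeps the new membership guard and makes the comment at L1460-L1475 accurate. The stages.py hunk in the same patch reads `def_log_file_mode` at L1598 and then hardcodes `0o640` at L1613, so a configured mode is presumably overridden every boot; that deserves a sentence in the comment added there.
```python
        path_parts = key_path.split("/")
        obj = md_copy
        for path in path_parts[:-1]:
            child = obj.get(path)
            if not isinstance(child, dict):
                # Parent is gone or already redacted: never apply the
                # remaining components to an unrelated dict.
                obj = None
                break
            obj = child
        if obj is not None and path_parts[-1] in obj:
            obj[path_parts[-1]] = redact_value
```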
|
@ -0,0 +1,206 @@
|
||||
From 6bf6ceab79df97eb1c90b4df61f654bc0b2f598c Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Tue, 2 May 2023 20:35:45 +0530
|
||||
Subject: [PATCH] Do not generate dsa and ed25519 key types when crypto FIPS
|
||||
mode is enabled (#2142)
|
||||
|
||||
DSA and ED25519 key types are not supported when FIPS is enabled in crypto.
|
||||
Check if FIPS has been enabled on the system and if so, do not generate those
|
||||
key types. Presently the check is only available on Linux systems.
|
||||
|
||||
LP: 2017761
|
||||
RHBZ: 2187164
|
||||
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
(cherry picked from commit c53f04aeb2acf9526a2ebf3d3320f149ac46caa6)
|
||||
---
|
||||
cloudinit/config/cc_ssh.py | 21 +++++++++++++++-
|
||||
cloudinit/util.py | 12 +++++++++
|
||||
tests/unittests/config/test_cc_ssh.py | 36 +++++++++++++++++++++------
|
||||
tests/unittests/test_util.py | 25 +++++++++++++++++++
|
||||
4 files changed, 85 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
|
||||
index 1ec889f3..5578654a 100644
|
||||
--- a/cloudinit/config/cc_ssh.py
|
||||
+++ b/cloudinit/config/cc_ssh.py
|
||||
@@ -172,6 +172,8 @@ meta: MetaSchema = {
|
||||
__doc__ = get_meta_doc(meta)
|
||||
|
||||
GENERATE_KEY_NAMES = ["rsa", "dsa", "ecdsa", "ed25519"]
|
||||
+FIPS_UNSUPPORTED_KEY_NAMES = ["dsa", "ed25519"]
|
||||
+
|
||||
pattern_unsupported_config_keys = re.compile(
|
||||
"^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$"
|
||||
)
|
||||
@@ -259,9 +261,26 @@ def handle(
|
||||
genkeys = util.get_cfg_option_list(
|
||||
cfg, "ssh_genkeytypes", GENERATE_KEY_NAMES
|
||||
)
|
||||
+ # remove keys that are not supported in fips mode if its enabled
|
||||
+ key_names = (
|
||||
+ genkeys
|
||||
+ if not util.fips_enabled()
|
||||
+ else [
|
||||
+ names
|
||||
+ for names in genkeys
|
||||
+ if names not in FIPS_UNSUPPORTED_KEY_NAMES
|
||||
+ ]
|
||||
+ )
|
||||
+ skipped_keys = set(genkeys).difference(key_names)
|
||||
+ if skipped_keys:
|
||||
+ log.debug(
|
||||
+ "skipping keys that are not supported in fips mode: %s",
|
||||
+ ",".join(skipped_keys),
|
||||
+ )
|
||||
+
|
||||
lang_c = os.environ.copy()
|
||||
lang_c["LANG"] = "C"
|
||||
- for keytype in genkeys:
|
||||
+ for keytype in key_names:
|
||||
keyfile = KEY_FILE_TPL % (keytype)
|
||||
if os.path.exists(keyfile):
|
||||
continue
|
||||
diff --git a/cloudinit/util.py b/cloudinit/util.py
|
||||
index 8ba3e2b6..4a8e3d3b 100644
|
||||
--- a/cloudinit/util.py
|
||||
+++ b/cloudinit/util.py
|
||||
@@ -1577,6 +1577,18 @@ def get_cmdline():
|
||||
return _get_cmdline()
|
||||
|
||||
|
||||
+def fips_enabled() -> bool:
|
||||
+ fips_proc = "/proc/sys/crypto/fips_enabled"
|
||||
+ try:
|
||||
+ contents = load_file(fips_proc).strip()
|
||||
+ return contents == "1"
|
||||
+ except (IOError, OSError):
|
||||
+ # for BSD systems and Linux systems where the proc entry is not
|
||||
+ # available, we assume FIPS is disabled to retain the old behavior
|
||||
+ # for now.
|
||||
+ return False
|
||||
+
|
||||
+
|
||||
def pipe_in_out(in_fh, out_fh, chunk_size=1024, chunk_cb=None):
|
||||
bytes_piped = 0
|
||||
while True:
|
||||
diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
|
||||
index 66368d0f..72941a95 100644
|
||||
--- a/tests/unittests/config/test_cc_ssh.py
|
||||
+++ b/tests/unittests/config/test_cc_ssh.py
|
||||
@@ -101,11 +101,16 @@ class TestHandleSsh:
|
||||
expected_calls = [mock.call(set(keys), user)] + expected_calls
|
||||
assert expected_calls == m_setup_keys.call_args_list
|
||||
|
||||
+ @pytest.mark.parametrize("fips_enabled", (True, False))
|
||||
@mock.patch(MODPATH + "glob.glob")
|
||||
@mock.patch(MODPATH + "ug_util.normalize_users_groups")
|
||||
@mock.patch(MODPATH + "os.path.exists")
|
||||
- def test_handle_no_cfg(self, m_path_exists, m_nug, m_glob, m_setup_keys):
|
||||
+ @mock.patch(MODPATH + "util.fips_enabled")
|
||||
+ def test_handle_no_cfg(
|
||||
+ self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys, fips_enabled
|
||||
+ ):
|
||||
"""Test handle with no config ignores generating existing keyfiles."""
|
||||
+ m_fips.return_value = fips_enabled
|
||||
cfg = {}
|
||||
keys = ["key1"]
|
||||
m_glob.return_value = [] # Return no matching keys to prevent removal
|
||||
@@ -118,12 +123,22 @@ class TestHandleSsh:
|
||||
options = ssh_util.DISABLE_USER_OPTS.replace("$USER", "NONE")
|
||||
options = options.replace("$DISABLE_USER", "root")
|
||||
m_glob.assert_called_once_with("/etc/ssh/ssh_host_*key*")
|
||||
- assert [
|
||||
- mock.call("/etc/ssh/ssh_host_rsa_key"),
|
||||
- mock.call("/etc/ssh/ssh_host_dsa_key"),
|
||||
- mock.call("/etc/ssh/ssh_host_ecdsa_key"),
|
||||
- mock.call("/etc/ssh/ssh_host_ed25519_key"),
|
||||
- ] in m_path_exists.call_args_list
|
||||
+ m_fips.assert_called_once()
|
||||
+
|
||||
+ if not m_fips():
|
||||
+ expected_calls = [
|
||||
+ mock.call("/etc/ssh/ssh_host_rsa_key"),
|
||||
+ mock.call("/etc/ssh/ssh_host_dsa_key"),
|
||||
+ mock.call("/etc/ssh/ssh_host_ecdsa_key"),
|
||||
+ mock.call("/etc/ssh/ssh_host_ed25519_key"),
|
||||
+ ]
|
||||
+ else:
|
||||
+ # Enabled fips doesn't generate dsa or ed25519
|
||||
+ expected_calls = [
|
||||
+ mock.call("/etc/ssh/ssh_host_rsa_key"),
|
||||
+ mock.call("/etc/ssh/ssh_host_ecdsa_key"),
|
||||
+ ]
|
||||
+ assert expected_calls in m_path_exists.call_args_list
|
||||
assert [
|
||||
mock.call(set(keys), "root", options=options)
|
||||
] == m_setup_keys.call_args_list
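Review bot: `if not m_fips():` calls the mock a second time just to read back the parametrized value, so the branch is taken on a recorded call made after `m_fips.assert_called_once()` and the intent is hidden behind the mock; the test already receives `fips_enabled` as a parameter, so `if not fips_enabled:` is the direct form. The rsa and ecdsa entries are duplicated in both arms; building the list once and inserting the dsa/ed25519 calls only when `fips_enabled` is false would state the rule from the comment ("Enabled fips doesn't generate dsa or ed25519") in one place. The enclosing test method starts in the previous hunk.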
|
||||
@@ -131,8 +146,9 @@ class TestHandleSsh:
|
||||
@mock.patch(MODPATH + "glob.glob")
|
||||
@mock.patch(MODPATH + "ug_util.normalize_users_groups")
|
||||
@mock.patch(MODPATH + "os.path.exists")
|
||||
+ @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
|
||||
def test_dont_allow_public_ssh_keys(
|
||||
- self, m_path_exists, m_nug, m_glob, m_setup_keys
|
||||
+ self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys
|
||||
):
|
||||
"""Test allow_public_ssh_keys=False ignores ssh public keys from
|
||||
platform.
|
||||
@@ -176,8 +192,10 @@ class TestHandleSsh:
|
||||
@mock.patch(MODPATH + "glob.glob")
|
||||
@mock.patch(MODPATH + "ug_util.normalize_users_groups")
|
||||
@mock.patch(MODPATH + "os.path.exists")
|
||||
+ @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
|
||||
def test_handle_default_root(
|
||||
self,
|
||||
+ m_fips,
|
||||
m_path_exists,
|
||||
m_nug,
|
||||
m_glob,
|
||||
@@ -241,8 +259,10 @@ class TestHandleSsh:
|
||||
@mock.patch(MODPATH + "glob.glob")
|
||||
@mock.patch(MODPATH + "ug_util.normalize_users_groups")
|
||||
@mock.patch(MODPATH + "os.path.exists")
|
||||
+ @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
|
||||
def test_handle_publish_hostkeys(
|
||||
self,
|
||||
+ m_fips,
|
||||
m_path_exists,
|
||||
m_nug,
|
||||
m_glob,
|
||||
diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py
|
||||
index 07142a86..17182d06 100644
|
||||
--- a/tests/unittests/test_util.py
|
||||
+++ b/tests/unittests/test_util.py
|
||||
@@ -1945,6 +1945,31 @@ class TestGetCmdline(helpers.TestCase):
|
||||
self.assertEqual("abcd 123", ret)
|
||||
|
||||
|
||||
+class TestFipsEnabled:
|
||||
+ @pytest.mark.parametrize(
|
||||
+ "fips_enabled_content,expected",
|
||||
+ (
|
||||
+ pytest.param(None, False, id="false_when_no_fips_enabled_file"),
|
||||
+ pytest.param("0\n", False, id="false_when_fips_disabled"),
|
||||
+ pytest.param("1\n", True, id="true_when_fips_enabled"),
|
||||
+ pytest.param("1", True, id="true_when_fips_enabled_no_newline"),
|
||||
+ ),
|
||||
+ )
|
||||
+ @mock.patch(M_PATH + "load_file")
|
||||
+ def test_fips_enabled_based_on_proc_crypto(
|
||||
+ self, load_file, fips_enabled_content, expected, tmpdir
|
||||
+ ):
|
||||
+ def fake_load_file(path):
|
||||
+ assert path == "/proc/sys/crypto/fips_enabled"
|
||||
+ if fips_enabled_content is None:
|
||||
+ raise IOError("No file exists Bob")
|
||||
+ return fips_enabled_content
|
||||
+
|
||||
+ load_file.side_effect = fake_load_file
|
||||
+
|
||||
+ assert expected is util.fips_enabled()
|
||||
+
|
||||
+
|
||||
class TestLoadYaml(helpers.CiTestCase):
|
||||
mydefault = "7b03a8ebace993d806255121073fed52"
|
||||
with_logs = True
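Review bot: `tmpdir` is requested as a fixture by `test_fips_enabled_based_on_proc_crypto` but never used, since `load_file` is mocked; dropping it keeps the signature honest. The cases cover a missing file, `"0\n"`, `"1\n"` and `"1"`, but not the unreadable-file path that the production `except (IOError, OSError)` also swallows; a case such as `pytest.param(PermissionError, False, id="false_when_fips_file_unreadable")`, with `fake_load_file` raising the given exception class, would pin that the fail-open fallback is intentional rather than accidental.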
|
@ -0,0 +1,93 @@
|
||||
From 0b0632f6c084a8ce95b53cb5125dc0f4107e6968 Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Thu, 4 May 2023 15:34:43 +0530
|
||||
Subject: [PATCH] Revert "Manual revert "Use Network-Manager and Netplan as
|
||||
default renderers for RHEL and Fedora (#1465)""
|
||||
|
||||
This reverts commit ecae81f98ce230266eb99671b74534a4ede660f0.
|
||||
|
||||
This is patch 1 of the two patches that re-enables NM renderer. This change
|
||||
can be ignored while rebasing to latest upstream.
|
||||
|
||||
X-downstream-only: true
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
---
|
||||
cloudinit/net/renderers.py | 1 +
|
||||
config/cloud.cfg.tmpl | 3 +++
|
||||
doc/rtd/reference/network-config.rst | 16 ++++++++++++++--
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/net/renderers.py b/cloudinit/net/renderers.py
|
||||
index c92b9dcf..022ff938 100644
|
||||
--- a/cloudinit/net/renderers.py
|
||||
+++ b/cloudinit/net/renderers.py
|
||||
@@ -28,6 +28,7 @@ DEFAULT_PRIORITY = [
|
||||
"eni",
|
||||
"sysconfig",
|
||||
"netplan",
|
||||
+ "network-manager",
|
||||
"freebsd",
|
||||
"netbsd",
|
||||
"openbsd",
|
||||
diff --git a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl
|
||||
index 12f32c51..7238c102 100644
|
||||
--- a/config/cloud.cfg.tmpl
|
||||
+++ b/config/cloud.cfg.tmpl
|
||||
@@ -381,6 +381,9 @@ system_info:
|
||||
{% elif variant in ["dragonfly"] %}
|
||||
network:
|
||||
renderers: ['freebsd']
|
||||
+{% elif variant in ["fedora"] or is_rhel %}
|
||||
+ network:
|
||||
+ renderers: ['netplan', 'network-manager', 'networkd', 'sysconfig', 'eni']
|
||||
{% elif variant == "openmandriva" %}
|
||||
network:
|
||||
renderers: ['network-manager', 'networkd']
|
||||
diff --git a/doc/rtd/reference/network-config.rst b/doc/rtd/reference/network-config.rst
|
||||
index bc52afa5..ea331f1c 100644
|
||||
--- a/doc/rtd/reference/network-config.rst
|
||||
+++ b/doc/rtd/reference/network-config.rst
|
||||
@@ -176,6 +176,16 @@ this state, ``cloud-init`` delegates rendering of the configuration to
|
||||
distro-supported formats. The following ``renderers`` are supported in
|
||||
``cloud-init``:
|
||||
|
||||
+NetworkManager
|
||||
+--------------
|
||||
+
|
||||
+`NetworkManager`_ is the standard Linux network configuration tool suite. It
|
||||
+supports a wide range of networking setups. Configuration is typically stored
|
||||
+in :file:`/etc/NetworkManager`.
|
||||
+
|
||||
+It is the default for a number of Linux distributions; notably Fedora,
|
||||
+CentOS/RHEL, and their derivatives.
|
||||
+
|
||||
ENI
|
||||
---
|
||||
|
||||
@@ -213,6 +223,7 @@ preference) is as follows:
|
||||
- ENI
|
||||
- Sysconfig
|
||||
- Netplan
|
||||
+- NetworkManager
|
||||
- FreeBSD
|
||||
- NetBSD
|
||||
- OpenBSD
|
||||
@@ -223,6 +234,7 @@ preference) is as follows:
|
||||
|
||||
- **ENI**: using ``ifup``, ``ifdown`` to manage device setup/teardown
|
||||
- **Netplan**: using ``netplan apply`` to manage device setup/teardown
|
||||
+- **NetworkManager**: using ``nmcli`` to manage device setup/teardown
|
||||
- **Networkd**: using ``ip`` to manage device setup/teardown
|
||||
|
||||
When applying the policy, ``cloud-init`` checks if the current instance has the
|
||||
@@ -232,8 +244,8 @@ supplying an updated configuration in cloud-config. ::
|
||||
|
||||
system_info:
|
||||
network:
|
||||
- renderers: ['netplan', 'eni', 'sysconfig', 'freebsd', 'netbsd', 'openbsd']
|
||||
- activators: ['eni', 'netplan', 'networkd']
|
||||
+ renderers: ['netplan', 'network-manager', 'eni', 'sysconfig', 'freebsd', 'netbsd', 'openbsd']
|
||||
+ activators: ['eni', 'netplan', 'network-manager', 'networkd']
|
||||
|
||||
Network configuration tools
|
||||
===========================
|
@ -0,0 +1,33 @@
|
||||
From 0a2c6b6118ffaf29694b3a51aff3a33298419c50 Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Mon, 15 May 2023 19:15:12 +0530
|
||||
Subject: [PATCH] net/sysconfig: do not use the highest autoconnect priority
|
||||
|
||||
Using the highest priority is a very big hammer that we may not want to use. We
|
||||
may want users to override the cloud init generated ifcfg files for custom
|
||||
configuration of interfaces. If cloud init uses the highest priority, nothing
|
||||
can beat it. Hence lower the priority to 120 allowing values from 121 to 999
|
||||
to be used by users if they want to use a custom interface nm keyfile.
|
||||
|
||||
X-downstream-only: true
|
||||
|
||||
Suggested-by: thaller@redhat.com
|
||||
fixes: c589da20eb92231 ("Setting highest autoconnect priority for network-scripts")
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
---
|
||||
cloudinit/net/sysconfig.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
||||
index b8786fb7..1fe82412 100644
|
||||
--- a/cloudinit/net/sysconfig.py
|
||||
+++ b/cloudinit/net/sysconfig.py
|
||||
@@ -317,7 +317,7 @@ class Renderer(renderer.Renderer):
|
||||
"ONBOOT": True,
|
||||
"USERCTL": False,
|
||||
"BOOTPROTO": "none",
|
||||
- "AUTOCONNECT_PRIORITY": 999
|
||||
+ "AUTOCONNECT_PRIORITY": 120,
|
||||
},
|
||||
"suse": {"BOOTPROTO": "static", "STARTMODE": "auto"},
|
||||
}
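Review bot: `120` is now a bare literal whose rationale — leaving 121–999 free for user-supplied profiles that must override the cloud-init-generated one — lives only in the commit message, where the next reader of this dict will not find it. A module-level constant with the reason next to it, e.g. `# Leave 121-999 for user profiles that should take precedence over cloud-init's` above `AUTOCONNECT_PRIORITY = 120`, and the dict entry using that name, keeps the policy with the code. The enclosing dict and class start outside the hunk.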
|
@ -0,0 +1,43 @@
|
||||
From 603ad38bca7735eeb72217b4f169a4b4c42ac092 Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Tue, 16 May 2023 16:08:21 +0530
|
||||
Subject: [PATCH] net/sysconfig: cosmetic - fix tox formatting
|
||||
|
||||
recommended cloud-init code formatting was not enforced with an older downstream
|
||||
only change. This change fixes the formatting issue so that tox -e do_format
|
||||
does not complain. Changes are cosmetic.
|
||||
|
||||
X-downstream-only: true
|
||||
|
||||
fixes: b3b96bff187e9d ("Do not write NM_CONTROLLED=no in generated interface config files")
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
---
|
||||
cloudinit/net/sysconfig.py | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
||||
index 1fe82412..fcce3e99 100644
|
||||
--- a/cloudinit/net/sysconfig.py
|
||||
+++ b/cloudinit/net/sysconfig.py
|
||||
@@ -1025,15 +1025,15 @@ class Renderer(renderer.Renderer):
|
||||
if sysconfig_path.endswith("network"):
|
||||
util.ensure_dir(os.path.dirname(sysconfig_path))
|
||||
netcfg = []
|
||||
- for line in util.load_file(sysconfig_path, quiet=True).split('\n'):
|
||||
- if 'cloud-init' in line:
|
||||
+ for line in util.load_file(sysconfig_path, quiet=True).split("\n"):
|
||||
+ if "cloud-init" in line:
|
||||
break
|
||||
- if not line.startswith(('NETWORKING=',
|
||||
- 'IPV6_AUTOCONF=',
|
||||
- 'NETWORKING_IPV6=')):
|
||||
+ if not line.startswith(
|
||||
+ ("NETWORKING=", "IPV6_AUTOCONF=", "NETWORKING_IPV6=")
|
||||
+ ):
|
||||
netcfg.append(line)
|
||||
# Now generate the cloud-init portion of sysconfig/network
|
||||
- netcfg.extend([_make_header(), 'NETWORKING=yes'])
|
||||
+ netcfg.extend([_make_header(), "NETWORKING=yes"])
|
||||
if network_state.use_ipv6:
|
||||
netcfg.append("NETWORKING_IPV6=yes")
|
||||
netcfg.append("IPV6_AUTOCONF=no")
|
@ -0,0 +1,49 @@
|
||||
From 58d7574bca2b00d05d090c180f1345a2408cc700 Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Mon, 22 May 2023 21:30:01 +0530
|
||||
Subject: [PATCH] nm: generate ipv6 stateful dhcp config at par with sysconfig
|
||||
(#4115)
|
||||
|
||||
The sysconfig renderer sets the following in the ifcfg file for IPV6 stateful
|
||||
DHCP configuration:
|
||||
|
||||
BOOTPROTO = "dhcp"
|
||||
DHCPV6C = True
|
||||
IPV6INIT = True
|
||||
IPV6_AUTOCONF = False
|
||||
|
||||
This should result in
|
||||
[ipv6]
|
||||
method=dhcp
|
||||
|
||||
in the network manager generated keyfile as DHCPV6C is set and
|
||||
IPV6_AUTOCONF is not set. Unfortunately the network manager renderer
|
||||
deviates from this and generates:
|
||||
[ipv6]
|
||||
method=auto
|
||||
|
||||
in its rendered keyfile. This change fixes this deviation and sets the
|
||||
IPV6 dhcp stateful configuration in alignment with what is generated by the
|
||||
sysconfig renderer.
|
||||
|
||||
RHBZ: 2207716
|
||||
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
(cherry picked from commit ea573ba6fc25fe49a6a1a322eeb5259b6238d78b)
|
||||
---
|
||||
cloudinit/net/network_manager.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cloudinit/net/network_manager.py b/cloudinit/net/network_manager.py
|
||||
index 53763d15..744c0cbb 100644
|
||||
--- a/cloudinit/net/network_manager.py
|
||||
+++ b/cloudinit/net/network_manager.py
|
||||
@@ -72,7 +72,7 @@ class NMConnection:
|
||||
"dhcp6": "auto",
|
||||
"ipv6_slaac": "auto",
|
||||
"ipv6_dhcpv6-stateless": "auto",
|
||||
- "ipv6_dhcpv6-stateful": "auto",
|
||||
+ "ipv6_dhcpv6-stateful": "dhcp",
|
||||
"dhcp4": "auto",
|
||||
"dhcp": "auto",
|
||||
}
|
@ -0,0 +1,31 @@
|
||||
From 018aa09f049791755dd746b533abb2464b08a92d Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Mon, 22 May 2023 21:33:53 +0530
|
||||
Subject: [PATCH] network_manager: add a method for ipv6 static IP
|
||||
configuration (#4127)
|
||||
|
||||
The static IP configuration for IPv6 in the method_map is missing for
|
||||
network manager renderer. This is causing cloud-init to generate a keyfile with
|
||||
IPv6 method as "auto" instead of "manual". This fixes this issue.
|
||||
|
||||
fixes: #4126
|
||||
RHBZ: 2196284
|
||||
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
(cherry picked from commit 5d440856cb6d2b4c908015fe4eb7227615c17c8b)
|
||||
---
|
||||
cloudinit/net/network_manager.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/cloudinit/net/network_manager.py b/cloudinit/net/network_manager.py
|
||||
index 744c0cbb..2752f52f 100644
|
||||
--- a/cloudinit/net/network_manager.py
|
||||
+++ b/cloudinit/net/network_manager.py
|
||||
@@ -69,6 +69,7 @@ class NMConnection:
|
||||
|
||||
method_map = {
|
||||
"static": "manual",
|
||||
+ "static6": "manual",
|
||||
"dhcp6": "auto",
|
||||
"ipv6_slaac": "auto",
|
||||
"ipv6_dhcpv6-stateless": "auto",
|
@ -0,0 +1,62 @@
|
||||
From 19adc5a0939fc1804b180333af5486e69d6af0ac Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Mon, 22 May 2023 22:06:28 +0530
|
||||
Subject: [PATCH] net/sysconfig: enable sysconfig renderer if network manager
|
||||
has ifcfg-rh plugin (#4132)
|
||||
|
||||
Some distributions like RHEL do not have ifup and ifdown
|
||||
scripts that traditionally handled ifcfg-eth* files. Instead RHEL
|
||||
uses network manager with ifcfg-rh plugin to handle ifcfg
|
||||
scripts. Therefore, the sysconfig should check for the
|
||||
existence of ifcfg-rh plugin in addition to checking for the
|
||||
existence of ifup and ifdown scripts in order to determine if it
|
||||
can handle ifcfg files. If either the plugin or ifup/ifdown scripts
|
||||
are present, sysconfig renderer can be enabled.
|
||||
|
||||
fixes: #4131
|
||||
RHBZ: 2194050
|
||||
|
||||
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||
(cherry picked from commit 009dbf85a72a9077b2267d377b2ff46639fb3def)
|
||||
---
|
||||
cloudinit/net/sysconfig.py | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
||||
index fcce3e99..f2c7c92c 100644
|
||||
--- a/cloudinit/net/sysconfig.py
|
||||
+++ b/cloudinit/net/sysconfig.py
|
||||
@@ -1,6 +1,7 @@
|
||||
# This file is part of cloud-init. See LICENSE file for license information.
|
||||
|
||||
import copy
|
||||
+import glob
|
||||
import io
|
||||
import os
|
||||
import re
|
||||
@@ -1059,7 +1060,25 @@ def _supported_vlan_names(rdev, vid):
|
||||
def available(target=None):
|
||||
if not util.system_info()["variant"] in KNOWN_DISTROS:
|
||||
return False
|
||||
+ if available_sysconfig(target):
|
||||
+ return True
|
||||
+ if available_nm_ifcfg_rh(target):
|
||||
+ return True
|
||||
+ return False
|
||||
+
|
||||
+
|
||||
+def available_nm_ifcfg_rh(target=None):
|
||||
+ # The ifcfg-rh plugin of NetworkManager is installed.
|
||||
+ # NetworkManager can handle the ifcfg files.
|
||||
+ return glob.glob(
|
||||
+ subp.target_path(
|
||||
+ target,
|
||||
+ "usr/lib*/NetworkManager/*/libnm-settings-plugin-ifcfg-rh.so",
|
||||
+ )
|
||||
+ )
|
||||
+
|
||||
|
||||
+def available_sysconfig(target=None):
|
||||
expected = ["ifup", "ifdown"]
|
||||
search = ["/sbin", "/usr/sbin"]
|
||||
for p in expected:
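Review bot: `available_nm_ifcfg_rh` returns the raw `glob.glob` list rather than a bool, so `available()` works only because it tests truthiness and the function's name promises more than its value; `return bool(glob.glob(...))` makes the contract match `available_sysconfig`. With both helpers boolean, the new body of `available()` collapses to `return available_sysconfig(target) or available_nm_ifcfg_rh(target)` after the existing variant check. Neither new helper has a docstring; the two comment lines in `available_nm_ifcfg_rh` would serve as one if they also said that only the presence of the plugin library under `target` is checked, not that NetworkManager is configured to load it. `available_sysconfig`'s body continues outside the hunk.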
|
@ -0,0 +1,401 @@
|
||||
From f0cf9e52fd084c23f0552456e3b780b5c9c3313a Mon Sep 17 00:00:00 2001
|
||||
From: Ani Sinha <anisinha@redhat.com>
|
||||
Date: Tue, 23 May 2023 20:38:31 +0530
|
||||
Subject: [PATCH] network-manager: Set higher autoconnect priority for nm
|
||||
keyfiles (#3671)
|
||||
|
||||
cloud init generated keyfiles by network manager renderer for network
|
||||
interfaces can sometimes conflict with existing keyfiles that are left as an
|
||||
artifact of an upgrade process or are old user generated keyfiles. When two
|
||||
such keyfiles are present, the existing keyfile can take precedence over the
|
||||
cloud init generated keyfile making the latter ineffective. Removing the old
|
||||
keyfile blindly by cloud init would also not be correct since there would be
|
||||
no way to enforce a different interface configuration if one needs it.
|
||||
|
||||
This change adds an autoconnect-priority value for cloud init generated keyfile
|
||||
so that the cloud init configuration takes precedence over the existing old
|
||||