From e6412be62079bbec5d67d178711ea42f21cafab8 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito
Date: Tue, 12 Oct 2021 16:35:00 +0200
Subject: [PATCH 1/2] Inhibit sshd-keygen@.service if cloud-init is active (#1028)
RH-Author: Emanuele Giuseppe Esposito
RH-MergeRequest: 11: Add drop-in to prevent race with sshd-keygen service
RH-Commit: [1/2] 77ba3f167e71c43847aa5b38e1833d84568ed5a7 (eesposit/cloud-init-centos-)
RH-Bugzilla: 2002492
RH-Acked-by: Eduardo Otubo
RH-Acked-by: Mohamed Gamal Morsy
TESTED: by me and QA
BREW: 40286693
commit 02c71f097bca455a0f87d3e0a2af4d04b1cbd727
Author: Ryan Harper
Date: Tue Oct 12 09:31:36 2021 -0500
Inhibit sshd-keygen@.service if cloud-init is active (#1028)
In some cloud-init enabled images the sshd-keygen@.service may race with cloud-init and prevent ssh host keys from being generated or generating host keys twice slowing boot and consuming additional entropy during boot. This drop-in unit adds a condition to the sshd-keygen@.service which prevents running if cloud-init is active.
Signed-off-by: Emanuele Giuseppe Esposito
Conflicts: minor conflict in setup.py (line 253), where we still use "/usr/lib/" instead of LIB
---
 packages/redhat/cloud-init.spec.in | 1 +
 packages/suse/cloud-init.spec.in | 1 +
 setup.py | 5 ++++-
 systemd/disable-sshd-keygen-if-cloud-init-active.conf | 8 ++++++++
 4 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 systemd/disable-sshd-keygen-if-cloud-init-active.conf
diff --git a/packages/redhat/cloud-init.spec.in b/packages/redhat/cloud-init.spec.in
index 16138012..1491822b 100644
--- a/packages/redhat/cloud-init.spec.in
+++ b/packages/redhat/cloud-init.spec.in
@@ -175,6 +175,7 @@ fi
 %if "%{init_system}" == "systemd"
 /usr/lib/systemd/system-generators/cloud-init-generator
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
 %{_unitdir}/cloud-*
 %else
 %attr(0755, root, root) %{_initddir}/cloud-config
diff --git a/packages/suse/cloud-init.spec.in b/packages/suse/cloud-init.spec.in
index 004b875f..da8107b4 100644
--- a/packages/suse/cloud-init.spec.in
+++ b/packages/suse/cloud-init.spec.in
@@ -126,6 +126,7 @@ version_pys=$(cd "%{buildroot}" && find . -name version.py -type f)
 %{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
 %{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
 # Python code is here...
 %{python_sitelib}/*
diff --git a/setup.py b/setup.py
index d5cd01a4..ec03fa27 100755
--- a/setup.py
+++ b/setup.py
@@ -38,6 +38,7 @@ def is_generator(p):
 def pkg_config_read(library, var):
     fallbacks = {
         'systemd': {
+            'systemdsystemconfdir': '/etc/systemd/system',
             'systemdsystemunitdir': '/lib/systemd/system',
             'systemdsystemgeneratordir': '/lib/systemd/system-generators',
         }
@@ -249,7 +250,9 @@ if not platform.system().endswith('BSD'):
     data_files.extend([
         (ETC + '/NetworkManager/dispatcher.d/',
          ['tools/hook-network-manager']),
-        ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')])
+        ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')]),
+        (ETC + '/systemd/system/sshd-keygen@.service.d/',
+         ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),
     ])
     # Use a subclass for install that handles
     # adding on the right init system configuration files
diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
new file mode 100644
index 00000000..71e35876
--- /dev/null
+++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
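Review bot: The `'systemdsystemconfdir'` fallback added to `pkg_config_read` in the first setup.py hunk is not used by the `data_files` entry added in the second hunk, which hardcodes `ETC + '/systemd/system/sshd-keygen@.service.d/'`; unless a caller outside these hunks reads that key, it is dead and the install location will not follow the distro's pkg-config answer the fallback was added for. If pkg-config is meant to be honoured, the entry would be `(pkg_config_read('systemd', 'systemdsystemconfdir') + '/sshd-keygen@.service.d/', ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),`; if the fixed `ETC` path is deliberate (both spec files list the file under `%{_sysconfdir}`), either drop the unused fallback or add a one-line comment such as `# installed under ETC to match the spec files, not via pkg-config` so the inconsistency is not read as an oversight. Both `pkg_config_read`'s body and the `if not platform.system().endswith('BSD')` block continue outside these hunks.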
@@ -0,0 +1,8 @@
+# In some cloud-init enabled images the sshd-keygen template service may race
+# with cloud-init during boot causing issues with host key generation. This
+# drop-in config adds a condition to sshd-keygen@.service if it exists and
+# prevents the sshd-keygen units from running *if* cloud-init is going to run.
+#
+[Unit]
+ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
+EOF
-- 
2.27.0
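Review bot: The last added line of the drop-in, `+EOF`, is a stray heredoc terminator rather than a unit-file directive; systemd's unit parser ignores a line without `=` inside `[Unit]` and logs a "Missing '='" warning each time sshd-keygen@.service is loaded, so the line should be removed and the file should end at the `ConditionPathExists=` line. Since the condition is evaluated from the presence of `/run/systemd/generator.early/multi-user.target.wants/cloud-init.target`, whenever cloud-init is enabled host key generation on these images presumably falls entirely to cloud-init's own ssh handling; a sentence in the header comment stating that dependency, e.g. `# When this condition triggers, host keys are expected to come from cloud-init's ssh module.`, would warn anyone who disables that module that sshd could otherwise start without host keys. The phrase "adds a condition to sshd-keygen@.service if it exists" is also slightly misleading, because a drop-in under `sshd-keygen@.service.d/` is simply inert when the unit is absent; consider `# This drop-in only takes effect where sshd-keygen@.service exists; it prevents`.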