diff --git a/SOURCES/ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch b/SOURCES/ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch index ebc2d05..32e26bd 100644 --- a/SOURCES/ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch +++ b/SOURCES/ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch @@ -1,14 +1,14 @@ -From f9cc7310eccee8076aea069e86ca137eb1002d19 Mon Sep 17 00:00:00 2001 +From 65b26a20b550ae301ca33eafe062a873f53969de Mon Sep 17 00:00:00 2001 From: Eduardo Otubo -Date: Wed, 24 Jun 2020 07:55:01 +0200 -Subject: [PATCH 2/3] Change from redhat to rhel in systemd generator tmpl +Date: Wed, 24 Jun 2020 07:34:32 +0200 +Subject: [PATCH 3/4] Change from redhat to rhel in systemd generator tmpl (#450) RH-Author: Eduardo Otubo Message-id: <20200623154034.28563-3-otubo@redhat.com> Patchwork-id: 97783 O-Subject: [RHEL-8.3.0/RHEL-8.2.1 cloud-init PATCH 2/3] Change from redhat to rhel in systemd generator tmpl (#450) -Bugzilla: 1844366 +Bugzilla: 1834173 RH-Acked-by: Cathy Avery RH-Acked-by: Mohammed Gamal diff --git a/SOURCES/ci-Changing-notation-of-subp-call.patch b/SOURCES/ci-Changing-notation-of-subp-call.patch new file mode 100644 index 0000000..68e7819 --- /dev/null +++ b/SOURCES/ci-Changing-notation-of-subp-call.patch 
@@ -0,0 +1,47 @@ +From d210f4b6c23d2739f76f9ab348090bcf350c5177 Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Mon, 31 Aug 2020 09:44:05 +0200 +Subject: [PATCH] Changing notation of subp call + +RH-Author: Eduardo Otubo +Message-id: <20200824142252.16298-1-otubo@redhat.com> +Patchwork-id: 98215 +O-Subject: [RHEL-7.9.z/RHEL-8.2.1/RHEL-8.3.0 cloud-init PATCH] Changing notation of subp call +Bugzilla: 1839662 +RH-Acked-by: Cathy Avery +RH-Acked-by: Mohammed Gamal + +The previous patch was applied upstream on top of a refactoring that moves subp +to its own module (3c551f6e, Move subp into its own module. (#416), release +20.2). + +Downstream we're not there yet, in order to avoid applying the above +commit and add a huge refactoring, I'll just change this call and we can +benefit of this changes in a future rebase. + +x-downstream-only: yes + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + cloudinit/sources/helpers/vmware/imc/guestcust_util.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py +index a270d9f..816f52e 100644 +--- a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py ++++ b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py +@@ -136,8 +136,8 @@ def get_tools_config(section, key, defaultVal): + cmd = ['vmware-toolbox-cmd', 'config', 'get', section, key] + + try: +- (outText, _) = subp.subp(cmd) +- except subp.ProcessExecutionError as e: ++ (outText, _) = util.subp(cmd) ++ except util.ProcessExecutionError as e: + if e.exit_code == 69: + logger.debug( + "vmware-toolbox-cmd returned 69 (unavailable) for cmd: %s." +-- +1.8.3.1 + diff --git a/SOURCES/ci-Detect-kernel-version-before-swap-file-creation-428.patch b/SOURCES/ci-Detect-kernel-version-before-swap-file-creation-428.patch new file mode 100644 index 0000000..341d29e --- /dev/null 
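Review bot: The swapped lines `(outText, _) = util.subp(cmd)` and `except util.ProcessExecutionError as e:` carry no in-code marker that they deliberately diverge from upstream, so the rebase this message anticipates will have to rediscover why; a one-line comment above the `try:` such as `# downstream: util.subp until the subp module split (upstream 3c551f6e) is rebased` would record that next to the code rather than only in the patch header. Ordering in the spec also matters here: the earlier ci-When-tools.conf-does-not-exist patch in this series introduces `subp.subp`, which by this message's own account does not resolve downstream until this patch lands, so the two must always be applied in the same build. The enclosing `get_tools_config` starts and ends outside the hunk.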
+++ b/SOURCES/ci-Detect-kernel-version-before-swap-file-creation-428.patch @@ -0,0 +1,230 @@ +From 17f972b6fb172fe19d6e115a20664eefdbd3838d Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Mon, 24 Aug 2020 15:25:38 +0200 +Subject: [PATCH 3/3] Detect kernel version before swap file creation (#428) + +RH-Author: Eduardo Otubo +Message-id: <20200820092042.5418-4-otubo@redhat.com> +Patchwork-id: 98191 +O-Subject: [RHEL-8.3.0 cloud-init PATCH 3/3] Detect kernel version before swap file creation (#428) +Bugzilla: 1794664 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Mohammed Gamal + +commit b749548a9eb43b34cce64f8688107645411abc8c +Author: Eduardo Otubo +Date: Tue Aug 18 23:12:02 2020 +0200 + + Detect kernel version before swap file creation (#428) + + According to man page `man 8 swapon', "Preallocated swap files are + supported on XFS since Linux 4.18". This patch checks for kernel version + before attepting to create swapfile, using dd for XFS only on kernel + versions <= 4.18 or btrfs. + + Add new func util.kernel_version which returns a tuple of ints (major, minor) + + 
Signed-off-by: Eduardo Otubo otubo@redhat.com + +Signed-off-by: Eduardo Otubo otubo@redhat.com +Signed-off-by: Miroslav Rezanina +--- + cloudinit/config/cc_mounts.py | 8 +- + cloudinit/util.py | 4 + + .../unittests/test_handler/test_handler_mounts.py | 107 +++++++++++++++++++++ + tests/unittests/test_util.py | 15 +++ + 4 files changed, 131 insertions(+), 3 deletions(-) + +diff --git a/cloudinit/config/cc_mounts.py b/cloudinit/config/cc_mounts.py +index 0573026..e1c43e3 100644 +--- a/cloudinit/config/cc_mounts.py ++++ b/cloudinit/config/cc_mounts.py +@@ -65,7 +65,7 @@ swap file is created. + from string import whitespace + + import logging +-import os.path ++import os + import re + + from cloudinit import type_utils +@@ -249,7 +249,8 @@ def create_swapfile(fname, size): + + fstype = util.get_mount_info(swap_dir)[1] + +- if fstype in ("xfs", "btrfs"): ++ if (fstype == "xfs" and ++ util.kernel_version() < (4, 18)) or fstype == "btrfs": + create_swap(fname, size, "dd") + else: + try: +@@ -259,7 +260,8 @@ def create_swapfile(fname, size): + LOG.warning("Will attempt with dd.") + create_swap(fname, size, "dd") + +- util.chmod(fname, 0o600) ++ if os.path.exists(fname): ++ util.chmod(fname, 0o600) + try: + util.subp(['mkswap', fname]) + except util.ProcessExecutionError: +diff --git a/cloudinit/util.py b/cloudinit/util.py +index 5d51ba8..ad89376 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -79,6 +79,10 @@ CONTAINER_TESTS = (['systemd-detect-virt', '--quiet', '--container'], + ['lxc-is-container']) + + ++def kernel_version(): ++ return tuple(map(int, os.uname().release.split('.')[:2])) ++ ++ + @lru_cache() + def get_architecture(target=None): + out, _ = subp(['dpkg', '--print-architecture'], capture=True, +diff --git a/tests/unittests/test_handler/test_handler_mounts.py b/tests/unittests/test_handler/test_handler_mounts.py +index 7bcefa0..27bcc6f 100644 +--- a/tests/unittests/test_handler/test_handler_mounts.py ++++ 
b/tests/unittests/test_handler/test_handler_mounts.py +@@ -132,6 +132,113 @@ class TestSanitizeDevname(test_helpers.FilesystemMockingTestCase): + 'ephemeral0.1', lambda x: disk_path, mock.Mock())) + + ++class TestSwapFileCreation(test_helpers.FilesystemMockingTestCase): ++ ++ def setUp(self): ++ super(TestSwapFileCreation, self).setUp() ++ self.new_root = self.tmp_dir() ++ self.patchOS(self.new_root) ++ ++ self.fstab_path = os.path.join(self.new_root, 'etc/fstab') ++ self.swap_path = os.path.join(self.new_root, 'swap.img') ++ self._makedirs('/etc') ++ ++ self.add_patch('cloudinit.config.cc_mounts.FSTAB_PATH', ++ 'mock_fstab_path', ++ self.fstab_path, ++ autospec=False) ++ ++ self.add_patch('cloudinit.config.cc_mounts.subp.subp', ++ 'm_subp_subp') ++ ++ self.add_patch('cloudinit.config.cc_mounts.util.mounts', ++ 'mock_util_mounts', ++ return_value={ ++ '/dev/sda1': {'fstype': 'ext4', ++ 'mountpoint': '/', ++ 'opts': 'rw,relatime,discard' ++ }}) ++ ++ self.mock_cloud = mock.Mock() ++ self.mock_log = mock.Mock() ++ self.mock_cloud.device_name_to_device = self.device_name_to_device ++ ++ self.cc = { ++ 'swap': { ++ 'filename': self.swap_path, ++ 'size': '512', ++ 'maxsize': '512'}} ++ ++ def _makedirs(self, directory): ++ directory = os.path.join(self.new_root, directory.lstrip('/')) ++ if not os.path.exists(directory): ++ os.makedirs(directory) ++ ++ def device_name_to_device(self, path): ++ if path == 'swap': ++ return self.swap_path ++ else: ++ dev = None ++ ++ return dev ++ ++ @mock.patch('cloudinit.util.get_mount_info') ++ @mock.patch('cloudinit.util.kernel_version') ++ def test_swap_creation_method_fallocate_on_xfs(self, m_kernel_version, ++ m_get_mount_info): ++ m_kernel_version.return_value = (4, 20) ++ m_get_mount_info.return_value = ["", "xfs"] ++ ++ cc_mounts.handle(None, self.cc, self.mock_cloud, self.mock_log, []) ++ self.m_subp_subp.assert_has_calls([ ++ mock.call(['fallocate', '-l', '0M', self.swap_path], capture=True), ++ mock.call(['mkswap', 
self.swap_path]), ++ mock.call(['swapon', '-a'])]) ++ ++ @mock.patch('cloudinit.util.get_mount_info') ++ @mock.patch('cloudinit.util.kernel_version') ++ def test_swap_creation_method_xfs(self, m_kernel_version, ++ m_get_mount_info): ++ m_kernel_version.return_value = (3, 18) ++ m_get_mount_info.return_value = ["", "xfs"] ++ ++ cc_mounts.handle(None, self.cc, self.mock_cloud, self.mock_log, []) ++ self.m_subp_subp.assert_has_calls([ ++ mock.call(['dd', 'if=/dev/zero', ++ 'of=' + self.swap_path, ++ 'bs=1M', 'count=0'], capture=True), ++ mock.call(['mkswap', self.swap_path]), ++ mock.call(['swapon', '-a'])]) ++ ++ @mock.patch('cloudinit.util.get_mount_info') ++ @mock.patch('cloudinit.util.kernel_version') ++ def test_swap_creation_method_btrfs(self, m_kernel_version, ++ m_get_mount_info): ++ m_kernel_version.return_value = (4, 20) ++ m_get_mount_info.return_value = ["", "btrfs"] ++ ++ cc_mounts.handle(None, self.cc, self.mock_cloud, self.mock_log, []) ++ self.m_subp_subp.assert_has_calls([ ++ mock.call(['dd', 'if=/dev/zero', ++ 'of=' + self.swap_path, ++ 'bs=1M', 'count=0'], capture=True), ++ mock.call(['mkswap', self.swap_path]), ++ mock.call(['swapon', '-a'])]) ++ ++ @mock.patch('cloudinit.util.get_mount_info') ++ @mock.patch('cloudinit.util.kernel_version') ++ def test_swap_creation_method_ext4(self, m_kernel_version, ++ m_get_mount_info): ++ m_kernel_version.return_value = (5, 14) ++ m_get_mount_info.return_value = ["", "ext4"] ++ ++ cc_mounts.handle(None, self.cc, self.mock_cloud, self.mock_log, []) ++ self.m_subp_subp.assert_has_calls([ ++ mock.call(['fallocate', '-l', '0M', self.swap_path], capture=True), ++ mock.call(['mkswap', self.swap_path]), ++ mock.call(['swapon', '-a'])]) ++ ++ + class TestFstabHandling(test_helpers.FilesystemMockingTestCase): + + swap_path = '/dev/sdb1' +diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py +index 0e71db8..87dc8dd 100644 +--- a/tests/unittests/test_util.py ++++ b/tests/unittests/test_util.py +@@ 
-1177,4 +1177,19 @@ class TestGetProcEnv(helpers.TestCase): + my_ppid = os.getppid() + self.assertEqual(my_ppid, util.get_proc_ppid(my_pid)) + ++ ++class TestKernelVersion(): ++ """test kernel version function""" ++ ++ params = [ ++ ('5.6.19-300.fc32.x86_64', (5, 6)), ++ ('4.15.0-101-generic', (4, 15)), ++ ('3.10.0-1062.12.1.vz7.131.10', (3, 10)), ++ ('4.18.0-144.el8.x86_64', (4, 18))] ++ ++ @mock.patch('os.uname') ++ @pytest.mark.parametrize("uname_release,expected", params) ++ def test_kernel_version(self, m_uname, uname_release, expected): ++ m_uname.return_value.release = uname_release ++ assert expected == util.kernel_version() + # vi: ts=4 expandtab +-- +1.8.3.1 + diff --git a/SOURCES/ci-Do-not-use-fallocate-in-swap-file-creation-on-xfs.-7.patch b/SOURCES/ci-Do-not-use-fallocate-in-swap-file-creation-on-xfs.-7.patch new file mode 100644 index 0000000..046ef0c --- /dev/null +++ b/SOURCES/ci-Do-not-use-fallocate-in-swap-file-creation-on-xfs.-7.patch 
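Review bot: The new TestSwapFileCreation patches `cloudinit.config.cc_mounts.subp.subp`, but the cc_mounts.py hunk in this same patch still calls `util.subp(['mkswap', fname])`, and the series' own ci-Changing-notation-of-subp-call.patch states the `subp` module has not been backported downstream, so `add_patch` will most likely fail with AttributeError and, even if it did not, the `m_subp_subp.assert_has_calls` assertions would never observe the `util.subp` calls; the target should be `'cloudinit.config.cc_mounts.util.subp'` to match the downstream code. Separately, the added `if os.path.exists(fname):` guard around `util.chmod` only hides the case where the creation helper already deleted the file after a failed fallocate/dd (that helper's body is outside this hunk), and the following `mkswap` then fails with a less informative error, so logging or returning early there would be clearer than silently skipping the chmod. The commit text says dd is used for XFS on kernels `<= 4.18`, while the code's `util.kernel_version() < (4, 18)` is what matches the swapon(8) statement it quotes, so the message should say `< 4.18`. `kernel_version()` also deserves a docstring noting it returns only the first two numeric components of `os.uname().release` and will raise ValueError if either is not an integer.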
@@ -0,0 +1,164 @@ +From 49e5a49cc007b2a751eea212b4052e92837ebc8a Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Mon, 24 Aug 2020 15:25:34 +0200 +Subject: [PATCH 1/3] Do not use fallocate in swap file creation on xfs. (#70) + +RH-Author: Eduardo Otubo +Message-id: <20200820092042.5418-2-otubo@redhat.com> +Patchwork-id: 98194 +O-Subject: [RHEL-8.3.0 cloud-init PATCH 1/3] Do not use fallocate in swap file creation on xfs. (#70) +Bugzilla: 1794664 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Mohammed Gamal + +commit 6603706eec1c39d9d591c8ffa0ef7171b74d84d6 +Author: Eduardo Otubo +Date: Thu Jan 23 17:41:48 2020 +0100 + + Do not use fallocate in swap file creation on xfs. (#70) + + When creating a swap file on an xfs filesystem, fallocate cannot be used. + Doing so results in failure of swapon and a message like: + swapon: swapfile has holes + + The solution here is to maintain a list (currently containing only XFS) + of filesystems where fallocate cannot be used. The, on those fileystems + use the slower but functional 'dd' method. + + 
Signed-off-by: Eduardo Otubo + Co-authored-by: Adam Dobrawy + Co-authored-by: Scott Moser + Co-authored-by: Daniel Watkins + + LP: #1781781 + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + cloudinit/config/cc_mounts.py | 67 ++++++++++++++++------ + .../unittests/test_handler/test_handler_mounts.py | 12 ++++ + 2 files changed, 62 insertions(+), 17 deletions(-) + +diff --git a/cloudinit/config/cc_mounts.py b/cloudinit/config/cc_mounts.py +index c741c74..4293844 100644 +--- a/cloudinit/config/cc_mounts.py ++++ b/cloudinit/config/cc_mounts.py +@@ -223,13 +223,58 @@ def suggested_swapsize(memsize=None, maxsize=None, fsys=None): + return size + + ++def create_swapfile(fname, size): ++ """Size is in MiB.""" ++ ++ errmsg = "Failed to create swapfile '%s' of size %dMB via %s: %s" ++ ++ def create_swap(fname, size, method): ++ LOG.debug("Creating swapfile in '%s' on fstype '%s' using '%s'", ++ fname, fstype, method) ++ ++ if method == "fallocate": ++ cmd = ['fallocate', '-l', '%dM' % size, fname] ++ elif method == "dd": ++ cmd = ['dd', 'if=/dev/zero', 'of=%s' % fname, 'bs=1M', ++ 'count=%d' % size] ++ ++ try: ++ util.subp(cmd, capture=True) ++ except util.ProcessExecutionError as e: ++ LOG.warning(errmsg, fname, size, method, e) ++ util.del_file(fname) ++ ++ swap_dir = os.path.dirname(fname) ++ util.ensure_dir(swap_dir) ++ ++ fstype = util.get_mount_info(swap_dir)[1] ++ ++ if fstype in ("xfs", "btrfs"): ++ create_swap(fname, size, "dd") ++ else: ++ try: ++ create_swap(fname, size, "fallocate") ++ except util.ProcessExecutionError as e: ++ LOG.warning(errmsg, fname, size, "dd", e) ++ LOG.warning("Will attempt with dd.") ++ create_swap(fname, size, "dd") ++ ++ util.chmod(fname, 0o600) ++ try: ++ util.subp(['mkswap', fname]) ++ except util.ProcessExecutionError: ++ util.del_file(fname) ++ raise ++ ++ + def setup_swapfile(fname, size=None, maxsize=None): + """ + fname: full path string of filename to setup + size: the size to create. 
set to "auto" for recommended + maxsize: the maximum size + """ +- tdir = os.path.dirname(fname) ++ swap_dir = os.path.dirname(fname) ++ mibsize = str(int(size / (2 ** 20))) + if str(size).lower() == "auto": + try: + memsize = util.read_meminfo()['total'] +@@ -237,28 +282,16 @@ def setup_swapfile(fname, size=None, maxsize=None): + LOG.debug("Not creating swap: failed to read meminfo") + return + +- util.ensure_dir(tdir) +- size = suggested_swapsize(fsys=tdir, maxsize=maxsize, ++ util.ensure_dir(swap_dir) ++ size = suggested_swapsize(fsys=swap_dir, maxsize=maxsize, + memsize=memsize) + + if not size: + LOG.debug("Not creating swap: suggested size was 0") + return + +- mbsize = str(int(size / (2 ** 20))) +- msg = "creating swap file '%s' of %sMB" % (fname, mbsize) +- try: +- util.ensure_dir(tdir) +- util.log_time(LOG.debug, msg, func=util.subp, +- args=[['sh', '-c', +- ('rm -f "$1" && umask 0066 && ' +- '{ fallocate -l "${2}M" "$1" || ' +- 'dd if=/dev/zero "of=$1" bs=1M "count=$2"; } && ' +- 'mkswap "$1" || { r=$?; rm -f "$1"; exit $r; }'), +- 'setup_swap', fname, mbsize]]) +- +- except Exception as e: +- raise IOError("Failed %s: %s" % (msg, e)) ++ util.log_time(LOG.debug, msg="Setting up swap file", func=create_swapfile, ++ args=[fname, mibsize]) + + return fname + +diff --git a/tests/unittests/test_handler/test_handler_mounts.py b/tests/unittests/test_handler/test_handler_mounts.py +index 0fb160b..7bcefa0 100644 +--- a/tests/unittests/test_handler/test_handler_mounts.py ++++ b/tests/unittests/test_handler/test_handler_mounts.py +@@ -181,6 +181,18 @@ class TestFstabHandling(test_helpers.FilesystemMockingTestCase): + + return dev + ++ def test_swap_integrity(self): ++ '''Ensure that the swap file is correctly created and can ++ swapon successfully. 
Fixing the corner case of: ++ kernel: swapon: swapfile has holes''' ++ ++ fstab = '/swap.img swap swap defaults 0 0\n' ++ ++ with open(cc_mounts.FSTAB_PATH, 'w') as fd: ++ fd.write(fstab) ++ cc = {'swap': ['filename: /swap.img', 'size: 512', 'maxsize: 512']} ++ cc_mounts.handle(None, cc, self.mock_cloud, self.mock_log, []) ++ + def test_fstab_no_swap_device(self): + '''Ensure that cloud-init adds a discovered swap partition + to /etc/fstab.''' +-- +1.8.3.1 + diff --git a/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch index 9b7dcd4..866fdb6 100644 --- a/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch +++ b/SOURCES/ci-Enable-ssh_deletekeys-by-default.patch @@ -1,14 +1,15 @@ -From be355ece2812bb19ac5af4262bcf84a2b758eefd Mon Sep 17 00:00:00 2001 +From 251836a62eb3061b8d26177fd5997a96dccec21b Mon Sep 17 00:00:00 2001 From: Eduardo Otubo -Date: Mon, 13 Jul 2020 10:19:40 +0200 -Subject: [PATCH] Enable ssh_deletekeys by default +Date: Thu, 28 May 2020 08:44:06 +0200 +Subject: [PATCH 3/4] Enable ssh_deletekeys by default RH-Author: Eduardo Otubo -Message-id: <20200710085556.6993-1-otubo@redhat.com> -Patchwork-id: 97933 -O-Subject: [RHEL-8.2.1 cloud-init PATCH] Enable ssh_deletekeys by default -Bugzilla: 1855595 -Acked-by: Miroslav Rezanina +Message-id: <20200317091705.15715-1-otubo@redhat.com> +Patchwork-id: 94365 +O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCH] Enable ssh_deletekeys by default +Bugzilla: 1814152 +RH-Acked-by: Mohammed Gamal +RH-Acked-by: Vitaly Kuznetsov The configuration option ssh_deletekeys will trigger the generation of new ssh keys for every new instance deployed. diff --git a/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch index f9d9b73..74bb8ac 100644 --- a/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch +++ b/SOURCES/ci-Make-cloud-init.service-execute-after-network-is-up.patch 
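Review bot: In `create_swap`, `except util.ProcessExecutionError as e:` logs and deletes the file but does not re-raise, so the outer `try: create_swap(fname, size, "fallocate")` / `except util.ProcessExecutionError` in `create_swapfile` can never fire and the advertised dd fallback is unreachable; add `raise` after `util.del_file(fname)` so the fallback (and the later `mkswap` cleanup path) actually sees the failure. The removed shell version ran `umask 0066` before `fallocate`/`dd`, whereas the new code creates the swap file under the ambient umask and only calls `util.chmod(fname, 0o600)` after the full-size write, so with a typical 022 umask the future swap file is briefly world-readable; creating it with a restricted mode first, e.g. `os.close(os.open(fname, os.O_WRONLY | os.O_CREAT, 0o600))` before running `cmd`, closes that window since both fallocate and dd happily operate on an existing file. The outer `except` also logs `errmsg` with `"dd"` as the method although it was fallocate that failed. In `setup_swapfile`, `mibsize = str(int(size / (2 ** 20)))` now runs before the `str(size).lower() == "auto"` check, so `size: auto` raises TypeError; the next patch in this series, ci-swap-file-size-being-used-before-checked-if-str-315.patch, appears by its name to address that, but its content is outside this page.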
@@ -1,13 +1,13 @@
-From dd95ebb925d4f74ffdcae50bb5eabc715d893cb2 Mon Sep 17 00:00:00 2001
+From 301b1770d3e2580c3ee168261a9a97d143cc5f59 Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo
-Date: Mon, 1 Jun 2020 13:59:06 +0200
+Date: Mon, 1 Jun 2020 11:58:06 +0200
 Subject: [PATCH] Make cloud-init.service execute after network is up
 RH-Author: Eduardo Otubo
 Message-id: <20200526090804.2047-1-otubo@redhat.com>
 Patchwork-id: 96809
 O-Subject: [RHEL-8.2.1 cloud-init PATCH] Make cloud-init.service execute after network is up
-Bugzilla: 1831646
+Bugzilla: 1803928
 RH-Acked-by: Vitaly Kuznetsov
 RH-Acked-by: Miroslav Rezanina
diff --git a/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
new file mode 100644
index 0000000..d8c99fd
--- /dev/null
+++ b/SOURCES/ci-Remove-race-condition-between-cloud-init-and-Network.patch
@@ -0,0 +1,52 @@
+From 0422ba0e773d1a8257a3f2bf3db05f3bc7917eb7 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Thu, 28 May 2020 08:44:08 +0200
+Subject: [PATCH 4/4] Remove race condition between cloud-init and
+ NetworkManager
+
+RH-Author: Eduardo Otubo
+Message-id: <20200327121911.17699-1-otubo@redhat.com>
+Patchwork-id: 94453
+O-Subject: [RHEL-7.9/RHEL-8.2.0 cloud-init PATCHv2] Remove race condition between cloud-init and NetworkManager
+Bugzilla: 1840648
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Cathy Avery
+
+cloud-init service is set to start before NetworkManager service starts,
+but this does not avoid a race condition between them. NetworkManager
+starts before cloud-init can write `dns=none' to the file:
+/etc/NetworkManager/conf.d/99-cloud-init.conf. This way NetworkManager
+doesn't read the configuration and erases all resolv.conf values upon
+shutdown. On the next reboot neither cloud-init or NetworkManager will
+write anything to resolv.conf, leaving it blank.
+
+This patch introduces a NM reload (try-reload-or-restart) at the end of cloud-init
+start up so it won't erase resolv.conf upon first shutdown.
+
+x-downstream-only: yes
+
+Signed-off-by: Eduardo Otubo otubo@redhat.com
+Signed-off-by: Miroslav Rezanina
+---
+ rhel/systemd/cloud-final.service | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel/systemd/cloud-final.service b/rhel/systemd/cloud-final.service
+index f303483..05add07 100644
+--- a/rhel/systemd/cloud-final.service
++++ b/rhel/systemd/cloud-final.service
+@@ -11,8 +11,8 @@ ExecStart=/usr/bin/cloud-init modules --mode=final
+ RemainAfterExit=yes
+ TimeoutSec=0
+ KillMode=process
+-ExecStartPost=/bin/echo "try restart NetworkManager.service"
+-ExecStartPost=/usr/bin/systemctl try-restart NetworkManager.service
++ExecStartPost=/bin/echo "trying to reload or restart NetworkManager.service"
++ExecStartPost=/usr/bin/systemctl try-reload-or-restart NetworkManager.service
+ 
+ # Output needs to appear in instance console output
+ StandardOutput=journal+console
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch b/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch
new file mode 100644
index 0000000..d12df6d
--- /dev/null
+++ b/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch
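Review bot: `ExecStartPost=/usr/bin/systemctl try-reload-or-restart NetworkManager.service` is not prefixed with `-`, so if the reload fails (NetworkManager installed but in a failed state, or a D-Bus hiccup during first boot) systemd will, as far as I recall its ExecStartPost semantics, mark cloud-final.service itself failed even though `cloud-init modules --mode=final` succeeded; `ExecStartPost=-/usr/bin/systemctl try-reload-or-restart NetworkManager.service` keeps the NM reload best-effort, which is what the commit message intends. The preceding `/bin/echo` line only produces a console log line and says nothing about why the reload is needed; a unit-file comment such as `# Reload NM so it picks up the dns=none drop-in cloud-init wrote (see commit message)` would explain the dependency better than the echo. Whether reloading or restarting NM at this point is safe on hosts where cloud-init did not write the drop-in is not visible here and worth confirming.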
@@ -0,0 +1,89 @@ +From 07755100b11abd4d429577f9f3f57a2c43592089 Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Mon, 17 Aug 2020 11:14:45 +0200 +Subject: [PATCH 1/2] When tools.conf does not exist, running cmd + "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return + code will be EX_UNAVAILABLE(69), on this condition, it should not take it as + error. (#413) + +RH-Author: Eduardo Otubo +Message-id: <20200710094434.9711-1-otubo@redhat.com> +Patchwork-id: 97934 +O-Subject: [RHEL-7.9.z/RHEL-8.2.1/RHEL-8.3.0 cloud-init PATCH] When tools.conf does not exist, running cmd "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. (#413) +Bugzilla: 1839662 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Mohammed Gamal + +From: chengcheng-chcheng <63850735+chengcheng-chcheng@users.noreply.github.com> + +The diff seems slightly different from upstream because of some parts +being in different positions. But the final result is the file patched +guestcust_util.py (within this block) exactly identical to the one +upstream. + +Also: Sorry for the commit message being just a Subject and this being +enormous. I kept the original from upstream. + +commit c6d09af67626c2f2241c64c10c9e27e8752ba87b +Author: chengcheng-chcheng <63850735+chengcheng-chcheng@users.noreply.github.com> +Date: Wed Jun 10 00:20:47 2020 +0800 + + When tools.conf does not exist, running cmd "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. 
(#413) + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + .../sources/helpers/vmware/imc/guestcust_util.py | 33 +++++++++++++--------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +diff --git a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py +index 3d369d0..a270d9f 100644 +--- a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py ++++ b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py +@@ -133,23 +133,30 @@ def get_tools_config(section, key, defaultVal): + 'vmware-toolbox-cmd not installed, returning default value') + return defaultVal + +- retValue = defaultVal + cmd = ['vmware-toolbox-cmd', 'config', 'get', section, key] + + try: +- (outText, _) = util.subp(cmd) +- m = re.match(r'([^=]+)=(.*)', outText) +- if m: +- retValue = m.group(2).strip() +- logger.debug("Get tools config: [%s] %s = %s", +- section, key, retValue) +- else: ++ (outText, _) = subp.subp(cmd) ++ except subp.ProcessExecutionError as e: ++ if e.exit_code == 69: + logger.debug( +- "Tools config: [%s] %s is not found, return default value: %s", +- section, key, retValue) +- except util.ProcessExecutionError as e: +- logger.error("Failed running %s[%s]", cmd, e.exit_code) +- logger.exception(e) ++ "vmware-toolbox-cmd returned 69 (unavailable) for cmd: %s." ++ " Return default value: %s", " ".join(cmd), defaultVal) ++ else: ++ logger.error("Failed running %s[%s]", cmd, e.exit_code) ++ logger.exception(e) ++ return defaultVal ++ ++ retValue = defaultVal ++ m = re.match(r'([^=]+)=(.*)', outText) ++ if m: ++ retValue = m.group(2).strip() ++ logger.debug("Get tools config: [%s] %s = %s", ++ section, key, retValue) ++ else: ++ logger.debug( ++ "Tools config: [%s] %s is not found, return default value: %s", ++ section, key, retValue) + + return retValue + +-- +1.8.3.1 + 
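Review bot: The new `(outText, _) = subp.subp(cmd)` and `except subp.ProcessExecutionError as e:` lines reference a `subp` module that, according to this series' own ci-Changing-notation-of-subp-call.patch, does not exist in the downstream tree, so applied on its own this hunk raises NameError on the first call to `get_tools_config` instead of taking the intended default-value path; the follow-up patch must be applied in the same build, or better, this hunk should use `util.subp` directly. The literal `69` is `EX_UNAVAILABLE` from sysexits.h; comparing against `os.EX_UNAVAILABLE` (if `os` is already imported in this module) or a named `_EX_UNAVAILABLE = 69` constant would make the branch self-describing rather than repeating the number in the log message. The enclosing `get_tools_config` begins outside the hunk.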
diff --git a/SOURCES/ci-cc_mounts-fix-incorrect-format-specifiers-316.patch b/SOURCES/ci-cc_mounts-fix-incorrect-format-specifiers-316.patch new file mode 100644 index 0000000..9498e0a --- /dev/null +++ b/SOURCES/ci-cc_mounts-fix-incorrect-format-specifiers-316.patch 
@@ -0,0 +1,90 @@ +From c3a019b57cade8e6c3963f6bd2c7c15cd67e561c Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Wed, 2 Sep 2020 14:59:06 +0200 +Subject: [PATCH] cc_mounts: fix incorrect format specifiers (#316) + +RH-Author: Eduardo Otubo +Message-id: <20200825131749.4989-1-otubo@redhat.com> +Patchwork-id: 98217 +O-Subject: [RHEL-8.3.0 cloud-init PATCH] cc_mounts: fix incorrect format specifiers (#316) +Bugzilla: 1794664 +RH-Acked-by: Mohammed Gamal +RH-Acked-by: Cathy Avery + +Conflicts: Not exactly a conflict, but removed optional notations +"variable: type" and "-> type" from function header create_swapfile() as +it is only available on Python >= 3.5 and this patch is for RHEL-7.9 +only (Python 2.*). The rest of the cherry-pick was clean. + +commit 9d7b35ce23aaf8741dd49b16e359c96591be3c76 +Author: Daniel Watkins +Date: Wed Apr 15 16:53:08 2020 -0400 + + cc_mounts: fix incorrect format specifiers (#316) + + LP: #1872836 + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + cloudinit/config/cc_mounts.py | 6 +++--- + cloudinit/config/tests/test_mounts.py | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+), 3 deletions(-) + create mode 100644 cloudinit/config/tests/test_mounts.py + +diff --git a/cloudinit/config/cc_mounts.py b/cloudinit/config/cc_mounts.py +index e1c43e3..55b6770 100644 +--- a/cloudinit/config/cc_mounts.py ++++ b/cloudinit/config/cc_mounts.py +@@ -226,17 +226,17 @@ def suggested_swapsize(memsize=None, maxsize=None, fsys=None): + def create_swapfile(fname, size): + """Size is in MiB.""" + +- errmsg = "Failed to create swapfile '%s' of size %dMB via %s: %s" ++ errmsg = "Failed to create swapfile '%s' of size %sMB via %s: %s" + + def create_swap(fname, size, method): + LOG.debug("Creating swapfile in '%s' on fstype '%s' using '%s'", + fname, fstype, method) + + if method == "fallocate": +- cmd = ['fallocate', '-l', '%dM' % size, fname] ++ cmd = ['fallocate', '-l', '%sM' % size, fname] + elif method == "dd": + cmd = 
['dd', 'if=/dev/zero', 'of=%s' % fname, 'bs=1M', +- 'count=%d' % size] ++ 'count=%s' % size] + + try: + util.subp(cmd, capture=True) +diff --git a/cloudinit/config/tests/test_mounts.py b/cloudinit/config/tests/test_mounts.py +new file mode 100644 +index 0000000..c7dad61 +--- /dev/null ++++ b/cloudinit/config/tests/test_mounts.py +@@ -0,0 +1,22 @@ ++# This file is part of cloud-init. See LICENSE file for license information. ++from unittest import mock ++ ++from cloudinit.config.cc_mounts import create_swapfile ++ ++ ++M_PATH = 'cloudinit.config.cc_mounts.' ++ ++ ++class TestCreateSwapfile: ++ ++ @mock.patch(M_PATH + 'util.subp') ++ def test_happy_path(self, m_subp, tmpdir): ++ swap_file = tmpdir.join("swap-file") ++ fname = str(swap_file) ++ ++ # Some of the calls to util.subp should create the swap file; this ++ # roughly approximates that ++ m_subp.side_effect = lambda *args, **kwargs: swap_file.write('') ++ ++ create_swapfile(fname, '') ++ assert mock.call(['mkswap', fname]) in m_subp.call_args_list +-- +1.8.3.1 + diff --git a/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch new file mode 100644 index 0000000..a49ca1e --- /dev/null +++ b/SOURCES/ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch 
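Review bot: The Conflicts note says this backport targets RHEL-7.9 only, i.e. Python 2, yet the added cloudinit/config/tests/test_mounts.py starts with `from unittest import mock` and uses a pytest `tmpdir` fixture, neither of which exists in Python 2's unittest (mock is a separate package there); either the note is stale (the O-Subject says RHEL-8.3.0) or the test will fail at import, so please reconcile the two. Switching `'%dM' % size` and `'count=%d' % size` to `%s` fixes the TypeError for the string `mibsize` that `setup_swapfile` passes, but it also drops the only check that `size` is numeric, so a value like `''` (exactly what the new test passes) now produces `fallocate -l M` and a late ProcessExecutionError rather than an early error; converting once at the top of `create_swapfile` with `size = int(size)` would keep the argument validated while still accepting strings. The docstring `"""Size is in MiB."""` and the messages saying `MB` should also agree on the unit.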
@@ -0,0 +1,42 @@
+From e7a0cd9aa71dfd7715eca4b393db0aa348e05f8f Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 28 May 2020 08:43:58 +0200
+Subject: [PATCH 1/4] cc_set_password: increase random pwlength from 9 to 20
+ (#189)
+
+RH-Author: jmaloy
+Message-id: <20200313015002.3297-2-jmaloy@redhat.com>
+Patchwork-id: 94253
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] cc_set_password: increase random pwlength from 9 to 20 (#189)
+Bugzilla: 1812171
+RH-Acked-by: Eduardo Otubo
+RH-Acked-by: Miroslav Rezanina
+
+From: Ryan Harper
+
+Increasing the bits of security from 52 to 115.
+
+LP: #1860795
+(cherry picked from commit 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/config/cc_set_passwords.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
+index c3c5b0f..0742234 100755
+--- a/cloudinit/config/cc_set_passwords.py
++++ b/cloudinit/config/cc_set_passwords.py
+@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args):
+ raise errors[-1]
+ 
+ 
+-def rand_user_password(pwlen=9):
++def rand_user_password(pwlen=20):
+ return util.rand_str(pwlen, select_from=PW_SET)
+ 
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch b/SOURCES/ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch
index f4ec784..f339ffd 100644
--- a/SOURCES/ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch
+++ b/SOURCES/ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch
@@ -1,14 +1,14 @@
-From 344b8c150479547f48a30a8edab3717d00fb0fca Mon Sep 17 00:00:00 2001
+From f67f56e85c0fdb1c94527a6a1795bbacd2e6fdb0 Mon Sep 17 00:00:00 2001
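Review bot: `rand_user_password(pwlen=20)` only delivers the 115 bits the message claims if `util.rand_str` draws from a CSPRNG (`random.SystemRandom` or `secrets`) over `PW_SET`; neither is visible in this hunk, so that should be confirmed in util.py before the number is relied on. The function has no docstring tying the new default to its rationale; `"""Return a random password of pwlen characters drawn from PW_SET (default 20 gives roughly 115 bits)."""` would do. The 52-to-115 figure implies a PW_SET of about 55 symbols, which is worth double-checking against its definition.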
 From: Eduardo Otubo
-Date: Wed, 24 Jun 2020 07:55:03 +0200
-Subject: [PATCH 3/3] cloud-init.service.tmpl: use "rhel" instead of "redhat"
+Date: Wed, 24 Jun 2020 07:34:34 +0200
+Subject: [PATCH 4/4] cloud-init.service.tmpl: use "rhel" instead of "redhat"
 (#452)
 RH-Author: Eduardo Otubo
 Message-id: <20200623154034.28563-4-otubo@redhat.com>
 Patchwork-id: 97784
 O-Subject: [RHEL-8.3.0/RHEL-8.2.1 cloud-init PATCH 3/3] cloud-init.service.tmpl: use "rhel" instead of "redhat" (#452)
-Bugzilla: 1844366
+Bugzilla: 1834173
 RH-Acked-by: Cathy Avery
 RH-Acked-by: Mohammed Gamal
diff --git a/SOURCES/ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch b/SOURCES/ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch
index bff4133..44e8e45 100644
--- a/SOURCES/ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch
+++ b/SOURCES/ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch
@@ -1,16 +1,20 @@
-From 5e15faadff409327a8d47db1f23910e7174a20a4 Mon Sep 17 00:00:00 2001
+From f6dc3cf39a4884657478a47894ce8a76ec9a72c5 Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo
-Date: Fri, 26 Jun 2020 09:51:05 +0200
-Subject: [PATCH 1/2] ec2: Do not log IMDSv2 token values, instead use REDACTED
+Date: Wed, 24 Jun 2020 07:34:29 +0200
+Subject: [PATCH 1/4] ec2: Do not log IMDSv2 token values, instead use REDACTED
 (#219)
 RH-Author: Eduardo Otubo
-Message-id: <20200624114403.2164-2-otubo@redhat.com>
-Patchwork-id: 97796
-O-Subject: [RHEL-8.2.1 cloud-init PATCH 1/2] ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
-Bugzilla: 1850456
-RH-Acked-by: Vitaly Kuznetsov
+Message-id: <20200505082940.18316-1-otubo@redhat.com>
+Patchwork-id: 96264
+O-Subject: [RHEL-7.9/RHEL-8.3 cloud-init PATCH] ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
+Bugzilla: 1822343
+RH-Acked-by: Cathy Avery
 RH-Acked-by: Mohammed Gamal
+RH-Acked-by: Vitaly Kuznetsov
+
+Note: There's no RHEL-8.3/cloud-init-19.4 branch yet, but it should be
+queued to be applied on top of it when it's created.
 commit 87cd040ed8fe7195cbb357ed3bbf53cd2a81436c
 Author: Ryan Harper
diff --git a/SOURCES/ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch b/SOURCES/ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch
index 1e10436..619d8dc 100644
--- a/SOURCES/ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch
+++ b/SOURCES/ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch
@@ -1,16 +1,19 @@
-From 7715b4ac2a105298e8b7ca5e13761646d0844471 Mon Sep 17 00:00:00 2001
+From dc9460f161efce6770f66bb95d60cea6d27df722 Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo
-Date: Fri, 26 Jun 2020 09:51:07 +0200
-Subject: [PATCH 2/2] ec2: only redact token request headers in logs, avoid
+Date: Thu, 25 Jun 2020 08:03:59 +0200
+Subject: [PATCH] ec2: only redact token request headers in logs, avoid
 altering request (#230)
 RH-Author: Eduardo Otubo
-Message-id: <20200624114403.2164-3-otubo@redhat.com>
-Patchwork-id: 97795
-O-Subject: [RHEL-8.2.1 cloud-init PATCH 2/2] ec2: only redact token request headers in logs, avoid altering request (#230)
-Bugzilla: 1850456
+Message-id: <20200624112104.376-1-otubo@redhat.com>
+Patchwork-id: 97793
+O-Subject: [RHEL-8.3.0 cloud-init PATCH] ec2: only redact token request headers in logs, avoid altering request (#230)
+Bugzilla: 1822343
 RH-Acked-by: Vitaly Kuznetsov
 RH-Acked-by: Mohammed Gamal
+RH-Acked-by: Cathy Avery
+
+From: Chad Smith
 commit fa1abfec27050a4fb71cad950a17e42f9b43b478
 Author: Chad Smith
diff --git a/SOURCES/ci-ssh-exit-with-non-zero-status-on-disabled-user-472.patch b/SOURCES/ci-ssh-exit-with-non-zero-status-on-disabled-user-472.patch
new file mode 100644
index 0000000..cb3a8a0
--- /dev/null
+++ b/SOURCES/ci-ssh-exit-with-non-zero-status-on-disabled-user-472.patch
@@ -0,0 +1,74 @@
+From 44b6004ee17cd2ae5930c7d8fd3ecafd7485a4d6 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Mon, 17 Aug 2020 11:14:47 +0200
+Subject: [PATCH 2/2] ssh exit with non-zero status on disabled user (#472)
+
+RH-Author: Eduardo Otubo
+Message-id: <20200729074459.16096-1-otubo@redhat.com>
+Patchwork-id: 98071
+O-Subject: [RHEL-8.3.0 cloud-init PATCH] ssh exit with non-zero status on disabled user (#472)
+Bugzilla: 1833874
+RH-Acked-by: Mohammed Gamal
+RH-Acked-by: Vitaly Kuznetsov
+
+commit e161059a18173e2b61c54dba9eab774401fb5f1f
+Author: Eduardo Otubo
+Date: Wed Jul 15 20:21:02 2020 +0200
+
+ ssh exit with non-zero status on disabled user (#472)
+
+ It is confusing for scripts, where a disabled user has been specified,
+ that ssh exits with a zero status by default without indication anything
+ failed.
+
+ I think exitting with a non-zero status would make more clear in scripts
+ and automated setups where things failed, thus making noticing the issue
+ and debugging easier.
+
+ Signed-off-by: Eduardo Otubo
+
Signed-off-by: Aleksandar Kostadinov
+
+ LP: #1170059
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/ssh_util.py | 4 +++-
+ doc/examples/cloud-config.txt | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
+index bcb23a5..8ff61a2 100644
+--- a/cloudinit/ssh_util.py
++++ b/cloudinit/ssh_util.py
+@@ -40,11 +40,13 @@ VALID_KEY_TYPES = (
+ "ssh-rsa-cert-v01@openssh.com",
+ )
+
++_DISABLE_USER_SSH_EXIT = 142
+
+ DISABLE_USER_OPTS = (
+ "no-port-forwarding,no-agent-forwarding,"
+ "no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\""
+- " rather than the user \\\"$DISABLE_USER\\\".\';echo;sleep 10\"")
++ " rather than the user \\\"$DISABLE_USER\\\".\';echo;sleep 10;"
++ "exit " + str(_DISABLE_USER_SSH_EXIT) + "\"")
+
+
+ class AuthKeyLine(object):
+diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
+index 0e82b83..f00db68 100644
+--- a/doc/examples/cloud-config.txt
++++ b/doc/examples/cloud-config.txt
+@@ -235,7 +235,7 @@ disable_root: false
+ # The string '$USER' will be replaced with the username of the default user.
+ # The string '$DISABLE_USER' will be replaced with the username to disable.
+ #
+-# disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10"
++# disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit 142"
+
+ # disable ssh access for non-root-users
+ # To disable ssh access for non-root users, ssh_redirect_user: true can be
+--
+1.8.3.1
+
diff --git a/SOURCES/ci-swap-file-size-being-used-before-checked-if-str-315.patch b/SOURCES/ci-swap-file-size-being-used-before-checked-if-str-315.patch
new file mode 100644
index 0000000..bf1cc08
--- /dev/null
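Review bot: `_DISABLE_USER_SSH_EXIT = 142` is introduced without a comment, and the same value is repeated as a literal `exit 142` in the doc/examples/cloud-config.txt hunk of this patch, so the two copies can drift silently on the next edit. A comment on the constant would keep the intent the commit message gives next to the code and flag the coupling: `# Exit status of the forced command in DISABLE_USER_OPTS, so callers can tell a disabled-user login apart from a normal session; keep in sync with doc/examples/cloud-config.txt`. The value is spliced into a quoted shell `command=` option through `str()`, so it has to stay a plain integer.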
+++ b/SOURCES/ci-swap-file-size-being-used-before-checked-if-str-315.patch
@@ -0,0 +1,55 @@
+From 4f177d3363a0efb2ee67b8a46efaca7707c2437f Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Mon, 24 Aug 2020 15:25:36 +0200
+Subject: [PATCH 2/3] swap file "size" being used before checked if str (#315)
+
+RH-Author: Eduardo Otubo
+Message-id: <20200820092042.5418-3-otubo@redhat.com>
+Patchwork-id: 98192
+O-Subject: [RHEL-8.3.0 cloud-init PATCH 2/3] swap file "size" being used before checked if str (#315)
+Bugzilla: 1794664
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Mohammed Gamal
+
+commit 46cf23c28812d3e3ba0c570defd9a05628af5556
+Author: Eduardo Otubo
+Date: Tue Apr 14 17:45:14 2020 +0200
+
+ swap file "size" being used before checked if str
+
+ Swap file size variable was being used before checked if it's set to str
+ "auto". If set to "auto", it will break with:
+
+ failed to setup swap: unsupported operand type(s) for /: 'str' and 'int'
+
+ Signed-off-by: Eduardo Otubo
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/config/cc_mounts.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_mounts.py b/cloudinit/config/cc_mounts.py
+index 4293844..0573026 100644
+--- a/cloudinit/config/cc_mounts.py
++++ b/cloudinit/config/cc_mounts.py
+@@ -274,7 +274,6 @@ def setup_swapfile(fname, size=None, maxsize=None):
+ maxsize: the maximum size
+ """
+ swap_dir = os.path.dirname(fname)
+- mibsize = str(int(size / (2 ** 20)))
+ if str(size).lower() == "auto":
+ try:
+ memsize = util.read_meminfo()['total']
+@@ -286,6 +285,7 @@ def setup_swapfile(fname, size=None, maxsize=None):
+ size = suggested_swapsize(fsys=swap_dir, maxsize=maxsize,
+ memsize=memsize)
+
++ mibsize = str(int(size / (2 ** 20)))
+ if not size:
+ LOG.debug("Not creating swap: suggested size was 0")
+ return
+--
+1.8.3.1
+
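Review bot: The relocated `mibsize = str(int(size / (2 ** 20)))` now runs after the `"auto"` substitution, but it still precedes the `if not size:` early return, so with the default `size=None` shown in the hunk header (`def setup_swapfile(fname, size=None, maxsize=None)`) the division raises `TypeError` before the function can log and return. Placing the assignment below the guard removes that ordering problem: keep `if not size: LOG.debug("Not creating swap: suggested size was 0"); return` first, then `mibsize = str(int(size / (2 ** 20)))`. Nothing between the two statements reads `mibsize`, so the move cannot change behaviour for any other input. `setup_swapfile` begins before this hunk and continues after it, and the first consumer of `mibsize` is outside the visible lines.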
diff --git a/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
new file mode 100644
index 0000000..6f75385
--- /dev/null
+++ b/SOURCES/ci-utils-use-SystemRandom-when-generating-random-passwo.patch
@@ -0,0 +1,46 @@
+From ebbc83c1ca52620179d94dc1d92c44883273e4ef Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 28 May 2020 08:44:02 +0200
+Subject: [PATCH 2/4] utils: use SystemRandom when generating random password.
+ (#204)
+
+RH-Author: jmaloy
+Message-id: <20200313184329.16696-2-jmaloy@redhat.com>
+Patchwork-id: 94294
+O-Subject: [RHEL-8.2 cloud-init PATCH 1/1] utils: use SystemRandom when generating random password. (#204)
+Bugzilla: 1812174
+RH-Acked-by: Eduardo Otubo
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Mohammed Gamal
+
+From: Dimitri John Ledkov
+
+As noticed by Seth Arnold, non-deterministic SystemRandom should be
+used when creating security sensitive random strings.
+
+(cherry picked from commit 3e2f7356effc9e9cccc5ae945846279804eedc46)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ cloudinit/util.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 9d9d5c7..5d51ba8 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -401,9 +401,10 @@ def translate_bool(val, addons=None):
+
+
+ def rand_str(strlen=32, select_from=None):
++ r = random.SystemRandom()
+ if not select_from:
+ select_from = string.ascii_letters + string.digits
+- return "".join([random.choice(select_from) for _x in range(0, strlen)])
++ return "".join([r.choice(select_from) for _x in range(0, strlen)])
+
+
+ def rand_dict_key(dictionary, postfix=None):
+--
+1.8.3.1
+
diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec
index c933ba7..4648182 100644
--- a/SPECS/cloud-init.spec
+++ b/SPECS/cloud-init.spec
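Review bot: The new `r = random.SystemRandom()` line in `rand_str` carries no in-code explanation; the reason (the output is used for passwords and other security-sensitive strings, for which the default Mersenne Twister generator is unsuitable) lives only in the commit message, which is not visible once the patch is applied downstream. A one-line comment above it would keep that rationale with the code and discourage a future "simplification" back to `random.choice`: `# SystemRandom draws from os.urandom(); rand_str feeds password generation, so the default PRNG must not be used here`. As a style point, `range(0, strlen)` can be written `range(strlen)` and the list inside `"".join([...])` can be a generator, with no change in behaviour. `rand_str` is fully visible in the hunk; `rand_dict_key` below it is only context.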
@@ -6,7 +6,7 @@
 Name: cloud-init
 Version: 19.4
-Release: 1%{?dist}.7
+Release: 11%{?dist}
 Summary: Cloud instance init scripts
 Group: System Environment/Base
@@ -22,18 +22,38 @@ Patch0004: 0004-sysconfig-Don-t-write-BOOTPROTO-dhcp-for-ipv6-dhcp.patch
 Patch0005: 0005-DataSourceAzure.py-use-hostnamectl-to-set-hostname.patch
 Patch0006: 0006-include-NOZEROCONF-yes-in-etc-sysconfig-network.patch
 Patch0007: 0007-Remove-race-condition-between-cloud-init-and-Network.patch
-# For bz#1831646 - [RHEL8.2.1] Race condition of starting cloud-init and NetworkManager
-Patch8: ci-Make-cloud-init.service-execute-after-network-is-up.patch
-# For bz#1844366 - [rhel-8.2.1]Incorrect ds-identify check in cloud-init-generator
-Patch9: ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch
-# For bz#1844366 - [rhel-8.2.1]Incorrect ds-identify check in cloud-init-generator
-Patch10: ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch
-# For bz#1850456 - [RHEL8.2.1] Do not log IMDSv2 token values into cloud-init.log
-Patch11: ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch
-# For bz#1850456 - [RHEL8.2.1] Do not log IMDSv2 token values into cloud-init.log
-Patch12: ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch
-# For bz#1855595 - CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8] [rhel-8.2.1]
-Patch13: ci-Enable-ssh_deletekeys-by-default.patch
+# For bz#1812171 - CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8]
+Patch8: ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch
+# For bz#1812174 - CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8]
+Patch9: ci-utils-use-SystemRandom-when-generating-random-passwo.patch
+# For bz#1814152 - CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8]
+Patch10: ci-Enable-ssh_deletekeys-by-default.patch
+# For bz#1840648 - [cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok)
+Patch11:
ci-Remove-race-condition-between-cloud-init-and-Network.patch
+# For bz#1803928 - [RHEL8.3] Race condition of starting cloud-init and NetworkManager
+Patch12: ci-Make-cloud-init.service-execute-after-network-is-up.patch
+# For bz#1822343 - [RHEL8.3] Do not log IMDSv2 token values into cloud-init.log
+Patch13: ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch
+# For bz#1834173 - [rhel-8.3]Incorrect ds-identify check in cloud-init-generator
+Patch14: ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch
+# For bz#1834173 - [rhel-8.3]Incorrect ds-identify check in cloud-init-generator
+Patch15: ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch
+# For bz#1822343 - [RHEL8.3] Do not log IMDSv2 token values into cloud-init.log
+Patch16: ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch
+# For bz#1839662 - [ESXi][RHEL8.3][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform
+Patch17: ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch
+# For bz#1833874 - [rhel-8.3]using root user error should cause a non-zero exit code
+Patch18: ci-ssh-exit-with-non-zero-status-on-disabled-user-472.patch
+# For bz#1794664 - [RHEL8] swapon fails with "swapfile has holes" when created on a xfs filesystem by cloud-init
+Patch19: ci-Do-not-use-fallocate-in-swap-file-creation-on-xfs.-7.patch
+# For bz#1794664 - [RHEL8] swapon fails with "swapfile has holes" when created on a xfs filesystem by cloud-init
+Patch20: ci-swap-file-size-being-used-before-checked-if-str-315.patch
+# For bz#1794664 - [RHEL8] swapon fails with "swapfile has holes" when created on a xfs filesystem by cloud-init
+Patch21: ci-Detect-kernel-version-before-swap-file-creation-428.patch
+# For bz#1839662 - [ESXi][RHEL8.3][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform
+Patch22: ci-Changing-notation-of-subp-call.patch
+# For bz#1794664 - [RHEL8] swapon fails with "swapfile has holes" when created on a xfs filesystem by cloud-init
+Patch23: ci-cc_mounts-fix-incorrect-format-specifiers-316.patch
 BuildArch: noarch
@@ -217,43 +237,79 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 %changelog
-* Mon Jul 13 2020 Miroslav Rezanina - 19.4-1.el8.7
-- ci-Enable-ssh_deletekeys-by-default.patch [bz#1855595]
-- Resolves: bz#1855595
- (CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8] [rhel-8.2.1])
-
-* Fri Jun 26 2020 Miroslav Rezanina - 19.4-1.el8.6
-- Fixing cloud-init-generator permissions [bz#1844366]
-- Resolves: bz#1844366
- ([rhel-8.2.1]Incorrect ds-identify check in cloud-init-generator)
-
-* Fri Jun 26 2020 Miroslav Rezanina - 19.4-1.el8.5
-- ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch [bz#1850456]
-- ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch [bz#1850456]
-- Resolves: bz#1850456
- ([RHEL8.2.1] Do not log IMDSv2 token values into cloud-init.log)
-
-* Wed Jun 24 2020 Miroslav Rezanina - 19.4-1.el8.4
-- ci-Render-the-generator-from-template-instead-of-cp.patch [bz#1844366]
-- ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch [bz#1844366]
-- ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch [bz#1844366]
-- Resolves: bz#1844366
- ([rhel-8.2.1]Incorrect ds-identify check in cloud-init-generator)
-
-* Tue Jun 09 2020 Miroslav Rezanina - 19.4-1.el8.3
-- ci-changing-ds-identify-patch-from-usr-lib-to-usr-libex.patch [bz#1844366]
-- Resolves: bz#1844366
- ([rhel-8.2.1]Incorrect ds-identify check in cloud-init-generator)
-
-* Mon Jun 01 2020 Miroslav Rezanina - 19.4-1.el8.2
-- ci-Make-cloud-init.service-execute-after-network-is-up.patch [bz#1831646]
-- Resolves: bz#1831646
- ([RHEL8.2.1] Race condition of starting cloud-init and NetworkManager)
-
-* Mon Apr 20 2020 Miroslav Rezanina - 19.4-1.el8.1
-- Rebase to cloud-init 19.4 [bz#1811912]
-- Resolves: bz#1811912
- ([RHEL-8.2.1] cloud-init rebase to 19.4)
+* Wed Sep 02 2020 Miroslav Rezanina - 19.4-11.el8
+- ci-cc_mounts-fix-incorrect-format-specifiers-316.patch [bz#1794664]
+- Resolves: bz#1794664
+ ([RHEL8] swapon
fails with "swapfile has holes" when created on a xfs filesystem by cloud-init)
+
+* Mon Aug 31 2020 Miroslav Rezanina - 19.4-10.el8
+- ci-Changing-notation-of-subp-call.patch [bz#1839662]
+- Resolves: bz#1839662
+ ([ESXi][RHEL8.3][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform)
+
+* Mon Aug 24 2020 Miroslav Rezanina - 19.4-9.el8
+- ci-Do-not-use-fallocate-in-swap-file-creation-on-xfs.-7.patch [bz#1794664]
+- ci-swap-file-size-being-used-before-checked-if-str-315.patch [bz#1794664]
+- ci-Detect-kernel-version-before-swap-file-creation-428.patch [bz#1794664]
+- Resolves: bz#1794664
+ ([RHEL8] swapon fails with "swapfile has holes" when created on a xfs filesystem by cloud-init)
+
+* Mon Aug 17 2020 Miroslav Rezanina - 19.4-8.el8
+- ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch [bz#1839662]
+- ci-ssh-exit-with-non-zero-status-on-disabled-user-472.patch [bz#1833874]
+- Resolves: bz#1833874
+ ([rhel-8.3]using root user error should cause a non-zero exit code)
+- Resolves: bz#1839662
+ ([ESXi][RHEL8.3][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform)
+
+* Fri Jun 26 2020 Miroslav Rezanina - 19.4-7.el8
+- Fixing cloud-init-generator permissions [bz#1834173]
+- Resolves: bz#1834173
+ ([rhel-8.3]Incorrect ds-identify check in cloud-init-generator)
+
+* Thu Jun 25 2020 Miroslav Rezanina - 19.4-6.el8
+- ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch [bz#1822343]
+- Resolves: bz#1822343
+ ([RHEL8.3] Do not log IMDSv2 token values into cloud-init.log)
+
+* Wed Jun 24 2020 Miroslav Rezanina - 19.4-5.el8
+- ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch [bz#1822343]
+- ci-Render-the-generator-from-template-instead-of-cp.patch [bz#1834173]
+- ci-Change-from-redhat-to-rhel-in-systemd-generator-tmpl.patch [bz#1834173]
+- ci-cloud-init.service.tmpl-use-rhel-instead-of-redhat-4.patch [bz#1834173]
+- Resolves: bz#1822343
+ ([RHEL8.3] Do not log IMDSv2 token values into cloud-init.log)
-
Resolves: bz#1834173
+ ([rhel-8.3]Incorrect ds-identify check in cloud-init-generator)
+
+* Tue Jun 09 2020 Miroslav Rezanina - 19.4-4.el8
+- ci-changing-ds-identify-patch-from-usr-lib-to-usr-libex.patch [bz#1834173]
+- Resolves: bz#1834173
+ ([rhel-8.3]Incorrect ds-identify check in cloud-init-generator)
+
+* Mon Jun 01 2020 Miroslav Rezanina - 19.4-3.el8
+- ci-Make-cloud-init.service-execute-after-network-is-up.patch [bz#1803928]
+- Resolves: bz#1803928
+ ([RHEL8.3] Race condition of starting cloud-init and NetworkManager)
+
+* Thu May 28 2020 Miroslav Rezanina - 19.4-2.el8
+- ci-cc_set_password-increase-random-pwlength-from-9-to-2.patch [bz#1812171]
+- ci-utils-use-SystemRandom-when-generating-random-passwo.patch [bz#1812174]
+- ci-Enable-ssh_deletekeys-by-default.patch [bz#1814152]
+- ci-Remove-race-condition-between-cloud-init-and-Network.patch [bz#1840648]
+- Resolves: bz#1812171
+ (CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py [rhel-8])
+- Resolves: bz#1812174
+ (CVE-2020-8631 cloud-init: Use of random.choice when generating random password [rhel-8])
+- Resolves: bz#1814152
+ (CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-8])
+- Resolves: bz#1840648
+ ([cloud-init][RHEL-8.2.0] /etc/resolv.conf lose config after reboot (initial instance is ok))
+
+* Mon Apr 20 2020 Miroslav Rezanina - 19.4-1.el8
+- Rebase to cloud-init 19.4 [bz#1803095]
+- Resolves: bz#1803095
+ ([RHEL-8.3.0] cloud-init rebase to 19.4)
 * Tue Mar 10 2020 Miroslav Rezanina - 18.5-12.el8
 - ci-Remove-race-condition-between-cloud-init-and-Network.patch [bz#1807797]