f25da3
From e6412be62079bbec5d67d178711ea42f21cafab8 Mon Sep 17 00:00:00 2001
f25da3
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
f25da3
Date: Tue, 12 Oct 2021 16:35:00 +0200
f25da3
Subject: [PATCH 1/2] Inhibit sshd-keygen@.service if cloud-init is active
f25da3
 (#1028)
f25da3
f25da3
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
f25da3
RH-MergeRequest: 11: Add drop-in to prevent race with sshd-keygen service
f25da3
RH-Commit: [1/2] 77ba3f167e71c43847aa5b38e1833d84568ed5a7 (eesposit/cloud-init-centos-)
f25da3
RH-Bugzilla: 2002492
f25da3
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
f25da3
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
f25da3
f25da3
TESTED: by me and QA
f25da3
BREW: 40286693
f25da3
f25da3
commit 02c71f097bca455a0f87d3e0a2af4d04b1cbd727
f25da3
Author: Ryan Harper <ryan.harper@canonical.com>
f25da3
Date:   Tue Oct 12 09:31:36 2021 -0500
f25da3
f25da3
    Inhibit sshd-keygen@.service if cloud-init is active (#1028)
f25da3
f25da3
    In some cloud-init enabled images the sshd-keygen@.service
f25da3
    may race with cloud-init and prevent ssh host keys from being
f25da3
    generated or generating host keys twice slowing boot and  consuming
f25da3
    additional entropy during boot.  This drop-in unit adds a condition to
f25da3
    the sshd-keygen@.service which prevents running if cloud-init is active.
f25da3
f25da3
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
f25da3
f25da3
Conflicts: minor conflict in setup.py (line 253), where we still use
f25da3
"/usr/lib/" instead of LIB
f25da3
---
f25da3
 packages/redhat/cloud-init.spec.in                    | 1 +
f25da3
 packages/suse/cloud-init.spec.in                      | 1 +
f25da3
 setup.py                                              | 5 ++++-
f25da3
 systemd/disable-sshd-keygen-if-cloud-init-active.conf | 8 ++++++++
f25da3
 4 files changed, 14 insertions(+), 1 deletion(-)
f25da3
 create mode 100644 systemd/disable-sshd-keygen-if-cloud-init-active.conf
f25da3
f25da3
diff --git a/packages/redhat/cloud-init.spec.in b/packages/redhat/cloud-init.spec.in
f25da3
index 16138012..1491822b 100644
f25da3
--- a/packages/redhat/cloud-init.spec.in
f25da3
+++ b/packages/redhat/cloud-init.spec.in
f25da3
@@ -175,6 +175,7 @@ fi
f25da3
 
f25da3
 %if "%{init_system}" == "systemd"
f25da3
 /usr/lib/systemd/system-generators/cloud-init-generator
f25da3
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
f25da3
 %{_unitdir}/cloud-*
f25da3
 %else
f25da3
 %attr(0755, root, root) %{_initddir}/cloud-config
f25da3
diff --git a/packages/suse/cloud-init.spec.in b/packages/suse/cloud-init.spec.in
f25da3
index 004b875f..da8107b4 100644
f25da3
--- a/packages/suse/cloud-init.spec.in
f25da3
+++ b/packages/suse/cloud-init.spec.in
f25da3
@@ -126,6 +126,7 @@ version_pys=$(cd "%{buildroot}" && find . -name version.py -type f)
f25da3
 
f25da3
 %{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
f25da3
 %{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
f25da3
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
f25da3
 
f25da3
 # Python code is here...
f25da3
 %{python_sitelib}/*
f25da3
diff --git a/setup.py b/setup.py
f25da3
index d5cd01a4..ec03fa27 100755
f25da3
--- a/setup.py
f25da3
+++ b/setup.py
f25da3
@@ -38,6 +38,7 @@ def is_generator(p):
f25da3
 def pkg_config_read(library, var):
f25da3
     fallbacks = {
f25da3
         'systemd': {
f25da3
+            'systemdsystemconfdir': '/etc/systemd/system',
f25da3
             'systemdsystemunitdir': '/lib/systemd/system',
f25da3
             'systemdsystemgeneratordir': '/lib/systemd/system-generators',
f25da3
         }
f25da3
@@ -249,7 +250,9 @@ if not platform.system().endswith('BSD'):
f25da3
     data_files.extend([
f25da3
         (ETC + '/NetworkManager/dispatcher.d/',
f25da3
          ['tools/hook-network-manager']),
f25da3
-        ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')])
f25da3
+        ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')]),
f25da3
+        (ETC + '/systemd/system/sshd-keygen@.service.d/',
f25da3
+         ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),
f25da3
     ])
f25da3
 # Use a subclass for install that handles
f25da3
 # adding on the right init system configuration files
f25da3
diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
f25da3
new file mode 100644
f25da3
index 00000000..71e35876
f25da3
--- /dev/null
f25da3
+++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
f25da3
@@ -0,0 +1,8 @@
f25da3
+# In some cloud-init enabled images the sshd-keygen template service may race
f25da3
+# with cloud-init during boot causing issues with host key generation.  This
f25da3
+# drop-in config adds a condition to sshd-keygen@.service if it exists and
f25da3
+# prevents the sshd-keygen units from running *if* cloud-init is going to run.
f25da3
+#
f25da3
+[Unit]
f25da3
+ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
f25da3
+EOF
f25da3
-- 
f25da3
2.27.0
f25da3