diff --git a/SOURCES/ci-Changing-notation-of-subp-call.patch b/SOURCES/ci-Changing-notation-of-subp-call.patch
new file mode 100644
index 0000000..fd28084
--- /dev/null
+++ b/SOURCES/ci-Changing-notation-of-subp-call.patch
@@ -0,0 +1,47 @@
+From 96aece42291332f9347a437fc7ed6d809c710bc9 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Mon, 24 Aug 2020 14:22:52 -0400
+Subject: [PATCH 2/3] Changing notation of subp call
+
+RH-Author: Eduardo Otubo
+Message-id: <20200824142252.16298-1-otubo@redhat.com>
+Patchwork-id: 98215
+O-Subject: [RHEL-7.9.z/RHEL-8.2.1/RHEL-8.3.0 cloud-init PATCH] Changing notation of subp call
+Bugzilla: 1839619
+RH-Acked-by: Cathy Avery
+RH-Acked-by: Mohammed Gamal
+
+The previous patch was applied upstream on top of a refactoring that moves subp
+to its own module (3c551f6e, Move subp into its own module. (#416), release
+20.2).
+
+Downstream we're not there yet, in order to avoid applying the above
+commit and add a huge refactoring, I'll just change this call and we can
+benefit of this changes in a future rebase.
+
+x-downstream-only: yes
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Jon Maloy
+---
+ cloudinit/sources/helpers/vmware/imc/guestcust_util.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
+index a270d9fb..816f52e9 100644
+--- a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
++++ b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
+@@ -136,8 +136,8 @@ def get_tools_config(section, key, defaultVal):
+ cmd = ['vmware-toolbox-cmd', 'config', 'get', section, key]
+
+ try:
+- (outText, _) = subp.subp(cmd)
+- except subp.ProcessExecutionError as e:
++ (outText, _) = util.subp(cmd)
++ except util.ProcessExecutionError as e:
+ if e.exit_code == 69:
+ logger.debug(
+ "vmware-toolbox-cmd returned 69 (unavailable) for cmd: %s."
+--
+2.18.2
+
diff --git a/SOURCES/ci-DHCP-sandboxing-failing-on-noexec-mounted-var-tmp-52.patch b/SOURCES/ci-DHCP-sandboxing-failing-on-noexec-mounted-var-tmp-52.patch
new file mode 100644
index 0000000..895398b
--- /dev/null
+++ b/SOURCES/ci-DHCP-sandboxing-failing-on-noexec-mounted-var-tmp-52.patch
@@ -0,0 +1,119 @@
+From cfe79543cf7c96bb7598f43eabdcfd3ca011a51b Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Mon, 24 Aug 2020 16:03:42 -0400
+Subject: [PATCH 3/3] DHCP sandboxing failing on noexec mounted /var/tmp (#521)
+
+RH-Author: Eduardo Otubo
+Message-id: <20200824160342.23626-1-otubo@redhat.com>
+Patchwork-id: 98216
+O-Subject: [RHEL-8.2.0/RHEL-7.9/RHEL-8.2.1/RHEL-8.3.0 cloud-init PATCH] DHCP sandboxing failing on noexec mounted /var/tmp (#521)
+Bugzilla: 1871916
+RH-Acked-by: Cathy Avery
+RH-Acked-by: Mohammed Gamal
+
+commit db86753f81af73826158c9522f2521f210300e2b
+Author: Eduardo Otubo
+Date: Mon Aug 24 15:34:24 2020 +0200
+
+ DHCP sandboxing failing on noexec mounted /var/tmp (#521)
+
+ * DHCP sandboxing failing on noexec mounted /var/tmp
+
+ If /var/tmp is mounted with noexec option the DHCP sandboxing will fail
+ with Permission Denied. This patch simply avoids this error by checking
+ the exec permission updating the dhcp path in negative case.
+
+ rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1857309
+
+ Signed-off-by: Eduardo Otubo
+
+ * Replacing with os.* calls
+
+ * Adding test and removing isfile() useless call.
+
+ Co-authored-by: Rick Harding
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Jon Maloy
+---
+ cloudinit/net/dhcp.py | 6 +++++
+ cloudinit/net/tests/test_dhcp.py | 46 ++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+
+diff --git a/cloudinit/net/dhcp.py b/cloudinit/net/dhcp.py
+index c033cc8e..841e72ee 100644
+--- a/cloudinit/net/dhcp.py
++++ b/cloudinit/net/dhcp.py
+@@ -215,6 +215,12 @@ def dhcp_discovery(dhclient_cmd_path, interface, cleandir):
+ pid_file = os.path.join(cleandir, 'dhclient.pid')
+ lease_file = os.path.join(cleandir, 'dhcp.leases')
+
++ # In some cases files in /var/tmp may not be executable, launching dhclient
++ # from there will certainly raise 'Permission denied' error. Try launching
++ # the original dhclient instead.
++ if not os.access(sandbox_dhclient_cmd, os.X_OK):
++ sandbox_dhclient_cmd = dhclient_cmd_path
++
+ # ISC dhclient needs the interface up to send initial discovery packets.
+ # Generally dhclient relies on dhclient-script PREINIT action to bring the
+ # link up before attempting discovery. Since we are using -sf /bin/true,
+diff --git a/cloudinit/net/tests/test_dhcp.py b/cloudinit/net/tests/test_dhcp.py
+index c3fa1e04..08e2cfb5 100644
+--- a/cloudinit/net/tests/test_dhcp.py
++++ b/cloudinit/net/tests/test_dhcp.py
+@@ -406,6 +406,52 @@ class TestDHCPDiscoveryClean(CiTestCase):
+ 'eth9', '-sf', '/bin/true'], capture=True)])
+ m_kill.assert_has_calls([mock.call(my_pid, signal.SIGKILL)])
+
++ @mock.patch('cloudinit.net.dhcp.util.get_proc_ppid')
++ @mock.patch('cloudinit.net.dhcp.os.kill')
++ @mock.patch('cloudinit.net.dhcp.subp.subp')
++ def test_dhcp_discovery_outside_sandbox(self, m_subp, m_kill, m_getppid):
++ """dhcp_discovery brings up the interface and runs dhclient.
++
++ It also returns the parsed dhcp.leases file generated in the sandbox.
++ """
++ m_subp.return_value = ('', '')
++ tmpdir = self.tmp_dir()
++ dhclient_script = os.path.join(tmpdir, 'dhclient.orig')
++ script_content = '#!/bin/bash\necho fake-dhclient'
++ write_file(dhclient_script, script_content, mode=0o755)
++ lease_content = dedent("""
++ lease {
++ interface "eth9";
++ fixed-address 192.168.2.74;
++ option subnet-mask 255.255.255.0;
++ option routers 192.168.2.1;
++ }
++ """)
++ lease_file = os.path.join(tmpdir, 'dhcp.leases')
++ write_file(lease_file, lease_content)
++ pid_file = os.path.join(tmpdir, 'dhclient.pid')
++ my_pid = 1
++ write_file(pid_file, "%d\n" % my_pid)
++ m_getppid.return_value = 1 # Indicate that dhclient has daemonized
++
++ with mock.patch('os.access', return_value=False):
++ self.assertCountEqual(
++ [{'interface': 'eth9', 'fixed-address': '192.168.2.74',
++ 'subnet-mask': '255.255.255.0', 'routers': '192.168.2.1'}],
++ dhcp_discovery(dhclient_script, 'eth9', tmpdir))
++ # dhclient script got copied
++ with open(os.path.join(tmpdir, 'dhclient.orig')) as stream:
++ self.assertEqual(script_content, stream.read())
++ # Interface was brought up before dhclient called from sandbox
++ m_subp.assert_has_calls([
++ mock.call(
++ ['ip', 'link', 'set', 'dev', 'eth9', 'up'], capture=True),
++ mock.call(
++ [os.path.join(tmpdir, 'dhclient.orig'), '-1', '-v', '-lf',
++ lease_file, '-pf', os.path.join(tmpdir, 'dhclient.pid'),
++ 'eth9', '-sf', '/bin/true'], capture=True)])
++ m_kill.assert_has_calls([mock.call(my_pid, signal.SIGKILL)])
++
+
+ class TestSystemdParseLeases(CiTestCase):
+
+--
+2.18.2
+
diff --git a/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch b/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch
new file mode 100644
index 0000000..d76f631
--- /dev/null
+++ b/SOURCES/ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch
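Review bot: The new test in test_dhcp.py patches `cloudinit.net.dhcp.subp.subp`, but patch 2/3 of this same series states that the downstream tree has not taken the refactoring that moves subp into its own module, so this target presumably does not resolve in the 19.4 tree and the test would fail when the patch is applied instead of exercising the fallback. If dhcp.py downstream still calls `util.subp`, the decorator should read `@mock.patch('cloudinit.net.dhcp.util.subp')`. Separately, in the dhcp.py hunk the switch from the sandboxed copy to `dhclient_cmd_path` is silent; a debug log line in that branch would let an operator see from cloud-init.log that dhclient was launched from its installed path rather than from the sandbox directory. The test's docstring and its `called from sandbox` comment were carried over from the sandboxed test and should describe the outside-sandbox case. dhcp_discovery's body continues outside the hunk.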
@@ -0,0 +1,89 @@
+From ad54d6d1c78d007c1ee35fe421d946a6def5ee18 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Fri, 10 Jul 2020 09:44:34 -0400
+Subject: [PATCH 1/3] When tools.conf does not exist, running cmd
+ "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return
+ code will be EX_UNAVAILABLE(69), on this condition, it should not take it as
+ error. (#413)
+
+RH-Author: Eduardo Otubo
+Message-id: <20200710094434.9711-1-otubo@redhat.com>
+Patchwork-id: 97934
+O-Subject: [RHEL-7.9.z/RHEL-8.2.1/RHEL-8.3.0 cloud-init PATCH] When tools.conf does not exist, running cmd "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. (#413)
+Bugzilla: 1839619
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Mohammed Gamal
+
+From: chengcheng-chcheng <63850735+chengcheng-chcheng@users.noreply.github.com>
+
+The diff seems slightly different from upstream because of some parts
+being in different positions. But the final result is the file patched
+guestcust_util.py (within this block) exactly identical to the one
+upstream.
+
+Also: Sorry for the commit message being just a Subject and this being
+enormous. I kept the original from upstream.
+
+commit c6d09af67626c2f2241c64c10c9e27e8752ba87b
+Author: chengcheng-chcheng <63850735+chengcheng-chcheng@users.noreply.github.com>
+Date: Wed Jun 10 00:20:47 2020 +0800
+
+ When tools.conf does not exist, running cmd "vmware-toolbox-cmd config get deployPkg enable-custom-scripts", the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. (#413)
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Jon Maloy
+---
+ .../helpers/vmware/imc/guestcust_util.py | 33 +++++++++++--------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
+index 3d369d04..a270d9fb 100644
+--- a/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
++++ b/cloudinit/sources/helpers/vmware/imc/guestcust_util.py
+@@ -133,23 +133,30 @@ def get_tools_config(section, key, defaultVal):
+ 'vmware-toolbox-cmd not installed, returning default value')
+ return defaultVal
+
+- retValue = defaultVal
+ cmd = ['vmware-toolbox-cmd', 'config', 'get', section, key]
+
+ try:
+- (outText, _) = util.subp(cmd)
+- m = re.match(r'([^=]+)=(.*)', outText)
+- if m:
+- retValue = m.group(2).strip()
+- logger.debug("Get tools config: [%s] %s = %s",
+- section, key, retValue)
+- else:
++ (outText, _) = subp.subp(cmd)
++ except subp.ProcessExecutionError as e:
++ if e.exit_code == 69:
+ logger.debug(
+- "Tools config: [%s] %s is not found, return default value: %s",
+- section, key, retValue)
+- except util.ProcessExecutionError as e:
+- logger.error("Failed running %s[%s]", cmd, e.exit_code)
+- logger.exception(e)
++ "vmware-toolbox-cmd returned 69 (unavailable) for cmd: %s."
++ " Return default value: %s", " ".join(cmd), defaultVal)
++ else:
++ logger.error("Failed running %s[%s]", cmd, e.exit_code)
++ logger.exception(e)
++ return defaultVal
++
++ retValue = defaultVal
++ m = re.match(r'([^=]+)=(.*)', outText)
++ if m:
++ retValue = m.group(2).strip()
++ logger.debug("Get tools config: [%s] %s = %s",
++ section, key, retValue)
++ else:
++ logger.debug(
++ "Tools config: [%s] %s is not found, return default value: %s",
++ section, key, retValue)
+
+ return retValue
+
+--
+2.18.2
+
diff --git a/SOURCES/cloud-init-centos-user.patch b/SOURCES/cloud-init-centos-user.patch
deleted file mode 100644
index 2f8118b..0000000
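Review bot: Every failure of the `vmware-toolbox-cmd` call in get_tools_config now returns `defaultVal`, and per the commit subject one key read through this path is `deployPkg enable-custom-scripts`, so whether a failed lookup leaves custom scripts disabled depends entirely on the default each caller passes; nothing in the hunk writes that contract down. I would add a comment above the `except` branch such as `# Any subp failure falls back to defaultVal; callers gating script execution must pass the disabling value.` The bare `69` would also read better as a named constant (for example `os.EX_UNAVAILABLE`, assuming `os` is imported in this module), since its meaning currently lives only in the log string. The function starts above the hunk, so the callers and their defaults are not visible here.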
--- a/SOURCES/cloud-init-centos-user.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -uNrp cloud-init-19.4.orig/rhel/cloud.cfg cloud-init-19.4/rhel/cloud.cfg ---- cloud-init-19.4.orig/rhel/cloud.cfg 2020-10-13 14:40:36.353779891 +0000 -+++ cloud-init-19.4/rhel/cloud.cfg 2020-10-13 14:42:10.121982459 +0000 -@@ -54,7 +54,7 @@ cloud_final_modules: - - system_info: - default_user: -- name: cloud-user -+ name: centos - lock_passwd: true - gecos: Cloud User - groups: [adm, systemd-journal] diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec index f8ac672..9be1569 100644 --- a/SPECS/cloud-init.spec +++ b/SPECS/cloud-init.spec @@ -13,7 +13,7 @@ Name: cloud-init Version: 19.4 -Release: 7%{?dist} +Release: 7%{?dist}.2 Summary: Cloud instance init scripts Group: System Environment/Base @@ -54,8 +54,12 @@ Patch18: ci-Use-reload-or-try-restart-instead-of-try-reload-or-r.patch Patch19: ci-ec2-Do-not-log-IMDSv2-token-values-instead-use-REDAC.patch # For bz#1821999 - [RHEL7.9] Do not log IMDSv2 token values into cloud-init.log Patch20: ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch - -Patch9999: cloud-init-centos-user.patch +# For bz#1839619 - [ESXi][RHEL7.9][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform [rhel-7.9.z] +Patch21: ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch +# For bz#1839619 - [ESXi][RHEL7.9][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform [rhel-7.9.z] +Patch22: ci-Changing-notation-of-subp-call.patch +# For bz#1871916 - [Azure][RHEL 7.9] cloud-init Permission denied with the use of mount option noexec [rhel-7.9.z] +Patch23: ci-DHCP-sandboxing-failing-on-noexec-mounted-var-tmp-52.patch # Deal with noarch -> arch # https://bugzilla.redhat.com/show_bug.cgi?id=1067089 
@@ -226,6 +230,15 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Fri Oct 23 2020 Jon Maloy - 19.4-7.el7_9.2 +- ci-When-tools.conf-does-not-exist-running-cmd-vmware-to.patch [bz#1839619] +- ci-Changing-notation-of-subp-call.patch [bz#1839619] +- ci-DHCP-sandboxing-failing-on-noexec-mounted-var-tmp-52.patch [bz#1871916] +- Resolves: bz#1839619 + ([ESXi][RHEL7.9][cloud-init]ERROR log in cloud-init.log after clone VM on ESXi platform [rhel-7.9.z]) +- Resolves: bz#1871916 + ([Azure][RHEL 7.9] cloud-init Permission denied with the use of mount option noexec [rhel-7.9.z]) + * Wed May 20 2020 Miroslav Rezanina - 19.4-7.el7 - ci-ec2-only-redact-token-request-headers-in-logs-avoid-.patch [bz#1821999] - Resolves: bz#1821999