Diffstat (limited to 'cloudinit/config')
-rw-r--r-- | cloudinit/config/cc_apt_configure.py | 2 | ||||
-rw-r--r-- | cloudinit/config/cc_ca_certs.py | 123 | ||||
-rw-r--r-- | cloudinit/config/cc_resolv_conf.py | 4 | ||||
-rw-r--r-- | cloudinit/config/cc_rh_subscription.py | 8 | ||||
-rw-r--r-- | cloudinit/config/cc_seed_random.py | 12 |
5 files changed, 99 insertions, 50 deletions
diff --git a/cloudinit/config/cc_apt_configure.py b/cloudinit/config/cc_apt_configure.py
index 73d8719f..bb8a1278 100644
--- a/cloudinit/config/cc_apt_configure.py
+++ b/cloudinit/config/cc_apt_configure.py
@@ -389,7 +389,7 @@ PRIMARY_ARCH_MIRRORS = {"PRIMARY": "http://archive.ubuntu.com/ubuntu/",
 PORTS_MIRRORS = {"PRIMARY": "http://ports.ubuntu.com/ubuntu-ports",
 "SECURITY": "http://ports.ubuntu.com/ubuntu-ports"}
 PRIMARY_ARCHES = ['amd64', 'i386']
-PORTS_ARCHES = ['s390x', 'arm64', 'armhf', 'powerpc', 'ppc64el']
+PORTS_ARCHES = ['s390x', 'arm64', 'armhf', 'powerpc', 'ppc64el', 'riscv64']
 
 
 def get_default_mirrors(arch=None, target=None):
diff --git a/cloudinit/config/cc_ca_certs.py b/cloudinit/config/cc_ca_certs.py
index 3c453d91..bd7bead9 100644
--- a/cloudinit/config/cc_ca_certs.py
+++ b/cloudinit/config/cc_ca_certs.py
@@ -25,7 +25,7 @@ can be removed from the system with the configuration option
 **Module frequency:** per instance
 
-**Supported distros:** alpine, debian, ubuntu
+**Supported distros:** alpine, debian, ubuntu, rhel
 
 **Config keys**::
@@ -44,60 +44,104 @@ import os
 from cloudinit import subp
 from cloudinit import util
 
-CA_CERT_PATH = "/usr/share/ca-certificates/"
-CA_CERT_FILENAME = "cloud-init-ca-certs.crt"
-CA_CERT_CONFIG = "/etc/ca-certificates.conf"
-CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/"
-CA_CERT_FULL_PATH = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME)
+DEFAULT_CONFIG = {
+ 'ca_cert_path': '/usr/share/ca-certificates/',
+ 'ca_cert_filename': 'cloud-init-ca-certs.crt',
+ 'ca_cert_config': '/etc/ca-certificates.conf',
+ 'ca_cert_system_path': '/etc/ssl/certs/',
+ 'ca_cert_update_cmd': ['update-ca-certificates']
+}
+DISTRO_OVERRIDES = {
+ 'rhel': {
+ 'ca_cert_path': '/usr/share/pki/ca-trust-source/',
+ 'ca_cert_filename': 'anchors/cloud-init-ca-certs.crt',
+ 'ca_cert_config': None,
+ 'ca_cert_system_path': '/etc/pki/ca-trust/',
+ 'ca_cert_update_cmd': ['update-ca-trust']
+ }
+}
 
-distros = ['alpine', 'debian', 'ubuntu']
+distros = ['alpine', 'debian', 'ubuntu', 'rhel']
 
 
-def update_ca_certs():
+
+def _distro_ca_certs_configs(distro_name):
+ """Return a distro-specific ca_certs config dictionary
+
+ @param distro_name: String providing the distro class name.
+ @returns: Dict of distro configurations for ca-cert.
+ """
+ cfg = DISTRO_OVERRIDES.get(distro_name, DEFAULT_CONFIG)
+ cfg['ca_cert_full_path'] = os.path.join(cfg['ca_cert_path'],
+ cfg['ca_cert_filename'])
+ return cfg
+
+
+def update_ca_certs(distro_cfg):
 """
 Updates the CA certificate cache on the current machine.
+
+ @param distro_cfg: A hash providing _distro_ca_certs_configs function.
 """
- subp.subp(["update-ca-certificates"], capture=False)
+ subp.subp(distro_cfg['ca_cert_update_cmd'], capture=False)
 
 
-def add_ca_certs(certs):
+def add_ca_certs(distro_cfg, certs):
 """
 Adds certificates to the system. To actually apply the new certificates
 you must also call L{update_ca_certs}.
 
+ @param distro_cfg: A hash providing _distro_ca_certs_configs function.
 @param certs: A list of certificate strings.
 """
- if certs:
- # First ensure they are strings...
- cert_file_contents = "\n".join([str(c) for c in certs])
- util.write_file(CA_CERT_FULL_PATH, cert_file_contents, mode=0o644)
-
- if os.stat(CA_CERT_CONFIG).st_size == 0:
- # If the CA_CERT_CONFIG file is empty (i.e. all existing
- # CA certs have been deleted) then simply output a single
- # line with the cloud-init cert filename.
- out = "%s\n" % CA_CERT_FILENAME
- else:
- # Append cert filename to CA_CERT_CONFIG file.
- # We have to strip the content because blank lines in the file
- # causes subsequent entries to be ignored. (LP: #1077020)
- orig = util.load_file(CA_CERT_CONFIG)
- cur_cont = '\n'.join([line for line in orig.splitlines()
- if line != CA_CERT_FILENAME])
- out = "%s\n%s\n" % (cur_cont.rstrip(), CA_CERT_FILENAME)
- util.write_file(CA_CERT_CONFIG, out, omode="wb")
-
-
-def remove_default_ca_certs(distro_name):
+ if not certs:
+ return
+ # First ensure they are strings...
+ cert_file_contents = "\n".join([str(c) for c in certs])
+ util.write_file(distro_cfg['ca_cert_full_path'],
+ cert_file_contents,
+ mode=0o644)
+ update_cert_config(distro_cfg)
+
+
+def update_cert_config(distro_cfg):
+ """
+ Update Certificate config file to add the file path managed cloud-init
+
+ @param distro_cfg: A hash providing _distro_ca_certs_configs function.
+ """
+ if distro_cfg['ca_cert_config'] is None:
+ return
+ if os.stat(distro_cfg['ca_cert_config']).st_size == 0:
+ # If the CA_CERT_CONFIG file is empty (i.e. all existing
+ # CA certs have been deleted) then simply output a single
+ # line with the cloud-init cert filename.
+ out = "%s\n" % distro_cfg['ca_cert_filename']
+ else:
+ # Append cert filename to CA_CERT_CONFIG file.
+ # We have to strip the content because blank lines in the file
+ # causes subsequent entries to be ignored. (LP: #1077020)
+ orig = util.load_file(distro_cfg['ca_cert_config'])
+ cr_cont = '\n'.join([line for line in orig.splitlines()
+ if line != distro_cfg['ca_cert_filename']])
+ out = "%s\n%s\n" % (cr_cont.rstrip(),
+ distro_cfg['ca_cert_filename'])
+ util.write_file(distro_cfg['ca_cert_config'], out, omode="wb")
+
+
+def remove_default_ca_certs(distro_name, distro_cfg):
 """
 Removes all default trusted CA certificates from the system. To actually
 apply the change you must also call L{update_ca_certs}.
+
+ @param distro_name: String providing the distro class name.
+ @param distro_cfg: A hash providing _distro_ca_certs_configs function.
 """
- util.delete_dir_contents(CA_CERT_PATH)
- util.delete_dir_contents(CA_CERT_SYSTEM_PATH)
- util.write_file(CA_CERT_CONFIG, "", mode=0o644)
+ util.delete_dir_contents(distro_cfg['ca_cert_path'])
+ util.delete_dir_contents(distro_cfg['ca_cert_system_path'])
+ util.write_file(distro_cfg['ca_cert_config'], "", mode=0o644)
 
- if distro_name != 'alpine':
+ if distro_name in ['debian', 'ubuntu']:
 debconf_sel = (
 "ca-certificates ca-certificates/trust_new_crts " + "select no")
 subp.subp(('debconf-set-selections', '-'), debconf_sel)
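Review bot: In `remove_default_ca_certs` the line `util.write_file(distro_cfg['ca_cert_config'], "", mode=0o644)` runs unconditionally, but the new rhel override sets `ca_cert_config` to `None`, so `remove-defaults: true` on rhel fails on a `None` path before the anchors are written and `update-ca-trust` runs; `update_cert_config` already guards this case, and the write here needs the same guard, `if distro_cfg['ca_cert_config'] is not None:` around that line. `_distro_ca_certs_configs` also stores `ca_cert_full_path` into the module-level `DEFAULT_CONFIG` / `DISTRO_OVERRIDES['rhel']` dict it hands back, so every caller shares and can mutate the global; copying first, `cfg = dict(DISTRO_OVERRIDES.get(distro_name, DEFAULT_CONFIG))`, keeps the constants constant. The `.get(...)` fallback means any distro name without an override silently gets the Debian paths and `update-ca-certificates`, which only the `distros` list prevents today; a comment such as `# Names absent from DISTRO_OVERRIDES fall back to the Debian layout; add an override when extending distros.` would make that coupling explicit. On rhel, `delete_dir_contents` on `/etc/pki/ca-trust/` also removes the `extracted/` tree that `update-ca-trust` writes into, and I cannot tell from the diff whether the tool recreates those directories, so the `remove-defaults` path deserves a test on a rhel image.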
@@ -120,22 +164,23 @@ def handle(name, cfg, cloud, log, _args):
 return
 
 ca_cert_cfg = cfg['ca-certs']
+ distro_cfg = _distro_ca_certs_configs(cloud.distro.name)
 
 # If there is a remove-defaults option set to true, remove the system
 # default trusted CA certs first.
 if ca_cert_cfg.get("remove-defaults", False):
 log.debug("Removing default certificates")
- remove_default_ca_certs(cloud.distro.name)
+ remove_default_ca_certs(cloud.distro.name, distro_cfg)
 
 # If we are given any new trusted CA certs to add, add them.
 if "trusted" in ca_cert_cfg:
 trusted_certs = util.get_cfg_option_list(ca_cert_cfg, "trusted")
 if trusted_certs:
 log.debug("Adding %d certificates" % len(trusted_certs))
- add_ca_certs(trusted_certs)
+ add_ca_certs(distro_cfg, trusted_certs)
 
 # Update the system with the new cert configuration.
 log.debug("Updating certificates")
- update_ca_certs()
+ update_ca_certs(distro_cfg)
 
 # vi: ts=4 expandtab
diff --git a/cloudinit/config/cc_resolv_conf.py b/cloudinit/config/cc_resolv_conf.py
index 7beb11ca..466dad03 100644
--- a/cloudinit/config/cc_resolv_conf.py
+++ b/cloudinit/config/cc_resolv_conf.py
@@ -14,12 +14,12 @@ Resolv Conf
 This module is intended to manage resolv.conf in environments where early
 configuration of resolv.conf is necessary for further bootstrapping and/or
 where configuration management such as puppet or chef own dns configuration.
-As Debian/Ubuntu will, by default, utilize resolvconf, and similarly RedHat
+As Debian/Ubuntu will, by default, utilize resolvconf, and similarly Red Hat
 will use sysconfig, this module is likely to be of little use unless those are
 configured correctly.
 
 .. note::
- For RedHat with sysconfig, be sure to set PEERDNS=no for all DHCP
+ For Red Hat with sysconfig, be sure to set PEERDNS=no for all DHCP
 enabled NICs.
 
 .. note::
diff --git a/cloudinit/config/cc_rh_subscription.py b/cloudinit/config/cc_rh_subscription.py
index 28d62e9d..693317c2 100644
--- a/cloudinit/config/cc_rh_subscription.py
+++ b/cloudinit/config/cc_rh_subscription.py
@@ -5,15 +5,15 @@
 # This file is part of cloud-init. See LICENSE file for license information.
 
 """
-RedHat Subscription
--------------------
+Red Hat Subscription
--------------------
 **Summary:** register red hat enterprise linux based system
 
-Register a RedHat system either by username and password *or* activation and
+Register a Red Hat system either by username and password *or* activation and
 org. Following a sucessful registration, you can auto-attach subscriptions, set
 the service level, add subscriptions based on pool id, enable/disable yum
 repositories based on repo id, and alter the rhsm_baseurl and server-hostname
-in ``/etc/rhsm/rhs.conf``. For more details, see the ``Register RedHat
+in ``/etc/rhsm/rhs.conf``. For more details, see the ``Register Red Hat
 Subscription`` example config.
 
 **Internal name:** ``cc_rh_subscription``
diff --git a/cloudinit/config/cc_seed_random.py b/cloudinit/config/cc_seed_random.py
index 4fb9b44e..911789c7 100644
--- a/cloudinit/config/cc_seed_random.py
+++ b/cloudinit/config/cc_seed_random.py
@@ -24,15 +24,19 @@ Configuration for this module is under the ``random_seed`` config key. The
 optionally be specified in encoded form, with the encoding specified in
 ``encoding``.
 
+If the cloud provides its own random seed data, it will be appended to ``data``
+before it is written to ``file``.
+
 .. note::
 when using a multiline value for ``data`` or specifying binary data, be
 sure to follow yaml syntax and use the ``|`` and ``!binary`` yaml format
 specifiers when appropriate
 
-Instead of specifying a data string, a command can be run to generate/collect
-the data to be written. The command should be specified as a list of args in
-the ``command`` key. If a command is specified that cannot be run, no error
-will be reported unless ``command_required`` is set to true.
+If the ``command`` key is specified, the given command will be executed. This
+will happen after ``file`` has been populated. That command's environment will
+contain the value of the ``file`` key as ``RANDOM_SEED_FILE``. If a command is
+specified that cannot be run, no error will be reported unless
+``command_required`` is set to true.
 
 For example, to use ``pollinate`` to gather data from a remote entropy server
 and write it to ``/dev/urandom``, the following could be |