| Age | Commit message (Collapse) | Author |
|---|
|
* cc_ssh: fix capitalisation of SSH
* doc: fix capitalisation of SSH
* cc_keys_to_console: fix capitalisation of SSH
* ssh_util: fix capitalisation of SSH
* DataSourceIBMCloud: fix capitalisation of SSH
* DataSourceAzure: fix capitalisation of SSH
* cs_utils: fix capitalisation of SSH
* distros/__init__: fix capitalisation of SSH
* cc_set_passwords: fix capitalisation of SSH
* cc_ssh_import_id: fix capitalisation of SSH
* cc_users_groups: fix capitalisation of SSH
* cc_ssh_authkey_fingerprints: fix capitalisation of SSH
|
|
|
|
Azure stores the instance ID with an incorrect byte ordering for the
first three hyphen delimited parts. This results in invalid
is_new_instance checks forcing Azure datasource to recrawl the metadata
service.
When persisting instance-id from the metadata service, swap the
instance-id string byte order such that it is consistent with
that returned by dmi information. Check whether the instance-id
string is a byte-swapped match when determining correctly whether
the Azure platform instance-id has actually changed.
|
|
On non-Linux systems, `/sys` won't be available. In these cases, we can query `dmidecode(8)` directly. This PR implements a dmi_decode function to query the same fields ds-identify
would otherwise read from /sys. This path is taken when /sys isn't present. In addition to
adding dmidecode support, non-Linux systems also need to map in virtualization detection
as systemd-detect-virt is not present; on FreeBSD, use sysctl kern.vm_guest and provide a
mapping[1] between BSD values and those that match with systemd-detect-virt[2].
1. https://github.com/freebsd/freebsd/blob/master/sys/kern/subr_param.c#L149-L157
2. https://www.freedesktop.org/software/systemd/man/systemd-detect-virt.html
LP: #1852442
|
|
Currently cloud-init does not know how to handle multiple file
configuration on section AuthorizedKeysFile of ssh configuration.
cloud-init will mess up the home user directory by creating bogus
folders inside it.
This patch provides a fix for this erroneous behavior. It gathers all
keys from all the files listed on the section AuthorizedKeysFile of ssh
configuration and merge all of them inside home user
~/.ssh/authorized_keys of the vm deployed.
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
|
Headers param was accidentally omitted and no longer passed through to
readurl due to a previous commit.
To avoid this omission of params in the future, drop positional param
definitions from read_file_or_url and pass all kwargs through to readurl
when we are not operating on a file.
In util:read_seeded, correct the case where invalid positional param
file_retries was being passed into read_file_or_url.
Also drop duplicated file:// prefix addition from read_seeded because
read_file_or_url does that work anyway.
LP: #1854084
|
|
Allow setting of user passwords on FreeBSD
The www/chpasswd utility which we depended on for FreeBSD installations
does *not* do the same thing as the equally named Linux utility.
For FreeBSD, we now use the pw(8) utility (which can only process one
user at a time)
Additionally, we abstract expire passwd into a function, and override it
in the FreeBSD distro class.
Co-Authored-By: Chad Smith <chad.smith@canonical.com>
|
|
Since `is_FreeBSD()` is used a lot, which uses `system_info()`, which uses `get_linux_distro()` we add caching, by decorating the following functions with `@lru_cache`:
- get_architecture()
- _lsb_release()
- is_FreeBSD
- get_linux_distro
- system_info()
- _get_cmdline()
Since [functools](https://docs.python.org/3/library/functools.html) only exists in Python 3, only python 3 will benefit from this improvement. For python 2, our shim is just a pass-thru. Too bad, but, also… https://pythonclock.org/
The main motivation here was, at first, to cache more, following the style of _lsb_release.
That is now consolidated under this very same roof.
LP: #1815030
|
|
* ec2: Add support for AWS IMDS v2 (session-oriented)
AWS now supports a new version of fetching Instance Metadata[1].
Update cloud-init's ec2 utility functions and update ec2 derived
datasources accordingly. For DataSourceEc2 (versus ec2-look-alikes)
cloud-init will issue the PUT request to obtain an API token for
the maximum lifetime and then all subsequent interactions with the
IMDS will include the token in the header.
If the API token endpoint is unreachable on Ec2 platform, log a
warning and fallback to using IMDS v1 and which does not use
session tokens when communicating with the Instance metadata
service.
We handle read errors, typically seen if the IMDS is beyond one
etwork hop (IMDSv2 responses have a ttl=1), by setting the api token
to a disabled value and then using IMDSv1 paths.
To support token-based headers, ec2_utils functions were updated
to support custom headers_cb and exception_cb callback functions
so Ec2 could store, or refresh API tokens in the event of token
becoming stale.
[1] https://docs.aws.amazon.com/AWSEC2/latest/ \
UserGuide/ec2-instance-metadata.html \
#instance-metadata-v2-how-it-works
|
|
The cloudsigma tests had few test cases that were not getting
all the "mocks" set up correctly. Specifically is_running_in_cloudsigma
was not getting replaced and calls would leak through to
util.read_dmi_data.
|
|
Router advertisements are required for the default route
to be set up, thus accept_ra should be enabled for
dhcpv6-stateful.
sysconf: IPV6_FORCE_ACCEPT_RA controls accept_ra sysctl.
eni: mode static and mode dhcp 'accept_ra' controls sysctl.
Add 'accept-ra: true|false' parameter to config v1 and
v2. When True: accept_ra is set to '1'. When False:
accept_ra is set to '0'. When not defined in config the
value is left to the operating system default.
This change also extend the IPv6 support to distinguish
between slaac and dhcpv6-stateless. SLAAC is autoconfig
without any options from DHCP, while stateless auto-configures
the address and the uses DHCP for other options.
LP: #1806014
LP: #1808647
|
|
Azure's Instance Metadata Service (IMDS) reports multiple IPv6
addresses, via the http://169.254.169.254/metadata/instance/network
route. Any additional values after the first in 'ipAddresses' under the
'ipv6' interface key are extracted and configured as static IPs on
the interface.
|
|
The KVPs currently being emitted to the .kvp_pool file can have
duplicate keys which is wrong since these keys should be unique.
The situation can occur if for example one azure function
called twice or more and this function is reporting telemetry
through the use of KVPs. Any KVP consumer can get confused by
the duplicate keys and a race condition can and have occurred.
|
|
Network v2 configuration for Azure will set both dhcp4 and
dhcp6 to False by default.
When IPv6 privateIpAddresses are present for an interface in Azure's
Instance Metadata Service (IMDS), set dhcp6: True and provide a
route-metric value that will match the corresponding dhcp4 route-metric.
The route-metric value will increase by 100 for each additional
interface present to ensure the primary interface has a route to IMDS.
Also fix dhcp route-metric rendering for eni and sysconfig distros.
LP: #1850308
|
|
When ConfigDrive discovers the source path /config-drive, subplatform
is now reports 'config-drive'
LP: #1849731
|
|
In typical cases, SmartOS does not use DHCP for network configuration.
As such, if the network configuration changes that is reflected in
metadata and will be picked up during the next boot.
LP: #1765801
Joyent: OS-6902 reconfigure network on each boot
|
|
This patch enables control over SSH public-key import and
discarding supplied user-data (both disabled by default).
allow-userdata: false
ssh:
allow_public_ssh_keys: false
This feature enables closed appliances to prevent customers
from unintentionally breaking the appliance which were
not designed for user interaction.
The downstream change for this is here:
https://github.com/delphix/cloud-init/pull/4
|
|
Function return false for ipv6_dhcpv6-stateless|stateful,
the eni renderer does not add '6' to 'inet' which is
incorrect.
The subnet_is_ipv6() function is updated to also return
true if startswith('ipv6').
LP: #1848690
|
|
For security concern, we disable the custom script
by default.If a custom script is provided, stop
customization unless the custom script is explicitly
enabled by tools config.
|
|
This change adds two new parameters:
* csr_attributes
* csr_attributes_path
Those parameters allow to configure the content of the
csr_attributes.yaml file.
See https://puppet.com/docs/puppet/latest/config_file_csr_attributes.html
|
|
After initial boot ovf-env.xml is copied to agent dir
(/var/lib/waagent/) with REDACTED password.
On subsequent boots DataSourceAzure loads with a configuration where the
user specified in /var/lib/waagent/ovf-env.xml is locked.
If instance id changes, cc_users_groups action will lock the user.
Fix this behavior by not locking the user if its password is REDACTED.
LP: #1849677
|
|
netplan introduced an 'info' subcommand which emits yaml describing
implemented features that indicate new or changed fields and values
in the yaml that it accepts. Previously, cloud-init emitted the key
'mtu6' for ipv6 MTU values. This is not correct and netplan will
fail to parse these values. Netplan as of 0.98 supports both the
info subcommand and the ipv6-mtu key.
This branch modifies the netplan renderer to collect the netplan
info output into a 'features' property which is a list of available
feature flags which the renderer can use to modify its output. If
the command is not available, no feature flags are set and
cloud-init will render IPv6 MTU values just as MTU for the subnet.
|
|
Here we replace uses of the pyyaml module directly with functions
provided by cloudinit.safeyaml. Also, change/move
cloudinit.util.yaml_dumps
to
cloudinit.safeyaml.dumps
LP: #1849640
|
|
Commit e7b0e5f72 added support for configuring infiniband devices by
adding a new infiniband 'type'. This commit updates eni and sysconfig
renderers to consume this new type and configure infiniband devices
correctly.
LP: #1847114
|
|
Handle the special characters when reading VM Tools configure file.
For example, the key and value may contain _, - and . etc.
|
|
Commit 6797e822959b84c98cf73e02b2a6e3d6ab3fd4fe replaced
the LOG.warn calls that linters were warning about; this
also replaces calls that linters would not have recognised
(as `log` is generally a parameter in these scenarios).
LP: #1508442
|
|
Openstack subnets can be configured to use SLAAC by setting
ipv6_address_mode=dhcpv6-stateless. When this is the case
the sysconfig interface configuration should use
IPV6_AUTOCONF=yes and not set DHCPV6C=yes.
This change sets the subnets type property to the full
network['type'] from openstack metadata.
cloudinit/net/sysconfig.py and cloudinit/net/eni.py
are updated to support new subnet types:
- 'ipv6_dhcpv6-stateless' => IPV6_AUTOCONF=yes
- 'ipv6_dhcpv6-stateful' => DHCPV6C=yes
Type 'dhcp6' in sysconfig is kept for backward compatibility
with any implementations that set subnet_type == 'dhcp6'.
LP: #1847517
|
|
e24cloud provides an EC2 compatible datasource.
This just identifies their platform based on dmi 'system-vendor'
having 'e24cloud'. https://www.e24cloud.com/en/ .
Updated chassis typo in zstack unit test docstring.
LP: #1696476
|
|
|
|
Specifically, add in "reboot" to make it clear what people should expect
when modifying the file.
This also renames the variable to indicate it is used for netplan and
ENI, not just ENI.
LP: #1845669
|
|
Cloud-init will not operate properly if the instance-id value changes
on each boot. This is the source of a number of behavioral bugs filed
against cloud-init with OVF datasource. Instead, use a static instance-id
value, iid-vmware-imc, similar to iid-dsovf.
|
|
If an OS image provided an /etc/resolv.conf file that was not empty
cloud-init would read and re-write it with a cloud-init header even
if no DNS network configuration was provided (e.g. DHCP only).
This can cause problems for some network services which don't
ignore cloud-init's header.
LP: #1843634
|
|
The sysconfig renderer used the distro name directly which mean
some variants of distros were not considered supported. Fix this
by using util.system_info()['variant'] instead. Fix the list of
KNOWN_DISTROS value for redhat -> rhel.
LP: #1843584
|
|
Zstack platform provides a AWS Ec2 metadata service, and
identifies their platform to the guest by setting the 'chassis asset tag'
to a string that ends with '.zstack.io'.
LP: #1841181
|
|
The detection for brightbox in both ds-identify and in
identify_brightbox would incorrectly match the domain 'bobrightbox',
which is not a brightbox platform. The fix here is to restrict
matching to '*.brightbox.com' rather than '*brightbox.com'
Also, while here remove a url to bug 1661693 which added the
knowledge of brightbox.
|
|
VMWware customization already has support to run a custom script during
the VM customization. Adding this option allows a VM administrator to
disable the execution of customization scripts. If set the script
will not execute and the customization status is set to
GUESTCUST_ERROR_SCRIPT_DISABLED.
|
|
Make sure Exoscale supplements or overrides existing system config
setting cloud_config_modules instead of replacing it with a one item
list set-passords
LP: #1841454
|
|
This refactors read_initramfs_config to support multiple different types
of initramfs network configuration. It introduces an
InitramfsNetworkConfigSource abstract base class. There is currently a
single sub-class, KlibcNetworkConfigSource, which contains the logic
which previously was directly within read_initramfs_config.
|
|
To accept NVIDIA EULA, cloud-init needs to emit latelink=true debconf
setting to the linux-restricted-modules package to allow NVIDIA
drivers to properly link to the running kernel.
LP: #1840080
|
|
Collect and record the following information through KVP:
+ timestamps related to kernel initialization and systemd activation
of cloud-init services
+ system information including cloud-init version, kernel version,
distro version, and python version
+ diagnostic events for the most common provisioning error issues
such as empty dhcp lease, corrupted ovf-env.xml, etc.
+ increasing the log frequency of polling IMDS during reprovision.
|
|
The function generate_fallback_config is used by Azure by default when
not consuming IMDS configuration data. This function is also used by any
datasource which does not implement it's own network config. This simple
fallback configuration sets up dhcp on the most likely NIC. It will now
emit network v2 instead of network v1.
This is a step toward moving all components talking in v2 and allows us
to avoid costly conversions between v1 and v2 for newer distributions
which rely on netplan.
|
|
This adds an empty publish_host_keys() method to the default datasource
that is called by cc_ssh.py. This feature can be controlled by the
'ssh_publish_hostkeys' config option. It is enabled by default but can
be disabled by setting 'enabled' to false. Also, a blacklist of key
types is supported.
In addition, this change implements ssh_publish_hostkeys() for the GCE
datasource, attempting to write the hostkeys to the instance's guest
attributes. Using these hostkeys for ssh connections is currently
supported by the alpha version of Google's 'gcloud' command-line tool.
(On Google Compute Engine, this feature will be enabled by setting the
'enable-guest-attributes' metadata key to 'true' for the
project/instance that you would like to use this feature for. When
connecting to the instance for the first time using 'gcloud compute ssh'
the hostkeys will be read from the guest attributes for the instance and
written to the user's local known_hosts file for Google Compute Engine
instances.)
|
|
- dsidentify switches to the new Exoscale datasource on matching DMI name
- New Exoscale datasource added
Signed-off-by: Mathieu Corbin <mathieu.corbin@exoscale.ch>
|
|
Previously "cmdline" network configuration could be either
user-specified network-config=... configuration data, or
initramfs-provided configuration data. Before data sources could modify
the order in which network config sources were considered, this
conflation didn't matter (and, indeed, in the default data source
configuration it will continue to not matter).
However, it _is_ desirable for a data source to be able to specify that
its network configuration should be preferred over the
initramfs-provided network configuration but still allow explicit
network-config=... configuration passed to the kernel cmdline to
continue to override both of those sources.
(This also modifies the Oracle data source to use read_initramfs_config
directly, which is effectively what it was using
read_kernel_cmdline_config for previously.)
|
|
Currently, if a platform provides any network configuration via the
"cmdline" method (i.e. network-data=... on the kernel command line,
ip=... on the kernel command line, or iBFT config via /run/net-*.conf),
the value of the data source's network_config property is completely
ignored.
This means that on platforms that use iSCSI boot (such as Oracle Compute
Infrastructure), there is no way for the data source to configure any
network interfaces other than those that have already been configured by
the initramfs.
This change allows data sources to specify the order in which network
configuration sources are considered. Data sources that opt to use this
mechanism will be expected to consume the command line network data and
integrate it themselves.
(The generic merging of network configuration sources was considered,
but we concluded that the single use case we have presently (a) didn't
warrant the increased complexity, and (b) didn't give us a broad enough
view to be sure that our generic implementation would be sufficiently
generic. This change in no way precludes a merging strategy in future.)
|
|
If input to network_state.parse_net_config_data was netplan (v2 yaml)
then the network state would lose the mtu information on bond or vlan.
LP: #1836949
|
|
On systems with many interfaces, processing udev events may take a while.
Cloud-init expects devices included in a provided network-configuration
to be present when attempting to configure them. This patch adds a step
in net configuration where it will check for devices provided in the
configuration and if not found, issue udevadm settle commands to wait
for them to appear.
Additionally, the default path for udev persistent network rules
70-persistent-net.rules may also be written to systems which include
the 75-net-generator.rules. During boot, cloud-init and the
generator may race and interleave values causing issues. OpenSUSE
will now use a newer file, 85-persistent-net-cloud-init.rules which
will take precedence over values created by 75-net-generator and
avoid collisions on the same file.
LP: #1817368
|
|
The EphemeralDHCP context manager did not parse or handle
rfc3442 classless static routes which prevented reading
datasource metadata in some clouds. This branch adds support
for extracting the field from the leases output, parsing the
format and then adding the required iproute2 ip commands to
apply (and teardown) the static routes.
LP: #1821102
|
|
The debian ntp.conf template did not contain a newline for the
comment used to mark the rendered ntp pools configured. This
resulted in an invalid line:
'# poolspool 0.int.pool.ntp.org iburst'
rather than:
'# pools
pool 0.int.pool.ntp.org iburst'
This patch fixes the template and updates the unittest to
verify that the rendered templates puts servers and pools
at the beginning of a line.
LP: #1836598
|
|
Support is for now implemented in such a way that it will fall back to
the old `_write_network()` if netplan is not available on the image.
|
