From 9044a05469d1b138d4ee34c55c7f5bdb6f97164d Mon Sep 17 00:00:00 2001 From: Wesley Wiedenmeier Date: Fri, 17 Feb 2017 02:16:20 -0600 Subject: Add feature flags to cloudinit.version. This exposes a mechanism for users of cloud-init to determine if a version has a specific feature, and adds documentation to that affect. We list an existing feature NETWORK_CONFIG_V1 as an example. Also add a 'features' subcommand for listing these to stdout. --- doc/rtd/topics/capabilities.rst | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'doc') diff --git a/doc/rtd/topics/capabilities.rst b/doc/rtd/topics/capabilities.rst index be0802c5..4a411083 100644 --- a/doc/rtd/topics/capabilities.rst +++ b/doc/rtd/topics/capabilities.rst @@ -7,6 +7,7 @@ Capabilities - Generating instance ssh private keys - Adding ssh keys to a users ``.ssh/authorized_keys`` so they can log in - Setting up ephemeral mount points +- Configuring network devices User configurability ==================== 
@@ -22,5 +23,27 @@ ec2-run-instances for example. string or `user-data` file for usage by cloud-init on instance creation. +Feature detection +================= + +Newer versions of cloud-init may have a list of additional features that they +support. This allows other applications to detect what features the installed +cloud-init supports without having to parse its version number. If present, +this list of features will be located at ``cloudinit.version.FEATURES``. + +When checking if cloud-init supports a feature, in order to not break the +detection script on older versions of cloud-init without the features list, a +script similar to the following should be used. Note that this will exit 0 if +the feature is supported and 1 otherwise:: + + import sys + from cloudinit import version + sys.exit('' not in getattr(version, 'FEATURES', [])) + +Currently defined feature names include: + + - ``NETWORK_CONFIG_V1`` support for v1 networking configuration, see curtin + documentation for examples. + .. _Cloud-init: https://launchpad.net/cloud-init .. vi: textwidth=78 -- cgit v1.2.3 From 4783ac0562ff3eb9ca1dfa82bccaf022c4187d16 Mon Sep 17 00:00:00 2001 From: Joshua Powers Date: Fri, 10 Mar 2017 12:55:26 -0700 Subject: doc: add instructions for running integration tests via tox. Add instructions on how to run the cii tests to the docs. --- doc/rtd/topics/tests.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'doc') diff --git a/doc/rtd/topics/tests.rst b/doc/rtd/topics/tests.rst index 00c63c63..0663811e 100644 --- a/doc/rtd/topics/tests.rst +++ b/doc/rtd/topics/tests.rst 
@@ -238,6 +238,20 @@ without the more lengthy collect process. This can be done by running: The above command will run the verify scripts on the data discovered in `/tmp/collection`. +Run via tox +----------- +In order to avoid the need for dependencies and ease the setup and +configuration users can run the integration tests via tox: + +.. code-block:: bash + + $ tox -e citest -- run [integration test arguments] + $ tox -e citest -- run -v -n zesty --deb=cloud-init_all.deb + $ tox -e citest -- run -t module/user_groups.yaml + +Users need to invoke the citest enviornment and then pass any additional +arguments. + Architecture ============ -- cgit v1.2.3 From 58cc8f7521725d4f007ce90001a28326bc240231 Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Fri, 17 Mar 2017 12:34:47 -0400 Subject: doc: fix config drive doc with regard to unpartitioned disks. The ConfigDrive datasource has read un-partitioned disks for quite a while, but the documentation lagged behind. LP: #1673818 --- doc/rtd/topics/datasources/configdrive.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/rtd/topics/datasources/configdrive.rst b/doc/rtd/topics/datasources/configdrive.rst index acdab6a2..11dd52ab 100644 --- a/doc/rtd/topics/datasources/configdrive.rst +++ b/doc/rtd/topics/datasources/configdrive.rst @@ -18,12 +18,13 @@ support listed below) Version 1 --------- +**Note:** Version 1 is legacy and should be considered deprecated. Version 2 +has been supported in OpenStack since 2012.2 (Folsom). The following criteria are required to as a config drive: 1. Must be formatted with `vfat`_ filesystem -2. Must be a un-partitioned block device (/dev/vdb, not /dev/vdb1) -3. Must contain *one* of the following files +2. Must contain *one* of the following files :: 
@@ -56,8 +57,7 @@ The following criteria are required to as a config drive: 1. Must be formatted with `vfat`_ or `iso9660`_ filesystem or have a *filesystem* label of **config-2** -2. Must be a un-partitioned block device (/dev/vdb, not /dev/vdb1) -3. The files that will typically be present in the config drive are: +2. The files that will typically be present in the config drive are: :: -- cgit v1.2.3 From 21632972df034c200578e1fbc121a07f20bb8774 Mon Sep 17 00:00:00 2001 From: "Tore S. Lonoy" Date: Fri, 4 Nov 2016 11:38:31 +0100 Subject: Add support for setting hashed passwords This change will add support for hashed passwords in cc_set_passwords. It checks if a password is a hash with by checking that it matches in fairly safe way, and also that the password does not have a ":" in it. chpasswd needs to know if the password is hashed or not, so two lists is created so chpasswd is feed with the correct one. LP: #1570325 --- cloudinit/config/cc_set_passwords.py | 48 ++++++++++++++++------ doc/examples/cloud-config.txt | 9 +++- .../configs/modules/set_password_list.yaml | 3 ++ .../configs/modules/set_password_list_string.yaml | 3 ++ tests/cloud_tests/testcases/base.py | 4 ++ 5 files changed, 53 insertions(+), 14 deletions(-) (limited to 'doc') diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py index 8440e593..eb0bdab0 100755 --- a/cloudinit/config/cc_set_passwords.py +++ b/cloudinit/config/cc_set_passwords.py 
@@ -23,7 +23,8 @@ If the ``list`` key is provided, a list of ``username:password`` pairs can be specified. The usernames specified must already exist on the system, or have been created using the ``cc_users_groups`` module. A password can be randomly generated using -``username:RANDOM`` or ``username:R``. Password ssh authentication can be +``username:RANDOM`` or ``username:R``. A hashed password can be specified +using ``username:$6$salt$hash``. Password ssh authentication can be enabled, disabled, or left to system defaults using ``ssh_pwauth``. .. note:: @@ -60,8 +61,10 @@ enabled, disabled, or left to system defaults using ``ssh_pwauth``. - user2:RANDOM - user3:password3 - user4:R + - user4:$6$rL..$ej... """ +import re import sys from cloudinit.distros import ug_util 
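Review bot: The docstring example added in the second hunk reuses `user4`, which is already listed as `user4:R` on the line above it. Judging by the `handle` changes in this same commit, that user would first get a random password from the plain `chpasswd` call and then have it overwritten by the `chpasswd -e` call, while the random password is still collected in `randlist` as if it were in effect. Give the hashed entry its own account name, e.g. `- user5:$6$rL..$ej...`, so the example does not document a conflicting configuration.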
@@ -112,24 +115,43 @@ def handle(_name, cfg, cloud, log, args): errors = [] if plist: plist_in = [] + hashed_plist_in = [] + hashed_users = [] randlist = [] users = [] + prog = re.compile(r'\$[1,2a,2y,5,6](\$.+){2}') for line in plist: u, p = line.split(':', 1) - if p == "R" or p == "RANDOM": - p = rand_user_password() - randlist.append("%s:%s" % (u, p)) - plist_in.append("%s:%s" % (u, p)) - users.append(u) + if prog.match(p) is not None and ":" not in p: + hashed_plist_in.append("%s:%s" % (u, p)) + hashed_users.append(u) + else: + if p == "R" or p == "RANDOM": + p = rand_user_password() + randlist.append("%s:%s" % (u, p)) + plist_in.append("%s:%s" % (u, p)) + users.append(u) ch_in = '\n'.join(plist_in) + '\n' - try: - log.debug("Changing password for %s:", users) - util.subp(['chpasswd'], ch_in) - except Exception as e: - errors.append(e) - util.logexc(log, "Failed to set passwords with chpasswd for %s", - users) + if users: + try: + log.debug("Changing password for %s:", users) + util.subp(['chpasswd'], ch_in) + except Exception as e: + errors.append(e) + util.logexc( + log, "Failed to set passwords with chpasswd for %s", users) + + hashed_ch_in = '\n'.join(hashed_plist_in) + '\n' + if hashed_users: + try: + log.debug("Setting hashed password for %s:", hashed_users) + util.subp(['chpasswd', '-e'], hashed_ch_in) + except Exception as e: + errors.append(e) + util.logexc( + log, "Failed to set hashed passwords with chpasswd for %s", + hashed_users) if len(randlist): blurb = ("Set the following 'random' passwords\n", diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt index c03f1026..bd84c641 100644 --- a/doc/examples/cloud-config.txt +++ b/doc/examples/cloud-config.txt 
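Review bot: The pattern in the added `prog = re.compile(r'\$[1,2a,2y,5,6](\$.+){2}')` line uses a character class, so it matches a single character out of `1 , 2 a y 5 6` rather than the prefixes `1`, `2a`, `2y`, `5` and `6`. A value such as `$2a$...` or `$2y$...` therefore fails the match, falls into the `else` branch and is passed to `chpasswd` without `-e`, which would make the hash string itself the account's password; conversely, strings like `$,$x$y` are accepted as hashes. Use alternation instead, `prog = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')`, and consider adding a `$2a$` or `$2y$` entry to the test configs, which in this commit only cover `$5$`. The body of `handle` starts before and continues after this hunk.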
@@ -426,14 +426,21 @@ syslog_fix_perms: syslog:root # # there is also an option to set multiple users passwords, using 'chpasswd' # That looks like the following, with 'expire' set to 'True' by default. -# to not expire users passwords, set 'expire' to 'False': +# to not expire users passwords, set 'expire' to 'False'. Also possible +# to set hashed password, here account 'user3' has a password it set to +# 'cloud-init', hashed with SHA-256: # chpasswd: # list: | # user1:password1 # user2:RANDOM +# user3:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA # expire: True # ssh_pwauth: [ True, False, "" or "unchanged" ] # +# Hashed passwords can be generated in multiple ways, example with python3: +# python3 -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))' +# Newer versions of 'mkpasswd' will also work: mkpasswd -m sha-512 password +# # So, a simple working example to allow login via ssh, and not expire # for the default user would look like: password: passw0rd diff --git a/tests/cloud_tests/configs/modules/set_password_list.yaml b/tests/cloud_tests/configs/modules/set_password_list.yaml index a1eadd75..a2a89c9d 100644 --- a/tests/cloud_tests/configs/modules/set_password_list.yaml +++ b/tests/cloud_tests/configs/modules/set_password_list.yaml @@ -21,11 +21,14 @@ cloud_config: | # sha256 gojanego passwd: "$5$iW$XsxmWCdpwIW8Yhv.Jn/R3uk6A4UaicfW5Xp7C9p9pg." lock_passwd: false + - name: "mikey" + lock_passwd: false chpasswd: list: - tom:mypassword123! - dick:RANDOM - harry:RANDOM + - mikey:$5$xZ$B2YGGEx2AOf4PeW48KC6.QyT1W2B4rZ9Qbltudtha89 collect_scripts: shadow: | #!/bin/bash diff --git a/tests/cloud_tests/configs/modules/set_password_list_string.yaml b/tests/cloud_tests/configs/modules/set_password_list_string.yaml index cbb71bee..c2a0f631 100644 --- a/tests/cloud_tests/configs/modules/set_password_list_string.yaml +++ b/tests/cloud_tests/configs/modules/set_password_list_string.yaml 
@@ -21,11 +21,14 @@ cloud_config: | # sha256 gojanego passwd: "$5$iW$XsxmWCdpwIW8Yhv.Jn/R3uk6A4UaicfW5Xp7C9p9pg." lock_passwd: false + - name: "mikey" + lock_passwd: false chpasswd: list: | tom:mypassword123! dick:RANDOM harry:RANDOM + mikey:$5$xZ$B2YGGEx2AOf4PeW48KC6.QyT1W2B4rZ9Qbltudtha89 collect_scripts: shadow: | #!/bin/bash diff --git a/tests/cloud_tests/testcases/base.py b/tests/cloud_tests/testcases/base.py index 51ce2b41..64d5507a 100644 --- a/tests/cloud_tests/testcases/base.py +++ b/tests/cloud_tests/testcases/base.py @@ -98,6 +98,9 @@ class PasswordListTest(CloudTestCase): self.assertEqual([], dupes) self.assertEqual(jane_enc, users['jane']) + mikey_enc = "$5$xZ$B2YGGEx2AOf4PeW48KC6.QyT1W2B4rZ9Qbltudtha89" + self.assertEqual(mikey_enc, users['mikey']) + # shadow entry is $N$salt$, so we encrypt with the same format # and salt and expect the result. tom = "mypassword123!" @@ -124,6 +127,7 @@ class PasswordListTest(CloudTestCase): self.assertIn('dick:', out) self.assertIn('harry:', out) self.assertIn('jane:', out) + self.assertIn('mikey:', out) def test_sshd_config(self): """Test sshd config allows passwords""" -- cgit v1.2.3 From b704110f371cc0654ff4c4a674d329e7c0cb7861 Mon Sep 17 00:00:00 2001 From: David Tagatac Date: Tue, 28 Mar 2017 14:09:29 -0700 Subject: doc: correct grammar in capabilities.rst --- doc/rtd/topics/capabilities.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/rtd/topics/capabilities.rst b/doc/rtd/topics/capabilities.rst index 4a411083..2c8770bd 100644 --- a/doc/rtd/topics/capabilities.rst +++ b/doc/rtd/topics/capabilities.rst 
@@ -3,9 +3,9 @@ Capabilities ************ - Setting a default locale -- Setting a instance hostname -- Generating instance ssh private keys -- Adding ssh keys to a users ``.ssh/authorized_keys`` so they can log in +- Setting an instance hostname +- Generating instance SSH private keys +- Adding SSH keys to a user's ``.ssh/authorized_keys`` so they can log in - Setting up ephemeral mount points - Configuring network devices -- cgit v1.2.3