| Commit message | Author | Age | Files | Lines |
|
They looked funny italicized currently, switch to inline codeblock.
|
https://sphinx-rtd-theme.readthedocs.io/en/stable/installing.html
|
- Implying a cryptographic hash function is "safe" generally doesn't age well.
- Linux users are likely to require escalating privileges on the host as part
  of system administration. Therefore, telling users to "only use ssh, not
  passwords" is likely to be interpreted as one of the following:
    - log in as root via ssh [1]
    - log in as a user that has passwordless sudo access [1]
  Both of these interpretations go against security best practices.
Rather than giving security advice, warn of the risks associated with the
feature and let users make their own decisions.
[1] using an auth method such as ssh keys
|
- m2r seems abandoned, switch to m2r2
- fix rst to actually render the security page
|
Order building cloud-init before building doc-requirements.txt.
Building '.' invokes a 'pip install --upgrade .' which happens to also
re-install the latest versions of previously pinned docs dependencies
|
cloudinit/config/cc_ssh_authkey_fingerprints.py unintentionally ends
up creating a home directory for a user even when `no_create_home:
true` or `system: true`. This prevents it.
`cc_ssh_authkey_fingerprints.py` calls `ssh_util.extract_authorized_keys`,
which ends up calling `check_create_path`, which creates the as yet
non-existent home while looking for an `authorized_keys` file to parse.
`cc_ssh_authkey_fingerprints.py` looks like the best place to stop this.
NOTE that I do not handle the situation where (`no_create_home: true`
or `system: true`) *and* yet `ssh_authorized_keys` is provided. In
this case, by virtue of the code `no_create_home: true` / `system:
true` takes precedence
|
Just a minor refactoring to cleanup the shim.
Update tests to use pytest parametrization.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
* Fix cloud-init status --wait when no datasource found
In 0de7acb1, we modified status checks to wait until we get an "enabled"
or "disabled" file from ds-identify. ds-identify never outputs a
"disabled" file, so "status --wait" will wait indefinitely if no
datasource is found.
LP: #1966085
|
Includes:
- cc_resizefs
- cc_resolv_conf
- cc_rh_subscription
- cc_rightscale_userdata
- cc_rsyslog
- cc_runcmd
- cc_salt_minion
|
I've contributed to several Canonical projects over the years,
what's one more? :)
Signed-off-by: Neal Gompa <ngompa13@gmail.com>
|
(#1335)
Signed-off-by: yangzz-97 <yangzz-97@1162011203@qq.com>
|
This patch addresses an issue where the absence of set-name
in a network configuration potentially results in an unintended
network configuration.
LP: #1855945
|
This patch refactors several network helper functions out of the
network_state.py file and into cloudinit.net. This is in relation
to LP #1855945 and github.com/canonical/cloud-init/pull/1327. The
aforementioned issue requires some refactoring to avoid circular
imports, but it was not proper to do that refactoring in *that*
pull request. Thus this PR is specific to the refactoring and can
be evaluated on its own merits.
|
It may be useful to configure connection timeout and read timeout
separately. Update readurl() to accept a tuple that is supported
by python requests to configure both.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
- ConfigDrive datasource works with CONFIG-2, document it
- RbxCloud datasource works with cloudmd, document it
- OpenNebula datasource supports CDROM, but ds-identify doesn't check it
|
On kernels >=5.10, LXD starts qemu with kvm and hv_passthrough.
This causes `systemd-detect-virt` to identify the host as "qemu", rather than "kvm".
Cloud-init treats emulated (TCG) virtualization the same way as virtualized (KVM).
If systemd (see issue #22709) decides to report this as something other than
kvm/qemu, we'll need to extend our list of accepted types to include that as well.
https://github.com/systemd/systemd/issues/22709
|
Summary:
- currently we log redundant data, which at a glance looks like ds-identify runs twice
- use return code for control flow rather than strings
- group templated code and add demarcation comments around it
- explicitly define generator log file
|
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
find_fallback_nic_on_linux(), etc. provides valuable filtering of
network interfaces in an effort to determine the best candidate
for the fallback interface.
Expose this logic with a new set of methods for finding the candidate
network interfaces. These methods can be used by data sources which
cannot rely on the fallback interface being the correct choice.
Note that the MAC address filtering is now part of
find_candidate_nics_on_linux(). This should be consistent behavior
as find_fallback_nic_on_linux() never selected an interface without
a MAC. find_fallback_nic_on_linux() continues to prefer eth0,
but we make no such distinction in the candidate search.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
This reverts commit b306633fd17e5ba0173ad3c41add59cb11884757.
While this ultimately seems like a better solution, currently the
file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg exists on
all Oracle launched instances which will prevent networking from
being properly initialized.
|
When using a ConfigDrive as a data source for cloud-init only
vendordata is currently evaluated. This patch adds support for
vendor_data2 when used with ConfigDrive and aligns with the same
feature parity that is found when using the OpenStack Neutron metadata
service (DataSourceOpenStack.py).
|
At present the test to get the host info is dependent on the network
of the host on which the test is run. If there is no network the test will
fail. Make the test host independent by applying appropriate mocks and
expand the test to cover ipv4, ipv6, and dual stack setups.
|
Includes:
* cc_package_update_upgrade_install
* cc_phone_home
* cc_power_state_change
* cc_puppet
|
With reporting ready now happening in local phase, we have access
to ephemeral DHCP lease options and no longer need to parse DHCP
lease files.
- Switch from tracking wireserver endpoint in its encoded form to the
IP string, parsing it only when read from lease options.
- Drop fallback_lease_file and dhcp_options parameters in favor of
processed endpoint string.
- Add some minor type information for mypy.
- Update various tests.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
Move test_ssh_import_id to cause us problems in jenkins instead
|
Travis 3.10 support previously required pinning to 3.10.1. This restriction
no longer exists.
|
If a private interface is configured, has a DHCP server on it, and
cloud-init runs, the datasource fails to fail over to the next
interface interrupting seeking. Configuring it as such can also lead
to delays in deploy time if it did. This sorts the interface list to
limit the potential of this occurring. Checks for the metadata route
before trying, and now appropriately fails over if those contingencies
fail by appropriately continuing to seek on metadata failure as was
originally intended. Ideally the upcoming candidate_nic would have
been used here to avoid the interface list function.
|
/run/cloud-init/network-config-ready is not used
|
Remove incorrect API documentation and convert documentation todos to
comments
|
Support for jinja do statements will prevent having to workaround
the following exception:
jinja2.exceptions.TemplateSyntaxError: Encountered unknown tag 'do'.
LP: #1962759
|
With debug logging, tight loops may result in huge log file sizes, e.g.:
"Unable to find fallback nic"
1. Raise NoDHCPLeaseMissingDhclientError to caller if no dhclient found
instead of retrying DHCP, retrying will not fix a missing dhclient.
2. For other DHCP failures, retry after sleeping one second.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
When performing DHCP, it is useful for the caller to have context
on the type of failure. This can be done with some new exceptions
types, subclassing NoDHCPLeaseError so the caller's current
contract remains.
- Add the following errors:
  - NoDHCPLeaseInterfaceError if there are problems finding
    the (possibly specified) interface.
  - NoDHCPLeaseMissingDhclientError for missing dhclient.
- Update InvalidDHCPLeaseFileError to subclass NoDHCPLeaseError.
- Pass through these errors rather than catching it in obtain_lease().
Tests:
- Add missing mock for test_provided_nic_does_not_exist().
- Add new test coverage for EphemeralDHCPv4 errors.
- Update existing tests for maybe_perform_dhcp_discovery() to match
new behavior.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
|
Expect that "systemctl" is found in the PATH. Using the '/bin' prefix
is very distribution specific. A number of distributions are moving
all executables from '/' to '/usr'.
|
Blacken the script.
|
The hostname command, that cloud-init uses to apply a hostname change,
is in a package that is typically around, but not guaranteed to be.
Include it in package dependencies.
|
Fedora currently relies on sysconfig/ifcfg renderer. This is not too great,
because Fedora (also RHEL since version 8) dropped support for the legacy
network service that uses ifcfg files long ago.
In turn, Fedora ended up patching cloud-init downstream to utilize
NetworkManager's ifcfg compatibility mode [1]. This seems to have worked
for a while, nevertheless the NetworkManager's ifcfg backend is reaching
the end of its useful life too [2].
[1] https://src.fedoraproject.org/rpms/cloud-init/blob/rawhide/f/cloud-init-21.3-nm-controlled.patch
[2] https://fedoraproject.org/wiki/Changes/NoIfcfgFiles
Let's not mangle things downstream and make vanilla cloud-init work great
on Fedora instead.
This also means that the sysconfig compatibility with
Network Manager was removed.
Firstly, this relies upon the fact that you can get ifcfg support by adding
it to NetworkManager.conf. That is not guaranteed and certainly will not
be the case in the future.
Secondly, cloud-init always generates configuration with
NM_CONTROLLED=no, so the generated ifcfg files are no good for
NetworkManager. Fedora patches around this by just removing those lines
in their cloud-init package.
|
Mapped from adam-collard
|
If a dead symlink by the same name is present, os.path.exists returns
false, use os.path.lexists instead.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
The docs do not make it obvious that uid is supposed to be of type string.
Current behavior is to silently ignore integer uid.
LP: #1875772
|
Integration tests should create their own VPC in EC2 because
an account's default VPC, subnets, security groups and ACLs
could be configured for limited or unexpected connectivity.
|
permissively allow either launchpadcontent or launchpad
|