Commit message | Author | Age | Files | Lines
Signed-off-by: Jacob Salmela <jacob.salmela@hpe.com>
On Linux, we only disable login via password authentication.
On FreeBSD, we were outright locking the account.
This was reported back when #93 was merged, but back then I didn't
understand that.
Newly created FreeBSD users can now log in with SSH keys.
Sponsored by: The FreeBSD Foundation
LP: #1854594
Fixes: #3507
This FreeBSD-specific resizer resizes the root partition and grows the
filesystem all in one.
All we have to do is call ``service growfs onestart``.
Document behaviour: especially that growfs will insert a swap partition
if none is present, unless instructed otherwise.
Sponsored by: The FreeBSD Foundation
Add additional test in test_azure.py to vet the expected behavior of
suppressing error messages from mount_cb.
This is addressing PR #2134
This fixes KeyError on specific network configuration when running
cloud-init on "network" stage. The same problem was mentioned in
#746 and #1041.
Fix cloud-init schema --system being unable to find merged
userdata stored at /var/lib/cloud/instance/cloud_config.txt.
Init.paths.get_ipath only has visibility to merged cloud config in
/var/lib/cloud/<instance_id>/cloud-config.txt after fetching the
existing cached datasource which provides instance-id from metadata
in order to determine the unique instance-id which represents the
path to the cloud-config.txt.
To support reuse of read_cfg_paths helper function, add an optional
parameter fetch_existing_datasource which indicates whether reading
the existing datasource is necessary for this helper function.
cloud-init schema --system calls read_cfg_paths providing
fetch_existing_datasource="trust" prior to calls to
paths.get_ipath().
Always report failure to host, but report failure to fabric only
outside of _check_if_nic_is_primary() which is expected to fail if
nic is not primary.
Add two types of reportable errors for IMDS metadata:
- add ReportableErrorImdsUrlError() for url errors.
- add ReportableErrorImdsMetadataParsingException() for parsing errors.
Tweak ReportableError repr to be a bit friendlier.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
The code is already in the Dragonfly path, we just need to use it.
LP: #2016350
Sponsored by: The FreeBSD Foundation
- Add host_only flag to _report_failure() to allow caller to only
report the failure to host. This is for cases where we don't want
_report_failure() to attempt DHCP or we expect that we may recover
from the reported error (there is no issue reporting multiple times
to host, whereas fabric reports will immediately fail the VM
provisioning).
- Add ReportableErrorDhcpLease() to report lease failures.
- Add ReportableErrorDhcpInterfaceNotFound() to report errors where the
DHCP interface hasn't been found yet.
- Add TestReportFailure class with new test coverage. Will migrate other
_report_failure() tests in the future as they currently depend on
TestAzureDataSource/CiTestCase.
Future work will add the interface name to supporting data, but as that
information is not available with iface=None, another PR will explicitly
add a call to net.find_fallback_nic() to specify it.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
It was only used by Hyper-V which now has a filtering
mechanism that does not require the use of a denylist.
This exposed some issues with tests misspelling "hv_netvsc"
and using unmatched mac addresses. This fixes those to work
with the current filter that does not rely on the driver name.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Azure is introducing a new VF ("MANA") that will initially behave
similarly to mlx4/5 but cannot be denylisted in the same manner.
This is because the synthetic interface (hv_netvsc) will no longer
be required to function in the future which means we must
intelligently filter the VFs out instead of relying solely on the
driver name.
- Isolate filtering logic for Hyper-V's SR-IOV/VFs when used
with synthetic hv_netvsc interfaces.
- Move the filter up to get_interfaces() from
get_interfaces_by_mac_on_linux() to increase coverage of the
filter. With this in place, we should be able to purge the
"blacklist_drivers" across the codebase as it will no longer be
necessary unless there are other paths to be considered.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Much of the filtering logic used in get_interfaces() is duplicated in
find_candidate_nics_on_linux(). Consolidate the two interfaces by
updating find_candidate_nics_on_linux() to use get_interfaces() and
provide boolean toggles to maintain existing behavior.
The following parameters have been added to get_interfaces():
log_filtered_reasons: bool = False
filter_openvswitch_internal: bool = True
filter_vlan: bool = True
filter_without_own_mac: bool = True
filter_zero_mac: bool = True
It may be that these deltas are unwanted or harmless, but the toggles
could be removed independently with more deliberate consideration.
Similarly, logging could be extended if desired for
log_filtered_reasons.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Systems running systemd-resolved or dnsmasq can utilize more than three
nameservers. Older systems will just use the first three and ignore the
rest.
Signed-off-by: Major Hayden <major@redhat.com>
Provide an option to suppress error logging from mount_cb, as some
errors can be expected and handled appropriately by
DataSources. For example: failure to mount NTFS volumes on VMs that
do not have NTFS drivers.
* Fix logger, use instance rather than module function
* add dunder names
This reverts commit a9cec5daa52aa9fb0a1f17dfc939e3ff61a476b9.
(#2142)
DSA and ED25519 key types are not supported when FIPS is enabled in crypto.
Check if FIPS has been enabled on the system and if so, do not generate those
key types. Presently the check is only available on Linux systems.
LP: 2017761
RHBZ: 2187164
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Add success reporting to the host via KVP.
- Move _report_failure_to_host() into kvp module.
- Tweak error description to use result=error instead of
PROVISIONING_ERROR: ...
- Use result=success for the successful ("ready") reports.
- report_x_via_kvp => report_x_to_host for consistency with fabric.
ReportableError.as_description() => as_encoded_report()
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Distributions other than RHEL also use /usr/lib/udev for the rules
path. Instead of hardcoding the udev rules path for RedHat, check
pkg-config for the proper location.
The `network_data.json` allows the definition of the DNS through the
`services` list at the network level.
See:
- https://opendev.org/openstack/nova/src/commit/700db274c613d6f8f30e5cdc3462beaeb0fda456/nova/tests/unit/network/test_network_info.py#L979-L980
- https://opendev.org/openstack/metalsmith/src/commit/f98dfa61c1d7475b81c20dabbf2c74198c38c793/metalsmith/test/test_network_metadata.py#L52-L90
- https://opendev.org/openstack/nova/commit/4b333b989dfc778a8b61db4a1b8552e988a10471
util.get_mount_info(), which is called from the
distro base class, is Linux-specific.
The CLI cloud-init schema now asserts that the leading header comment in user-data files is a valid user-data type. Raise an informative error otherwise about valid user-data types.
For user-data files declared with '## template: jinja', render those files first sourcing jinja variables from /run/cloud-init/instance-data.json or a new --instance-data parameter.
Once the jinja template is rendered, validate schema of the resulting #cloud-config user-data.
This branch also ensures any errors and deprecation warnings are unique.
LP: #1881925
Google wants to allow users to make changes on nics while the instance
is stopped. Activate network discovery on every boot.
Additionally, skip the call to `netplan generate` if the rendered
config is the same on subsequent boots.
Because user data and vendor data may contain sensitive information,
this commit ensures that any user data or vendor data written to
instance-data.json gets redacted and is only available to root user.
Also, modify the permissions of cloud-init.log to be 640, so that
sensitive data leaked to the log isn't world readable.
Additionally, remove the logging of user data and vendor data to
cloud-init.log from the Vultr datasource.
LP: #2013967
CVE: CVE-2023-1786
- describe kernel command line override
- add OpenStack Ironic selection instructions
- describe datasource selection
- move datasource creation doc to dev section
- remove generator stage from boot stages
- document how to disable cloud-init in howtos
- fix missing kernel-cmdline.rst link
- update outdated security advice
Document the following commits:
34e8c914df666c937e48f5d1c3add0bd47e4e7eb
f146fe71733e72b94fad525b8cc9988b1405e760
250280ada67995a8449b64027b879d01939d2729
612b4de892d19333c33276d541fed99fd16d3998
a60c0845806baff72c74603286d048efbafab664
d1ffbea556a06105d1ade88b4143ad43f53692c4
02202954c65a7a1cdb9b28703bd0af01edd0e091
Updating the links to the paths in the codebase for the various
network configuration examples
Azure can report provisioning failures via the Wireserver health
endpoint. However, in the event of networking failures or Wireserver
issues, this report cannot be made and the VM will result in an OS
provisioning timeout and a generic error is presented to the user.
Report the failure via KVP using the "PROVISIONING_REPORT" key so
that the host can relay the provisioning error report to the user
when the VM fails to provision.
The format used is subject to change and/or removal.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Instead of a fixed number of retries, allow up to 5 minutes to fetch
metadata from IMDS. The current approach allows for up to 11 attempts
depending on the path. Given the timeout setting, this can vary from
~11 seconds up to ~32 seconds depending on whether or not read/connection
timeouts are encountered.
Delaying boot on the rare occasion that IMDS is delayed is better than
ignoring the metadata as it ensures the VM is configured as expected.
This is a very conservative timeout and may be reduced in the future.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Move isc-dhclient code to dhcp.py
In support of the upcoming deprecation of
isc-dhcp-client, this code refactors current
dhcp code into classes in dhcp.py. The
primary user-visible change should be the
addition of the following log:
dhcp.py[DEBUG]: DHCP client selected: dhclient
This code lays groundwork to enable
alternate implementations to live side by
side in the codebase to be selected with
distro-defined priority fallback. Note that
maybe_perform_dhcp_discovery() now selects
which dhcp client to call, and then runs the
corresponding client's dhcp_discovery()
method. Currently only class IscDhclient is
implemented, however a yet-to-be-implemented
class Dhcpcd exists to test fallback behavior
and this will be implemented in part two of
this series.
Part of this refactor includes shifting
dhclient service management from hardcoded
calls to the distro-defined manage_service()
method in the *BSDs. Future work is required
in this area to support multiple clients via
select_dhcp_client().
Save a few characters by decoding it as utf-8 string rather than using
the bytes representation.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
When provisioning failures occur on Azure, a generic description is
used in the report and ultimately returned to the user. To improve
the user experience, report details of the failure in a manner that is
parsable, readable and succinct. The current approach is to use CSV
with a custom delimiter ("|") and quote character ("'"). This format
may change in the future.
Gracefully handle reportable errors thrown while crawling metadata and
treat other exceptions as ReportableErrorUnhandledException. Future
work will introduce more reportable errors to handle the expected
failure cases.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
When defining json schema in a63f45f7, we were a bit too strict by
setting `minItems: 1` on the `users:` list.
This schema definition regressed the ability to prevent default_user
creation with user-data. Remove that schema constraint because the
code already supports this case.
- Add query_system_uuid() for getting system uuid from dmi in
normalized (lower-cased) form.
- Add byte_swap_system_uuid() to convert a system uuid for gen1
instances to the compute.vmId as presented by IMDS.
- Add convert_system_uuid_to_vm() to convert system uuid to vm
id depending on whether it is gen1 or gen2.
- Add is_vm_gen1() to determine if VM is Azure's gen1 by checking
for availability of EFI (used in gen2).
- Add query_vm_id() helper to get VM id without system uuid.
- Move ChassisAssetTag from Azure helpers into identity.
- Update DataSourceAzure._iid() to use this module.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Some distros support disabling cloud-init using the
kernel argument cloud-init=disabled. Standardize it
across non-systemd distros. Skip NetBSD, which
doesn't support passing external arguments to the
kernel.
Also add support for disabling cloud-init using
/etc/cloud/cloud-init.disabled to non-systemd
distros.
Historically ds=nocloud-net was a required argument
for the user to pass in to tell cloud-init which mode
to use. This argument, however, is redundant when a
seedfrom argument is passed. Allow the mode to be
automatically determined, so that the user need not
pass a mode configuration to achieve desired behavior.
Test failures may have truncated assertions using `...` in some
output.
Increase verbosity and print locals to help with triaging failures
caught in CI, particularly as some environments may not be readily
testable locally.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Truncate any trailing semi-colon delimited kernel
commandline parameters when trying to match the
designated datasource from /proc/cmdline.
This was broken in 612b4de892d on systemd systems.
Add an integration test for this codepath.