From cbf3b8acd4f8bbc07410856c0e06e0a43d211931ecf497336ed31b637324dcd0 Mon Sep 17 00:00:00 2001
From: Robert Schweikert
Date: Mon, 14 Aug 2023 10:54:59 +0000
Subject: [PATCH] - reset to SLE version and keep flake enabled
OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=213
---
 cloud-init-23.1.2.tar.gz | 3 -
 cloud-init-23.1.tar.gz | 3 +
 ...-1786-redact-instance-data-json-main.patch | 175 ++++++++++++++++++
 cloud-init.changes | 12 --
 cloud-init.spec | 149 ++++++++-------
 5 files changed, 263 insertions(+), 79 deletions(-)
 delete mode 100644 cloud-init-23.1.2.tar.gz
 create mode 100644 cloud-init-23.1.tar.gz
 create mode 100644 cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
diff --git a/cloud-init-23.1.2.tar.gz b/cloud-init-23.1.2.tar.gz
deleted file mode 100644
index d28a8bf..0000000
--- a/cloud-init-23.1.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f38515f6b29ce9b8216001cf543cfd8422fed3103f3729ac55b5a598658ff106
-size 1539960
diff --git a/cloud-init-23.1.tar.gz b/cloud-init-23.1.tar.gz
new file mode 100644
index 0000000..4c729b5
--- /dev/null
+++ b/cloud-init-23.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7d6a13210c9fc82c82e471c335de9fbb53ccd63ac92c1d1c462a6e5c8e992ebc
+size 1540625
diff --git a/cloud-init-cve-2023-1786-redact-instance-data-json-main.patch b/cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
new file mode 100644
index 0000000..67ea4e7
--- /dev/null
+++ b/cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
@@ -0,0 +1,175 @@ +--- cloudinit/sources/DataSourceLXD.py.orig ++++ cloudinit/sources/DataSourceLXD.py +@@ -173,6 +173,8 @@ class DataSourceLXD(sources.DataSource): + "user.meta-data", + "user.vendor-data", + "user.user-data", ++ "cloud-init.user-data", ++ "cloud-init.vendor-data", + ) + + skip_hotplug_detect = True +--- cloudinit/sources/DataSourceVultr.py.orig ++++ cloudinit/sources/DataSourceVultr.py +@@ -5,6 +5,8 @@ + # Vultr Metadata API: + # https://www.vultr.com/metadata/ + ++from typing import Tuple ++ + import cloudinit.sources.helpers.vultr as vultr + from cloudinit import log as log + from cloudinit import sources, util, version +@@ -27,6 +29,9 @@ BUILTIN_DS_CONFIG = { + class DataSourceVultr(sources.DataSource): + + dsname = "Vultr" ++ sensitive_metadata_keys: \ ++ Tuple[str, ...] = \ ++ sources.DataSource.sensitive_metadata_keys + ("startup-script",) + + def __init__(self, sys_cfg, distro, paths): + super(DataSourceVultr, self).__init__(sys_cfg, distro, paths) +@@ -54,13 +59,8 @@ class DataSourceVultr(sources.DataSource + self.get_datasource_data(self.metadata) + + # Dump some data so diagnosing failures is manageable +- LOG.debug("Vultr Vendor Config:") +- LOG.debug(util.json_dumps(self.metadata["vendor-data"])) + LOG.debug("SUBID: %s", self.metadata["instance-id"]) + LOG.debug("Hostname: %s", self.metadata["local-hostname"]) +- if self.userdata_raw is not None: +- LOG.debug("User-Data:") +- LOG.debug(self.userdata_raw) + + return True + +@@ -146,7 +146,4 @@ if __name__ == "__main__": + config = md["vendor-data"] + sysinfo = vultr.get_sysinfo() + +- print(util.json_dumps(sysinfo)) +- print(util.json_dumps(config)) +- + # vi: ts=4 expandtab +--- cloudinit/sources/__init__.py.orig ++++ cloudinit/sources/__init__.py +@@ -132,6 +132,12 @@ def redact_sensitive_keys(metadata, reda + + Replace any keys values listed in 'sensitive_keys' with redact_value. 
+ """ ++ # While 'sensitive_keys' should already sanitized to only include what ++ # is in metadata, it is possible keys will overlap. For example, if ++ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that ++ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata" ++ # no longer represents a valid key. ++ # Thus, we still need to do membership checks in this function. + if not metadata.get("sensitive_keys", []): + return metadata + md_copy = copy.deepcopy(metadata) +@@ -139,9 +145,14 @@ def redact_sensitive_keys(metadata, reda + path_parts = key_path.split("/") + obj = md_copy + for path in path_parts: +- if isinstance(obj[path], dict) and path != path_parts[-1]: ++ if ( ++ path in obj ++ and isinstance(obj[path], dict) ++ and path != path_parts[-1] ++ ): + obj = obj[path] +- obj[path] = redact_value ++ if path in obj: ++ obj[path] = redact_value + return md_copy + + +@@ -249,6 +260,14 @@ class DataSource(CloudInitPickleMixin, m + sensitive_metadata_keys: Tuple[str, ...] 
= ( + "merged_cfg", + "security-credentials", ++ "userdata", ++ "user-data", ++ "user_data", ++ "vendordata", ++ "vendor-data", ++ # Provide ds/vendor_data to avoid redacting top-level ++ # "vendor_data": {enabled: True} ++ "ds/vendor_data", + ) + + # True on datasources that may not see hotplugged devices reflected +--- cloudinit/stages.py.orig ++++ cloudinit/stages.py +@@ -203,7 +203,9 @@ class Init: + util.ensure_dirs(self._initial_subdirs()) + log_file = util.get_cfg_option_str(self.cfg, "def_log_file") + if log_file: +- util.ensure_file(log_file, mode=0o640, preserve_mode=True) ++ # At this point the log file should have already been created ++ # in the setupLogging function of log.py ++ util.ensure_file(log_file, mode=0o640, preserve_mode=False) + perms = self.cfg.get("syslog_fix_perms") + if not perms: + perms = {} +--- tests/unittests/sources/test_init.py.orig ++++ tests/unittests/sources/test_init.py +@@ -464,6 +464,12 @@ class TestDataSource(CiTestCase): + ( + "merged_cfg", + "security-credentials", ++ "userdata", ++ "user-data", ++ "user_data", ++ "vendordata", ++ "vendor-data", ++ "ds/vendor_data", + ), + datasource.sensitive_metadata_keys, + ) +@@ -574,6 +580,12 @@ class TestDataSource(CiTestCase): + ( + "merged_cfg", + "security-credentials", ++ "userdata", ++ "user-data", ++ "user_data", ++ "vendordata", ++ "vendor-data", ++ "ds/vendor_data", + ), + datasource.sensitive_metadata_keys, + ) +--- tests/unittests/test_stages.py.orig ++++ tests/unittests/test_stages.py +@@ -606,19 +606,23 @@ class TestInit_InitializeFilesystem: + # Assert we create it 0o640 by default if it doesn't already exist + assert 0o640 == stat.S_IMODE(log_file.stat().mode) + +- def test_existing_file_permissions_are_not_modified(self, init, tmpdir): +- """If the log file already exists, we should not modify its permissions ++ def test_existing_file_permissions(self, init, tmpdir): ++ """Test file permissions are set as expected. ++ ++ CIS Hardening requires 640 permissions. 
These permissions are ++ currently hardcoded on every boot, but if there's ever a reason ++ to change this, we need to then ensure that they ++ are *not* set every boot. + + See https://bugs.launchpad.net/cloud-init/+bug/1900837. + """ +- # Use a mode that will never be made the default so this test will +- # always be valid +- mode = 0o606 + log_file = tmpdir.join("cloud-init.log") + log_file.ensure() +- log_file.chmod(mode) ++ # Use a mode that will never be made the default so this test will ++ # always be valid ++ log_file.chmod(0o606) + init._cfg = {"def_log_file": str(log_file)} + + init._initialize_filesystem() + +- assert mode == stat.S_IMODE(log_file.stat().mode) ++ assert 0o640 == stat.S_IMODE(log_file.stat().mode) diff --git a/cloud-init.changes b/cloud-init.changes index 79101b0..cffc404 100644 --- a/cloud-init.changes +++ b/cloud-init.changes @@ -1,15 +1,3 @@ -------------------------------------------------------------------- -Sun Aug 13 21:02:31 UTC 2023 - Dirk Müller - -- update to 23.1.2: - * Make user/vendor data sensitive and remove log permissions - * source: Force OpenStack when it is only option (#2045) - * sources/azure: fix regressions in IMDS behavior -- drop - cloud-init-cve-2023-1786-redact-instance-data-json-main.patch (upstream) -- spec-file cleanups, including dropping flake8 (as build fails - with newer flake8 versions) - ------------------------------------------------------------------- Thu Jul 6 12:06:22 UTC 2023 - Robert Schweikert diff --git a/cloud-init.spec b/cloud-init.spec index 21cf585..2f43852 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,7 +1,7 @@ # # spec file for package cloud-init # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2023 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
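Review bot: In the rewritten loop of `redact_sensitive_keys` (the `cloudinit/sources/__init__.py` part of this patch), the second `if path in obj:` is evaluated after `obj` may already have been re-pointed at the child dict, and the loop does not stop when a component is missing, so the trailing components of a path such as `merged_cfg/ds/userdata` are looked up against whatever level `obj` happens to be on at that point. That cannot leak anything, but it can redact a same-named key inside the child (`ds: {ds: ...}`) or an unrelated key at the wrong level, and it silently does nothing useful for the rest of a path after a miss. Resolving each component once and breaking as soon as the leaf is redacted or a component is absent keeps the membership guard the new comment asks for without those side effects. The `def redact_sensitive_keys` line itself sits outside the quoted inner hunk, so the signature and docstring are unchanged here.
```python
        obj = md_copy
        for path in path_parts:
            if path not in obj:
                break
            if isinstance(obj[path], dict) and path != path_parts[-1]:
                obj = obj[path]
            else:
                obj[path] = redact_value
                break
    # … unchanged: return md_copy …
```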
@@ -12,45 +12,49 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - # change this whenever config changes incompatible %global configver 0.7 -%global docdir %{_defaultdocdir}/%{name} + Name: cloud-init -Version: 23.1.2 +Version: 23.1 Release: 0 +License: GPL-3.0 Summary: Cloud node initialization tool -License: GPL-3.0-only +Url: https://github.com/canonical/cloud-init Group: System/Management -URL: https://github.com/canonical/cloud-init -Source0: https://github.com/canonical/cloud-init/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz Source1: rsyslog-cloud-init.cfg Source2: hidesensitivedata -Patch1: datasourceLocalDisk.patch +Patch1: datasourceLocalDisk.patch # FIXME (lp#1849296) -Patch2: cloud-init-break-resolv-symlink.patch +Patch2: cloud-init-break-resolv-symlink.patch # FIXME no proposed solution -Patch3: cloud-init-sysconf-path.patch +Patch3: cloud-init-sysconf-path.patch # FIXME (lp#1860164) -Patch4: cloud-init-no-tempnet-oci.patch +Patch4: cloud-init-no-tempnet-oci.patch # FIXME https://github.com/canonical/cloud-init/pull/2036 -Patch5: cloud-init-fix-ca-test.patch +Patch5: cloud-init-fix-ca-test.patch # FIXME (lp#1812117) -Patch6: cloud-init-write-routes.patch +Patch6: cloud-init-write-routes.patch +Patch7: cloud-init-cve-2023-1786-redact-instance-data-json-main.patch # FIXME https://github.com/canonical/cloud-init/pull/2148 -Patch8: cloud-init-power-rhel-only.patch +Patch8: cloud-init-power-rhel-only.patch BuildRequires: fdupes +BuildRequires: filesystem # pkg-config is needed to find correct systemd unit dir -BuildRequires: pkgconfig +BuildRequires: pkg-config +# needed for /lib/udev +BuildRequires: pkgconfig(udev) BuildRequires: python-rpm-macros +BuildRequires: python3-devel +BuildRequires: 
python3-setuptools # Test requirements BuildRequires: python3-Jinja2 BuildRequires: python3-PyYAML BuildRequires: python3-configobj >= 5.0.2 -BuildRequires: python3-devel +BuildRequires: python3-flake8 BuildRequires: python3-httpretty BuildRequires: python3-jsonpatch BuildRequires: python3-jsonschema @@ -62,28 +66,28 @@ BuildRequires: python3-pytest-mock BuildRequires: python3-requests BuildRequires: python3-responses BuildRequires: python3-serial -BuildRequires: python3-setuptools BuildRequires: system-user-nobody +%if 0%{?is_opensuse} +BuildRequires: openSUSE-release +%else +BuildRequires: sles-release +%endif BuildRequires: util-linux -BuildRequires: pkgconfig(systemd) -# needed for /lib/udev -BuildRequires: pkgconfig(udev) Requires: bash -Requires: cloud-init-config = %{configver} Requires: dhcp-client -Requires: e2fsprogs Requires: file Requires: growpart +Requires: e2fsprogs Requires: net-tools Requires: openssh -Requires: python3-Jinja2 -Requires: python3-PyYAML Requires: python3-configobj >= 5.0.2 +Requires: python3-Jinja2 Requires: python3-jsonpatch Requires: python3-jsonschema Requires: python3-netifaces Requires: python3-oauthlib Requires: python3-pyserial +Requires: python3-PyYAML Requires: python3-requests Requires: python3-serial Requires: python3-setuptools 
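Review bot: `Source0: %{name}-%{version}.tar.gz` drops the upstream download URL that the previous line carried, so the spec no longer records where the checked-in 23.1 tarball came from; the LFS pointer in this commit only gives a sha256, not a provenance. Keeping `Source0: https://github.com/canonical/cloud-init/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz` costs nothing and lets a reviewer re-fetch the artifact and compare the digest. `Patch7` is also the only patch line without a comment naming its origin, while every neighbour cites an lp# bug or a pull request; the changelog entry this commit removes says the fix is upstream in 23.1.2, so a line such as `# CVE-2023-1786: backport of the upstream fix contained in 23.1.2; drop on the next version update` above it would say when it can go. The bug-report comment also regresses from https to http for bugs.opensuse.org.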
@@ -91,18 +95,23 @@ Requires: python3-xml Requires: sudo Requires: util-linux Requires: wget -%{?systemd_requires} -%if 0%{?is_opensuse} -BuildRequires: openSUSE-release -%else -BuildRequires: sles-release -%endif %if 0%{?suse_version} && 0%{?suse_version} <= 1500 Requires: wicked-service %endif -%ifarch %{ix86} x86_64 +Requires: cloud-init-config = %configver +BuildRoot: %{_tmppath}/%{name}-%{version}-build +%define docdir %{_defaultdocdir}/%{name} +%ifarch %ix86 x86_64 Requires: dmidecode %endif +%define initsys systemd +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%if 0%{?suse_version} && 0%{?suse_version} == 1220 +%define systemd_prefix /lib +%else +%define systemd_prefix /usr/lib +%endif %description Cloud-init is an init script that initializes a cloud node (VM) @@ -110,9 +119,9 @@ according to the fetched configuration data from the admin node. %package config-suse Summary: Configuration file for Cloud node initialization tool +Provides: cloud-init-config = %configver Group: System/Management -Conflicts: cloud-init-config -Provides: cloud-init-config = %{configver} +Conflicts: otherproviders(cloud-init-config) %description config-suse This package contains the product specific configuration file @@ -131,12 +140,13 @@ Documentation and examples for cloud-init tools %prep %setup -q -%patch1 +%patch1 -p0 %patch2 %patch3 %patch4 %patch5 %patch6 +%patch7 %patch8 # patch in the full version to version.py 
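Review bot: `BuildRoot:` and the `suse_version == 1220` branch that defines `systemd_prefix` as `/lib` look dead for any target this spec still builds for — current rpm ignores `BuildRoot`, and the only other distro conditional in the file is `<= 1500` — so they mainly add a second spelling of `%{_prefix}/lib` that the `%files` section then has to use. Unless openSUSE 12.2 really is still a build target, drop both and keep the `%{_prefix}/lib/systemd/...` paths the previous version listed. `%define initsys systemd` likewise has a single use in `%install` and can be inlined as `--init-system=systemd`, which is what the old side had.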
@@ -149,10 +159,11 @@ sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," $version_pys python3 setup.py build %check -%make_build unittest +make unittest +make flake8 %install -python3 setup.py install --root=%{buildroot} --prefix=%{_prefix} --install-lib=%{python3_sitelib} --init-system=systemd +python3 setup.py install --root=%{buildroot} --prefix=%{_prefix} --install-lib=%{python3_sitelib} --init-system=%{initsys} find %{buildroot} \( -name .gitignore -o -name .placeholder \) -delete # from debian install script for x in "%{buildroot}%{_bindir}/"*.py; do @@ -165,6 +176,10 @@ mv %{buildroot}%{_datadir}/doc/%{name} %{buildroot}%{_defaultdocdir} # man pages mkdir -p %{buildroot}%{_mandir}/man1 mv doc/man/* %{buildroot}%{_mandir}/man1 +# copy the LICENSE +mkdir -p %{buildroot}%{_defaultlicensedir}/%{name} +cp LICENSE %{buildroot}%{_defaultlicensedir}/%{name} +cp LICENSE-GPLv3 %{buildroot}%{_defaultlicensedir}/%{name} # Set the distribution indicator %if 0%{?suse_version} %if 0%{?is_opensuse} @@ -173,10 +188,12 @@ sed -i s/suse/opensuse/ %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg sed -i s/suse/sles/ %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg %endif %endif -install -D -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf -mkdir -p %{buildroot}%{_prefix}/lib/udev/rules.d/ -mv %{buildroot}/lib/udev/rules.d/66-azure-ephemeral.rules %{buildroot}%{_prefix}/lib/udev/rules.d/ -install -D -m 755 %{SOURCE2} %{buildroot}%{_sbindir}/hidesensitivedata +mkdir -p %{buildroot}/%{_sysconfdir}/rsyslog.d +mkdir -p %{buildroot}/usr/lib/udev/rules.d/ +cp -a %{SOURCE1} %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf +mv %{buildroot}/lib/udev/rules.d/66-azure-ephemeral.rules %{buildroot}/usr/lib/udev/rules.d/ +mkdir -p %{buildroot}%{_sbindir} +install -m 755 %{SOURCE2} %{buildroot}%{_sbindir} # remove debian/ubuntu specific profile.d file (bnc#779553) rm -f %{buildroot}%{_sysconfdir}/profile.d/Z99-cloud-locale-test.sh 
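Review bot: `make flake8` in `%check` makes the package build fail whenever the distribution's `python3-flake8` gains a rule, and the `BuildRequires: python3-flake8` added in this commit carries no version bound; the changelog entry the commit removes says that is exactly what happened with newer flake8. If linting is meant to stay in `%check`, bound the version (`BuildRequires: python3-flake8 < N`, with N the first release known to fail) or run it non-fatally, `make flake8 || :`, so that a style rule cannot block a security update of this package.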
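Review bot: The manual `cp LICENSE ... %{buildroot}%{_defaultlicensedir}/%{name}` lines duplicate what the `%license LICENSE LICENSE-GPLv3` entry still present in `%files` already does — as far as I can tell `%license` copies the named build-directory files into `%{_defaultlicensedir}/%{name}` itself — so the same two files are now installed to the same place from two mechanisms. Keep one; the `%license` line is the conventional one and the `mkdir`/`cp` trio can be dropped.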
@@ -186,15 +203,16 @@ rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.debian.* rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.redhat.* rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.ubuntu.* +%post +/usr/sbin/hidesensitivedata + # remove duplicate files %if 0%{?suse_version} %fdupes %{buildroot}%{python3_sitelib} %endif -%post -%{_sbindir}/hidesensitivedata - %files +%defattr(-,root,root) %license LICENSE LICENSE-GPLv3 %{_bindir}/cloud-id %{_bindir}/cloud-init 
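Review bot: `cp -a %{SOURCE1} %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf` takes the file mode from the checked-out source instead of setting it, whereas the line it replaces (`install -D -m 644 ...`) made the mode explicit; with `%defattr(-,root,root)` the packaged mode then becomes whatever the build service's checkout happened to have. Keep `install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/rsyslog.d/21-cloudinit.conf`, which also removes the separate `mkdir -p`. The udev rule is similarly moved into a literal `/usr/lib/udev/rules.d/` although `pkgconfig(udev)` is pulled in to discover that directory; `%{_prefix}/lib/udev/rules.d/` as before, or `%{_udevrulesdir}` if the macro is available, keeps the path in one place.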
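Review bot: Moving `%post` above the `# remove duplicate files` block puts `%if 0%{?suse_version}` / `%fdupes %{buildroot}%{python3_sitelib}` / `%endif` inside the `%post` scriptlet, because a scriptlet extends to the next section header, which here is `%files`. The dedup step therefore no longer runs at build time at all, and the installed package instead tries to run fdupes against a build-root path on the end user's machine at install time, where fdupes is only a `BuildRequires` and the scriptlet will fail. Keep `%post` after the `%fdupes` block, the placement the old side had: `%if 0%{?suse_version}` / `%fdupes %{buildroot}%{python3_sitelib}` / `%endif`, then `%post` and `%{_sbindir}/hidesensitivedata`; the macro form also matches the `install ... %{buildroot}%{_sbindir}` line in `%install`.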
@@ -217,33 +235,36 @@ rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.ubuntu.* %{python3_sitelib}/cloudinit %{python3_sitelib}/cloud_init-%{version}*.egg-info %{_prefix}/lib/cloud-init -%{_prefix}/lib/systemd/system-generators/cloud-init-generator -%{_prefix}/lib/systemd/system/cloud-config.service -%{_prefix}/lib/systemd/system/cloud-config.target -%{_prefix}/lib/systemd/system/cloud-init-local.service -%{_prefix}/lib/systemd/system/cloud-init.service -%{_prefix}/lib/systemd/system/cloud-init.target -%{_prefix}/lib/systemd/system/cloud-final.service +%{systemd_prefix}/systemd/system-generators/cloud-init-generator +%{systemd_prefix}/systemd/system/cloud-config.service +%{systemd_prefix}/systemd/system/cloud-config.target +%{systemd_prefix}/systemd/system/cloud-init-local.service +%{systemd_prefix}/systemd/system/cloud-init.service +%{systemd_prefix}/systemd/system/cloud-init.target +%{systemd_prefix}/systemd/system/cloud-final.service %dir %{_sysconfdir}/rsyslog.d %{_sysconfdir}/rsyslog.d/21-cloudinit.conf -%{_prefix}/lib/udev/rules.d/66-azure-ephemeral.rules +/usr/lib/udev/rules.d/66-azure-ephemeral.rules # We use cloud-netconfig to handle new interfaces added to the instance -%exclude %{_prefix}/lib/systemd/system/cloud-init-hotplugd.service -%exclude %{_prefix}/lib/systemd/system/cloud-init-hotplugd.socket +%exclude %{systemd_prefix}/systemd/system/cloud-init-hotplugd.service +%exclude %{systemd_prefix}/systemd/system/cloud-init-hotplugd.socket %dir %attr(0755, root, root) %{_localstatedir}/lib/cloud -%dir %docdir -%dir %{_sysconfdir}/NetworkManager -%dir %{_sysconfdir}/NetworkManager/dispatcher.d -%dir %{_sysconfdir}/dhcp -%dir %{_sysconfdir}/dhcp/dhclient-exit-hooks.d -%dir %{_sysconfdir}/systemd/system/sshd-keygen@.service.d +%dir %{docdir} +%dir /etc/NetworkManager +%dir /etc/NetworkManager/dispatcher.d +%dir /etc/dhcp +%dir /etc/dhcp/dhclient-exit-hooks.d +%dir /etc/systemd/system/sshd-keygen@.service.d + %files config-suse +%defattr(-,root,root) 
%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg %files doc -%docdir/examples/* -%docdir/*.txt -%dir %docdir/examples +%defattr(-,root,root) +%{docdir}/examples/* +%{docdir}/*.txt +%dir %{docdir}/examples %changelog
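Review bot: The `%files` list now mixes three spellings for the same locations — `%{_sysconfdir}/rsyslog.d` next to literal `/etc/NetworkManager` and `/etc/dhcp`, `%{systemd_prefix}/systemd/...` next to `%{_prefix}/lib/cloud-init`, and a literal `/usr/lib/udev/rules.d` — where the previous side used macros throughout. Unless a path genuinely differs per target, keep the macro forms (`%{_sysconfdir}/...`, `%{_prefix}/lib/udev/rules.d/66-azure-ephemeral.rules`, `%{_prefix}/lib/systemd/system/...`); the added `%defattr(-,root,root)` lines restate rpm's default and can go too. The hunk runs through the end of the `%files doc` section.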