- reset to SLE version and keep flake enabled

OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=213
2023-08-14 10:54:59 +00:00 · 2023-08-14 10:54:59 +00:00 · cbf3b8acd4
commit cbf3b8acd4
parent 131faa9cb9
5 changed files with 263 additions and 79 deletions
--- a/cloud-init-23.1.2.tar.gz
+++ b/cloud-init-23.1.2.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:f38515f6b29ce9b8216001cf543cfd8422fed3103f3729ac55b5a598658ff106
 size 1539960
--- a/cloud-init-23.1.tar.gz
+++ b/cloud-init-23.1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:7d6a13210c9fc82c82e471c335de9fbb53ccd63ac92c1d1c462a6e5c8e992ebc
 size 1540625
--- a/cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
+++ b/cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
@ -0,0 +1,175 @@
 --- cloudinit/sources/DataSourceLXD.py.orig
 +++ cloudinit/sources/DataSourceLXD.py
@@ -173,6 +173,8 @@ class DataSourceLXD(sources.DataSource):
         "user.meta-data",
         "user.vendor-data",
         "user.user-data",
 +        "cloud-init.user-data",
 +        "cloud-init.vendor-data",
     )
     skip_hotplug_detect = True
 --- cloudinit/sources/DataSourceVultr.py.orig
 +++ cloudinit/sources/DataSourceVultr.py
@@ -5,6 +5,8 @@
 # Vultr Metadata API:
 # https://www.vultr.com/metadata/
 +from typing import Tuple
 +
 import cloudinit.sources.helpers.vultr as vultr
 from cloudinit import log as log
 from cloudinit import sources, util, version
@@ -27,6 +29,9 @@ BUILTIN_DS_CONFIG = {
 class DataSourceVultr(sources.DataSource):
     dsname = "Vultr"
 +    sensitive_metadata_keys: \
 +        Tuple[str, ...] = \
 +        sources.DataSource.sensitive_metadata_keys + ("startup-script",)
     def __init__(self, sys_cfg, distro, paths):
         super(DataSourceVultr, self).__init__(sys_cfg, distro, paths)
@@ -54,13 +59,8 @@ class DataSourceVultr(sources.DataSource
         self.get_datasource_data(self.metadata)
         # Dump some data so diagnosing failures is manageable
 -        LOG.debug("Vultr Vendor Config:")
 -        LOG.debug(util.json_dumps(self.metadata["vendor-data"]))
         LOG.debug("SUBID: %s", self.metadata["instance-id"])
         LOG.debug("Hostname: %s", self.metadata["local-hostname"])
 -        if self.userdata_raw is not None:
 -            LOG.debug("User-Data:")
 -            LOG.debug(self.userdata_raw)
         return True
@@ -146,7 +146,4 @@ if __name__ == "__main__":
     config = md["vendor-data"]
     sysinfo = vultr.get_sysinfo()
 -    print(util.json_dumps(sysinfo))
 -    print(util.json_dumps(config))
 -
 # vi: ts=4 expandtab
 --- cloudinit/sources/__init__.py.orig
 +++ cloudinit/sources/__init__.py
@@ -132,6 +132,12 @@ def redact_sensitive_keys(metadata, reda
     Replace any keys values listed in 'sensitive_keys' with redact_value.
     """
 +    # While 'sensitive_keys' should already sanitized to only include what
 +    # is in metadata, it is possible keys will overlap. For example, if
 +    # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that
 +    # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata"
 +    # no longer represents a valid key.
 +    # Thus, we still need to do membership checks in this function.
     if not metadata.get("sensitive_keys", []):
         return metadata
     md_copy = copy.deepcopy(metadata)
@@ -139,9 +145,14 @@ def redact_sensitive_keys(metadata, reda
         path_parts = key_path.split("/")
         obj = md_copy
         for path in path_parts:
 -            if isinstance(obj[path], dict) and path != path_parts[-1]:
 +            if (
 +                path in obj
 +                and isinstance(obj[path], dict)
 +                and path != path_parts[-1]
 +            ):
                 obj = obj[path]
 -        obj[path] = redact_value
 +        if path in obj:
 +            obj[path] = redact_value
     return md_copy
@@ -249,6 +260,14 @@ class DataSource(CloudInitPickleMixin, m
     sensitive_metadata_keys: Tuple[str, ...] = (
         "merged_cfg",
         "security-credentials",
 +        "userdata",
 +        "user-data",
 +        "user_data",
 +        "vendordata",
 +        "vendor-data",
 +        # Provide ds/vendor_data to avoid redacting top-level
 +        #  "vendor_data": {enabled: True}
 +        "ds/vendor_data",
     )
     # True on datasources that may not see hotplugged devices reflected
 --- cloudinit/stages.py.orig
 +++ cloudinit/stages.py
@@ -203,7 +203,9 @@ class Init:
         util.ensure_dirs(self._initial_subdirs())
         log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
         if log_file:
 -            util.ensure_file(log_file, mode=0o640, preserve_mode=True)
 +            # At this point the log file should have already been created
 +            # in the setupLogging function of log.py
 +            util.ensure_file(log_file, mode=0o640, preserve_mode=False)
             perms = self.cfg.get("syslog_fix_perms")
             if not perms:
                 perms = {}
 --- tests/unittests/sources/test_init.py.orig
 +++ tests/unittests/sources/test_init.py
@@ -464,6 +464,12 @@ class TestDataSource(CiTestCase):
             (
                 "merged_cfg",
                 "security-credentials",
 +                "userdata",
 +                "user-data",
 +                "user_data",
 +                "vendordata",
 +                "vendor-data",
 +                "ds/vendor_data",
             ),
             datasource.sensitive_metadata_keys,
         )
@@ -574,6 +580,12 @@ class TestDataSource(CiTestCase):
             (
                 "merged_cfg",
                 "security-credentials",
 +                "userdata",
 +                "user-data",
 +                "user_data",
 +                "vendordata",
 +                "vendor-data",
 +                "ds/vendor_data",
             ),
             datasource.sensitive_metadata_keys,
         )
 --- tests/unittests/test_stages.py.orig
 +++ tests/unittests/test_stages.py
@@ -606,19 +606,23 @@ class TestInit_InitializeFilesystem:
         # Assert we create it 0o640  by default if it doesn't already exist
         assert 0o640 == stat.S_IMODE(log_file.stat().mode)
 -    def test_existing_file_permissions_are_not_modified(self, init, tmpdir):
 -        """If the log file already exists, we should not modify its permissions
 +    def test_existing_file_permissions(self, init, tmpdir):
 +        """Test file permissions are set as expected.
 +
 +        CIS Hardening requires 640 permissions. These permissions are
 +        currently hardcoded on every boot, but if there's ever a reason
 +        to change this, we need to then ensure that they
 +        are *not* set every boot.
         See https://bugs.launchpad.net/cloud-init/+bug/1900837.
         """
 -        # Use a mode that will never be made the default so this test will
 -        # always be valid
 -        mode = 0o606
         log_file = tmpdir.join("cloud-init.log")
         log_file.ensure()
 -        log_file.chmod(mode)
 +        # Use a mode that will never be made the default so this test will
 +        # always be valid
 +        log_file.chmod(0o606)
         init._cfg = {"def_log_file": str(log_file)}
         init._initialize_filesystem()
 -        assert mode == stat.S_IMODE(log_file.stat().mode)
 +        assert 0o640 == stat.S_IMODE(log_file.stat().mode)
--- a/cloud-init.changes
+++ b/cloud-init.changes
@ -1,15 +1,3 @@
 -------------------------------------------------------------------
 Sun Aug 13 21:02:31 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - update to 23.1.2:
  * Make user/vendor data sensitive and remove log permissions
  * source: Force OpenStack when it is only option (#2045)
  * sources/azure: fix regressions in IMDS behavior
 - drop 
  cloud-init-cve-2023-1786-redact-instance-data-json-main.patch (upstream)
 - spec-file cleanups, including dropping flake8 (as build fails
  with newer flake8 versions)
 -------------------------------------------------------------------
 Thu Jul  6 12:06:22 UTC 2023 - Robert Schweikert <rjschwei@suse.com>
--- a/cloud-init.spec
+++ b/cloud-init.spec
@ -1,7 +1,7 @@
 #
 # spec file for package cloud-init
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2023 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,45 +12,49 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 # change this whenever config changes incompatible
 %global configver 0.7
-%global docdir %{_defaultdocdir}/%{name}
+
 Name:           cloud-init
-Version:        23.1.2
+Version:        23.1
 Release:        0
 License:        GPL-3.0
 Summary:        Cloud node initialization tool
-License:        GPL-3.0-only
+Url:            https://github.com/canonical/cloud-init
 Group:          System/Management
-URL:            https://github.com/canonical/cloud-init
+Source0:        %{name}-%{version}.tar.gz
 Source0:        https://github.com/canonical/cloud-init/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        rsyslog-cloud-init.cfg
 Source2:        hidesensitivedata
-Patch1:         datasourceLocalDisk.patch
+Patch1:        datasourceLocalDisk.patch
 # FIXME (lp#1849296)
-Patch2:         cloud-init-break-resolv-symlink.patch
+Patch2:        cloud-init-break-resolv-symlink.patch
 # FIXME no proposed solution
-Patch3:         cloud-init-sysconf-path.patch
+Patch3:        cloud-init-sysconf-path.patch
 # FIXME (lp#1860164)
-Patch4:         cloud-init-no-tempnet-oci.patch
+Patch4:        cloud-init-no-tempnet-oci.patch
 # FIXME https://github.com/canonical/cloud-init/pull/2036
-Patch5:         cloud-init-fix-ca-test.patch
+Patch5:        cloud-init-fix-ca-test.patch
 # FIXME (lp#1812117)
-Patch6:         cloud-init-write-routes.patch
+Patch6:        cloud-init-write-routes.patch
 Patch7:        cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
 # FIXME https://github.com/canonical/cloud-init/pull/2148
-Patch8:         cloud-init-power-rhel-only.patch
+Patch8:        cloud-init-power-rhel-only.patch
 BuildRequires:  fdupes
 BuildRequires:  filesystem
 # pkg-config is needed to find correct systemd unit dir
-BuildRequires:  pkgconfig
+BuildRequires:  pkg-config
 # needed for /lib/udev
 BuildRequires:  pkgconfig(udev)
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 # Test requirements
 BuildRequires:  python3-Jinja2
 BuildRequires:  python3-PyYAML
 BuildRequires:  python3-configobj >= 5.0.2
-BuildRequires:  python3-devel
+BuildRequires:  python3-flake8
 BuildRequires:  python3-httpretty
 BuildRequires:  python3-jsonpatch
 BuildRequires:  python3-jsonschema
@ -62,28 +66,28 @@ BuildRequires:  python3-pytest-mock
 BuildRequires:  python3-requests
 BuildRequires:  python3-responses
 BuildRequires:  python3-serial
 BuildRequires:  python3-setuptools
 BuildRequires:  system-user-nobody
 %if 0%{?is_opensuse}
 BuildRequires:  openSUSE-release
 %else
 BuildRequires:  sles-release
 %endif
 BuildRequires:  util-linux
 BuildRequires:  pkgconfig(systemd)
 # needed for /lib/udev
 BuildRequires:  pkgconfig(udev)
 Requires:       bash
 Requires:       cloud-init-config = %{configver}
 Requires:       dhcp-client
 Requires:       e2fsprogs
 Requires:       file
 Requires:       growpart
 Requires:       e2fsprogs
 Requires:       net-tools
 Requires:       openssh
 Requires:       python3-Jinja2
 Requires:       python3-PyYAML
 Requires:       python3-configobj >= 5.0.2
 Requires:       python3-Jinja2
 Requires:       python3-jsonpatch
 Requires:       python3-jsonschema
 Requires:       python3-netifaces
 Requires:       python3-oauthlib
 Requires:       python3-pyserial
 Requires:       python3-PyYAML
 Requires:       python3-requests
 Requires:       python3-serial
 Requires:       python3-setuptools
@ -91,18 +95,23 @@ Requires:       python3-xml
 Requires:       sudo
 Requires:       util-linux
 Requires:       wget
 %{?systemd_requires}
 %if 0%{?is_opensuse}
 BuildRequires:  openSUSE-release
 %else
 BuildRequires:  sles-release
 %endif
 %if 0%{?suse_version} && 0%{?suse_version} <= 1500
 Requires:       wicked-service
 %endif
-%ifarch %{ix86} x86_64
+Requires:       cloud-init-config = %configver
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define         docdir %{_defaultdocdir}/%{name}
 %ifarch %ix86 x86_64
 Requires:       dmidecode
 %endif
 %define initsys systemd
 BuildRequires: pkgconfig(systemd)
 %{?systemd_requires}
 %if 0%{?suse_version} && 0%{?suse_version} == 1220
 %define systemd_prefix /lib
 %else
 %define systemd_prefix /usr/lib
 %endif
 %description
 Cloud-init is an init script that initializes a cloud node (VM)
@ -110,9 +119,9 @@ according to the fetched configuration data from the admin node.
 %package config-suse
 Summary:        Configuration file for Cloud node initialization tool
 Provides:	    cloud-init-config = %configver
 Group:          System/Management
-Conflicts:      cloud-init-config
+Conflicts:	    otherproviders(cloud-init-config)
 Provides:       cloud-init-config = %{configver}
 %description config-suse
 This package contains the product specific configuration file
@ -131,12 +140,13 @@ Documentation and examples for cloud-init tools
 %prep
 %setup -q
-%patch1
+%patch1 -p0
 %patch2
 %patch3
 %patch4
 %patch5
 %patch6
 %patch7
 %patch8
 # patch in the full version to version.py
@ -149,10 +159,11 @@ sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," $version_pys
 python3 setup.py build
 %check
-%make_build unittest
+make unittest
 make flake8
 %install
-python3 setup.py install --root=%{buildroot} --prefix=%{_prefix} --install-lib=%{python3_sitelib} --init-system=systemd
+python3 setup.py install --root=%{buildroot} --prefix=%{_prefix} --install-lib=%{python3_sitelib} --init-system=%{initsys}
 find %{buildroot} \( -name .gitignore -o -name .placeholder \) -delete
 # from debian install script
 for x in "%{buildroot}%{_bindir}/"*.py; do
@ -165,6 +176,10 @@ mv %{buildroot}%{_datadir}/doc/%{name} %{buildroot}%{_defaultdocdir}
 # man pages
 mkdir -p %{buildroot}%{_mandir}/man1
 mv doc/man/* %{buildroot}%{_mandir}/man1
 # copy the LICENSE
 mkdir -p %{buildroot}%{_defaultlicensedir}/%{name}
 cp LICENSE %{buildroot}%{_defaultlicensedir}/%{name}
 cp LICENSE-GPLv3 %{buildroot}%{_defaultlicensedir}/%{name}
 # Set the distribution indicator
 %if 0%{?suse_version}
 %if 0%{?is_opensuse}
@ -173,10 +188,12 @@ sed -i s/suse/opensuse/ %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg
 sed -i s/suse/sles/ %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg
 %endif
 %endif
-install -D -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf
+mkdir -p %{buildroot}/%{_sysconfdir}/rsyslog.d
-mkdir -p %{buildroot}%{_prefix}/lib/udev/rules.d/
+mkdir -p %{buildroot}/usr/lib/udev/rules.d/
-mv %{buildroot}/lib/udev/rules.d/66-azure-ephemeral.rules %{buildroot}%{_prefix}/lib/udev/rules.d/
+cp -a %{SOURCE1} %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf
-install -D -m 755 %{SOURCE2} %{buildroot}%{_sbindir}/hidesensitivedata
+mv %{buildroot}/lib/udev/rules.d/66-azure-ephemeral.rules %{buildroot}/usr/lib/udev/rules.d/
 mkdir -p %{buildroot}%{_sbindir}
 install -m 755 %{SOURCE2} %{buildroot}%{_sbindir}
 # remove debian/ubuntu specific profile.d file (bnc#779553)
 rm -f %{buildroot}%{_sysconfdir}/profile.d/Z99-cloud-locale-test.sh
@ -186,15 +203,16 @@ rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.debian.*
 rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.redhat.*
 rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.ubuntu.*
 %post
 /usr/sbin/hidesensitivedata
 # remove duplicate files
 %if 0%{?suse_version}
 %fdupes %{buildroot}%{python3_sitelib}
 %endif
 %post
 %{_sbindir}/hidesensitivedata
 %files
 %defattr(-,root,root)
 %license LICENSE LICENSE-GPLv3
 %{_bindir}/cloud-id
 %{_bindir}/cloud-init
@ -217,33 +235,36 @@ rm %{buildroot}/%{_sysconfdir}/cloud/templates/*.ubuntu.*
 %{python3_sitelib}/cloudinit
 %{python3_sitelib}/cloud_init-%{version}*.egg-info
 %{_prefix}/lib/cloud-init
-%{_prefix}/lib/systemd/system-generators/cloud-init-generator
+%{systemd_prefix}/systemd/system-generators/cloud-init-generator
-%{_prefix}/lib/systemd/system/cloud-config.service
+%{systemd_prefix}/systemd/system/cloud-config.service
-%{_prefix}/lib/systemd/system/cloud-config.target
+%{systemd_prefix}/systemd/system/cloud-config.target
-%{_prefix}/lib/systemd/system/cloud-init-local.service
+%{systemd_prefix}/systemd/system/cloud-init-local.service
-%{_prefix}/lib/systemd/system/cloud-init.service
+%{systemd_prefix}/systemd/system/cloud-init.service
-%{_prefix}/lib/systemd/system/cloud-init.target
+%{systemd_prefix}/systemd/system/cloud-init.target
-%{_prefix}/lib/systemd/system/cloud-final.service
+%{systemd_prefix}/systemd/system/cloud-final.service
 %dir %{_sysconfdir}/rsyslog.d
 %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
-%{_prefix}/lib/udev/rules.d/66-azure-ephemeral.rules
+/usr/lib/udev/rules.d/66-azure-ephemeral.rules
 # We use cloud-netconfig to handle new interfaces added to the instance
-%exclude %{_prefix}/lib/systemd/system/cloud-init-hotplugd.service
+%exclude %{systemd_prefix}/systemd/system/cloud-init-hotplugd.service
-%exclude %{_prefix}/lib/systemd/system/cloud-init-hotplugd.socket
+%exclude %{systemd_prefix}/systemd/system/cloud-init-hotplugd.socket
 %dir %attr(0755, root, root) %{_localstatedir}/lib/cloud
-%dir %docdir
+%dir %{docdir}
-%dir %{_sysconfdir}/NetworkManager
+%dir /etc/NetworkManager
-%dir %{_sysconfdir}/NetworkManager/dispatcher.d
+%dir /etc/NetworkManager/dispatcher.d
-%dir %{_sysconfdir}/dhcp
+%dir /etc/dhcp
-%dir %{_sysconfdir}/dhcp/dhclient-exit-hooks.d
+%dir /etc/dhcp/dhclient-exit-hooks.d
-%dir %{_sysconfdir}/systemd/system/sshd-keygen@.service.d
+%dir /etc/systemd/system/sshd-keygen@.service.d
 %files config-suse
 %defattr(-,root,root)
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg
 %files doc
-%docdir/examples/*
+%defattr(-,root,root)
-%docdir/*.txt
+%{docdir}/examples/*
-%dir %docdir/examples
+%{docdir}/*.txt
 %dir %{docdir}/examples
 %changelog