diff --git a/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch b/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch deleted file mode 100644 index 3722a3b17208a3606d3ad955881cf873b83b12b2..0000000000000000000000000000000000000000 --- a/0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 31eb954bf463f221e6c5ca234bd290b1441b90f8 Mon Sep 17 00:00:00 2001 -From: "jinkangkang.jkk" -Date: Wed, 23 Mar 2022 19:16:16 +0800 -Subject: [PATCH] Replace deprecated collections.Iterable with abc replacement - ---- - cloudinit/log.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/cloudinit/log.py b/cloudinit/log.py -index 5ae312b..82d4257 100644 ---- a/cloudinit/log.py -+++ b/cloudinit/log.py -@@ -12,7 +12,7 @@ import logging - import logging.config - import logging.handlers - --import collections -+import collections.abc - import os - import sys - -@@ -82,7 +82,7 @@ def setupLogging(cfg=None): - for a_cfg in cfg['log_cfgs']: - if isinstance(a_cfg, six.string_types): - log_cfgs.append(a_cfg) -- elif isinstance(a_cfg, (collections.Iterable)): -+ elif isinstance(a_cfg, (collections.abc.Iterable)): - cfg_str = [str(c) for c in a_cfg] - log_cfgs.append('\n'.join(cfg_str)) - else: --- -2.30.1 (Apple Git-130) \ No newline at end of file diff --git a/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch b/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch deleted file mode 100644 index 02079cb93bd8ca10c22c0ccdcc0604ea17cc8e23..0000000000000000000000000000000000000000 --- a/0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From 42372a17d19fab9435cab2b87e5d370238dddb2d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=88=98=E5=90=91=E9=9B=A810206134?= - -Date: Tue, 27 May 2025 11:03:00 +0800 -Subject: [PATCH] Make user/vendor data sensitive and remove log permissions - -ANBZ:7595 - -commit a378b7e4f47375458651c0972e7cd813f6fe0a6b upstream. - -fix CVE: CVE-2023-1786 - -Because user data and vendor data may contain sensitive information, -this commit ensures that any user data or vendor data written to -instance-data.json gets redacted and is only available to root user. - -Also, modify the permissions of cloud-init.log to be 640, so that -sensitive data leaked to the log isn't world readable. -Additionally, remove the logging of user data and vendor data to -cloud-init.log from the Vultr datasource. - -LP: #2013967 -CVE: CVE-2023-1786 - -Signed-off-by: James Falcon -Fixes: CVE-2023-1786 ---- - cloudinit/sources/__init__.py | 30 +++++++++++++++++++++++++--- - cloudinit/sources/tests/test_init.py | 19 ++++++++++++++++-- - cloudinit/stages.py | 4 +++- - 3 files changed, 47 insertions(+), 6 deletions(-) - -diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py -index e6966b3..f484a69 100644 ---- a/cloudinit/sources/__init__.py -+++ b/cloudinit/sources/__init__.py -@@ -91,7 +91,10 @@ def process_instance_metadata(metadata, key_path='', sensitive_keys=()): - sub_key_path = key_path + '/' + key - else: - sub_key_path = key -- if key in sensitive_keys or sub_key_path in sensitive_keys: -+ if ( -+ key.lower() in sensitive_keys -+ or sub_key_path.lower() in sensitive_keys -+ ): - md_copy['sensitive_keys'].append(sub_key_path) - if isinstance(val, str) and val.startswith('ci-b64:'): - md_copy['base64_encoded_keys'].append(sub_key_path) -@@ -112,6 +115,12 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE): - - Replace any keys values listed in 'sensitive_keys' with redact_value. 
- """ -+ # While 'sensitive_keys' should already sanitized to only include what -+ # is in metadata, it is possible keys will overlap. For example, if -+ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that -+ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata" -+ # no longer represents a valid key. -+ # Thus, we still need to do membership checks in this function. - if not metadata.get('sensitive_keys', []): - return metadata - md_copy = copy.deepcopy(metadata) -@@ -119,7 +128,11 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE): - path_parts = key_path.split('/') - obj = md_copy - for path in path_parts: -- if isinstance(obj[path], dict) and path != path_parts[-1]: -+ if ( -+ path in obj -+ and isinstance(obj[path], dict) -+ and path != path_parts[-1] -+ ): - obj = obj[path] - obj[path] = redact_value - return md_copy -@@ -179,7 +192,18 @@ class DataSource(object): - - # N-tuple of keypaths or keynames redact from instance-data.json for - # non-root users -- sensitive_metadata_keys = ('security-credentials',) -+ sensitive_metadata_keys = ( -+ "merged_cfg", -+ "security-credentials", -+ "userdata", -+ "user-data", -+ "user_data", -+ "vendordata", -+ "vendor-data", -+ # Provide ds/vendor_data to avoid redacting top-level -+ # "vendor_data": {enabled: True} -+ "ds/vendor_data", -+ ) - - def __init__(self, sys_cfg, distro, paths, ud_proc=None): - self.sys_cfg = sys_cfg -diff --git a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_init.py -index 6378e98..d6ad335 100644 ---- a/cloudinit/sources/tests/test_init.py -+++ b/cloudinit/sources/tests/test_init.py -@@ -329,9 +329,24 @@ class TestDataSource(CiTestCase): - 'local-hostname': 'test-subclass-hostname', - 'region': 'myregion', - 'some': {'security-credentials': { -- 'cred1': 'sekret', 'cred2': 'othersekret'}}}) -+ 'cred1': 'sekret', 'cred2': 'othersekret' -+ } -+ }, -+ }, -+ ) - self.assertEqual( -- ('security-credentials',), 
datasource.sensitive_metadata_keys) -+ ( -+ "merged_cfg", -+ "security-credentials", -+ "userdata", -+ "user-data", -+ "user_data", -+ "vendordata", -+ "vendor-data", -+ "ds/vendor_data", -+ ), -+ datasource.sensitive_metadata_keys, -+ ) - datasource.get_data() - json_file = self.tmp_path(INSTANCE_JSON_FILE, tmp) - sensitive_json_file = self.tmp_path(INSTANCE_JSON_SENSITIVE_FILE, tmp) -diff --git a/cloudinit/stages.py b/cloudinit/stages.py -index da7d349..9ab322a 100644 ---- a/cloudinit/stages.py -+++ b/cloudinit/stages.py -@@ -149,7 +149,9 @@ class Init(object): - util.ensure_dirs(self._initial_subdirs()) - log_file = util.get_cfg_option_str(self.cfg, 'def_log_file') - if log_file: -- util.ensure_file(log_file) -+ # At this point the log file should have already been created -+ # in the setupLogging function of log.py -+ util.ensure_file(log_file, mode=0o640) - perms = self.cfg.get('syslog_fix_perms') - if not perms: - perms = {} --- -2.27.0 - diff --git a/1001-support-anolis.patch b/1001-support-anolis.patch new file mode 100644 index 0000000000000000000000000000000000000000..2ec81b27a52f725d8a8e0911f1b370ecbde15292 --- /dev/null +++ b/1001-support-anolis.patch @@ -0,0 +1,24 @@ +From 590b7274a979882c58220901107fb53642aa19fd Mon Sep 17 00:00:00 2001 +From: mgb01105731 +Date: Thu, 3 Jul 2025 05:59:23 -0400 +Subject: [PATCH 1/1] support anolis + +--- + tools/render-template | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/render-template b/tools/render-template +index 3cd4271..c9b7350 100755 +--- a/tools/render-template ++++ b/tools/render-template +@@ -41,6 +41,7 @@ def main(): + "ubuntu", + "unknown", + "virtuozzo", ++ "anolis" + ] + parser = argparse.ArgumentParser() + platform = util.system_info() +-- +2.41.0 + diff --git a/Enable-ipv6-network-by-default.patch b/Enable-ipv6-network-by-default.patch deleted file mode 100644 index 432a1d788eb54404c6fdaa210bda0d5d0a860baa..0000000000000000000000000000000000000000 
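Review bot: The added `"anolis"` in tools/render-template breaks both conventions the surrounding list shows: entries are alphabetical (`"ubuntu"`, `"unknown"`, `"virtuozzo"`) and each ends with a comma, so it should read `"anolis",` in sorted position rather than being appended after `"virtuozzo"` without a trailing comma. The patch only widens the CLI's accepted variants; nothing in it touches the templates under config/, so `render-template --variant anolis` (as run from the spec's %install) will render whatever branch those templates take for a variant they do not list, and the dropped Enable-ipv6-network-by-default.patch shows that template's network section is variant-dependent, so the rendered cloud.cfg is worth checking. The enclosing main() continues outside the hunk.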
--- a/Enable-ipv6-network-by-default.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- cloud-init-19.1.14/config/cloud.cfg.tmpl 2021-12-14 11:10:30.000000000 +0800 -+++ cloud-init-19.1.14-edit/config/cloud.cfg.tmpl 2022-05-23 20:57:09.060790268 +0800 -@@ -22,7 +22,7 @@ - - manage_etc_hosts: localhost - --{% if variant in ["sles","opensuse","aliyun"]%} -+{% if variant in ["sles","opensuse"]%} - network: - config: disabled - {% endif%} diff --git a/cloud-init-19.1.17.tgz b/cloud-init-19.1.17.tgz deleted file mode 100644 index efb9e6ca12bca791051bde7b988ec14bfd759f5b..0000000000000000000000000000000000000000 Binary files a/cloud-init-19.1.17.tgz and /dev/null differ diff --git a/cloud-init-25.1.3.tar.gz b/cloud-init-25.1.3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..43e04086cf5c4eca0b34a0674493123942572468 Binary files /dev/null and b/cloud-init-25.1.3.tar.gz differ diff --git a/cloud-init-tmpfiles.conf b/cloud-init-tmpfiles.conf new file mode 100644 index 0000000000000000000000000000000000000000..0c6d2a3be841d2fbd0d7fc70e7fc1ca30a1aa7cb --- /dev/null +++ b/cloud-init-tmpfiles.conf @@ -0,0 +1 @@ +d /run/cloud-init 0700 root root - - diff --git a/cloud-init.spec b/cloud-init.spec index bd9c63e91d1fb5f1dfb2e6efd7d2d9b9f33e0591..692c7aed000acfe0c55352a5cc133a02f817682b 100644 --- a/cloud-init.spec +++ b/cloud-init.spec 
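Review bot: The 0700 root-only mode in this entry is only applied when systemd-tmpfiles processes it, yet the spec hunk (cloud-init.spec, through the changelog) also packages `%dir /run/cloud-init`, so on a first install into a running system rpm creates the directory with the buildroot's default mode and the tighter mode only takes effect after the next boot. Adding `%tmpfiles_create %{name}.conf` to `%post` closes that window. A one-line comment above the entry stating why the directory is root-only, e.g. `# runtime state; presumably holds instance data cloud-init restricts to root — confirm`, would also keep a later packager from relaxing it to 0755.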
@@ -1,189 +1,169 @@ -%define anolis_release 5 +%define anolis_release 1 -%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} - -%define __python /usr/bin/python3 -%define init_system systemd - -%if 0%{?alinux} -%define file_patch /usr/libexec/cloud-init -%else -%define file_patch /usr/lib/cloud-init -%endif - -# See: http://www.zarb.org/~jasonc/macros.php -# Or: http://www.rpm.org/max-rpm/ch-rpm-inside.html +%bcond_without tests Name: cloud-init -Version: 19.1.17 +Version: 25.1.3 Release: %{anolis_release}%{?dist} Summary: Cloud instance init scripts +License: Apache-2.0 or GPL-3.0-only +URL: https://github.com/canonical/cloud-init -Group: System Environment/Base -License: Dual-licesed GPLv3 or Apache 2.0 -URL: http://launchpad.net/cloud-init - -Source0: cloud-init-19.1.17.tgz +Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz +Source1: cloud-init-tmpfiles.conf -Patch0: Enable-ipv6-network-by-default.patch -Patch1001: 0001-replace-deprecated-collections-Iterable-with-abc-replacement.patch -Patch1002: 0002-Make-user-vendor-data-sensitive-and-remove-log-permi.patch +Patch0: 1001-support-anolis.patch BuildArch: noarch -BuildRoot: %{_tmppath} - -Requires: systemd -BuildRequires: systemd -Requires: systemd-units -BuildRequires: systemd-units - -# These are runtime dependencies, but declared as BuildRequires so that -# - tests can be run here. -# - parts of cloud-init such (setup.py) use these dependencies. 
-BuildRequires: python3-requests -BuildRequires: python3-configobj -BuildRequires: python3-jsonschema -BuildRequires: python3-six -BuildRequires: python3-jinja2 -BuildRequires: python3-pyyaml -BuildRequires: python3-oauthlib -BuildRequires: python3-jsonpatch -BuildRequires: e2fsprogs -BuildRequires: iproute -BuildRequires: net-tools -BuildRequires: procps -BuildRequires: rsyslog -BuildRequires: shadow-utils -BuildRequires: sudo + +BuildRequires: systemd-rpm-macros BuildRequires: python3-devel -BuildRequires: python3-setuptools +BuildRequires: pkgconfig(systemd) -# System util packages needed -%ifarch x86_64 -Requires: dmidecode +%if %{with tests} +BuildRequires: iproute +BuildRequires: passwd +# dnf is needed to make cc_ntp unit tests work +# https://bugs.launchpad.net/cloud-init/+bug/1721573 +BuildRequires: /usr/bin/dnf +BuildRequires: python3dist(pytest) +BuildRequires: python3dist(pytest-mock) +BuildRequires: python3dist(responses) +BuildRequires: python3dist(passlib) +BuildRequires: python3dist(pyserial) %endif -# Install 'dynamic' runtime reqs from *requirements.txt and pkg-deps.json -Requires: python3-requests -Requires: python3-configobj -Requires: python3-jsonschema -Requires: python3-six -Requires: python3-jinja2 -Requires: python3-pyyaml -Requires: python3-oauthlib -Requires: python3-jsonpatch +Requires: dhcp-client +Requires: hostname Requires: e2fsprogs Requires: iproute +Requires: python3-libselinux Requires: net-tools +Requires: policycoreutils-python3 Requires: procps -Requires: rsyslog Requires: shadow-utils -Requires: sudo -Requires: python3-devel -Requires: python3-setuptools +Requires: util-linux +Requires: xfsprogs +# https://bugzilla.redhat.com/show_bug.cgi?id=1974262 +Requires: gdisk +Requires: openssl + +%{?systemd_requires} -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd %description Cloud-init is a set of init scripts for cloud instances. 
Cloud instances need special scripts to run during initialization to retrieve and install ssh keys and to let the user run various scripts. + %prep -%autosetup -n cloud-init-19.1.17 -p1 +%autosetup -p1 + +# Change shebangs +sed -i -e 's|#!/usr/bin/env python|#!/usr/bin/env python3|' \ + -e 's|#!/usr/bin/python|#!/usr/bin/python3|' tools/* cloudinit/ssh_util.py + +# Removing shebang manually because of rpmlint, will update upstream later +sed -i -e 's|#!/usr/bin/python||' cloudinit/cmd/main.py + +# Use unittest from the standard library. unittest2 is old and being +# retired in Fedora. See https://bugzilla.redhat.com/show_bug.cgi?id=1794222 +find tests/ -type f | xargs sed -i s/unittest2/unittest/ +find tests/ -type f | xargs sed -i s/assertItemsEqual/assertCountEqual/ + + +%generate_buildrequires +%pyproject_buildrequires + %build -%{__python} setup.py build +%py3_build -%install -%{__python} setup.py install -O1 \ - --skip-build --root $RPM_BUILD_ROOT \ - --init-system=%{init_system} -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rsyslog.d -cp -p tools/21-cloudinit.conf \ - $RPM_BUILD_ROOT/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf +%install +%py3_install -- --init-system=systemd -# Remove the tests -rm -rf $RPM_BUILD_ROOT%{python_sitelib}/tests +# Generate cloud-config file +python3 tools/render-template --variant anolis > $RPM_BUILD_ROOT/%{_sysconfdir}/cloud/cloud.cfg -# Required dirs... -mkdir -p $RPM_BUILD_ROOT/%{_sharedstatedir}/cloud -mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/%{name} +mkdir -p $RPM_BUILD_ROOT/var/lib/cloud -# patch in the full version to version.py -version_pys=$(cd "$RPM_BUILD_ROOT" && find . -name version.py -type f) -[ -n "$version_pys" ] || - { echo "failed to find 'version.py' to patch with version." 
1>&2; exit 1; } -( cd "$RPM_BUILD_ROOT" && - sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," $version_pys ) +# /run/cloud-init needs a tmpfiles.d entry +mkdir -p $RPM_BUILD_ROOT/run/cloud-init +mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir} +cp -p %{SOURCE1} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf -%clean -rm -rf $RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rsyslog.d +cp -p tools/21-cloudinit.conf $RPM_BUILD_ROOT/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf + +# installing man pages +mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man1/ +for man in cloud-id.1 cloud-init.1 cloud-init-per.1; do + install -c -m 0644 doc/man/${man} ${RPM_BUILD_ROOT}%{_mandir}/man1/${man} + chmod -x ${RPM_BUILD_ROOT}%{_mandir}/man1/* +done + +%check +%if %{with tests} +python3 -m pytest tests/unittests +%else +%py3_check_import cloudinit +%endif %post -if [ $1 -eq 1 ] -then - /bin/systemctl enable cloud-config.service >/dev/null 2>&1 || : - /bin/systemctl enable cloud-final.service >/dev/null 2>&1 || : - /bin/systemctl enable cloud-init.service >/dev/null 2>&1 || : - /bin/systemctl enable cloud-init-local.service >/dev/null 2>&1 || : -fi -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "/Before=sshd.service/d" /usr/lib/systemd/system/cloud-init.service -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "/Before=sshd-keygen.service/d" /usr/lib/systemd/system/cloud-init.service -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "s/Before=network-online.target/After=network-online.target/g" /usr/lib/systemd/system/cloud-init.service -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "/Wants=network-pre.target/d" /usr/lib/systemd/system/cloud-init-local.service -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "/Before=NetworkManager.service/d" /usr/lib/systemd/system/cloud-init-local.service -grep -Eiq 'qboot|quick boot' /etc/image-id && sed -i "s/Before=network-pre.target/Requires=network-online.target/g" /usr/lib/systemd/system/cloud-init-local.service -grep -Eiq 
'qboot|quick boot' /etc/image-id && sed -i "s/After=systemd-remount-fs.service/After=systemd-remount-fs.service network-online.target/g" /usr/lib/systemd/system/cloud-init-local.service -ln -sf /sys/firmware/qemu_fw_cfg/by_name/etc/cloud-init/vendor-data/raw /etc/cloud/cloud.cfg.d/aliyun_cloud.cfg +%systemd_post cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service + %preun -if [ $1 -eq 0 ] -then - /bin/systemctl --no-reload disable cloud-config.service >/dev/null 2>&1 || : - /bin/systemctl --no-reload disable cloud-final.service >/dev/null 2>&1 || : - /bin/systemctl --no-reload disable cloud-init.service >/dev/null 2>&1 || : - /bin/systemctl --no-reload disable cloud-init-local.service >/dev/null 2>&1 || : -fi +%systemd_preun cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service + %postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : +%systemd_postun cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service + %files -/lib/udev/rules.d/66-azure-ephemeral.rules +%license LICENSE LICENSE-Apache2.0 LICENSE-GPLv3 +%doc ChangeLog +%doc doc/* +%{_mandir}/man1/* +%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg +%dir %{_sysconfdir}/cloud/cloud.cfg.d +%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/*.cfg +%doc %{_sysconfdir}/cloud/cloud.cfg.d/README +%dir %{_sysconfdir}/cloud/templates +%config(noreplace) %{_sysconfdir}/cloud/templates/* +%dir %{_sysconfdir}/rsyslog.d +%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf +%{_udevrulesdir}/66-azure-ephemeral.rules +%{_unitdir}/cloud-config.service +%{_unitdir}/cloud-final.service +%{_unitdir}/cloud-init-main.service +%{_unitdir}/cloud-init-local.service +%{_unitdir}/cloud-init-network.service +%{_unitdir}/cloud-config.target +%{_unitdir}/cloud-init.target 
/usr/lib/systemd/system-generators/cloud-init-generator -%{_unitdir}/cloud-* -%{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager -%{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient -# Program binaries +%{_unitdir}/cloud-init-hotplugd.service +%{_unitdir}/cloud-init-hotplugd.socket +%{_unitdir}/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf +%{_tmpfilesdir}/%{name}.conf +%{python3_sitelib}/* +%{_libdir}/%{name} %{_bindir}/cloud-init* -%{_bindir}/cloud-id* -# Docs -%doc LICENSE ChangeLog TODO.rst requirements.txt -%doc %{_defaultdocdir}/cloud-init/* -# Configs -%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg -%dir %{_sysconfdir}/cloud/cloud.cfg.d -%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/*.cfg -%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/README -%dir %{_sysconfdir}/cloud/templates -%config(noreplace) %{_sysconfdir}/cloud/templates/* -%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf -# Bash completion script +%{_bindir}/cloud-id +%dir /run/cloud-init +%dir /var/lib/cloud %{_datadir}/bash-completion/completions/cloud-init -%{_libexecdir}/%{name} -%dir %{_sharedstatedir}/cloud -# Python code is here... -%{python_sitelib}/* -%{file_patch}/ds-identify -%{file_patch}/uncloud-init -%{file_patch}/write-ssh-key-fingerprints + %changelog -* Thu May 27 2025 shaxiaoxiao - 19.1.17-5 +* Thu Jul 03 2025 mgb01105731 - 25.1.3-1 +- Update to 25.1.3 to fix CVE-2024-6174 and CVE-2024-11584 and CVE-2023-1786 +- Delete patches as patch content is no longer needed + +* Tue May 27 2025 shaxiaoxiao - 19.1.17-5 - Fix CVE-2023-1786 * Thu Apr 17 2025 mgb01105731 - 19.1.17-4
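Review bot: `%{_libdir}/%{name}` in the new %files list looks wrong for the helper scripts: on 64-bit builders `%{_libdir}` expands to /usr/lib64, whereas the old spec packaged ds-identify, uncloud-init and write-ssh-key-fingerprints from `%{file_patch}` (/usr/libexec/cloud-init or /usr/lib/cloud-init), and a `BuildArch: noarch` package should not reference an arch-dependent directory at all. Unless the build host's macros differ, the build will fail with those helpers missing from the manifest; `%{_libexecdir}/%{name}` or `%{_prefix}/lib/%{name}`, whichever setup.py installs into on this distro, should be listed instead — worth confirming against the build log. The same hunk drops the old `%post` symlink into /etc/cloud/cloud.cfg.d and the image-id driven sed edits of the unit files, which is an improvement, but the changelog entry does not mention that behaviour change and a line there would help anyone upgrading.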