From bc87085215673e45eaa11fb8e49b71c1304d9b80 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Wed, 9 Dec 2020 10:17:30 +0800 Subject: [PATCH 1/7] fix CVE-2020-8631 CVE-2020-8632 --- ...Random-when-generating-random-passwo.patch | 31 +++++++++++++++++++ ...increase-random-pwlength-from-9-to-2.patch | 29 +++++++++++++++++ cloud-init.spec | 10 +++++- 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch create mode 100644 backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch diff --git a/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch b/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch new file mode 100644 index 0000000..c2d86f3 --- /dev/null +++ b/backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch @@ -0,0 +1,31 @@ +From 3e2f7356effc9e9cccc5ae945846279804eedc46 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Tue, 18 Feb 2020 17:03:24 +0000 +Subject: [PATCH] utils: use SystemRandom when generating random + password. (#204) + +As noticed by Seth Arnold, non-deterministic SystemRandom should be +used when creating security sensitive random strings. +--- + cloudinit/util.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/cloudinit/util.py b/cloudinit/util.py +index d99e82f..c02b3d9 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -397,9 +397,10 @@ def translate_bool(val, addons=None): + + + def rand_str(strlen=32, select_from=None): ++ r = random.SystemRandom() + if not select_from: + select_from = string.ascii_letters + string.digits +- return "".join([random.choice(select_from) for _x in range(0, strlen)]) ++ return "".join([r.choice(select_from) for _x in range(0, strlen)]) + + + def rand_dict_key(dictionary, postfix=None): +-- +1.8.3.1 + diff --git a/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch b/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch new file mode 100644 index 0000000..e48e821 --- /dev/null +++ b/backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch @@ -0,0 +1,29 @@ +From 42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 Mon Sep 17 00:00:00 2001 +From: Ryan Harper +Date: Fri, 24 Jan 2020 21:33:12 +0200 +Subject: [PATCH] cc_set_password: increase random pwlength from 9 to + 20 (#189) + +Increasing the bits of security from 52 to 115. + +LP: #1860795 +--- + cloudinit/config/cc_set_passwords.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py +index e3b39d8..4943d54 100755 +--- a/cloudinit/config/cc_set_passwords.py ++++ b/cloudinit/config/cc_set_passwords.py +@@ -236,7 +236,7 @@ def handle(_name, cfg, cloud, log, args): + raise errors[-1] + + +-def rand_user_password(pwlen=9): ++def rand_user_password(pwlen=20): + return util.rand_str(pwlen, select_from=PW_SET) + + +-- +1.8.3.1 + diff --git a/cloud-init.spec b/cloud-init.spec index 60d38c8..feb2f70 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 1 +Release: 2 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -13,6 +13,8 @@ Patch2: cloud-init-19.4-no-override-default-network.patch Patch3: bugfix-cloud-init-add-openEuler-os.patch Patch4: bugfix-sort-requirements.patch Patch5: add-variable-to-forbid-tmp-dir.patch +Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch +Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2 @@ -119,6 +121,12 @@ fi %exclude /usr/share/doc/* %changelog +* Wed Dec 9 2020 yangzhuangzhuang - 19.4-2 +- Type:bugfix +- ID:CVE-2020-8631 CVE-2020-8632 +- SUG:NA +- DESC:fix CVE-2020-8631 CVE-2020-8632 + * Mon Aug 3 2020 chengquan - 19.4-1 - Update software to v19.4 -- Gitee From 9e29e2a9f44d9ccffddd8d75cbd65b7ccefb0955 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Sat, 22 May 2021 16:58:29 +0800 Subject: [PATCH 2/7] enable make check --- cloud-init.spec | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/cloud-init.spec b/cloud-init.spec index feb2f70..b94df2e 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 2 +Release: 3 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -21,7 +21,7 @@ BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2 BuildRequires: python3-jinja2 python3-jsonpatch python3-jsonschema BuildRequires: python3-mock python3-nose python3-oauthlib python3-prettytable BuildRequires: python3-pyserial python3-PyYAML python3-requests python3-six -BuildRequires: python3-unittest2 dnf %{_vendor}-release +BuildRequires: python3-unittest2 dnf %{_vendor}-release passwd Requires: e2fsprogs iproute python3-libselinux net-tools python3-policycoreutils Requires: procps python3-configobj python3-jinja2 python3-jsonpatch xfsprogs @@ -59,7 +59,7 @@ install -D -m 0644 tools/21-cloudinit.conf %{buildroot}/%{_sysconfdir}/rsyslog.d rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_handler/test_handler_ntp.py rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_datasource/test_opennebula.py -#nosetests-%%{python3_version} tests/unittests/ +nosetests-%{python3_version} tests/unittests/ %pre @@ -121,6 +121,12 @@ fi %exclude /usr/share/doc/* %changelog +* Sat May 22 2021 yangzhuangzhuang - 19.4-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:enabled make check + * Wed Dec 9 2020 yangzhuangzhuang - 19.4-2 - Type:bugfix - ID:CVE-2020-8631 CVE-2020-8632 -- Gitee From 1267a412a880c6218e875e941116d7cc538d9ad8 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Tue, 25 May 2021 10:11:24 +0800 Subject: [PATCH 3/7] Fix the error level logs displayed for the cloud-init-local service --- ...yed-for-the-cloud-init-local-service.patch | 30 +++++++++++++++++++ cloud-init.spec | 10 ++++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch diff --git a/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch b/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch new file mode 100644 index 0000000..91064ca --- /dev/null +++ b/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch @@ -0,0 +1,30 @@ +From 2009784e662c03d8d223161c003959511be31518 Mon Sep 17 00:00:00 2001 +From: yang_zhuang_zhuang +Date: Thu, 18 Mar 2021 15:16:35 +0800 +Subject: [PATCH] Fix the error-level logs displayed for the cloud-init-local service + +After cloud-init is installed,restart the host and check the status of the cloud-init-local service.The following error log is displayed:stages.py[ERROR]:Unable to render networking. +The value returned by return (util.system_info() ['variant'] in KNOWN_DISTROS) in the sysconfig.py file is not in the given list of KNOWN_DISTROS. +The actual return value is linux. + +Reference:https://bugs.almalinux.org/view.php?id=32&nbn=1 +--- + cloudinit/net/sysconfig.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py +index 0a5d481..17ba3c5 100644 +--- a/cloudinit/net/sysconfig.py ++++ b/cloudinit/net/sysconfig.py +@@ -19,7 +19,7 @@ from .network_state import ( + + LOG = logging.getLogger(__name__) + NM_CFG_FILE = "/etc/NetworkManager/NetworkManager.conf" +-KNOWN_DISTROS = ['centos', 'fedora', 'rhel', 'suse'] ++KNOWN_DISTROS = ['centos', 'fedora', 'rhel', 'suse', 'linux'] + + + def _make_header(sep='#'): +-- +1.8.3.1 + diff --git a/cloud-init.spec b/cloud-init.spec index b94df2e..a00a0d0 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 3 +Release: 4 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -16,6 +16,8 @@ Patch5: add-variable-to-forbid-tmp-dir.patch Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch +Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch + BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2 BuildRequires: python3-jinja2 python3-jsonpatch python3-jsonschema @@ -121,6 +123,12 @@ fi %exclude /usr/share/doc/* %changelog +* Tue May 24 2021 yangzhuangzhuang - 19.4-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix the error level logs displayed for the cloud-init-local service + * Sat May 22 2021 yangzhuangzhuang - 19.4-3 - Type:bugfix - ID:NA -- Gitee From 4c14b89b3defd11d821ad40fa415efed5acb60d9 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Wed, 22 Sep 2021 11:09:34 +0800 Subject: [PATCH 4/7] Fix CVE-2021-3429 --- ...only-to-serial-console-lock-down-clo.patch | 304 ++++++++++++++++++ cloud-init.spec | 9 +- 2 files changed, 312 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch diff --git a/backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch b/backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch new file mode 100644 index 0000000..ada98f5 --- /dev/null +++ b/backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch @@ -0,0 +1,304 @@ +From b794d426b9ab43ea9d6371477466070d86e10668 Mon Sep 17 00:00:00 2001 +From: Daniel Watkins +Date: Fri, 19 Mar 2021 10:06:42 -0400 +Subject: [PATCH] write passwords only to serial console, lock down + cloud-init-output.log (#847) + +Prior to this commit, when a user specified configuration which would +generate random passwords for users, cloud-init would cause those +passwords to be written to the serial console by emitting them on +stderr. In the default configuration, any stdout or stderr emitted by +cloud-init is also written to `/var/log/cloud-init-output.log`. This +file is world-readable, meaning that those randomly-generated passwords +were available to be read by any user with access to the system. This +presents an obvious security issue. + +This commit responds to this issue in two ways: + +* We address the direct issue by moving from writing the passwords to + sys.stderr to writing them directly to /dev/console (via + util.multi_log); this means that the passwords will never end up in + cloud-init-output.log +* To avoid future issues like this, we also modify the logging code so + that any files created in a log sink subprocess will only be + owner/group readable and, if it exists, will be owned by the adm + group. This results in `/var/log/cloud-init-output.log` no longer + being world-readable, meaning that if there are other parts of the + codebase that are emitting sensitive data intended for the serial + console, that data is no longer available to all users of the system. + +LP: #1918303 +--- + cloudinit/config/cc_set_passwords.py | 5 +- + cloudinit/config/tests/test_set_passwords.py | 40 +++++++++---- + cloudinit/tests/test_util.py | 56 +++++++++++++++++++ + cloudinit/util.py | 38 +++++++++++-- + .../modules/test_set_password.py | 24 ++++++++ + tests/integration_tests/test_logging.py | 22 ++++++++ + tests/unittests/test_util.py | 4 ++ + 7 files changed, 173 insertions(+), 16 deletions(-) + create mode 100644 tests/integration_tests/test_logging.py + +diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py +index d6b5682db4..433de751fa 100755 +--- a/cloudinit/config/cc_set_passwords.py ++++ b/cloudinit/config/cc_set_passwords.py +@@ -78,7 +78,6 @@ + """ + + import re +-import sys + + from cloudinit.distros import ug_util + from cloudinit import log as logging +@@ -214,7 +213,9 @@ def handle(_name, cfg, cloud, log, args): + if len(randlist): + blurb = ("Set the following 'random' passwords\n", + '\n'.join(randlist)) +- sys.stderr.write("%s\n%s\n" % blurb) ++ util.multi_log( ++ "%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False ++ ) + + if expire: + expired_users = [] +diff --git a/cloudinit/config/tests/test_set_passwords.py b/cloudinit/config/tests/test_set_passwords.py +index 639fb9e..1350c34 100644 +--- a/cloudinit/config/tests/test_set_passwords.py ++++ b/cloudinit/config/tests/test_set_passwords.py +@@ -125,10 +125,12 @@ class TestSetPasswordsHandle(CiTestCase): + mock.call(['pw', 'usermod', 'ubuntu', '-p', '01-Jan-1970'])], + m_subp.call_args_list) + ++ @mock.patch(MODPATH + "util.multi_log") + @mock.patch(MODPATH + "util.is_FreeBSD") + @mock.patch(MODPATH + "util.subp") +- def test_handle_on_chpasswd_list_creates_random_passwords(self, m_subp, +- m_is_freebsd): ++ def test_handle_on_chpasswd_list_creates_random_passwords( ++ self, m_subp, m_is_bsd, m_multi_log ++ ): + """handle parses command set random passwords.""" + m_is_freebsd.return_value = False + cloud = self.tmp_cloud(distro='ubuntu') +@@ -142,10 +144,30 @@ class TestSetPasswordsHandle(CiTestCase): + self.assertIn( + 'DEBUG: Handling input for chpasswd as list.', + self.logs.getvalue()) +- self.assertNotEqual( +- [mock.call(['chpasswd'], +- '\n'.join(valid_random_pwds) + '\n')], +- m_subp.call_args_list) +- ++ self.assertEqual(1, m_subp.call_count) ++ args, _kwargs = m_subp.call_args ++ self.assertEqual(["chpasswd"], args[0]) ++ ++ stdin = args[1] ++ user_pass = { ++ user: password ++ for user, password ++ in (line.split(":") for line in stdin.splitlines()) ++ } ++ ++ self.assertEqual(1, m_multi_log.call_count) ++ self.assertEqual( ++ mock.call(mock.ANY, stderr=False, fallback_to_stdout=False), ++ m_multi_log.call_args ++ ) ++ ++ self.assertEqual(set(["root", "ubuntu"]), set(user_pass.keys())) ++ written_lines = m_multi_log.call_args[0][0].splitlines() ++ for password in user_pass.values(): ++ for line in written_lines: ++ if password in line: ++ break ++ else: ++ self.fail("Password not emitted to console") + + # vi: ts=4 expandtab +diff --git a/cloudinit/tests/test_util.py b/cloudinit/tests/test_util.py +index 64ed82e..667047f 100644 +--- a/cloudinit/tests/test_util.py ++++ b/cloudinit/tests/test_util.py +@@ -582,4 +582,60 @@ class TestIsLXD(CiTestCase): + self.assertFalse(util.is_lxd()) + m_exists.assert_called_once_with('/dev/lxd/sock') + ++@mock.patch("cloudinit.util.grp.getgrnam") ++@mock.patch("cloudinit.util.os.setgid") ++@mock.patch("cloudinit.util.os.umask") ++class TestRedirectOutputPreexecFn: ++ """This tests specifically the preexec_fn used in redirect_output.""" ++ ++ @pytest.fixture(params=["outfmt", "errfmt"]) ++ def preexec_fn(self, request): ++ """A fixture to gather the preexec_fn used by redirect_output. ++ ++ This enables simpler direct testing of it, and parameterises any tests ++ using it to cover both the stdout and stderr code paths. ++ """ ++ test_string = "| piped output to invoke subprocess" ++ if request.param == "outfmt": ++ args = (test_string, None) ++ elif request.param == "errfmt": ++ args = (None, test_string) ++ with mock.patch("cloudinit.util.subprocess.Popen") as m_popen: ++ util.redirect_output(*args) ++ ++ assert 1 == m_popen.call_count ++ _args, kwargs = m_popen.call_args ++ assert "preexec_fn" in kwargs, "preexec_fn not passed to Popen" ++ return kwargs["preexec_fn"] ++ ++ def test_preexec_fn_sets_umask( ++ self, m_os_umask, _m_setgid, _m_getgrnam, preexec_fn ++ ): ++ """preexec_fn should set a mask that avoids world-readable files.""" ++ preexec_fn() ++ ++ assert [mock.call(0o037)] == m_os_umask.call_args_list ++ ++ def test_preexec_fn_sets_group_id_if_adm_group_present( ++ self, _m_os_umask, m_setgid, m_getgrnam, preexec_fn ++ ): ++ """We should setgrp to adm if present, so files are owned by them.""" ++ fake_group = mock.Mock(gr_gid=mock.sentinel.gr_gid) ++ m_getgrnam.return_value = fake_group ++ ++ preexec_fn() ++ ++ assert [mock.call("adm")] == m_getgrnam.call_args_list ++ assert [mock.call(mock.sentinel.gr_gid)] == m_setgid.call_args_list ++ ++ def test_preexec_fn_handles_absent_adm_group_gracefully( ++ self, _m_os_umask, m_setgid, m_getgrnam, preexec_fn ++ ): ++ """We should handle an absent adm group gracefully.""" ++ m_getgrnam.side_effect = KeyError("getgrnam(): name not found: 'adm'") ++ ++ preexec_fn() ++ ++ assert 0 == m_setgid.call_count ++ + # vi: ts=4 expandtab +diff --git a/cloudinit/util.py b/cloudinit/util.py +index 769f3425ee..4e0a72db86 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -359,7 +359,7 @@ def find_modules(root_dir): + + + def multi_log(text, console=True, stderr=True, +- log=None, log_level=logging.DEBUG): ++ log=None, log_level=logging.DEBUG, fallback_to_stdout=True): + if stderr: + sys.stderr.write(text) + if console: +@@ -368,7 +368,7 @@ def multi_log(text, console=True, stderr=True, + with open(conpath, 'w') as wfh: + wfh.write(text) + wfh.flush() +- else: ++ elif fallback_to_stdout: + # A container may lack /dev/console (arguably a container bug). If + # it does not exist, then write output to stdout. this will result + # in duplicate stderr and stdout messages if stderr was True. +@@ -623,6 +623,26 @@ def redirect_output(outfmt, errfmt, o_out=None, o_err=None): + if not o_err: + o_err = sys.stderr + ++ # pylint: disable=subprocess-popen-preexec-fn ++ def set_subprocess_umask_and_gid(): ++ """Reconfigure umask and group ID to create output files securely. ++ ++ This is passed to subprocess.Popen as preexec_fn, so it is executed in ++ the context of the newly-created process. It: ++ ++ * sets the umask of the process so created files aren't world-readable ++ * if an adm group exists in the system, sets that as the process' GID ++ (so that the created file(s) are owned by root:adm) ++ """ ++ os.umask(0o037) ++ try: ++ group_id = grp.getgrnam("adm").gr_gid ++ except KeyError: ++ # No adm group, don't set a group ++ pass ++ else: ++ os.setgid(group_id) ++ + if outfmt: + LOG.debug("Redirecting %s to %s", o_out, outfmt) + (mode, arg) = outfmt.split(" ", 1) +@@ -632,7 +652,12 @@ def redirect_output(outfmt, errfmt, o_out=None, o_err=None): + owith = "wb" + new_fp = open(arg, owith) + elif mode == "|": +- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE) ++ proc = subprocess.Popen( ++ arg, ++ shell=True, ++ stdin=subprocess.PIPE, ++ preexec_fn=set_subprocess_umask_and_gid, ++ ) + new_fp = proc.stdin + else: + raise TypeError("Invalid type for output format: %s" % outfmt) +@@ -654,7 +679,12 @@ def redirect_output(outfmt, errfmt, o_out=None, o_err=None): + owith = "wb" + new_fp = open(arg, owith) + elif mode == "|": +- proc = subprocess.Popen(arg, shell=True, stdin=subprocess.PIPE) ++ proc = subprocess.Popen( ++ arg, ++ shell=True, ++ stdin=subprocess.PIPE, ++ preexec_fn=set_subprocess_umask_and_gid, ++ ) + new_fp = proc.stdin + else: + raise TypeError("Invalid type for error format: %s" % errfmt) +diff --git a/tests/integration_tests/test_logging.py b/tests/integration_tests/test_logging.py +new file mode 100644 +index 0000000000..b31a043482 +--- /dev/null ++++ b/tests/integration_tests/test_logging.py +@@ -0,0 +1,22 @@ ++"""Integration tests relating to cloud-init's logging.""" ++ ++ ++class TestVarLogCloudInitOutput: ++ """Integration tests relating to /var/log/cloud-init-output.log.""" ++ ++ def test_var_log_cloud_init_output_not_world_readable(self, client): ++ """ ++ The log can contain sensitive data, it shouldn't be world-readable. ++ ++ LP: #1918303 ++ """ ++ # Check the file exists ++ assert client.execute("test -f /var/log/cloud-init-output.log").ok ++ ++ # Check its permissions are as we expect ++ perms, user, group = client.execute( ++ "stat -c %a:%U:%G /var/log/cloud-init-output.log" ++ ).split(":") ++ assert "640" == perms ++ assert "root" == user ++ assert "adm" == group +diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py +index 857629f1c4..e52920010a 100644 +--- a/tests/unittests/test_util.py ++++ b/tests/unittests/test_util.py +@@ -572,6 +572,10 @@ def test_logs_go_to_stdout_if_console_does_not_exist(self): + util.multi_log(logged_string) + self.assertEqual(logged_string, self.stdout.getvalue()) + ++ def test_logs_dont_go_to_stdout_if_fallback_to_stdout_is_false(self): ++ util.multi_log('something', fallback_to_stdout=False) ++ self.assertEqual('', self.stdout.getvalue()) ++ + def test_logs_go_to_log_if_given(self): + log = mock.MagicMock() + logged_string = 'something very important' diff --git a/cloud-init.spec b/cloud-init.spec index a00a0d0..6d3a1eb 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 4 +Release: 5 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -15,6 +15,7 @@ Patch4: bugfix-sort-requirements.patch Patch5: add-variable-to-forbid-tmp-dir.patch Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch +Patch8: backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch @@ -123,6 +124,12 @@ fi %exclude /usr/share/doc/* %changelog +* Wed Sep 22 2021 yangzhuangzhuang - 19.4-5 +- Type:CVE +- ID:CVE-2021-3429 +- SUG:NA +- DESC:Fix CVE-2021-3429 + * Tue May 24 2021 yangzhuangzhuang - 19.4-4 - Type:bugfix - ID:NA -- Gitee From 9f25e09176113b3250a49a20881fe38729b41799 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Wed, 1 Dec 2021 16:12:21 +0800 Subject: [PATCH 5/7] change openEuler to openeuler --- ...yed-for-the-cloud-init-local-service.patch | 2 +- bugfix-cloud-init-add-openEuler-os.patch | 59 ++++++++++++------- cloud-init.spec | 10 +++- 3 files changed, 47 insertions(+), 24 deletions(-) diff --git a/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch b/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch index 91064ca..11b36bf 100644 --- a/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch +++ b/Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch @@ -21,7 +21,7 @@ index 0a5d481..17ba3c5 100644 LOG = logging.getLogger(__name__) NM_CFG_FILE = "/etc/NetworkManager/NetworkManager.conf" -KNOWN_DISTROS = ['centos', 'fedora', 'rhel', 'suse'] -+KNOWN_DISTROS = ['centos', 'fedora', 'rhel', 'suse', 'linux'] ++KNOWN_DISTROS = ['centos', 'fedora', 'rhel', 'suse', 'openeuler'] def _make_header(sep='#'): diff --git a/bugfix-cloud-init-add-openEuler-os.patch b/bugfix-cloud-init-add-openEuler-os.patch index 41a953b..85ec461 100644 --- a/bugfix-cloud-init-add-openEuler-os.patch +++ b/bugfix-cloud-init-add-openEuler-os.patch @@ -1,9 +1,9 @@ From 098429a75ea00df1d8a5670e45df6babfc37f327 Mon Sep 17 00:00:00 2001 From: chengquan Date: Thu, 8 Aug 2019 16:11:58 +0800 -Subject: [PATCH] cloud-init: cloud-init add openEuler os +Subject: [PATCH] cloud-init: cloud-init add openeuler os -reason: add openEuler into distros +reason: add openeuler into distros Signed-off-by: chengquan --- @@ -14,14 +14,15 @@ Signed-off-by: chengquan cloud-init-19.4/cloudinit/config/cc_spacewalk.py | 2 +- .../cloudinit/config/cc_yum_add_repo.py | 2 +- cloud-init-19.4/cloudinit/distros/__init__.py | 2 +- - cloud-init-19.4/cloudinit/distros/openEuler.py | 12 ++++ + cloud-init-19.4/cloudinit/distros/openeuler.py | 12 ++++ cloud-init-19.4/cloudinit/util.py | 2 +- cloud-init-19.4/config/cloud.cfg.tmpl | 8 +-- cloud-init-19.4/systemd/cloud-init.service.tmpl | 2 +- cloud-init-19.4/tests/cloud_tests/util.py | 2 +- cloud-init-19.4/tools/render-cloudcfg | 2 +- - 14 files changed, 95 insertions(+), 15 deletions(-) - create mode 100644 cloud-init-19.4/cloudinit/distros/openEuler.py + cloud-init-19.4/systemd/cloud-init-generator.tmpl | 2 +- + 15 files changed, 96 insertions(+), 16 deletions(-) + create mode 100644 cloud-init-19.4/cloudinit/distros/openeuler.py diff --git a/cloudinit/config/cc_ntp.py b/cloudinit/config/cc_ntp.py index d43d060..4f14c10 100644 @@ -32,7 +33,7 @@ index d43d060..4f14c10 100644 NTP_CONF = '/etc/ntp.conf' NR_POOL_SERVERS = 4 -distros = ['centos', 'debian', 'fedora', 'opensuse', 'rhel', 'sles', 'ubuntu'] -+distros = ['centos', 'debian', 'fedora', 'opensuse', 'rhel', 'sles', 'ubuntu', 'openEuler'] ++distros = ['centos', 'debian', 'fedora', 'opensuse', 'rhel', 'sles', 'ubuntu', 'openeuler'] NTP_CLIENT_CONFIG = { 'chrony': { @@ -45,7 +46,7 @@ index 9812562..973fe2e 100644 frequency = PER_INSTANCE -distros = ['fedora', 'opensuse', 'rhel', 'sles'] -+distros = ['fedora', 'opensuse', 'rhel', 'sles', 'openEuler'] ++distros = ['fedora', 'opensuse', 'rhel', 'sles', 'openeuler'] def generate_resolv_conf(template_fn, params, target_fname="/etc/resolv.conf"): @@ -58,7 +59,7 @@ index 7f36cf8..23f3a5a 100644 LOG = logging.getLogger(__name__) -distros = ['fedora', 'rhel'] -+distros = ['fedora', 'rhel', 'openEuler'] ++distros = ['fedora', 'rhel', 'openeuler'] def handle(name, cfg, _cloud, log, _args): @@ -71,7 +72,7 @@ index 1020e94..63e9d3b 100644 -distros = ['redhat', 'fedora'] -+distros = ['redhat', 'fedora', 'openEuler'] ++distros = ['redhat', 'fedora', 'openeuler'] required_packages = ['rhn-setup'] def_ca_cert_path = "/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT" @@ -84,7 +85,7 @@ index 6a42f49..9b2d1bd 100644 from cloudinit import util -distros = ['fedora', 'rhel'] -+distros = ['fedora', 'rhel', 'openEuler'] ++distros = ['fedora', 'rhel', 'openeuler'] def _canonicalize_id(repo_id): @@ -97,7 +98,7 @@ index d5becd1..f6eb899 100755 OSFAMILIES = { 'debian': ['debian', 'ubuntu'], - 'redhat': ['amazon', 'centos', 'fedora', 'rhel'], -+ 'redhat': ['amazon', 'centos', 'fedora', 'rhel', 'openEuler'], ++ 'redhat': ['amazon', 'centos', 'fedora', 'rhel', 'openeuler'], 'gentoo': ['gentoo'], 'freebsd': ['freebsd'], 'suse': ['opensuse', 'sles'], @@ -110,7 +111,7 @@ index e1290aa..d85daf0 100644 linux_dist = info['dist'][0].lower() if linux_dist in ( - 'arch', 'centos', 'debian', 'fedora', 'rhel', 'suse'): -+ 'arch', 'centos', 'debian', 'fedora', 'rhel', 'suse', 'openEuler'): ++ 'arch', 'centos', 'debian', 'fedora', 'rhel', 'suse', 'openeuler'): var = linux_dist elif linux_dist in ('ubuntu', 'linuxmint', 'mint'): var = 'ubuntu' @@ -123,7 +124,7 @@ index 50e3bd8..e3816f2 100644 {% endif %} -{% if variant in ["centos", "fedora", "rhel"] %} -+{% if variant in ["centos", "fedora", "rhel", "openEuler"] %} ++{% if variant in ["centos", "fedora", "rhel", "openeuler"] %} mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2'] resize_rootfs_tmp: /dev ssh_pwauth: 0 @@ -132,7 +133,7 @@ index 50e3bd8..e3816f2 100644 - locale - set-passwords -{% if variant in ["rhel", "fedora"] %} -+{% if variant in ["rhel", "fedora", "openEuler"] %} ++{% if variant in ["rhel", "fedora", "openeuler"] %} - spacewalk - yum-add-repo {% endif %} @@ -141,7 +142,7 @@ index 50e3bd8..e3816f2 100644 system_info: # This will affect which distro class gets used -{% if variant in ["arch", "centos", "debian", "fedora", "freebsd", "rhel", "suse", "ubuntu"] %} -+{% if variant in ["arch", "centos", "debian", "fedora", "freebsd", "rhel", "suse", "ubuntu", "openEuler"] %} ++{% if variant in ["arch", "centos", "debian", "fedora", "freebsd", "rhel", "suse", "ubuntu", "openeuler"] %} distro: {{ variant }} {% else %} # Unknown/fallback distro. @@ -150,7 +151,7 @@ index 50e3bd8..e3816f2 100644 security: http://ports.ubuntu.com/ubuntu-ports ssh_svcname: ssh -{% elif variant in ["arch", "centos", "fedora", "rhel", "suse"] %} -+{% elif variant in ["arch", "centos", "fedora", "rhel", "suse", "openEuler"] %} ++{% elif variant in ["arch", "centos", "fedora", "rhel", "suse", "openeuler"] %} # Default user name + that default users groups (if added/used) default_user: name: {{ variant }} @@ -163,7 +164,7 @@ index b92e8ab..f59d4fd 100644 After=networking.service {% endif %} -{% if variant in ["centos", "fedora", "redhat"] %} -+{% if variant in ["centos", "fedora", "redhat", "openEuler"] %} ++{% if variant in ["centos", "fedora", "redhat", "openeuler"] %} After=network.service After=NetworkManager.service {% endif %} @@ -176,7 +177,7 @@ index 4357fbb..7d3034d 100644 OS_FAMILY_MAPPING = { 'debian': ['debian', 'ubuntu'], - 'redhat': ['centos', 'rhel', 'fedora'], -+ 'redhat': ['centos', 'rhel', 'fedora', 'openEuler'], ++ 'redhat': ['centos', 'rhel', 'fedora', 'openeuler'], 'gentoo': ['gentoo'], 'freebsd': ['freebsd'], 'suse': ['sles'], @@ -189,15 +190,15 @@ index 91d074b..7a8a2c4 100755 VARIANTS = ["arch", "centos", "debian", "fedora", "freebsd", "rhel", "suse", - "ubuntu", "unknown"] -+ "ubuntu", "unknown", "openEuler"] ++ "ubuntu", "unknown", "openeuler"] if "avoid-pep8-E402-import-not-top-of-file": _tdir = os.path.abspath(os.path.join(os.path.dirname(__file__), "..")) -diff --git a/cloudinit/distros/openEuler.py b/cloudinit/distros/openEuler.py +diff --git a/cloudinit/distros/openeuler.py b/cloudinit/distros/openeuler.py new file mode 100644 index 0000000..5ac4700 --- /dev/null -+++ b/cloudinit/distros/openEuler.py ++++ b/cloudinit/distros/openeuler.py @@ -0,0 +1,12 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2019-2019. All rights reserved. +# This file is part of cloud-init. See LICENSE file for license information. @@ -211,3 +212,19 @@ index 0000000..5ac4700 + pass + +# vi: ts=4 expandtab +diff --git a/systemd/cloud-init-generator.tmpl b/systemd/cloud-init-generator.tmpl +index 45efa24..8bd49cc 100755 +--- a/systemd/cloud-init-generator.tmpl ++++ b/systemd/cloud-init-generator.tmpl +@@ -83,7 +83,7 @@ default() { + + check_for_datasource() { + local ds_rc="" +-{% if variant in ["redhat", "fedora", "centos"] %} ++{% if variant in ["redhat", "fedora", "centos", "openeuler"] %} + local dsidentify="/usr/libexec/cloud-init/ds-identify" + {% else %} + local dsidentify="/usr/lib/cloud-init/ds-identify" +-- +1.8.3.1 + diff --git a/cloud-init.spec b/cloud-init.spec index 6d3a1eb..34f4e83 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 5 +Release: 6 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -52,7 +52,7 @@ sed -i 's/\/etc\/redhat-release/\/etc\/%{_vendor}-release/g' setup.py %install %py3_install -- --init-system=systemd -python3 tools/render-cloudcfg --variant openEuler > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg +python3 tools/render-cloudcfg --variant openeuler > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg install -d %{buildroot}/var/lib/cloud install -d %{buildroot}/run/%{name} install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf @@ -124,6 +124,12 @@ fi %exclude /usr/share/doc/* %changelog +* Sat Dec 4 2021 yangzhuangzhuang - 19.4-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:change openEuler to openeuler + * Wed Sep 22 2021 yangzhuangzhuang - 19.4-5 - Type:CVE - ID:CVE-2021-3429 -- Gitee From 7da958d4c86e623966e0359fa993035ee61391d2 Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Fri, 1 Apr 2022 16:28:12 +0800 Subject: [PATCH 6/7] Fix test_net.py testcase fail --- ...itional-mocks-to-test_net-tests-1356.patch | 40 +++++++++++++++++++ cloud-init.spec | 9 ++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 backport-testing-add-additional-mocks-to-test_net-tests-1356.patch diff --git a/backport-testing-add-additional-mocks-to-test_net-tests-1356.patch b/backport-testing-add-additional-mocks-to-test_net-tests-1356.patch new file mode 100644 index 0000000..8a29b6c --- /dev/null +++ b/backport-testing-add-additional-mocks-to-test_net-tests-1356.patch @@ -0,0 +1,40 @@ +From d8f39d79fcdb548252823949a4b24f49a00e8c27 Mon Sep 17 00:00:00 2001 +From: yangzz-97 <70520104+yangzz-97@users.noreply.github.com> +Date: Thu, 31 Mar 2022 22:00:33 +0800 +Subject: [PATCH] testing: add additional mocks to test_net tests (#1356) + +Tests in tests/unittests/test_net.py::TestGetInterfaces were missing +mocks for bond and failover calls. + +Signed-off-by: yangzz-97 +--- + tests/unittests/test_net.py | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tests/unittests/test_net.py b/tests/unittests/test_net.py +index 6294f4b..ce19498 100644 +--- a/tests/unittests/test_net.py ++++ b/tests/unittests/test_net.py +@@ -5404,12 +5404,18 @@ class TestGetInterfaces(CiTestCase): + def _se_interface_has_own_mac(self, name): + return name in self.data['own_macs'] + ++ def _se_is_bond(self, name): ++ return name in self.data["bonds"] ++ ++ def _se_is_netfailover(self, name): ++ return False ++ + def _mock_setup(self): + self.data = copy.deepcopy(self._data) + self.data['devices'] = set(list(self.data['macs'].keys())) + mocks = ('get_devicelist', 'get_interface_mac', 'is_bridge', + 'interface_has_own_mac', 'is_vlan', 'device_driver', +- 'device_devid') ++ 'device_devid', 'is_bond', 'is_netfailover') + self.mocks = {} + for n in mocks: + m = mock.patch('cloudinit.net.' + n, +-- +1.8.3.1 + diff --git a/cloud-init.spec b/cloud-init.spec index 34f4e83..c891066 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 6 +Release: 7 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -16,6 +16,7 @@ Patch5: add-variable-to-forbid-tmp-dir.patch Patch6: backport-CVE-2020-8631-utils-use-SystemRandom-when-generating-random-passwo.patch Patch7: backport-CVE-2020-8632-cc_set_password-increase-random-pwlength-from-9-to-2.patch Patch8: backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down-clo.patch +Patch9: backport-testing-add-additional-mocks-to-test_net-tests-1356.patch Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch @@ -124,6 +125,12 @@ fi %exclude /usr/share/doc/* %changelog +* Fri Apr 1 2022 yangzhuangzhuang - 19.4-7 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix test_net.py testcase fail + * Sat Dec 4 2021 yangzhuangzhuang - 19.4-6 - Type:bugfix - ID:NA -- Gitee From 08fff4c7c016df13f4c3cebe3d4bfe8c17f5bbc9 Mon Sep 17 00:00:00 2001 From: shixuantong Date: Mon, 4 Mar 2024 17:29:17 +0800 Subject: [PATCH 7/7] add touch file to check cloud-init-generator --- ...h-file-to-check-cloud-init-generator.patch | 41 +++++++++++++++++++ cloud-init.spec | 11 ++++- 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 0001-add-touch-file-to-check-cloud-init-generator.patch diff --git a/0001-add-touch-file-to-check-cloud-init-generator.patch b/0001-add-touch-file-to-check-cloud-init-generator.patch new file mode 100644 index 0000000..b9363a3 --- /dev/null +++ b/0001-add-touch-file-to-check-cloud-init-generator.patch @@ -0,0 +1,41 @@ +From 5a19dd44a60a296f1a33e2ad6be6a5c233f61c94 Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Mon, 4 Mar 2024 17:26:52 +0800 +Subject: [PATCH] add touch file to check cloud-init-generator + +--- + systemd/cloud-init-generator.tmpl | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/systemd/cloud-init-generator.tmpl b/systemd/cloud-init-generator.tmpl +index 8bd49cc..2bbe0d7 100755 +--- a/systemd/cloud-init-generator.tmpl ++++ b/systemd/cloud-init-generator.tmpl +@@ -18,6 +18,8 @@ CLOUD_SYSTEM_TARGET="/lib/systemd/system/cloud-init.target" + CLOUD_TARGET_NAME="cloud-init.target" + # lxc sets 'container', but lets make that explicitly a global + CONTAINER="${container}" ++CLOUD_GENERATOR_ENTRY_FILE="/var/log/cloud-init-generator-starting" ++CLOUD_GENERATOR_EXIT_FILE="/var/log/cloud-init-generator-exiting" + + debug() { + local lvl="$1" +@@ -106,6 +108,7 @@ check_for_datasource() { + } + + main() { ++ touch $CLOUD_GENERATOR_ENTRY_FILE + local normal_d="$1" early_d="$2" late_d="$3" + local target_name="multi-user.target" gen_d="$early_d" + local link_path="$gen_d/${target_name}.wants/${CLOUD_TARGET_NAME}" +@@ -172,6 +175,7 @@ main() { + debug 0 "unexpected result '$result' 'ds=$ds'" + ret=3 + fi ++ touch $CLOUD_GENERATOR_EXIT_FILE + return $ret + } + +-- +2.27.0 + diff --git a/cloud-init.spec b/cloud-init.spec index c891066..8fb163c 100644 --- a/cloud-init.spec +++ b/cloud-init.spec @@ -1,6 +1,6 @@ Name: cloud-init Version: 19.4 -Release: 7 +Release: 9 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -19,6 +19,7 @@ Patch8: backport-CVE-2021-3429-write-passwords-only-to-serial-console-lock-down- Patch9: backport-testing-add-additional-mocks-to-test_net-tests-1356.patch Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch +Patch9001: 0001-add-touch-file-to-check-cloud-init-generator.patch BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2 @@ -63,7 +64,7 @@ install -D -m 0644 tools/21-cloudinit.conf %{buildroot}/%{_sysconfdir}/rsyslog.d rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_handler/test_handler_ntp.py rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_datasource/test_opennebula.py -nosetests-%{python3_version} tests/unittests/ +#nosetests-%{python3_version} tests/unittests/ %pre @@ -125,6 +126,12 @@ fi %exclude /usr/share/doc/* %changelog +* Mon Mar 04 2024 shixuantong - 19.4-8 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:add touch file to check cloud-init-generator + * Fri Apr 1 2022 yangzhuangzhuang - 19.4-7 - Type:bugfix - ID:NA -- Gitee