diff --git a/add-variable-to-forbid-tmp-dir.patch b/add-variable-to-forbid-tmp-dir.patch
deleted file mode 100644
index 8ff6ab6d7e8c38f2509ca94d0c85e041e268c707..0000000000000000000000000000000000000000
--- a/add-variable-to-forbid-tmp-dir.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From 224da46b2331b582577b86c3eb707f67d57800fb Mon Sep 17 00:00:00 2001 -From: chengquan -Date: Thu, 8 Aug 2019 16:15:31 +0800 -Subject: [PATCH] cloud-init: add variable to forbid tmp dir - -reason: add variable to forbid temporary directory - -Signed-off-by: chengquan ---- - setup.py | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/setup.py b/setup.py -index c3659cc..b4847ac 100644 ---- a/setup.py -+++ b/setup.py -@@ -49,6 +49,8 @@ RENDERED_TMPD_PREFIX = "RENDERED_TEMPD" - VARIANT = None - PREFIX = None - -+# add variable to forbid tmp dir -+num = 0 - - def render_tmpl(template, mode=None, is_yaml=False): - """render template into a tmpdir under same dir as setup.py -@@ -69,7 +71,10 @@ def render_tmpl(template, mode=None, is_yaml=False): - return template - - topdir = os.path.dirname(sys.argv[0]) -- tmpd = tempfile.mkdtemp(dir=topdir, prefix=RENDERED_TMPD_PREFIX) -+ global num -+ os.mkdir(topdir + str(num)) -+ tmpd = os.path.abspath(topdir + str(num)) -+ num = num + 1 - atexit.register(shutil.rmtree, tmpd) - bname = os.path.basename(template) - ename, ext = os.path.splitext(bname) -@@ -99,6 +104,10 @@ def render_tmpl(template, mode=None, is_yaml=False): - return os.path.join(os.path.basename(tmpd), bname) - - -+def sort_files(file_list): -+ file_list.sort() -+ return file_list -+ - # User can set the variant for template rendering - for a in sys.argv: - if a.startswith("--distro"): -@@ -139,11 +148,11 @@ INITSYS_FILES = { - "systemd": lambda: [ - render_tmpl(f) - for f in ( -- glob("systemd/*.tmpl") -+ sort_files((glob('systemd/*.tmpl') - + glob("systemd/*.service") - + glob("systemd/*.socket") - + glob("systemd/*.target") -- ) -+ ))) - if (is_f(f) and not is_generator(f)) - ], - "systemd.generators": lambda: [ --- -2.27.0 - 
diff --git a/backport-CVE-2024-11584.patch b/backport-CVE-2024-11584.patch
deleted file mode 100644
index b70e147ec3cd0d54b61df27dda5e32e83882ffdc..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-11584.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From 4839736429e9057a309ccd835cb3159fb51b1353 Mon Sep 17 00:00:00 2001 -From: James Falcon -Date: Wed, 11 Jun 2025 16:22:32 -0500 -Subject: [PATCH] fix: Make hotplug socket writable only by root (#25) - -The 'hook-hotplug-cmd' was writable by all users, allowing any user -to trigger the hotplug hook script. This script should only be run -by root via a udev trigger. - -Also move socket into 'share' directory and update references -accordingly. Since the 'share' directory is only readable by root, -this adds another layer of security while also being in a consistent -location with the other sockets used by cloud-init. - -CVE-2024-11584 ---- - cloudinit/cmd/devel/logs.py | 2 +- - systemd/cloud-init-hotplugd.service | 2 +- - systemd/cloud-init-hotplugd.socket | 5 +++-- - tools/cloud-init-hotplugd | 2 +- - tools/hook-hotplug | 2 +- - 5 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py -index 17be2c1d5..b8d87d6f3 100755 ---- a/cloudinit/cmd/devel/logs.py -+++ b/cloudinit/cmd/devel/logs.py -@@ -295,7 +295,7 @@ def _get_run_dir(run_dir: pathlib.Path) -> Iterator[pathlib.Path]: - Note that this only globs the top-level directory as there are currently - no relevant files within subdirectories. - """ -- return (p for p in run_dir.glob("*") if p.name != "hook-hotplug-cmd") -+ return run_dir.glob("*") - - - def _collect_logs_into_tmp_dir( -diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service -index 2e552a0a0..5f4c8e838 100644 ---- a/systemd/cloud-init-hotplugd.service -+++ b/systemd/cloud-init-hotplugd.service -@@ -1,5 +1,5 @@ - # Paired with cloud-init-hotplugd.socket to read from the FIFO --# /run/cloud-init/hook-hotplug-cmd which is created during a udev network -+# hook-hotplug-cmd which is created during a udev network - # add or remove event as processed by 90-cloud-init-hook-hotplug.rules. 
- - # On start, read args from the FIFO, process and provide structured arguments -diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket -index c56b978f3..023dfa2a9 100644 ---- a/systemd/cloud-init-hotplugd.socket -+++ b/systemd/cloud-init-hotplugd.socket -@@ -1,5 +1,5 @@ - # cloud-init-hotplugd.socket listens on the FIFO file --# /run/cloud-init/hook-hotplug-cmd which is created during a udev network -+# hook-hotplug-cmd which is created during a udev network - # add or remove event as processed by 90-cloud-init-hook-hotplug.rules. - - # Known bug with an enforcing SELinux policy: LP: #1936229 -@@ -14,7 +14,8 @@ ConditionKernelCommandLine=!cloud-init=disabled - ConditionEnvironment=!KERNEL_CMDLINE=cloud-init=disabled - - [Socket] --ListenFIFO=/run/cloud-init/hook-hotplug-cmd -+ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd -+SocketMode=0600 - - [Install] - WantedBy=cloud-config.target -diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd -index 70977d48e..3d56fffa7 100755 ---- a/tools/cloud-init-hotplugd -+++ b/tools/cloud-init-hotplugd -@@ -9,7 +9,7 @@ - # upon a network device event). Anything received via the pipe is then - # passed on via the "cloud-init devel hotplug-hook handle" command. - --PIPE="/run/cloud-init/hook-hotplug-cmd" -+PIPE="/run/cloud-init/share/hook-hotplug-cmd" - - mkfifo -m700 $PIPE - -diff --git a/tools/hook-hotplug b/tools/hook-hotplug -index 208d21dd7..f142d4b95 100755 ---- a/tools/hook-hotplug -+++ b/tools/hook-hotplug -@@ -4,7 +4,7 @@ - # This script checks if cloud-init has hotplug hooked and if - # cloud-init is ready; if so invoke cloud-init hotplug-hook - --fifo=/run/cloud-init/hook-hotplug-cmd -+fifo=/run/cloud-init/share/hook-hotplug-cmd - log_file=/run/cloud-init/hook-hotplug.log - - should_run() { --- -2.27.0 - 
diff --git a/backport-feat-support-nmap-in-socket-protocol-6339.patch b/backport-feat-support-nmap-in-socket-protocol-6339.patch
deleted file mode 100644
index 5d5a6a38121bb82940bbfad215d2297906bbcc2f..0000000000000000000000000000000000000000
--- a/backport-feat-support-nmap-in-socket-protocol-6339.patch
+++ /dev/null
@@ -1,161 +0,0 @@ -From e10c8809e8dcf1b05c9d111a2551c33adaf7edbc Mon Sep 17 00:00:00 2001 -From: Brett Holman -Date: Thu, 28 Aug 2025 05:27:56 -0600 -Subject: [PATCH] feat: support nmap in socket protocol (#6339) - -Nmap's netcat implementation doesn't support creating a return -socket for datagram mode. Switch the socket mode to stream for -better compatibility. - -Fixes GH-6136 ---- - cloudinit/socket.py | 20 ++++++++------------ - systemd/cloud-config.service | 2 +- - systemd/cloud-final.service | 2 +- - systemd/cloud-init-local.service.tmpl | 2 +- - systemd/cloud-init-network.service.tmpl | 2 +- - tests/unittests/test_all_stages.py | 3 +-- - 6 files changed, 13 insertions(+), 18 deletions(-) - -diff --git a/cloudinit/socket.py b/cloudinit/socket.py -index 98c82886f..0a5485a07 100644 ---- a/cloudinit/socket.py -+++ b/cloudinit/socket.py -@@ -5,6 +5,7 @@ import os - import socket - import sys - from contextlib import suppress -+from typing import Dict - - from cloudinit import performance - from cloudinit.settings import DEFAULT_RUN_DIR -@@ -55,16 +56,16 @@ class SocketSync: - :param names: stage names, used as a unique identifiers - """ - self.stage = "" -- self.remote = "" - self.first_exception = "" - self.systemd_exit_code = 0 - self.experienced_any_error = False - self.sockets = { - name: socket.socket( -- socket.AF_UNIX, socket.SOCK_DGRAM | socket.SOCK_CLOEXEC -+ socket.AF_UNIX, socket.SOCK_STREAM | socket.SOCK_CLOEXEC - ) - for name in names - } -+ self.connections: Dict[str, socket.socket] = {} - # ensure the directory exists - os.makedirs(f"{DEFAULT_RUN_DIR}/share", mode=0o700, exist_ok=True) - # removing stale sockets and bind -@@ -73,6 +74,7 @@ class SocketSync: - with suppress(FileNotFoundError): - os.remove(socket_path) - sock.bind(socket_path) -+ sock.listen() - - def __call__(self, stage: str): - """Set the stage before entering context. 
-@@ -116,19 +118,14 @@ class SocketSync: - # reply, which is expected to be /path/to/{self.stage}-return.sock - sock = self.sockets[self.stage] - with performance.Timed(f"Waiting to start stage {self.stage}"): -- chunk, self.remote = sock.recvfrom(5) -+ connection, _ = sock.accept() -+ chunk, _ = connection.recvfrom(5) -+ self.connections[self.stage] = connection - - if b"start" != chunk: - # The protocol expects to receive a command "start" - self.__exit__(None, None, None) - raise ValueError(f"Received invalid message: [{str(chunk)}]") -- elif f"{DEFAULT_RUN_DIR}/share/{self.stage}-return.sock" != str( -- self.remote -- ): -- # assert that the return path is in a directory with appropriate -- # permissions -- self.__exit__(None, None, None) -- raise ValueError(f"Unexpected path to unix socket: {self.remote}") - - sd_notify(f"STATUS=Running ({self.stage} stage)") - return self -@@ -156,8 +153,7 @@ class SocketSync: - self.experienced_any_error = self.experienced_any_error or bool( - self.systemd_exit_code - ) -- sock = self.sockets[self.stage] -- sock.connect(self.remote) -+ sock = self.connections[self.stage] - - # the returned message will be executed in a subshell - # hardcode this message rather than sending a more informative message -diff --git a/systemd/cloud-config.service b/systemd/cloud-config.service -index 68f80d2b3..3fe62f9d9 100644 ---- a/systemd/cloud-config.service -+++ b/systemd/cloud-config.service -@@ -16,7 +16,7 @@ Type=oneshot - # process has completed this stage. The output from the return socket is piped - # into a shell so that the process can send a completion message (defaults to - # "done", otherwise includes an error message) and an exit code to systemd. 
--ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/config.sock -s /run/cloud-init/share/config-return.sock | sh' -+ExecStart=sh -c 'echo "start" | nc -U /run/cloud-init/share/config.sock | sh' - RemainAfterExit=yes - TimeoutSec=0 - -diff --git a/systemd/cloud-final.service b/systemd/cloud-final.service -index fb74a47c8..e7e892ab9 100644 ---- a/systemd/cloud-final.service -+++ b/systemd/cloud-final.service -@@ -19,7 +19,7 @@ Type=oneshot - # process has completed this stage. The output from the return socket is piped - # into a shell so that the process can send a completion message (defaults to - # "done", otherwise includes an error message) and an exit code to systemd. --ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/final.sock -s /run/cloud-init/share/final-return.sock | sh' -+ExecStart=sh -c 'echo "start" | nc -U /run/cloud-init/share/final.sock | sh' - RemainAfterExit=yes - TimeoutSec=0 - TasksMax=infinity -diff --git a/systemd/cloud-init-local.service.tmpl b/systemd/cloud-init-local.service.tmpl -index 26a6aee1d..b8a2f3311 100644 ---- a/systemd/cloud-init-local.service.tmpl -+++ b/systemd/cloud-init-local.service.tmpl -@@ -33,7 +33,7 @@ ExecStartPre=/sbin/restorecon /run/cloud-init - # process has completed this stage. The output from the return socket is piped - # into a shell so that the process can send a completion message (defaults to - # "done", otherwise includes an error message) and an exit code to systemd. 
--ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/local.sock -s /run/cloud-init/share/local-return.sock | sh' -+ExecStart=sh -c 'echo "start" | nc -U /run/cloud-init/share/local.sock | sh' - RemainAfterExit=yes - TimeoutSec=0 - -diff --git a/systemd/cloud-init-network.service.tmpl b/systemd/cloud-init-network.service.tmpl -index 61425b4a9..9658af1d6 100644 ---- a/systemd/cloud-init-network.service.tmpl -+++ b/systemd/cloud-init-network.service.tmpl -@@ -56,7 +56,7 @@ Type=oneshot - # process has completed this stage. The output from the return socket is piped - # into a shell so that the process can send a completion message (defaults to - # "done", otherwise includes an error message) and an exit code to systemd. --ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/network.sock -s /run/cloud-init/share/network-return.sock | sh' -+ExecStart=sh -c 'echo "start" | nc -U /run/cloud-init/share/network.sock | sh' - RemainAfterExit=yes - TimeoutSec=0 - -diff --git a/tests/unittests/test_all_stages.py b/tests/unittests/test_all_stages.py -index 90bde5e1a..1b66e6955 100644 ---- a/tests/unittests/test_all_stages.py -+++ b/tests/unittests/test_all_stages.py -@@ -15,9 +15,8 @@ class Sync: - """ - - def __init__(self, name: str, path: str): -- self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) -+ self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) - self.sock.connect(f"{path}/share/{name}.sock") -- self.sock.bind(f"{path}/share/{name}-return.sock") - self.sock.sendall(b"start") - - def receive(self): --- -2.43.0 - diff --git a/bugfix-sort-requirements.patch b/bugfix-sort-requirements.patch deleted file mode 100644 index 95c21399da96d11519108f92f0199a1f2872b240..0000000000000000000000000000000000000000 --- a/bugfix-sort-requirements.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From ef3f0c73fd940accf732f94cace4d53fc1604142 Mon Sep 17 00:00:00 2001 -From: chengquan -Date: Thu, 8 Aug 2019 16:14:06 +0800 -Subject: [PATCH] sort requirements - -reason: sort requirements in setup - -Signed-off-by: chengquan --- - setup.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/setup.py b/setup.py -index d0b1c99..55b929a 100644 ---- a/setup.py -+++ b/setup.py -@@ -331,6 +331,7 @@ cmdclass = { - } - - requirements = read_requires() -+requirements.sort() - - setuptools.setup( - name="cloud-init", --- -2.27.0 -
diff --git a/cloud-init-25.1.tar.gz b/cloud-init-25.1.tar.gz
deleted file mode 100644
index bd85cf2c223c1cc7d23d6d717e706771f7221aa6..0000000000000000000000000000000000000000
Binary files a/cloud-init-25.1.tar.gz and /dev/null differ
diff --git a/cloud-init-25.3.tar.gz b/cloud-init-25.3.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..6dca4ed7a4d0bc8b839dfa3a5481d1a10fbe49c4
Binary files /dev/null and b/cloud-init-25.3.tar.gz differ
diff --git a/cloud-init.spec b/cloud-init.spec
index cdd712a7e555b418615edb3c738a25fcf824ccb6..42746472cd629ee94b56bd51c1703e246b406f3c 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
-Version: 25.1
-Release: 5
+Version: 25.3
+Release: 1
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -8,14 +8,9 @@ Source0: https://launchpad.net/%{name}/trunk/%{version}/+download/%{name}-%{vers Source1: cloud-init-tmpfiles.conf -Patch1: bugfix-sort-requirements.patch -Patch2: add-variable-to-forbid-tmp-dir.patch Patch3: delete-config-nopasswd-all.patch Patch4: skip-test_ntp_custom_client_overrides_installed_clie.patch -Patch5: fix-CVE-2024-6174-1.patch -Patch6: fix-CVE-2024-6174-2.patch -Patch7: backport-CVE-2024-11584.patch -Patch8: backport-feat-support-nmap-in-socket-protocol-6339.patch +Patch5: delete-openeuler-support-in-cc_rh_subscription.patch BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: iproute python3-configobj python3-responses @@ -24,6 +19,7 @@ BuildRequires: python3-mock python3-oauthlib python3-prettytable BuildRequires: python3-pyserial python3-PyYAML python3-requests BuildRequires: dnf %{_vendor}-release python3-pytest passwd python3-netifaces BuildRequires: python3-pytest-mock python3-passlib +BuildRequires: meson cmake bash-completion Requires: e2fsprogs iproute python3-libselinux net-tools python3-policycoreutils Requires: procps python3-configobj python3-jinja2 python3-jsonpatch xfsprogs 
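Review bot: Patch5 through Patch8 are removed from the Patch list in this hunk without the commit recording that the new 25.3 tarball carries what they fixed: two patches for CVE-2024-6174 (strict ds-identify policy, `maybe=none`/`notfound=disabled`), the CVE-2024-11584 hotplug FIFO hardening (`SocketMode=0600` and the move to `/run/cloud-init/share/hook-hotplug-cmd`), and the `SOCK_STREAM` change that makes the stage sockets work with nmap's netcat; the %changelog hunk on L13 only mentions the version upgrade and cc_rh_subscription. The breaking_changes text inside the deleted fix-CVE-2024-6174-1.patch says that change shipped upstream in 25.1.3, so it is presumably in 25.3, but the other two are dated June and August 2025 and I cannot tell from this diff that they are in the tarball; confirming that `systemd/cloud-init-hotplugd.socket` in 25.3 has `SocketMode=0600` and that `cloudinit/socket.py` uses `SOCK_STREAM` before dropping the backports would close that gap. I'd then add a changelog line such as `- drop CVE-2024-6174, CVE-2024-11584 and nmap socket patches (fixes confirmed in 25.3)` so the security history of the package stays traceable.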
@@ -41,22 +37,26 @@ initialization of a cloud instance. %prep %autosetup -n %{name}-%{version} -p1 -echo %{_vendor} -sed -i -e 's|#!/usr/bin/env python|#!/usr/bin/env python3|' \ - -e 's|#!/usr/bin/python|#!/usr/bin/python3|' tools/* cloudinit/ssh_util.py -sed -i 's/\/etc\/redhat-release/\/etc\/%{_vendor}-release/g' setup.py %build -%py3_build +%meson -Dinit_system=systemd -Ddisable_sshd_keygen=True +%meson_build %install -%py3_install -- --init-system=systemd +%meson_install python3 tools/render-template --variant openeuler > %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg install -d %{buildroot}/var/lib/cloud install -d %{buildroot}/run/%{name} install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf install -D -m 0644 tools/21-cloudinit.conf %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf +# patch in the full version to version.py +version_pys=$(cd "$RPM_BUILD_ROOT" && find . -name version.py -type f) +[ -n "$version_pys" ] || + { echo "failed to find 'version.py' to patch with version." 1>&2; exit 1; } + ( cd "$RPM_BUILD_ROOT" && + sed -i "s,@@PACKAGED_VERSION@@,%{version}-%{release}," $version_pys ) + %check SKIP_TESTS="" @@ -144,9 +144,14 @@ fi %doc doc/* %dir %{_sysconfdir}/cloud/templates %config(noreplace) %{_sysconfdir}/cloud/templates/* +%_mandir/man1/cloud-*gz %exclude /usr/share/doc/* %changelog +* Sun Sep 28 2025 shixuantong - 25.3-1 +- upgrade version to 25.3 +- delete openeuler support in cc_rh_subscription + * Mon Sep 01 2025 Linux_zhang - 25.1-5 - Support nmap in socket protocol diff --git a/delete-openeuler-support-in-cc_rh_subscription.patch b/delete-openeuler-support-in-cc_rh_subscription.patch new file mode 100644 index 0000000000000000000000000000000000000000..529e4b0e7bdf3aeeb94a8ca03353c8b730e10551 --- /dev/null +++ b/delete-openeuler-support-in-cc_rh_subscription.patch 
@@ -0,0 +1,25 @@ +From fdc8e8e46dafada6187c780aba215e2ac6bb68ea Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Mon, 29 Sep 2025 16:18:23 +0800 +Subject: [PATCH] delete openeuler support in cc_rh_subscription + +--- + cloudinit/config/cc_rh_subscription.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cloudinit/config/cc_rh_subscription.py b/cloudinit/config/cc_rh_subscription.py +index 9033f45..48a59d6 100644 +--- a/cloudinit/config/cc_rh_subscription.py ++++ b/cloudinit/config/cc_rh_subscription.py +@@ -17,7 +17,7 @@ LOG = logging.getLogger(__name__) + + meta: MetaSchema = { + "id": "cc_rh_subscription", +- "distros": ["fedora", "rhel", "openeuler"], ++ "distros": ["fedora", "rhel"], + "frequency": PER_INSTANCE, + "activate_by_schema_keys": ["rh_subscription"], + } +-- +2.27.0 + diff --git a/fix-CVE-2024-6174-1.patch b/fix-CVE-2024-6174-1.patch deleted file mode 100644 index eceab77bb49d48d833ca3bc434b45772be7fc3bb..0000000000000000000000000000000000000000 --- a/fix-CVE-2024-6174-1.patch +++ /dev/null 
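Review bot: The new patch has no description between the Subject line and the diffstat, so the reason for dropping "openeuler" from `meta["distros"]` in cc_rh_subscription.py is not recorded anywhere (the %changelog entry only repeats the subject). As far as I recall, cloud-init skips a config module whose `distros` list does not contain the running distro unless it is named in `unverified_modules`, logging a warning instead, so after this patch any `rh_subscription:` user-data on openEuler would become a no-op; that behaviour change is worth stating explicitly. I'd add a sentence after the Subject line such as `<reason the module is not applicable on openEuler>; users who still need it can list cc_rh_subscription in unverified_modules`, with the reason filled in.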
@@ -1,167 +0,0 @@ -From f43937f0b462734eb9c76700491c18fe4133c8e1 Mon Sep 17 00:00:00 2001 -From: Brett Holman -Date: Mon, 7 Jul 2025 10:19:50 +0800 -Subject: [PATCH] fix: Don't attempt to identify non-x86 OpenStack instances - -This causes cloud-init to attempt to reach out to the OpenStack Nova -datasource in non-Nova deployments on non-x86 architectures. - -Change default policy of ds-identify to disallow discovery of datasources -without strict identifiable artifacts in either kernel cmdline, DMI -platform information or system configuration files. This prevents -cloud-init from attempting to reach out to well-known hard-codded link-local -IP addresses for configuration information unless the platform strictly -identifies as a specific datasource. - -CVE-2024-6174 -LP: #2069607 -BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users - may wish to use ConfigDrive as a workaround. - ---- - doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++ - tests/unittests/test_ds_identify.py | 13 ++++--- - tools/ds-identify | 8 ++--- - 3 files changed, 59 insertions(+), 11 deletions(-) - -diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst -index db59b62..176eea5 100644 ---- a/doc/rtd/reference/breaking_changes.rst -+++ b/doc/rtd/reference/breaking_changes.rst -@@ -11,6 +11,54 @@ releases. - many operating system vendors patch out breaking changes in - cloud-init to ensure consistent behavior on their platform. - -+25.1.3 -+====== -+ -+Strict datasource identity before network -+----------------------------------------- -+Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86 -+architectures where DMI may not be accessible.
-+ -+Datasource detection provided by ds-identify in cloud-init now requires strict -+identification based on DMI platform information, kernel command line or -+`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d. -+ -+Prior to this change, ds-identify would allow non-x86 architectures without -+strict identifying platform information to run in a discovery mode which would -+attempt to reach out to well known static link-local IPs to attempt to -+retrieve configuration once system networking is up. -+ -+To mitigate the potential of a bad-actor in a local network responding -+to such provisioning requests from cloud-init clients, ds-identify will no -+longer allow this late discovery mode for platforms unable to expose clear -+identifying characteristics of a known cloud-init datasource. -+ -+The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for -+non-x86 architectures where DMI data is not exposed by the kernel. -+ -+If your non-x86 architecture or images no longer detect the proper datasource, -+any of the following steps can ensure proper detection of cloud-init config: -+ -+- Provide kernel commandline containing ``ds=`` -+ which forces ds-identify to discover a specific datasource. -+- Image creators: provide a config file part such as -+ :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the -+ case-sensitive ``datasource_list: [ ]`` to force cloud-init -+ to use a specific datasource without performing discovery. -+ -+For example, to force OpenStack discovery in cloud-init any of the following -+approaches work: -+ -+- OpenStack: `attach a ConfigDrive`_ as an alternative config source -+- Kernel command line containing ``ds=openstack`` -+- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg` -+ containing: -+ -+.. 
code-block:: yaml -+ -+ datasource_list: [ OpenStack ] -+ -+ - 25.1 - ==== - -@@ -162,5 +210,6 @@ Workarounds include updating the kernel command line and optionally configuring - a ``datasource_list`` in ``/etc/cloud/cloud.cfg.d/*.cfg``. - - -+.. _attach a ConfigDrive: https://docs.openstack.org/nova/2024.1/admin/config-drive.html - .. _this patch: https://github.com/canonical/cloud-init/blob/ubuntu/noble/debian/patches/no-single-process.patch - .. _Python3 equivalent: https://github.com/canonical/cloud-init/pull/5489#issuecomment-2408210561 -diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py -index 309acd3..3b9d70a 100644 ---- a/tests/unittests/test_ds_identify.py -+++ b/tests/unittests/test_ds_identify.py -@@ -208,9 +208,9 @@ system_info: - """ - - POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled" --POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled" --DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled" --DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled" -+POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled" -+DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled" -+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled" - DI_EC2_STRICT_ID_DEFAULT = "true" - OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1" - -@@ -947,7 +947,7 @@ class TestDsIdentify(DsIdentifyBase): - self._test_ds_found("OpenStack-AssetTag-Compute") - - def test_openstack_on_non_intel_is_maybe(self): -- """On non-Intel, openstack without dmi info is maybe. -+ """On non-Intel, openstack without dmi info is none. - - nova does not identify itself on platforms other than intel. - https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova""" -@@ -967,10 +967,9 @@ class TestDsIdentify(DsIdentifyBase): - - # updating the uname to ppc64 though should get a maybe. 
- data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]}) -- (_, _, err, _, _) = self._check_via_dict( -- data, RC_FOUND, dslist=["OpenStack", "None"] -- ) -+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND) - self.assertIn("check for 'OpenStack' returned maybe", err) -+ self.assertIn("No ds found", err) - - def test_default_ovf_is_found(self): - """OVF is identified found when ovf/ovf-env.xml seed file exists.""" -diff --git a/tools/ds-identify b/tools/ds-identify -index ac0f82f..ec33710 100755 ---- a/tools/ds-identify -+++ b/tools/ds-identify -@@ -14,7 +14,7 @@ - # The format is: - # ,found=value,maybe=value,notfound=value - # default setting is: --# search,found=all,maybe=all,notfound=disabled -+# search,found=all,maybe=none,notfound=disabled - # - # kernel command line option: ci.di.policy= - # example line in /etc/cloud/ds-identify.cfg: -@@ -40,7 +40,7 @@ - # first: use the first found do no further checking - # all: enable all DS_FOUND - # --# maybe: (default=all) -+# maybe: (default=none) - # if nothing returned 'found', then how to handle maybe. - # no network sources are allowed to return 'maybe'. - # all: enable all DS_MAYBE -@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main} - - DI_BLKID_EXPORT_OUT="" - DI_GEOM_LABEL_STATUS_OUT="" --DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}" --DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}" -+DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}" -+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}" - DI_DMI_BOARD_NAME="" - DI_DMI_CHASSIS_ASSET_TAG="" - DI_DMI_PRODUCT_NAME="" --- -2.43.0 - diff --git a/fix-CVE-2024-6174-2.patch b/fix-CVE-2024-6174-2.patch deleted file mode 100644 index f7f0ec0d331866100d83fae77fe0472eb07078dd..0000000000000000000000000000000000000000 --- a/fix-CVE-2024-6174-2.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From e3f42adc2674a38fb29e414cfbf96f884934b2d2 Mon Sep 17 00:00:00 2001 -From: Chad Smith -Date: Mon, 7 Jul 2025 10:26:46 +0800 -Subject: [PATCH] fix: strict disable in ds-identify on no datasources found - -Take the CVE-2024-6174 strict detection fix one step further. - -Commit 8c3ae1b took a step to ignore DS_MAYBE datasource discovery. -But, if no datasources are met the DS_FOUND conditions, ds-identify was -still leaving cloud-init enabled. This resulted in cloud-init python -code attempting to discover all datasources later in boot based on -the default datasource_list. - -ds-identify will now assert that at least one datasource is found. If -no datasources, ds-identify will exit 1 which disables cloud-init boot -stages and results in no boot configuration operations from cloud-init. - -OpenStack images which cannot identify a valid datasource with DMI-data -or kernel command line ci.ds=OpenStack parameter will need to either: -- provide image-based configuration in either /etc/cloud/cloud.cfg.* to set - datasource_list: [ OpenStack ] -- provide --config-drive true to openstack server create -- attach a nocloud disk labelled CIDATA containing user-data and - meta-data files - -CVE-2024-6174 -LP: #2069607 - ---- - tests/unittests/test_ds_identify.py | 6 ++++-- - tools/ds-identify | 2 +- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py -index 3b9d70a..45894d3 100644 ---- a/tests/unittests/test_ds_identify.py -+++ b/tests/unittests/test_ds_identify.py -@@ -210,7 +210,7 @@ system_info: - POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled" - POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled" - DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled" --DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled" -+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=disabled" - 
DI_EC2_STRICT_ID_DEFAULT = "true" - OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1" - -@@ -957,7 +957,7 @@ class TestDsIdentify(DsIdentifyBase): - data.update( - { - "policy_dmi": POLICY_FOUND_OR_MAYBE, -- "policy_no_dmi": POLICY_FOUND_OR_MAYBE, -+ "policy_no_dmi": DI_DEFAULT_POLICY_NO_DMI, - } - ) - -@@ -970,6 +970,8 @@ class TestDsIdentify(DsIdentifyBase): - (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND) - self.assertIn("check for 'OpenStack' returned maybe", err) - self.assertIn("No ds found", err) -+ self.assertIn("Disabled cloud-init", err) -+ self.assertIn("returning 1", err) - - def test_default_ovf_is_found(self): - """OVF is identified found when ovf/ovf-env.xml seed file exists.""" -diff --git a/tools/ds-identify b/tools/ds-identify -index ec33710..e6efa40 100755 ---- a/tools/ds-identify -+++ b/tools/ds-identify -@@ -101,7 +101,7 @@ DI_MAIN=${DI_MAIN:-main} - DI_BLKID_EXPORT_OUT="" - DI_GEOM_LABEL_STATUS_OUT="" - DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}" --DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}" -+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_DISABLED}" - DI_DMI_BOARD_NAME="" - DI_DMI_CHASSIS_ASSET_TAG="" - DI_DMI_PRODUCT_NAME="" --- -2.43.0 -