Merge ~chad.smith/cloud-init:ubuntu/devel into cloud-init:ubuntu/devel

Proposed by Chad Smith
Status: Merged
Merged at revision: b901d2b09f8e93c84c6ecd66b716a43364de24bf
Proposed branch: ~chad.smith/cloud-init:ubuntu/devel
Merge into: cloud-init:ubuntu/devel
Diff against target: 379 lines (+273/-12)
8 files modified
ChangeLog (+226/-0)
cloudinit/config/cc_users_groups.py (+6/-2)
cloudinit/distros/__init__.py (+1/-1)
cloudinit/distros/freebsd.py (+1/-1)
cloudinit/version.py (+1/-1)
debian/changelog (+10/-0)
doc/examples/cloud-config-user-groups.txt (+20/-7)
tests/unittests/test_distros/test_create_users.py (+8/-0)
Reviewers:
Server Team CI bot: Approve (continuous-integration)
Scott Moser: Approve
Review via email: mp+348300@code.launchpad.net

Commit message

New upstream snapshot of cloud-init 18.3 for release in Cosmic

Scott Moser (smoser) wrote :

doing a build and upload.

review: Approve
Server Team CI bot (server-team-bot) wrote :

PASSED: Continuous integration, rev:b901d2b09f8e93c84c6ecd66b716a43364de24bf
https://jenkins.ubuntu.com/server/job/cloud-init-ci/109/
Executed test runs:
    SUCCESS: Checkout
    SUCCESS: Unit & Style Tests
    SUCCESS: Ubuntu LTS: Build
    SUCCESS: Ubuntu LTS: Integration
    SUCCESS: MAAS Compatability Testing
    IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:
https://jenkins.ubuntu.com/server/job/cloud-init-ci/109/rebuild

review: Approve (continuous-integration)

Preview Diff

1diff --git a/ChangeLog b/ChangeLog
2index daa7ccf..72c5287 100644
3--- a/ChangeLog
4+++ b/ChangeLog
5@@ -1,3 +1,229 @@
6+18.3:
7+ - docs: represent sudo:false in docs for user_groups config module
8+ - Explicitly prevent `sudo` access for user module
9+ [Jacob Bednarz] (LP: #1771468)
10+ - lxd: Delete default network and detach device if lxd-init created them.
11+ (LP: #1776958)
12+ - openstack: avoid unneeded metadata probe on non-openstack platforms
13+ (LP: #1776701)
14+ - stages: fix tracebacks if a module stage is undefined or empty
15+ [Robert Schweikert] (LP: #1770462)
16+ - Be more safe on string/bytes when writing multipart user-data to disk.
17+ (LP: #1768600)
18+ - Fix get_proc_env for pids that have non-utf8 content in environment.
19+ (LP: #1775371)
20+ - tests: fix salt_minion integration test on bionic and later
21+ - tests: provide human-readable integration test summary when --verbose
22+ - tests: skip chrony integration tests on lxd running artful or older
23+ - test: add optional --preserve-instance arg to integraiton tests
24+ - netplan: fix mtu if provided by network config for all rendered types
25+ (LP: #1774666)
26+ - tests: remove pip install workarounds for pylxd, take upstream fix.
27+ - subp: support combine_capture argument.
28+ - tests: ordered tox dependencies for pylxd install
29+ - util: add get_linux_distro function to replace platform.dist
30+ [Robert Schweikert] (LP: #1745235)
31+ - pyflakes: fix unused variable references identified by pyflakes 2.0.0.
32+ - - Do not use the systemd_prefix macro, not available in this environment
33+ [Robert Schweikert]
34+ - doc: Add config info to ec2, openstack and cloudstack datasource docs
35+ - Enable SmartOS network metadata to work with netplan via per-subnet
36+ routes [Dan McDonald] (LP: #1763512)
37+ - openstack: Allow discovery in init-local using dhclient in a sandbox.
38+ (LP: #1749717)
39+ - tests: Avoid using https in httpretty, improve HttPretty test case.
40+ (LP: #1771659)
41+ - yaml_load/schema: Add invalid line and column nums to error message
42+ - Azure: Ignore NTFS mount errors when checking ephemeral drive
43+ [Paul Meyer]
44+ - packages/brpm: Get proper dependencies for cmdline distro.
45+ - packages: Make rpm spec files patch in package version like in debs.
46+ - tools/run-container: replace tools/run-centos with more generic.
47+ - Update version.version_string to contain packaged version. (LP: #1770712)
48+ - cc_mounts: Do not add devices to fstab that are already present.
49+ [Lars Kellogg-Stedman]
50+ - ds-identify: ensure that we have certain tokens in PATH. (LP: #1771382)
51+ - tests: enable Ubuntu Cosmic in integration tests [Joshua Powers]
52+ - read_file_or_url: move to url_helper, fix bug in its FileResponse.
53+ - cloud_tests: help pylint [Ryan Harper]
54+ - flake8: fix flake8 errors in previous commit.
55+ - typos: Fix spelling mistakes in cc_mounts.py log messages [Stephen Ford]
56+ - tests: restructure SSH and initial connections [Joshua Powers]
57+ - ds-identify: recognize container-other as a container, test SmartOS.
58+ - cloud-config.service: run After snap.seeded.service. (LP: #1767131)
59+ - tests: do not rely on host /proc/cmdline in test_net.py
60+ [Lars Kellogg-Stedman] (LP: #1769952)
61+ - ds-identify: Remove dupe call to is_ds_enabled, improve debug message.
62+ - SmartOS: fix get_interfaces for nics that do not have addr_assign_type.
63+ - tests: fix package and ca_cert cloud_tests on bionic
64+ (LP: #1769985)
65+ - ds-identify: make shellcheck 0.4.6 happy with ds-identify.
66+ - pycodestyle: Fix deprecated string literals, move away from flake8.
67+ - azure: Add reported ready marker file. [Joshua Chan] (LP: #1765214)
68+ - tools: Support adding a release suffix through packages/bddeb.
69+ - FreeBSD: Invoke growfs on ufs filesystems such that it does not prompt.
70+ [Harm Weites] (LP: #1404745)
71+ - tools: Re-use the orig tarball in packages/bddeb if it is around.
72+ - netinfo: fix netdev_pformat when a nic does not have an address
73+ assigned. (LP: #1766302)
74+ - collect-logs: add -v flag, write to stderr, limit journal to single
75+ boot. (LP: #1766335)
76+ - IBMCloud: Disable config-drive and nocloud only if IBMCloud is enabled.
77+ (LP: #1766401)
78+ - Add reporting events and log_time around early source of blocking time
79+ [Ryan Harper]
80+ - IBMCloud: recognize provisioning environment during debug boots.
81+ (LP: #1767166)
82+ - net: detect unstable network names and trigger a settle if needed
83+ [Ryan Harper] (LP: #1766287)
84+ - IBMCloud: improve documentation in datasource.
85+ - sysconfig: dhcp6 subnet type should not imply dhcpv4 [Vitaly Kuznetsov]
86+ - packages/debian/control.in: add missing dependency on iproute2.
87+ (LP: #1766711)
88+ - DataSourceSmartOS: add locking of serial device.
89+ [Mike Gerdts] (LP: #1746605)
90+ - DataSourceSmartOS: sdc:hostname is ignored [Mike Gerdts] (LP: #1765085)
91+ - DataSourceSmartOS: list() should always return a list
92+ [Mike Gerdts] (LP: #1763480)
93+ - schema: in validation, raise ImportError if strict but no jsonschema.
94+ - set_passwords: Add newline to end of sshd config, only restart if
95+ updated. (LP: #1677205)
96+ - pylint: pay attention to unused variable warnings.
97+ - doc: Add documentation for AliYun datasource. [Junjie Wang]
98+ - Schema: do not warn on duplicate items in commands. (LP: #1764264)
99+ - net: Depend on iproute2's ip instead of net-tools ifconfig or route
100+ - DataSourceSmartOS: fix hang when metadata service is down
101+ [Mike Gerdts] (LP: #1667735)
102+ - DataSourceSmartOS: change default fs on ephemeral disk from ext3 to
103+ ext4. [Mike Gerdts] (LP: #1763511)
104+ - pycodestyle: Fix invalid escape sequences in string literals.
105+ - Implement bash completion script for cloud-init command line
106+ [Ryan Harper]
107+ - tools: Fix make-tarball cli tool usage for development
108+ - renderer: support unicode in render_from_file.
109+ - Implement ntp client spec with auto support for distro selection
110+ [Ryan Harper] (LP: #1749722)
111+ - Apport: add Brightbox, IBM, LXD, and OpenTelekomCloud to list of clouds.
112+ - tests: fix ec2 integration network metadata validation
113+ - tests: fix integration tests to support lxd 3.0 release
114+ - correct documentation to match correct attribute name usage.
115+ [Dominic Schlegel] (LP: #1420018)
116+ - cc_resizefs, util: handle no /dev/zfs [Ryan Harper]
117+ - doc: Fix links in OpenStack datasource documentation.
118+ [Dominic Schlegel] (LP: #1721660)
119+ - docs: represent sudo:false in docs for user_groups config module
120+ - Explicitly prevent `sudo` access for user module
121+ [Jacob Bednarz] (LP: #1771468)
122+ - lxd: Delete default network and detach device if lxd-init created them.
123+ (LP: #1776958)
124+ - openstack: avoid unneeded metadata probe on non-openstack platforms
125+ (LP: #1776701)
126+ - stages: fix tracebacks if a module stage is undefined or empty
127+ [Robert Schweikert] (LP: #1770462)
128+ - Be more safe on string/bytes when writing multipart user-data to disk.
129+ (LP: #1768600)
130+ - Fix get_proc_env for pids that have non-utf8 content in environment.
131+ (LP: #1775371)
132+ - tests: fix salt_minion integration test on bionic and later
133+ - tests: provide human-readable integration test summary when --verbose
134+ - tests: skip chrony integration tests on lxd running artful or older
135+ - test: add optional --preserve-instance arg to integraiton tests
136+ - netplan: fix mtu if provided by network config for all rendered types
137+ (LP: #1774666)
138+ - tests: remove pip install workarounds for pylxd, take upstream fix.
139+ - subp: support combine_capture argument.
140+ - tests: ordered tox dependencies for pylxd install
141+ - util: add get_linux_distro function to replace platform.dist
142+ [Robert Schweikert] (LP: #1745235)
143+ - pyflakes: fix unused variable references identified by pyflakes 2.0.0.
144+ - - Do not use the systemd_prefix macro, not available in this environment
145+ [Robert Schweikert]
146+ - doc: Add config info to ec2, openstack and cloudstack datasource docs
147+ - Enable SmartOS network metadata to work with netplan via per-subnet
148+ routes [Dan McDonald] (LP: #1763512)
149+ - openstack: Allow discovery in init-local using dhclient in a sandbox.
150+ (LP: #1749717)
151+ - tests: Avoid using https in httpretty, improve HttPretty test case.
152+ (LP: #1771659)
153+ - yaml_load/schema: Add invalid line and column nums to error message
154+ - Azure: Ignore NTFS mount errors when checking ephemeral drive
155+ [Paul Meyer]
156+ - packages/brpm: Get proper dependencies for cmdline distro.
157+ - packages: Make rpm spec files patch in package version like in debs.
158+ - tools/run-container: replace tools/run-centos with more generic.
159+ - Update version.version_string to contain packaged version. (LP: #1770712)
160+ - cc_mounts: Do not add devices to fstab that are already present.
161+ [Lars Kellogg-Stedman]
162+ - ds-identify: ensure that we have certain tokens in PATH. (LP: #1771382)
163+ - tests: enable Ubuntu Cosmic in integration tests [Joshua Powers]
164+ - read_file_or_url: move to url_helper, fix bug in its FileResponse.
165+ - cloud_tests: help pylint [Ryan Harper]
166+ - flake8: fix flake8 errors in previous commit.
167+ - typos: Fix spelling mistakes in cc_mounts.py log messages [Stephen Ford]
168+ - tests: restructure SSH and initial connections [Joshua Powers]
169+ - ds-identify: recognize container-other as a container, test SmartOS.
170+ - cloud-config.service: run After snap.seeded.service. (LP: #1767131)
171+ - tests: do not rely on host /proc/cmdline in test_net.py
172+ [Lars Kellogg-Stedman] (LP: #1769952)
173+ - ds-identify: Remove dupe call to is_ds_enabled, improve debug message.
174+ - SmartOS: fix get_interfaces for nics that do not have addr_assign_type.
175+ - tests: fix package and ca_cert cloud_tests on bionic
176+ (LP: #1769985)
177+ - ds-identify: make shellcheck 0.4.6 happy with ds-identify.
178+ - pycodestyle: Fix deprecated string literals, move away from flake8.
179+ - azure: Add reported ready marker file. [Joshua Chan] (LP: #1765214)
180+ - tools: Support adding a release suffix through packages/bddeb.
181+ - FreeBSD: Invoke growfs on ufs filesystems such that it does not prompt.
182+ [Harm Weites] (LP: #1404745)
183+ - tools: Re-use the orig tarball in packages/bddeb if it is around.
184+ - netinfo: fix netdev_pformat when a nic does not have an address
185+ assigned. (LP: #1766302)
186+ - collect-logs: add -v flag, write to stderr, limit journal to single
187+ boot. (LP: #1766335)
188+ - IBMCloud: Disable config-drive and nocloud only if IBMCloud is enabled.
189+ (LP: #1766401)
190+ - Add reporting events and log_time around early source of blocking time
191+ [Ryan Harper]
192+ - IBMCloud: recognize provisioning environment during debug boots.
193+ (LP: #1767166)
194+ - net: detect unstable network names and trigger a settle if needed
195+ [Ryan Harper] (LP: #1766287)
196+ - IBMCloud: improve documentation in datasource.
197+ - sysconfig: dhcp6 subnet type should not imply dhcpv4 [Vitaly Kuznetsov]
198+ - packages/debian/control.in: add missing dependency on iproute2.
199+ (LP: #1766711)
200+ - DataSourceSmartOS: add locking of serial device.
201+ [Mike Gerdts] (LP: #1746605)
202+ - DataSourceSmartOS: sdc:hostname is ignored [Mike Gerdts] (LP: #1765085)
203+ - DataSourceSmartOS: list() should always return a list
204+ [Mike Gerdts] (LP: #1763480)
205+ - schema: in validation, raise ImportError if strict but no jsonschema.
206+ - set_passwords: Add newline to end of sshd config, only restart if
207+ updated. (LP: #1677205)
208+ - pylint: pay attention to unused variable warnings.
209+ - doc: Add documentation for AliYun datasource. [Junjie Wang]
210+ - Schema: do not warn on duplicate items in commands. (LP: #1764264)
211+ - net: Depend on iproute2's ip instead of net-tools ifconfig or route
212+ - DataSourceSmartOS: fix hang when metadata service is down
213+ [Mike Gerdts] (LP: #1667735)
214+ - DataSourceSmartOS: change default fs on ephemeral disk from ext3 to
215+ ext4. [Mike Gerdts] (LP: #1763511)
216+ - pycodestyle: Fix invalid escape sequences in string literals.
217+ - Implement bash completion script for cloud-init command line
218+ [Ryan Harper]
219+ - tools: Fix make-tarball cli tool usage for development
220+ - renderer: support unicode in render_from_file.
221+ - Implement ntp client spec with auto support for distro selection
222+ [Ryan Harper] (LP: #1749722)
223+ - Apport: add Brightbox, IBM, LXD, and OpenTelekomCloud to list of clouds.
224+ - tests: fix ec2 integration network metadata validation
225+ - tests: fix integration tests to support lxd 3.0 release
226+ - correct documentation to match correct attribute name usage.
227+ [Dominic Schlegel] (LP: #1420018)
228+ - cc_resizefs, util: handle no /dev/zfs [Ryan Harper]
229+ - doc: Fix links in OpenStack datasource documentation.
230+ [Dominic Schlegel] (LP: #1721660)
231+
232 18.2:
233 - Hetzner: Exit early if dmi system-manufacturer is not Hetzner.
234 - Add missing dependency on isc-dhcp-client to trunk ubuntu packaging.
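Review bot: The new 18.3 section lists every entry twice: the block running from "docs: represent sudo:false in docs for user_groups config module" through "doc: Fix links in OpenStack datasource documentation." appears once at the top of the section and again immediately after it. Drop the second copy so each change is recorded once. While there, "integraiton" in the --preserve-instance entry and the doubled "- -" before "Do not use the systemd_prefix macro" could be corrected.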
235diff --git a/cloudinit/config/cc_users_groups.py b/cloudinit/config/cc_users_groups.py
236index b215e95..c95bdaa 100644
237--- a/cloudinit/config/cc_users_groups.py
238+++ b/cloudinit/config/cc_users_groups.py
239@@ -54,8 +54,9 @@ config keys for an entry in ``users`` are as follows:
240 - ``ssh_authorized_keys``: Optional. List of ssh keys to add to user's
241 authkeys file. Default: none
242 - ``ssh_import_id``: Optional. SSH id to import for user. Default: none
243- - ``sudo``: Optional. Sudo rule to use, or list of sudo rules to use.
244- Default: none.
245+ - ``sudo``: Optional. Sudo rule to use, list of sudo rules to use or False.
246+ Default: none. An absence of sudo key, or a value of none or false
247+ will result in no sudo rules being written for the user.
248 - ``system``: Optional. Create user as system user with no home directory.
249 Default: false
250 - ``uid``: Optional. The user's ID. Default: The next available value.
251@@ -82,6 +83,9 @@ config keys for an entry in ``users`` are as follows:
252
253 users:
254 - default
255+ # User explicitly omitted from sudo permission; also default behavior.
256+ - name: <some_restricted_user>
257+ sudo: false
258 - name: <username>
259 expiredate: <date>
260 gecos: <comment>
261diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
262index 6c22b07..ab0b077 100755
263--- a/cloudinit/distros/__init__.py
264+++ b/cloudinit/distros/__init__.py
265@@ -531,7 +531,7 @@ class Distro(object):
266 self.lock_passwd(name)
267
268 # Configure sudo access
269- if 'sudo' in kwargs:
270+ if 'sudo' in kwargs and kwargs['sudo'] is not False:
271 self.write_sudo_rules(name, kwargs['sudo'])
272
273 # Import SSH keys
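Review bot: The guard `kwargs['sudo'] is not False` is an identity test against False only, so a `sudo` key set to None still reaches write_sudo_rules, while the updated docstring in cc_users_groups.py says a value of none results in no sudo rules being written. Nothing in this diff shows write_sudo_rules handling None; either extend the guard to cover it or add a test case for sudo=None next to test_explicit_sudo_false.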
274diff --git a/cloudinit/distros/freebsd.py b/cloudinit/distros/freebsd.py
275index 5b1718a..ff22d56 100644
276--- a/cloudinit/distros/freebsd.py
277+++ b/cloudinit/distros/freebsd.py
278@@ -266,7 +266,7 @@ class Distro(distros.Distro):
279 self.lock_passwd(name)
280
281 # Configure sudo access
282- if 'sudo' in kwargs:
283+ if 'sudo' in kwargs and kwargs['sudo'] is not False:
284 self.write_sudo_rules(name, kwargs['sudo'])
285
286 # Import SSH keys
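Review bot: The guard on the `if 'sudo' in kwargs` line duplicates the condition changed in cloudinit/distros/__init__.py, and a privilege-related check kept in two places can drift apart. Consider a shared helper on the base Distro that decides whether sudo rules should be written, and note that the only test added in this diff is the single test_explicit_sudo_false case.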
287diff --git a/cloudinit/version.py b/cloudinit/version.py
288index ce3b8c1..3b60fc4 100644
289--- a/cloudinit/version.py
290+++ b/cloudinit/version.py
291@@ -4,7 +4,7 @@
292 #
293 # This file is part of cloud-init. See LICENSE file for license information.
294
295-__VERSION__ = "18.2"
296+__VERSION__ = "18.3"
297 _PACKAGED_VERSION = '@@PACKAGED_VERSION@@'
298
299 FEATURES = [
300diff --git a/debian/changelog b/debian/changelog
301index e419f47..4817495 100644
302--- a/debian/changelog
303+++ b/debian/changelog
304@@ -1,3 +1,13 @@
305+cloud-init (18.3-0ubuntu1) cosmic; urgency=medium
306+
307+ * New upstream release.
308+ - release 18.3 (LP: #1777743)
309+ - docs: represent sudo:false in docs for user_groups config module
310+ - Explicitly prevent `sudo` access for user module
311+ [Jacob Bednarz] (LP: #1771468)
312+
313+ -- Chad Smith <chad.smith@canonical.com> Wed, 20 Jun 2018 11:33:36 -0600
314+
315 cloud-init (18.2-77-g4ce67201-0ubuntu1) cosmic; urgency=medium
316
317 * New upstream snapshot.
318diff --git a/doc/examples/cloud-config-user-groups.txt b/doc/examples/cloud-config-user-groups.txt
319index 7bca24a..01ecad7 100644
320--- a/doc/examples/cloud-config-user-groups.txt
321+++ b/doc/examples/cloud-config-user-groups.txt
322@@ -30,6 +30,11 @@ users:
323 gecos: Magic Cloud App Daemon User
324 inactive: true
325 system: true
326+ - name: fizzbuzz
327+ sudo: False
328+ ssh_authorized_keys:
329+ - <ssh pub key 1>
330+ - <ssh pub key 2>
331 - snapuser: joe@joeuser.io
332
333 # Valid Values:
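Review bot: `sudo: False` in the fizzbuzz entry is capitalised, while the example added to the cc_users_groups.py docstring uses `sudo: false`. Both load as a YAML boolean, but one spelling across the docs would be clearer. It is also worth stating that the value must be an unquoted boolean, since the code checks `is not False` and a quoted string would not match.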
334@@ -71,13 +76,21 @@ users:
335 # no_log_init: When set to true, do not initialize lastlog and faillog database.
336 # ssh_import_id: Optional. Import SSH ids
337 # ssh_authorized_keys: Optional. [list] Add keys to user's authorized keys file
338-# sudo: Defaults to none. Set to the sudo string you want to use, i.e.
339-# ALL=(ALL) NOPASSWD:ALL. To add multiple rules, use the following
340-# format.
341-# sudo:
342-# - ALL=(ALL) NOPASSWD:/bin/mysql
343-# - ALL=(ALL) ALL
344-# Note: Please double check your syntax and make sure it is valid.
345+# sudo: Defaults to none. Accepts a sudo rule string, a list of sudo rule
346+# strings or False to explicitly deny sudo usage. Examples:
347+#
348+# Allow a user unrestricted sudo access.
349+# sudo: ALL=(ALL) NOPASSWD:ALL
350+#
351+# Adding multiple sudo rule strings.
352+# sudo:
353+# - ALL=(ALL) NOPASSWD:/bin/mysql
354+# - ALL=(ALL) ALL
355+#
356+# Prevent sudo access for a user.
357+# sudo: False
358+#
359+# Note: Please double check your syntax and make sure it is valid.
360 # cloud-init does not parse/check the syntax of the sudo
361 # directive.
362 # system: Create the user as a system user. This means no home directory.
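Review bot: "False to explicitly deny sudo usage" and "Prevent sudo access for a user." in the new sudo comment overstate the effect. The code change in cloudinit/distros/__init__.py only skips write_sudo_rules, and the cc_users_groups.py docstring describes the result as "no sudo rules being written for the user"; a user could still obtain sudo some other way, for example through group membership. Suggest wording such as "False to write no sudo rules for the user".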
363diff --git a/tests/unittests/test_distros/test_create_users.py b/tests/unittests/test_distros/test_create_users.py
364index 5670904..07176ca 100644
365--- a/tests/unittests/test_distros/test_create_users.py
366+++ b/tests/unittests/test_distros/test_create_users.py
367@@ -145,4 +145,12 @@ class TestCreateUser(TestCase):
368 mock.call(['passwd', '-l', user])]
369 self.assertEqual(m_subp.call_args_list, expected)
370
371+ def test_explicit_sudo_false(self, m_subp, m_is_snappy):
372+ user = 'foouser'
373+ self.dist.create_user(user, sudo=False)
374+ self.assertEqual(
375+ m_subp.call_args_list,
376+ [self._useradd2call([user, '-m']),
377+ mock.call(['passwd', '-l', user])])
378+
379 # vi: ts=4 expandtab
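Review bot: test_explicit_sudo_false asserts only on m_subp.call_args_list, which shows that useradd and passwd -l ran but does not directly show that no sudo rules were written. Patching write_sudo_rules and asserting it was not called would test the new guard itself, and a companion case for sudo=None would cover the other value the docstring mentions.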
