cloud-init:23.1.x

Last commit made on 2023-04-20
Get this branch:
git clone -b 23.1.x https://git.launchpad.net/cloud-init

Branch information

Name:
23.1.x
Repository:
lp:cloud-init

Recent commits

76066fe... by James Falcon

Release 23.1.2

Bump the version in cloudinit/version.py to 23.1.2 and
update ChangeLog.

9d4903b... by James Falcon

Make user/vendor data sensitive and remove log permissions

Because user data and vendor data may contain sensitive information,
this commit ensures that any user data or vendor data written to
instance-data.json gets redacted and is only available to root user.

Also, modify the permissions of cloud-init.log to be 640, so that
sensitive data leaked to the log isn't world readable.
Additionally, remove the logging of user data and vendor data to
cloud-init.log from the Vultr datasource.

LP: #2013967
CVE: CVE-2023-1786

993ac64... by James Falcon

Release 23.1.1

Bump the version in cloudinit/version.py to 23.1.1 and
update ChangeLog.

faad547... by Brett Holman

source: Force OpenStack when it is only option (#2045)

Running on OpenStack Ironic was broken in 1efa8a0a0,
which prevented a system configured to run on only
OpenStack from actually running this ds. This change
also prevents the kernel commandline definition from
working. This change was required to prevent
unnecessarily probing OpenStack on Ec2, and is
therefore still required.

This commit reverts an earlier attempt[1][2] to
automatically detect OpenStack, due to the regression
it caused. Additionally, this change allows a
system that defines a datasource list containing
only [OpenStack] or [OpenStack, None] to attempt
running on OpenStack, overriding ds_detect(). A
datasource list that defines [OpenStack, None]
still falls back to DataSourceNone if OpenStack
fails to reach the IMDS.

This change also lays groundwork for the following
future work:

1. Add support for other datasources
2. Also override datasource checking when the kernel
   command line defines a datasource. This work needs
   to be done manually to support non-systemd systems.

Besides forcing OpenStack to run when it is the only
datasource in the datasource list, this commit also:

[1] 0220295 (it breaks some use cases)
[2] 29faf66 (no longer used)

LP: #2008727

5d7e747... by Chris Patterson <email address hidden>

sources/azure: fix regressions in IMDS behavior (#2041)

There are effectively two regressions in the recent IMDS refactor:

1. The metadata check len(imds_md["interface"]) in
   _check_if_nic_is_primary() is no longer correct as the refactor
   switched URLs and did not update this call to account for the
   fact that this metadata now lives under "network".

2. Network metadata was fetched with infinite=True and is now limited
   to ten retries. This callback had the twist of only allowing up to
   ten connection errors but otherwise would retry indefinitely.

For check_if_nic_is_primary():

- Drop the interface count check for _check_if_nic_is_primary(),
  we don't need it anyways.

- Fix/update the unit tests mocks that allowed the tests to pass,
  adding another test to verify max retries for http and connection
  errors.

- Use 300 retries. We do want to hit a case where we spin forever,
  but this should be more than enough time for IMDS to respond in
  the Savable PPS case (~5 minutes).

For IMDS:

- Consolidate IMDS retry handlers into a new ReadUrlRetryHandler class
  that supports the options required for each variant of request.

- Minor tweaks to log and expand logging checks in unit tests.

- Move all unit tests to mocking via mock_requests_session_request
  and replace mock_readurl fixture with wrapped_readurl to improve
  consistency between tests.

Note that this change drops usage of `retry_on_url_exc` and can probably
be removed altogether as it is no longer used AFAICT.

Signed-off-by: Chris Patterson <email address hidden>

242f6bc... by Alberto Contreras

Release 23.1

Bump the version in cloudinit/version.py to 23.1 and
update ChangeLog.

6397d3b... by Robert Schweikert

Support transactional-updates for SUSE based distros (#1997)

openSUSE/SUSE has distros that use read only root and btrfs. To update
a running system in such a setup the transactional-update command
needs to be used. This change implements support for use of the
transactional-update command when appropriate.

15a6e08... by Jack Zhang

Set ownership for new folders in Write Files Module (#1980)

The parent directory would be created automatically if it does not exist. But the ownership of the newly created parent directory would always be root.

With this change, it would be set the same as `owner`.

LP: #1990513

b01b5c2... by wynnfeng <email address hidden>

add OpenCloudOS and TencentOS support (#1964)

9043f82... by Brett Holman

lxd: Retry if the server isn't ready (#2025)