cloud-init:ubuntu/devel

Last commit made on 2021-03-22
Get this branch:
git clone -b ubuntu/devel https://git.launchpad.net/cloud-init
Members of cloud-init Commiters can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/devel
Repository:
lp:cloud-init

Recent commits

0400f9b... by James Falcon on 2021-03-22

releasing cloud-init version 21.1-19-gbad84ad4-0ubuntu2

e3e36b2... by James Falcon on 2021-03-22

debian/cloud-init.templates: Add UpCloud datasource

788bd80... by James Falcon on 2021-03-19

releasing cloud-init version 21.1-19-gbad84ad4-0ubuntu1

a85d181... by James Falcon on 2021-03-19

debian/cloud-init.postinst: Change output log permissions on upgrade

In b794d426 (#847), we changed log permissions on
/var/log/cloud-init.log to be owned by root:adm and have 740 permissions
by default. This commit performs that same change on upgrade.

LP: #1918303

9429493... by James Falcon on 2021-03-19

update changelog (New upstream snapshot 21.1-19-gbad84ad4).

7438965... by James Falcon on 2021-03-19

merge from upstream/master at 21.1-19-gbad84ad4

bad84ad... by Dan Watkins on 2021-03-19

.travis.yml: generate an SSH key before running tests (#848)

b794d42... by Dan Watkins on 2021-03-19

write passwords only to serial console, lock down cloud-init-output.log (#847)

Prior to this commit, when a user specified configuration which would
generate random passwords for users, cloud-init would cause those
passwords to be written to the serial console by emitting them on
stderr. In the default configuration, any stdout or stderr emitted by
cloud-init is also written to `/var/log/cloud-init-output.log`. This
file is world-readable, meaning that those randomly-generated passwords
were available to be read by any user with access to the system. This
presents an obvious security issue.

This commit responds to this issue in two ways:

* We address the direct issue by moving from writing the passwords to
  sys.stderr to writing them directly to /dev/console (via
  util.multi_log); this means that the passwords will never end up in
  cloud-init-output.log
* To avoid future issues like this, we also modify the logging code so
  that any files created in a log sink subprocess will only be
  owner/group readable and, if it exists, will be owned by the adm
  group. This results in `/var/log/cloud-init-output.log` no longer
  being world-readable, meaning that if there are other parts of the
  codebase that are emitting sensitive data intended for the serial
  console, that data is no longer available to all users of the system.

LP: #1918303

c6726c2... by James Falcon <email address hidden> on 2021-03-19

Fix apt default integration test (#845)

The apt default test wasn't ported over from cloud-tests correctly.
uri should be specified in the test, but it was not, so the test
failed on openstack (and likely other platforms) because without
a specified uri, the default uri will vary by platform. I separated
this uri test out into a separate test function.

Also add openstack specific test for apt configuration with no uri.
Other platform-specific tests should be added here over time.

dae45c3... by Dan Watkins on 2021-03-18

integration_tests: bump pycloudlib dependency (#846)

The latest pycloudlib now launches official Ubuntu cloud images for
xenial, meaning that `lxc exec` no longer works against them. This
commit includes handling for tests which are affected by this change;
further details and reasoning in the included comment.