Add 3 ecdsa-sha2-nistp* ssh key types now that they are standardized
cloud-init adds ssh_authorized_keys to the default user fedora and to
root but for root it disables the keys with a prefix command.
However, if the key is of type ecdsa-sha2-nistp521, it is not parsed
correctly, and the prefix command is not prepended.
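As an added illustration of the failure mode described above (example code written here, not cloud-init's own): a small authorized_keys parser that only recognises key types from an allow-list and prepends a disabling `command=` option for root. With the ecdsa-sha2-nistp* types missing from the list, a nistp521 key is not parsed and is passed through with no prefix, so it would still grant root login. The parser logic, the `DISABLE_PREFIX` text and the sample key blob are constructed for this example.

```python
# Key types accepted by the parser (assumed list). The three ecdsa-sha2-nistp*
# entries are the ones the commit above adds; OLD_TYPES reproduces the bug.
VALID_KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)
OLD_TYPES = tuple(t for t in VALID_KEY_TYPES if not t.startswith("ecdsa-"))

# Constructed prefix: sshd runs this command instead of a shell, so the key
# cannot be used for an interactive root login.
DISABLE_PREFIX = ('command="echo Please login as the default user instead '
                  'of root;echo;sleep 10"')

# Constructed sample key: real nistp521 base64 header, fabricated key body.
SAMPLE_521 = ("ecdsa-sha2-nistp521 "
              "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEconstructedkeyblob root@example")


def parse_authorized_key(line, valid_types=VALID_KEY_TYPES):
    """Return (options, keytype, base64, comment), or None if no known type.

    An authorized_keys line may start with an options field, so the key type
    is the first whitespace token that appears in valid_types.
    """
    toks = line.strip().split()
    for i, tok in enumerate(toks):
        if tok in valid_types and i + 1 < len(toks):
            options = " ".join(toks[:i])
            comment = " ".join(toks[i + 2:])
            return options, tok, toks[i + 1], comment
    return None


def disable_root_key(line, valid_types=VALID_KEY_TYPES):
    """Prepend DISABLE_PREFIX to a recognised key line.

    An unparseable line is returned unchanged: this is the silent failure the
    commit describes, since the key stays fully usable for root.
    """
    parsed = parse_authorized_key(line, valid_types)
    if parsed is None:
        return line
    options, keytype, b64, comment = parsed
    opts = DISABLE_PREFIX if not options else options + "," + DISABLE_PREFIX
    return " ".join(p for p in (opts, keytype, b64, comment) if p)


def is_disabled(line):
    """True if the line carries the root-disabling command prefix."""
    return line.startswith(DISABLE_PREFIX)
```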
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents
a potential vulnerability if a snapshot of the disk is taken and shared as
part of an AMI.
This skips security-credentials when walking the meta-data tree.
LP: #1638312
Reviewed-by: Ian Weller <email address hidden>
Reviewed-by: Ben Cressey <email address hidden>
Reported-by: Kyle Barnes <email address hidden>
145410f... by "Erik M. Bray" <email address hidden>
doc: Fix typos and clarify some aspects of the part-handler
The existing documentation referred to a handle_type method when it
really should be handle_part. It also referred to 'methods' when it
really should say 'functions' to be clear (while it's true the built-in
handlers are classes with methods of these names, in this context we
mean module-level functions).
Also clarified that a part-handler should come before the parts that
it handles, and can override built-in handlers.
OpenStack: Use timeout and retries from config in get_data.
This modifies get_data in DataSourceOpenStack.py to get the timeout
and retries values from the data source configuration, rather than
from keyword arguments. This permits get_data to use the same timeout
as other methods, and allows an operator to increase the timeout in
environments where the metadata service takes longer than five seconds
to respond.
Fixed Misc issues related to VMware customization.
- staticIPV4 property can be either None or a valid Array. Need to
check for None before accessing the ip address.
- Modified a few misc. log messages.
- Added a new log message while waiting for the customization config file.
- Added support to configure the maximum amount of time to wait for the
customization config file.
- VMware Customization Support is provided only for DataSourceOVF class and
not for any other child classes. Implemented a new variable
vmware_customization_supported to check whether the 'VMware Customization'
support is available for a specific datasource or not.
- Changed the function get_vmware_cust_settings to get_max_wait_from_cfg.
- Removed the code that does 'ifdown and ifup' in NIC configurator.
Recent fedora releases use "dnf" instead of "yum" for package
management. While there is a compatible "yum" cli available, there's
no guarantee that it will be available.
With this patch, cloud-init will check for /usr/bin/dnf and use that
if it exists instead of yum.
Get early logging logged, including failures of cmdline url.
Failures to load the kernel command line's url (cloud-config-url=)
would previously get swallowed. This should make it much more
obvious when that happens, with logging going to expected places
at sane levels (WARN will go to stderr by default).