Ubuntu
cloud-init package

Merge lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242 into lp:ubuntu/trusty/cloud-init

Trusty (14.04)
trusty-1461242
Merge into trusty

Proposed by Scott Moser on 2015-09-10

Status:	Merged
Merged at revision:	351
Proposed branch:	lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242
Merge into:	lp:ubuntu/trusty/cloud-init
Diff against target:	411 lines (+294/-31) 6 files modified .pc/applied-patches (+1/-0) .pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit/config/cc_ssh.py (+138/-0) cloudinit/config/cc_ssh.py (+33/-30) debian/changelog (+6/-1) debian/patches/lp-1461242-generate-ed25519-host-keys.patch (+115/-0) debian/patches/series (+1/-0)
To merge this branch:	bzr merge lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Ben Howard (community)		Approve on 2015-09-11
Dan Watkins	2015-09-10	Pending
Review via email: mp+270711@code.launchpad.net

lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242 updated on 2015-09-10

352. By Scott Moser on 2015-09-10

remove use of 'decode_binary'

there is no 'decode_binary' here.
the return values from subp in python2 are strings.

Revision history for this message

Ben Howard (darkmuggle-deactivatedaccount) wrote on 2015-09-11:

Tested and okay for merger. It works as expected by creating ed25519 keys in /etc/ssh.

I would merge it, but bzr is complaining of a "readonly transport."

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Scott Moser

Ubuntu branches

Ubuntu
cloud-init package

Merge lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242 into lp:ubuntu/trusty/cloud-init

Commit message

Description of the change

Preview Diff

Subscribers

 === modified file '.pc/applied-patches'
 --- .pc/applied-patches	2015-09-10 16:24:44 +0000
 +++ .pc/applied-patches	2015-09-10 16:50:23 +0000
@@ -14,3 +14,4 @@
  lp-1470890-include-regions-in-dynamic-mirror-discovery.patch
  lp-1490796-azure-fix-mount_cb-for-symlinks.patch
  lp-1469260-fix-consumption-of-vendor-data.patch
++lp-1461242-generate-ed25519-host-keys.patch
 === added directory '.pc/lp-1461242-generate-ed25519-host-keys.patch'
 === added directory '.pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit'
 === added directory '.pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit/config'
 === added file '.pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit/config/cc_ssh.py'
 --- .pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit/config/cc_ssh.py	1970-01-01 00:00:00 +0000
 +++ .pc/lp-1461242-generate-ed25519-host-keys.patch/cloudinit/config/cc_ssh.py	2015-09-10 16:50:23 +0000
@@ -0,0 +1,138 @@
++# vi: ts=4 expandtab
++#
++#    Copyright (C) 2009-2010 Canonical Ltd.
++#    Copyright (C) 2012, 2013 Hewlett-Packard Development Company, L.P.
++#
++#    Author: Scott Moser <scott.moser@canonical.com>
++#    Author: Juerg Haefliger <juerg.haefliger@hp.com>
++#
++#    This program is free software: you can redistribute it and/or modify
++#    it under the terms of the GNU General Public License version 3, as
++#    published by the Free Software Foundation.
++#
++#    This program is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#    GNU General Public License for more details.
++#
++#    You should have received a copy of the GNU General Public License
++#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++import glob
++import os
++
++# Ensure this is aliased to a name not 'distros'
++# since the module attribute 'distros'
++# is a list of distros that are supported, not a sub-module
++from cloudinit import distros as ds
++
++from cloudinit import ssh_util
++from cloudinit import util
++
++DISABLE_ROOT_OPTS = ("no-port-forwarding,no-agent-forwarding,"
++"no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
++"rather than the user \\\"root\\\".\';echo;sleep 10\"")
++
++KEY_2_FILE = {
++    "rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
++    "rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
++    "dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
++    "dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
++    "ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
++    "ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
++}
++
++PRIV_2_PUB = {
++    'rsa_private': 'rsa_public',
++    'dsa_private': 'dsa_public',
++    'ecdsa_private': 'ecdsa_public',
++}
++
++KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
++
++GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
++
++KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
++
++
++def handle(_name, cfg, cloud, log, _args):
++
++    # remove the static keys from the pristine image
++    if cfg.get("ssh_deletekeys", True):
++        key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
++        for f in glob.glob(key_pth):
++            try:
++                util.del_file(f)
++            except:
++                util.logexc(log, "Failed deleting key file %s", f)
++
++    if "ssh_keys" in cfg:
++        # if there are keys in cloud-config, use them
++        for (key, val) in cfg["ssh_keys"].iteritems():
++            if key in KEY_2_FILE:
++                tgt_fn = KEY_2_FILE[key][0]
++                tgt_perms = KEY_2_FILE[key][1]
++                util.write_file(tgt_fn, val, tgt_perms)
++
++        for (priv, pub) in PRIV_2_PUB.iteritems():
++            if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
++                continue
++            pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
++            cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
++            try:
++                # TODO(harlowja): Is this guard needed?
++                with util.SeLinuxGuard("/etc/ssh", recursive=True):
++                    util.subp(cmd, capture=False)
++                log.debug("Generated a key for %s from %s", pair[0], pair[1])
++            except:
++                util.logexc(log, "Failed generated a key for %s from %s",
++                            pair[0], pair[1])
++    else:
++        # if not, generate them
++        genkeys = util.get_cfg_option_list(cfg,
++                                           'ssh_genkeytypes',
++                                           GENERATE_KEY_NAMES)
++        for keytype in genkeys:
++            keyfile = KEY_FILE_TPL % (keytype)
++            util.ensure_dir(os.path.dirname(keyfile))
++            if not os.path.exists(keyfile):
++                cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
++                try:
++                    # TODO(harlowja): Is this guard needed?
++                    with util.SeLinuxGuard("/etc/ssh", recursive=True):
++                        util.subp(cmd, capture=False)
++                except:
++                    util.logexc(log, "Failed generating key type %s to "
++                                "file %s", keytype, keyfile)
++
++    try:
++        (users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
++        (user, _user_config) = ds.extract_default(users)
++        disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
++        disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
++                                                    DISABLE_ROOT_OPTS)
++
++        keys = cloud.get_public_ssh_keys() or []
++        if "ssh_authorized_keys" in cfg:
++            cfgkeys = cfg["ssh_authorized_keys"]
++            keys.extend(cfgkeys)
++
++        apply_credentials(keys, user, disable_root, disable_root_opts)
++    except:
++        util.logexc(log, "Applying ssh credentials failed!")
++
++
++def apply_credentials(keys, user, disable_root, disable_root_opts):
++
++    keys = set(keys)
++    if user:
++        ssh_util.setup_user_keys(keys, user)
++
++    if disable_root:
++        if not user:
++            user = "NONE"
++        key_prefix = disable_root_opts.replace('$USER', user)
++    else:
++        key_prefix = ''
++
++    ssh_util.setup_user_keys(keys, 'root', options=key_prefix)
 === modified file 'cloudinit/config/cc_ssh.py'
 --- cloudinit/config/cc_ssh.py	2013-07-10 13:35:59 +0000
 +++ cloudinit/config/cc_ssh.py	2015-09-10 16:50:23 +0000
@@ -20,6 +20,7 @@
  import glob
  import os
++import sys
  # Ensure this is aliased to a name not 'distros'
  # since the module attribute 'distros'
@@ -33,27 +34,19 @@
  "no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
  "rather than the user \\\"root\\\".\';echo;sleep 10\"")
--KEY_2_FILE = {
--    "rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
--    "rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
--    "dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
--    "dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
--    "ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
--    "ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
--}
++GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
++KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
--PRIV_2_PUB = {
--    'rsa_private': 'rsa_public',
--    'dsa_private': 'dsa_public',
--    'ecdsa_private': 'ecdsa_public',
--}
++CONFIG_KEY_TO_FILE = {}
++PRIV_TO_PUB = {}
++for k in GENERATE_KEY_NAMES:
++    CONFIG_KEY_TO_FILE.update({"%s_private" % k: (KEY_FILE_TPL % k, 0o600)})
++    CONFIG_KEY_TO_FILE.update(
++        {"%s_public" % k: (KEY_FILE_TPL % k + ".pub", 0o600)})
++    PRIV_TO_PUB["%s_private" % k] = "%s_public" % k
  KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
--GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
--
--KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
--
  def handle(_name, cfg, cloud, log, _args):
@@ -69,15 +62,15 @@
      if "ssh_keys" in cfg:
          # if there are keys in cloud-config, use them
          for (key, val) in cfg["ssh_keys"].iteritems():
--            if key in KEY_2_FILE:
--                tgt_fn = KEY_2_FILE[key][0]
--                tgt_perms = KEY_2_FILE[key][1]
++            if key in CONFIG_KEY_TO_FILE:
++                tgt_fn = CONFIG_KEY_TO_FILE[key][0]
++                tgt_perms = CONFIG_KEY_TO_FILE[key][1]
                  util.write_file(tgt_fn, val, tgt_perms)
--        for (priv, pub) in PRIV_2_PUB.iteritems():
++        for (priv, pub) in PRIV_TO_PUB.items():
              if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
                  continue
--            pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
++            pair = (CONFIG_KEY_TO_FILE[priv][0], CONFIG_KEY_TO_FILE[pub][0])
              cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
              try:
                  # TODO(harlowja): Is this guard needed?
@@ -92,18 +85,28 @@
          genkeys = util.get_cfg_option_list(cfg,
                                             'ssh_genkeytypes',
                                             GENERATE_KEY_NAMES)
++        lang_c = os.environ.copy()
++        lang_c['LANG'] = 'C'
          for keytype in genkeys:
              keyfile = KEY_FILE_TPL % (keytype)
++            if os.path.exists(keyfile):
++                continue
              util.ensure_dir(os.path.dirname(keyfile))
--            if not os.path.exists(keyfile):
--                cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
++            cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
++
++            # TODO(harlowja): Is this guard needed?
++            with util.SeLinuxGuard("/etc/ssh", recursive=True):
                  try:
--                    # TODO(harlowja): Is this guard needed?
--                    with util.SeLinuxGuard("/etc/ssh", recursive=True):
--                        util.subp(cmd, capture=False)
--                except:
--                    util.logexc(log, "Failed generating key type %s to "
--                                "file %s", keytype, keyfile)
++                    out, err = util.subp(cmd, capture=True, env=lang_c)
++                    sys.stdout.write(out)
++                except util.ProcessExecutionError as e:
++                    err = e.stderr.lower()
++                    if (e.exit_code == 1 and
++                            err.lower().startswith("unknown key")):
++                        log.debug("ssh-keygen: unknown key type '%s'", keytype)
++                    else:
++                        util.logexc(log, "Failed generating key type %s to "
++                                    "file %s", keytype, keyfile)
      try:
          (users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
 === modified file 'debian/changelog'
 --- debian/changelog	2015-09-10 16:24:44 +0000
 +++ debian/changelog	2015-09-10 16:50:23 +0000
@@ -1,10 +1,15 @@
  cloud-init (0.7.5-0ubuntu1.11) UNRELEASED; urgency=medium
++  [ Felipe Reyes ]
    * d/patches/fix-consumption-of-vendor-data.patch:
      - Fix consumption of vendor-data in OpenStack to allow namespacing
        (LP: #1469260).
-- -- Felipe Reyes <felipe.reyes@canonical.com>  Thu, 10 Sep 2015 12:50:32 -0300
++  [ Scott Moser ]
++  * d/patches/lp-1461242-generate-ed25519-host-keys.patch:
++    - ssh: generate ed25519 host keys if supported (LP: #1461242)
++
++ -- Scott Moser <smoser@ubuntu.com>  Thu, 10 Sep 2015 12:36:14 -0400
  cloud-init (0.7.5-0ubuntu1.10) trusty; urgency=medium
 === added file 'debian/patches/lp-1461242-generate-ed25519-host-keys.patch'
 --- debian/patches/lp-1461242-generate-ed25519-host-keys.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/lp-1461242-generate-ed25519-host-keys.patch	2015-09-10 16:50:23 +0000
@@ -0,0 +1,115 @@
++Author: Scott Moser <smoser@ubuntu.com>
++Bug: https://launchpad.net/bugs/1461242
++Applied-Upstream: yes
++Origin: http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/1125
++Description: ssh: generate ed25519 host keys if supported
++ .
++ now we attempt to generate ed25519 host keys.
++ If ssh-keygen does not support it, a debug log message will be written.
++
++=== modified file 'cloudinit/config/cc_ssh.py'
++--- a/cloudinit/config/cc_ssh.py
+++++ b/cloudinit/config/cc_ssh.py
++@@ -20,6 +20,7 @@
++
++ import glob
++ import os
+++import sys
++
++ # Ensure this is aliased to a name not 'distros'
++ # since the module attribute 'distros'
++@@ -33,26 +34,18 @@ DISABLE_ROOT_OPTS = ("no-port-forwarding
++ "no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
++ "rather than the user \\\"root\\\".\';echo;sleep 10\"")
++
++-KEY_2_FILE = {
++-    "rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
++-    "rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
++-    "dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
++-    "dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
++-    "ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
++-    "ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
++-}
++-
++-PRIV_2_PUB = {
++-    'rsa_private': 'rsa_public',
++-    'dsa_private': 'dsa_public',
++-    'ecdsa_private': 'ecdsa_public',
++-}
++-
++-KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
+++GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
+++KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
++
++-GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
+++CONFIG_KEY_TO_FILE = {}
+++PRIV_TO_PUB = {}
+++for k in GENERATE_KEY_NAMES:
+++    CONFIG_KEY_TO_FILE.update({"%s_private" % k: (KEY_FILE_TPL % k, 0o600)})
+++    CONFIG_KEY_TO_FILE.update(
+++        {"%s_public" % k: (KEY_FILE_TPL % k + ".pub", 0o600)})
+++    PRIV_TO_PUB["%s_private" % k] = "%s_public" % k
++
++-KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
+++KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
++
++
++ def handle(_name, cfg, cloud, log, _args):
++@@ -69,15 +62,15 @@ def handle(_name, cfg, cloud, log, _args
++     if "ssh_keys" in cfg:
++         # if there are keys in cloud-config, use them
++         for (key, val) in cfg["ssh_keys"].iteritems():
++-            if key in KEY_2_FILE:
++-                tgt_fn = KEY_2_FILE[key][0]
++-                tgt_perms = KEY_2_FILE[key][1]
+++            if key in CONFIG_KEY_TO_FILE:
+++                tgt_fn = CONFIG_KEY_TO_FILE[key][0]
+++                tgt_perms = CONFIG_KEY_TO_FILE[key][1]
++                 util.write_file(tgt_fn, val, tgt_perms)
++
++-        for (priv, pub) in PRIV_2_PUB.iteritems():
+++        for (priv, pub) in PRIV_TO_PUB.items():
++             if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
++                 continue
++-            pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
+++            pair = (CONFIG_KEY_TO_FILE[priv][0], CONFIG_KEY_TO_FILE[pub][0])
++             cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
++             try:
++                 # TODO(harlowja): Is this guard needed?
++@@ -92,18 +85,28 @@ def handle(_name, cfg, cloud, log, _args
++         genkeys = util.get_cfg_option_list(cfg,
++                                            'ssh_genkeytypes',
++                                            GENERATE_KEY_NAMES)
+++        lang_c = os.environ.copy()
+++        lang_c['LANG'] = 'C'
++         for keytype in genkeys:
++             keyfile = KEY_FILE_TPL % (keytype)
+++            if os.path.exists(keyfile):
+++                continue
++             util.ensure_dir(os.path.dirname(keyfile))
++-            if not os.path.exists(keyfile):
++-                cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
+++            cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
+++
+++            # TODO(harlowja): Is this guard needed?
+++            with util.SeLinuxGuard("/etc/ssh", recursive=True):
++                 try:
++-                    # TODO(harlowja): Is this guard needed?
++-                    with util.SeLinuxGuard("/etc/ssh", recursive=True):
++-                        util.subp(cmd, capture=False)
++-                except:
++-                    util.logexc(log, "Failed generating key type %s to "
++-                                "file %s", keytype, keyfile)
+++                    out, err = util.subp(cmd, capture=True, env=lang_c)
+++                    sys.stdout.write(out)
+++                except util.ProcessExecutionError as e:
+++                    err = e.stderr.lower()
+++                    if (e.exit_code == 1 and
+++                            err.lower().startswith("unknown key")):
+++                        log.debug("ssh-keygen: unknown key type '%s'", keytype)
+++                    else:
+++                        util.logexc(log, "Failed generating key type %s to "
+++                                    "file %s", keytype, keyfile)
++
++     try:
++         (users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
 === modified file 'debian/patches/series'
 --- debian/patches/series	2015-09-10 16:24:44 +0000
 +++ debian/patches/series	2015-09-10 16:50:23 +0000
@@ -14,3 +14,4 @@
  lp-1470890-include-regions-in-dynamic-mirror-discovery.patch
  lp-1490796-azure-fix-mount_cb-for-symlinks.patch
  lp-1469260-fix-consumption-of-vendor-data.patch
++lp-1461242-generate-ed25519-host-keys.patch

Ubuntucloud-init package

Merge lp:~smoser/ubuntu/trusty/cloud-init/trusty-1461242 into lp:ubuntu/trusty/cloud-init

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
cloud-init package