diff options
| author | James Falcon <james.falcon@canonical.com> | 2023-04-20 16:38:52 -0500 |
|---|---|---|
| committer | James Falcon <james.falcon@canonical.com> | 2023-04-21 14:18:41 -0500 |
| commit | 13a5953a9c6823b0b069ed7e050096fad66d1681 (patch) | |
| tree | 2fb6acab977b9090a161f8e97a6d2347f58d8864 | |
| parent | 055c9dcce225f70ca076c3cd4a7162587e01e5e8 (diff) | |
| download | cloud-init-git-13a5953a9c6823b0b069ed7e050096fad66d1681.tar.gz | |
Add postinst for LP: #2013967
| -rw-r--r-- | debian/cloud-init.postinst | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/debian/cloud-init.postinst b/debian/cloud-init.postinst index 268f3ec8..68b73c16 100644 --- a/debian/cloud-init.postinst +++ b/debian/cloud-init.postinst @@ -359,6 +359,56 @@ change_cloud_init_output_log_permissions() { fi } +fix_lp2013967() { + # Ensure sensitive user data and vendor data gets redacted from instance-data.json + local oldver="$1" last_bad_ver="23.1.1-0ubuntu0~22.10.1" + dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0 + + if ! python3 -c ' +import json +import os +from pathlib import Path + +from cloudinit.atomic_helper import write_json +from cloudinit.sources import ( + DataSource, + process_instance_metadata, + redact_sensitive_keys, +) +from cloudinit.sources.DataSourceLXD import DataSourceLXD +from cloudinit.sources.DataSourceVultr import DataSourceVultr +from cloudinit.stages import Init + +init = Init() +log_file = init.cfg["def_log_file"] +if os.path.exists(log_file): + os.chmod(log_file, 0o640) + +rundir = init.paths.run_dir +instance_data_path = Path(rundir, "instance-data.json") + +instance_json = json.load(instance_data_path.open(encoding="utf-8")) + +if Path(rundir, "cloud-id-lxd").exists(): + sensitive_keys = DataSourceLXD.sensitive_metadata_keys +elif Path(rundir, "cloud-id-vultr").exists(): + sensitive_keys = DataSourceVultr.sensitive_metadata_keys +else: + sensitive_keys = DataSource.sensitive_metadata_keys + +processed_json = process_instance_metadata( + instance_json, sensitive_keys=sensitive_keys +) +redacted_json = redact_sensitive_keys(processed_json) + +write_json(str(instance_data_path), redacted_json)' >/dev/null 2>&1; then + # instance-data.json will get regenerated on boot. Try to remove it for now and signal reboot required. + rm -f /run/cloud-init/instance-data.json + [ -x /usr/share/update-notifier/notify-reboot-required ] && \ + /usr/share/update-notifier/notify-reboot-required || true + fi +} + if [ "$1" = "configure" ]; then if db_get cloud-init/datasources; then @@ -393,6 +443,8 @@ EOF cleanup_ureadahead "$2" fix_lp1889555 "$2" change_cloud_init_output_log_permissions "$2" + + fix_lp2013967 "$2" fi #DEBHELPER# |