subiquity.network: cloud-init networking when netplan root-readonly #1530
Conversation
blackboxsw
force-pushed
the
use-cloudinit-for-networking
branch
2 times, most recently
from
ee21ba2
to
ffce792
Compare
subiquity/models/network.py
Outdated
| @@ -15,6 +15,7 @@ | |||
|
|
|||
| import logging | |||
|
|
|||
| from cloudinit import features | |||
There was a problem hiding this comment.
So this is cloudinit from the snap, where we really want the features from the cloudinit on the target system which is a bit harder to access. It also makes things a bit more annoying because now (pedantically speaking) the result of NetworkModel.render now depends on the configuration of the source model (now I'm off wondering about how this would work when we support downloading the install artefacts over the network but well that's definitely one for the future)
blackboxsw
force-pushed
the
use-cloudinit-for-networking
branch
2 times, most recently
from
3a14e53
to
0ffded7
Compare
blackboxsw
changed the title
blackboxsw
force-pushed
the
use-cloudinit-for-networking
branch
2 times, most recently
from
e4c73e6
to
ad36664
Compare
blackboxsw
force-pushed
the
use-cloudinit-for-networking
branch
from
ad36664
to
e2043a7
Compare
subiquity/models/network.py
Outdated
| 'write_files': { | ||
| 'etc_netplan_installer': { | ||
| 'path': ( | ||
| 'etc/cloud/cloud.cfg.d' '/90-installer-network.cfg' |
There was a problem hiding this comment.
Why is there a space on this line?
There was a problem hiding this comment.
oops leftover from my accidental black formatting run due to a stray pre-commit hook setup I had. I manually reverted, but didn't squash the string all the way back to one from the multi-line that was setup due to earlier iteration of this change. Dropped
| 'path': ( | ||
| 'etc/cloud/cloud.cfg.d' '/90-installer-network.cfg' | ||
| ), | ||
| 'content': self.stringify_config(netplan), |
There was a problem hiding this comment.
Presumably this file should be written as 0o600?
There was a problem hiding this comment.
Good thought and correct. added 'permissions': '0600'. Defeats the purpose if we leave this world-readable.
When cloudinit.features.NETPLAN_CONFIG_ROOT_READ_ONLY is True, cloud-init will write /etc/netplan/50-cloud-init.yaml as read-only root. This added security allows for subiquity to use cloud-init's network renderer directly allowing both datasource and network configuration passed in one place. Read cloud-init features from /run/cloud-init/combined-cloud-config.json when present. Any netplan wifi configuration can be specified in a single root-read-only network config file /etc/cloud/cloud.cfg.d/90-installer-network.cfg instead of having a separate config file for wifi, which could contain credentials. This simplifies golden image creation from images installed using subiquity because image builders will not need to track down and purge separate /etc/netplan/00-installer-config.yaml and /etc/netplan/subiquity-disable-cloudinit-networking.cfg when preparing a golden image. Eventually, netplan config validation and cloudinit will support separation of sensitive configuration by cloud-init without needing to pre-categorize sensitive information. This will allow cloud-init to grow to ability to write separate world-readable configuration from config which is security sensitive with no change needed in subiquity.
blackboxsw
force-pushed
the
use-cloudinit-for-networking
branch
from
e2043a7
to
2af5829
Compare
subiquity.network: cloud-init networking when netplan root-readonly
When cloudinit.features.NETPLAN_CONFIG_ROOT_READ_ONLY is True,
cloud-init will write /etc/netplan/50-cloud-init.yaml as read-only
root.
This added security allows for subiquity to use cloud-init's
network renderer directly allowing both datasource and network
configuration passed in one place.
Read cloud-init features from
/run/cloud-init/combined-cloud-config.json when present.
Any netplan wifi configuration can be specified in a single
root-read-only network config file
/etc/cloud/cloud.cfg.d/90-installer-network.cfg instead of
having a separate config file for wifi, which could contain
credentials.
This simplifies golden image creation from images installed using
subiquity because image builders will not need to track down and
purge separate /etc/netplan/00-installer-config.yaml and
/etc/netplan/subiquity-disable-cloudinit-networking.cfg when preparing
a golden image.
Eventually, netplan config validation and cloudinit will support
separation of sensitive configuration by cloud-init without needing
to pre-categorize sensitive information.
This will allow cloud-init to grow to ability to write separate
world-readable configuration from config which is security sensitive
with no change needed in subiquity.