-
Notifications
You must be signed in to change notification settings - Fork 155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subiquity.network: cloud-init networking when netplan root-readonly #1530
subiquity.network: cloud-init networking when netplan root-readonly #1530
Conversation
ee21ba2
to
ffce792
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just recording this point already made out of band
subiquity/models/network.py
Outdated
@@ -15,6 +15,7 @@ | |||
|
|||
import logging | |||
|
|||
from cloudinit import features |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this is cloudinit from the snap, where we really want the features from the cloudinit on the target system which is a bit harder to access. It also makes things a bit more annoying because now (pedantically speaking) the result of NetworkModel.render now depends on the configuration of the source model (now I'm off wondering about how this would work when we support downloading the install artefacts over the network but well that's definitely one for the future)
3a14e53
to
0ffded7
Compare
e4c73e6
to
ad36664
Compare
ad36664
to
e2043a7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of nits, nothing major
subiquity/models/network.py
Outdated
'write_files': { | ||
'etc_netplan_installer': { | ||
'path': ( | ||
'etc/cloud/cloud.cfg.d' '/90-installer-network.cfg' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is there a space on this line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops leftover from my accidental black formatting run due to a stray pre-commit hook setup I had. I manually reverted, but didn't squash the string all the way back to one from the multi-line that was setup due to earlier iteration of this change. Dropped
'path': ( | ||
'etc/cloud/cloud.cfg.d' '/90-installer-network.cfg' | ||
), | ||
'content': self.stringify_config(netplan), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Presumably this file should be written as 0o600?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good thought and correct. added 'permissions': '0600'. Defeats the purpose if we leave this world-readable.
When cloudinit.features.NETPLAN_CONFIG_ROOT_READ_ONLY is True, cloud-init will write /etc/netplan/50-cloud-init.yaml as read-only root. This added security allows for subiquity to use cloud-init's network renderer directly allowing both datasource and network configuration passed in one place. Read cloud-init features from /run/cloud-init/combined-cloud-config.json when present. Any netplan wifi configuration can be specified in a single root-read-only network config file /etc/cloud/cloud.cfg.d/90-installer-network.cfg instead of having a separate config file for wifi, which could contain credentials. This simplifies golden image creation from images installed using subiquity because image builders will not need to track down and purge separate /etc/netplan/00-installer-config.yaml and /etc/netplan/subiquity-disable-cloudinit-networking.cfg when preparing a golden image. Eventually, netplan config validation and cloudinit will support separation of sensitive configuration by cloud-init without needing to pre-categorize sensitive information. This will allow cloud-init to grow to ability to write separate world-readable configuration from config which is security sensitive with no change needed in subiquity.
e2043a7
to
2af5829
Compare
subiquity.network: cloud-init networking when netplan root-readonly
When cloudinit.features.NETPLAN_CONFIG_ROOT_READ_ONLY is True,
cloud-init will write /etc/netplan/50-cloud-init.yaml as read-only
root.
This added security allows for subiquity to use cloud-init's
network renderer directly allowing both datasource and network
configuration passed in one place.
Read cloud-init features from
/run/cloud-init/combined-cloud-config.json when present.
Any netplan wifi configuration can be specified in a single
root-read-only network config file
/etc/cloud/cloud.cfg.d/90-installer-network.cfg instead of
having a separate config file for wifi, which could contain
credentials.
This simplifies golden image creation from images installed using
subiquity because image builders will not need to track down and
purge separate /etc/netplan/00-installer-config.yaml and
/etc/netplan/subiquity-disable-cloudinit-networking.cfg when preparing
a golden image.
Eventually, netplan config validation and cloudinit will support
separation of sensitive configuration by cloud-init without needing
to pre-categorize sensitive information.
This will allow cloud-init to grow to ability to write separate
world-readable configuration from config which is security sensitive
with no change needed in subiquity.