From 65ea8602625e31ff7ac90e485cde15e6f4b6a6a8 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Thu, 5 Oct 2023 20:05:05 +0200
Subject: [PATCH] kola: Disable the public update server by default
This might have been an oversight: for release tests we used the public Nebraska server. This was already disabled for FCOS but not for the original CoreOS/Flatcar CL. Disable the public update server by default. The update tests overwrite it with their specific setting. In case a future test needs the default the usual test flag escape hatch in the form of NoDisableUpdates is added.
---
 kola/harness.go | 1 +
 kola/register/register.go | 1 +
 kola/tests/ignition/empty.go | 9 +++--
 kola/tests/locksmith/locksmith.go | 14 ++++++--
 kola/tests/misc/omaha.go | 2 ++
 platform/cluster.go | 6 ++++
 platform/conf/conf.go | 55 ++++++++++++++++++++++++++++---
 platform/platform.go | 1 +
 8 files changed, 79 insertions(+), 10 deletions(-)
diff --git a/kola/harness.go b/kola/harness.go
index 372f3682f..349bb74d9 100644
--- a/kola/harness.go
+++ b/kola/harness.go
@@ -565,6 +565,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
 NoSSHKeyInUserData: t.HasFlag(register.NoSSHKeyInUserData),
 NoSSHKeyInMetadata: t.HasFlag(register.NoSSHKeyInMetadata),
 NoEnableSelinux: t.HasFlag(register.NoEnableSelinux),
+ NoDisableUpdates: t.HasFlag(register.NoDisableUpdates),
 SSHRetries: Options.SSHRetries,
 SSHTimeout: Options.SSHTimeout,
 DefaultUser: t.DefaultUser,
diff --git a/kola/register/register.go b/kola/register/register.go
index 617894e7b..d792a4696 100644
--- a/kola/register/register.go
+++ b/kola/register/register.go
@@ -33,6 +33,7 @@ const (
 NoEnableSelinux // don't enable selinux when starting or rebooting a machine
 NoKernelPanicCheck // don't check console output for kernel panic
 NoVerityCorruptionCheck // don't check console output for verity corruption
+ NoDisableUpdates // don't disable usage of the public update server
 )
 // Test provides the main test abstraction for kola. The run function is
diff --git a/kola/tests/ignition/empty.go b/kola/tests/ignition/empty.go
index bb1b3ba57..1a024e665 100644
--- a/kola/tests/ignition/empty.go
+++ b/kola/tests/ignition/empty.go
@@ -32,7 +32,10 @@ func init() {
 ClusterSize: 1,
 ExcludePlatforms: []string{"qemu", "esx"},
 Distros: []string{"cl"},
- UserData: conf.Empty(),
+ // The userdata injection of disabling the update server won't work
+ // for an empty config, we still take care of doing later it via SSH
+ Flags: []register.Flag{register.NoDisableUpdates, register.NoSSHKeyInUserData},
+ UserData: conf.Empty(), // Should run on all cloud environments
 })
 // Tests for https://github.com/coreos/bugs/issues/1981
@@ -59,5 +62,7 @@ func init() {
 })
 }
-func empty(_ cluster.TestCluster) {
+func empty(c cluster.TestCluster) {
+ m := c.Machines()[0]
+ _ = c.MustSSH(m, "echo SERVER=disabled | sudo tee /etc/flatcar/update.conf")
 }
diff --git a/kola/tests/locksmith/locksmith.go b/kola/tests/locksmith/locksmith.go
index e6c506c34..c47cb8d7e 100644
--- a/kola/tests/locksmith/locksmith.go
+++ b/kola/tests/locksmith/locksmith.go
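Review bot: The comment above the new Flags line explains NoDisableUpdates but not why NoSSHKeyInUserData is set alongside it; judging from the conf.go changes in this same patch, CopyKeys now panics for conf.Empty(), so the SSH key has to come from platform metadata instead, and a reader could otherwise drop that flag as unrelated. The comment also has a word-order slip, `doing later it`. Suggest `// conf.Empty() cannot carry files or keys (AddFile/CopyKeys reject it), so the update server is disabled later via SSH and the SSH key comes from platform metadata`.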
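Review bot: The `SERVER=disabled` written in empty() only lands once the test has SSH access, so the machine boots with whatever update.conf the image ships and update_engine is already running by then; if the daemon reads the file only at startup, the running instance keeps the public server for the rest of the test, and an update check that happens before the SSH session completes is not prevented at all. I cannot tell from the hunk when update_engine re-reads its config, so either confirm that or follow the write with `sudo systemctl restart update-engine`. Discarding MustSSH's output with `_ =` is fine because MustSSH fails the test itself; a short comment such as `// conf.Empty() carries no files, so disable the public update server after boot instead` would make the intent clear to the next reader.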
@@ -39,8 +39,13 @@ func init() {
 ClusterSize: 3,
 // When cl.etcd-member.discovery runs on all clouds to test CLC IP templating, we can skip running this
 Platforms: []string{"qemu", "qemu-unpriv"},
+ // This test already specifies the update.conf file in the userdata.
+ // Disabling of the public server is done explicitly.
+ Flags: []register.Flag{register.NoDisableUpdates},
 UserData: conf.ContainerLinuxConfig(`locksmith:
 reboot_strategy: etcd-lock
+update:
+ server: disabled
 etcd:
 version: 3.5.0
 listen_client_urls: http://0.0.0.0:2379
@@ -60,8 +65,11 @@ etcd:
 Distros: []string{"cl"},
 })
 register.Register(®ister.Test{
- Name: "coreos.locksmith.tls",
- Run: locksmithTLS,
+ Name: "coreos.locksmith.tls",
+ Run: locksmithTLS,
+ // This test already specifies the update.conf file in the userdata.
+ // Disabling of the public server is done explicitly.
+ Flags: []register.Flag{register.NoDisableUpdates},
 ClusterSize: 1,
 // This test is normally not related to the cloud environment
 Platforms: []string{"qemu", "qemu-unpriv"},
@@ -95,7 +103,7 @@ etcd:
 {
 "filesystem": "root",
 "path": "/etc/coreos/update.conf",
- "contents": { "source": "data:,REBOOT_STRATEGY=etcd-lock%0A" },
+ "contents": { "source": "data:,REBOOT_STRATEGY=etcd-lock%0ASERVER=disabled%0A" },
 "mode": 420
 },
 {
diff --git a/kola/tests/misc/omaha.go b/kola/tests/misc/omaha.go
index cc66fab40..172219823 100644
--- a/kola/tests/misc/omaha.go
+++ b/kola/tests/misc/omaha.go
@@ -31,6 +31,8 @@ func init() {
 Run: OmahaPing,
 ClusterSize: 0,
 Name: "cl.omaha.ping",
+ // This test already sets its own update server in the userdata
+ Flags: []register.Flag{register.NoDisableUpdates},
 // This test is normally not related to the cloud environment
 Platforms: []string{"qemu"},
 ExcludePlatforms: []string{"qemu-unpriv"},
diff --git a/platform/cluster.go b/platform/cluster.go
index 431cf8aca..e59b9dc50 100644
--- a/platform/cluster.go
+++ b/platform/cluster.go
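Review bot: The new comment says the test "already specifies the update.conf file in the userdata", but in this hunk it is the added `update:` / `server: disabled` lines that make that true, so the comment reads as if the flag alone were sufficient; `// This test sets SERVER=disabled in its own userdata, so the harness default must not add a second update.conf` states what is actually relied on. The same wording is used on the coreos.locksmith.tls test in the next hunk. Note also that both test configs target /etc/coreos/update.conf while the harness default in platform/cluster.go writes /etc/flatcar/update.conf; if those are not the same file on the image, the two mechanisms configure different files, which deserves a sentence in the comment.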
@@ -191,6 +191,12 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[
 conf.CopyKeys(keys)
 }
+ // disable the public update server by default
+ if !bc.rconf.NoDisableUpdates {
+ conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled
+`, 0644)
+ }
+
 // disable Zincati & Pinger by default
 if bc.Distribution() == "fcos" {
 conf.AddFile("/etc/fedora-coreos-pinger/config.d/90-disable-reporting.toml", "root", `[reporting]
diff --git a/platform/conf/conf.go b/platform/conf/conf.go
index 8e9b3d826..5dc9fb1d8 100644
--- a/platform/conf/conf.go
+++ b/platform/conf/conf.go
@@ -585,7 +585,8 @@ func (c *Conf) addFileV3(path, filesystem, contents string, mode int) {
 Files: []v3types.File{
 {
 Node: v3types.Node{
- Path: path,
+ Path: path,
+ Overwrite: &[]bool{true}[0],
 },
 FileEmbedded1: v3types.FileEmbedded1{
 Contents: v3types.FileContents{
@@ -610,7 +611,8 @@ func (c *Conf) addFileV31(path, filesystem, contents string, mode int) {
 Files: []v31types.File{
 {
 Node: v31types.Node{
- Path: path,
+ Path: path,
+ Overwrite: &[]bool{true}[0],
 },
 FileEmbedded1: v31types.FileEmbedded1{
 Contents: v31types.Resource{
@@ -635,7 +637,8 @@ func (c *Conf) addFileV32(path, filesystem, contents string, mode int) {
 Files: []v32types.File{
 {
 Node: v32types.Node{
- Path: path,
+ Path: path,
+ Overwrite: &[]bool{true}[0],
 },
 FileEmbedded1: v32types.FileEmbedded1{
 Contents: v32types.Resource{
@@ -660,7 +663,8 @@ func (c *Conf) addFileV33(path, filesystem, contents string, mode int) {
 Files: []v33types.File{
 {
 Node: v33types.Node{
- Path: path,
+ Path: path,
+ Overwrite: &[]bool{true}[0],
 },
 FileEmbedded1: v33types.FileEmbedded1{
 Contents: v33types.Resource{
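Review bot: conf.AddFile now panics for conf.Empty() (the new else branch in the AddFile hunk of this patch), so with this block every test that uses conf.Empty() without the NoDisableUpdates flag aborts RenderUserData with a panic instead of a clean test failure; at minimum the flag's doc comment in register.go and platform.go should say so, and guarding this call on the config not being the empty one (if the conf package offers a way to detect that, which the hunk does not show) would be friendlier. The file is also added before the fcos check and for every distro, so FCOS machines receive a /etc/flatcar/update.conf that nothing reads — harmless, but `// CL only; FCOS has no update_engine` next to the condition would avoid confusion. Because the v3 writers now set Overwrite, `SERVER=disabled` replaces any update.conf the image ships rather than extending it; if that file normally carries other settings such as the update group, confirm that losing them is intended.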
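Review bot: `Overwrite: &[]bool{true}[0]` is now set on every file added through AddFile for the v3.0, v3.1, v3.2 and v3.3 writers (this hunk and the three that follow), not only on the update.conf this patch needs it for, so files the harness appended before (the pinger config, anything tests add) silently gain replace semantics; a one-line comment stating why is needed, presumably `// the image may already ship this file and Ignition v3 will not write over an existing file unless overwrite is set`, hedged because the hunk itself does not show which file collides. The `&[]bool{true}[0]` idiom repeated four times would read better as a small package-level helper returning a *bool. Separately, when a test's own Ignition config already declares the same path, this appends a second node with it rather than merging; I have not verified how Ignition validates duplicate paths within one config, so a test with a user-provided update.conf and no NoDisableUpdates flag is worth running.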
@@ -707,6 +711,41 @@ func (c *Conf) addFileCloudConfig(path, filesystem, contents string, mode int) {
 })
 }
+func (c *Conf) addFileScript(path, filesystem, contents string, mode int) {
+ c.script += fmt.Sprintf(`
+cat < %s
+%s
+EOF
+chmod %o %s
+`, path, contents, mode, path)
+}
+
+func (c *Conf) addFileMultipartMime(path, filesystem, contents string, mode int) {
+ header := textproto.MIMEHeader{
+ "Content-Type": []string{"text/cloud-config; charset=\"us-ascii\""},
+ "MIME-Version": []string{"1.0"},
+ "Content-Transfer-Encoding": []string{"7bit"},
+ "Content-Disposition": []string{"attachment; filename=\"testing-keys.yaml\""},
+ }
+ cc := cci.CloudConfig{
+ WriteFiles: []cci.File{
+ cci.File{
+ Content: contents,
+ Owner: "root",
+ Path: path,
+ RawFilePermissions: fmt.Sprintf("%#o", mode),
+ },
+ },
+ }
+ asYaml, err := yaml.Marshal(cc)
+ if err != nil {
+ plog.Errorf("failed to marshal yaml: %v", err)
+ return
+ }
+ c.multipartMime.AddPart(header, asYaml)
+
+}
+
 func (c *Conf) AddFile(path, filesystem, contents string, mode int) {
 if c.ignitionV33 != nil {
 c.addFileV33(path, filesystem, contents, mode)
@@ -728,8 +767,12 @@ func (c *Conf) AddFile(path, filesystem, contents string, mode int) {
 c.addFileV1(path, filesystem, contents, mode)
 } else if c.cloudconfig != nil {
 c.addFileCloudConfig(path, filesystem, contents, mode)
+ } else if c.multipartMime != nil {
+ c.addFileMultipartMime(path, filesystem, contents, mode)
+ } else if c.script != "" {
+ c.addFileScript(path, filesystem, contents, mode)
 } else {
- panic(fmt.Errorf("unimplemented case in AddFile"))
+ panic(fmt.Errorf("unimplemented case in AddFile (conf.Empty not supported on purpose"))
 }
 }
@@ -1346,6 +1389,8 @@ func (c *Conf) CopyKeys(keys []*agent.Key) {
 c.copyKeysScript(keys)
 } else if c.multipartMime != nil {
 c.copyKeysMultipartMime(keys)
+ } else {
+ panic(fmt.Errorf("unimplemented case in CopyKeys (conf.Empty not supported on purpose"))
 }
 }
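Review bot: addFileScript feeds contents through an unquoted heredoc, so `$VAR`, backticks and backslashes in the file body are expanded by the shell on the target machine, and a body line that is exactly `EOF` terminates the file early; as rendered on this page the line reads `cat < %s`, which looks like a heredoc operator lost in rendering, so I am assuming a heredoc is intended. Quoting the delimiter stops the expansion, `cat <<'EOF' > "%s"`, and quoting the path in that redirect and in the chmod line guards against paths with spaces. In addFileMultipartMime every part carries `filename=\"testing-keys.yaml\"`, which looks copied from the key-injection variant; naming the part after path, or at least generically, would avoid misleading anyone debugging the rendered MIME. Whether two cloud-config parts that each carry write_files are merged or the second replaces the first depends on the consumer's merge rules, which are not visible here, so it is worth checking with two AddFile calls before relying on it.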
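Review bot: Both new panic messages, here and in the CopyKeys hunk below, are missing their closing parenthesis: `panic(fmt.Errorf("unimplemented case in AddFile (conf.Empty not supported on purpose)"))`. Behaviourally, CopyKeys used to be a silent no-op for the empty config and now panics, and AddFile is now reached from RenderUserData for every test that lacks NoDisableUpdates, so a conf.Empty() test that forgets either flag crashes the harness rather than failing cleanly; a doc comment on Empty() (outside this hunk) stating that AddFile and CopyKeys reject it would surface this at review time. The `c.script != ""` check also routes a script config with empty content into the panic branch, which may be intended but is not obvious — `// an empty script is indistinguishable from conf.Empty()` on that branch would help.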
diff --git a/platform/platform.go b/platform/platform.go
index b00532551..1a53cc0fc 100644
--- a/platform/platform.go
+++ b/platform/platform.go
@@ -175,6 +175,7 @@ type RuntimeConfig struct {
 NoSSHKeyInUserData bool // don't inject SSH key into Ignition/cloud-config
 NoSSHKeyInMetadata bool // don't add SSH key to platform metadata
 NoEnableSelinux bool // don't enable selinux when starting or rebooting a machine
+ NoDisableUpdates bool // don't disable usage of the public update server
 AllowFailedUnits bool // don't fail CheckMachine if a systemd unit has failed
 SSHRetries int // see SSHRetries field in Options
 SSHTimeout time.Duration // see SSHTimeout field in Options