#!/bin/sh -e . /usr/share/debconf/confmodule set -f # disable pathname expansion db_capb escape # to support carriage return / multi-line values debug() { [ "${_CI_UPGRADE_DEBUG:-0}" = "0" ] && return 0 echo "$@" 1>&2 || : } update_cfg() { # takes filename, header, new object (in yaml), optionally 'remover' # and merges new into existing object in filename, and then updates file # remover a string that means "delete existing entry" python3 -c ' import sys, yaml def update(src, cand): if not (isinstance(src, dict) and isinstance(cand, dict)): return cand for k, v in cand.items(): # if the candidate has _ as value, delete source if v == REMOVER: if k in src: del src[k] continue if k not in src: src[k] = v else: src[k] = update(src[k], v) return src (fname, header, newyaml) = sys.argv[1:4] REMOVER = object if len(sys.argv) == 5: REMOVER = sys.argv[4] newcfg = yaml.load(newyaml) with open(fname, "r") as fp: cfg = yaml.load(fp) if not cfg: cfg = {} cfg = update(cfg, newcfg) with open(fname, "w") as fp: fp.write(header + "\n") fp.write(yaml.dump(cfg))' "$@" } handle_preseed_maas() { local cfg_file="/etc/cloud/cloud.cfg.d/90_dpkg_maas.cfg" local md_url="" creds_all="" c_key="" t_key="" t_sec="" c_sec=""; db_get "cloud-init/maas-metadata-url" && md_url="$RET" || : db_get "cloud-init/maas-metadata-credentials" && creds_all="$RET" || : # nothing to do [ -n "$md_url" -o -n "$creds_all" ] || return 0 # change a url query string format into : delimited if [ -n "$creds_all" -a "${creds_all#*&}" != "${creds_all}" ]; then # the command here ends up looking like: # python3 -c '...' 'oauth_consumer_key=v1&oauth_token_key=v2...' \ # oauth_consumer_key oauth_token_key oauth_token_secret creds_all=$(python3 -c 'from six.moves.urllib.parse import parse_qs; import sys; keys = parse_qs(sys.argv[1]) for k in sys.argv[2:]: sys.stdout.write("%s:" % keys.get(k,[""])[0])' "$creds_all" \ oauth_consumer_key oauth_token_key oauth_token_secret ) fi # now, if non-empty creds_all is: consumer_key:token_key:token_secret if [ -n "$creds_all" ]; then OIFS="$IFS"; IFS=:; set -- $creds_all; IFS="$OIFS" c_key=$1; t_key=$2; t_sec=$3 fi if [ "$md_url" = "_" -a "${c_key}:${t_key}:${t_sec}" = "_:_:_" ]; then # if all these values were '_', the delete value, just delete the file. rm -f "$cfg_file" else local header="# written by cloud-init debian package per preseed entries # cloud-init/{maas-metadata-url,/maas-metadata-credentials}" local pair="" k="" v="" pload="" orig_umask="" for pair in "metadata_url:$md_url" "consumer_key:${c_key}" \ "token_key:${t_key}" "token_secret:$t_sec"; do k=${pair%%:*} v=${pair#${k}:} [ -n "$v" ] && pload="${pload} $k: \"$v\"," done # '_' would indicate "delete", otherwise, existing entries are left orig_umask=$(umask) umask 066 : >> "$cfg_file" && chmod 600 "$cfg_file" update_cfg "$cfg_file" "$header" "datasource: { MAAS: { ${pload%,} } }" _ umask ${orig_umask} fi # now clear the database of the values, as they've been consumed db_unregister "cloud-init/maas-metadata-url" || : db_unregister "cloud-init/maas-metadata-credentials" || : } handle_preseed_local_cloud_config() { local ccfg="" debconf_name="cloud-init/local-cloud-config" local cfg_file="/etc/cloud/cloud.cfg.d/90_dpkg_local_cloud_config.cfg" local header="# written by cloud-init debian package per preseed entry # $debconf_name" db_get "${debconf_name}" && ccfg="$RET" || : if [ "$ccfg" = "_" ]; then rm -f "$cfg_file" elif [ -n "$ccfg" ]; then { echo "$header"; echo "$ccfg"; } > "$cfg_file" fi db_unregister "${debconf_name}" || : } fix_1978422_redact_sensitive_logs_on_invalid_userdata_schema() { local oldver="$1" last_bad_ver="22.2-0ubuntu1~18.04.2" dpkg --compare-versions "$oldver" le "$last_bad_ver" || return 0 MSG="Redacting sensitive logs due to invalid cloud-config user-data from" REMOTE_LOG_MSG="Sensitive logs containing 'Invalid cloud-config provided:' exist in journalctl and any remote log aggregators. Please manually redact such logs as necessary." INVALID_USERDATA_LOG="Invalid cloud-config provided:$" if [ -f /var/log/cloud-init.log ]; then if grep -q "${INVALID_USERDATA_LOG}" /var/log/cloud-init.log; then echo "${MSG} /var/log/cloud-init.log" echo "${REMOTE_LOG_MSG}" # Replace generic warning about invalid user-data sed -i "s/Invalid cloud-config provided:/Invalid cloud-config provided: Please run 'sudo cloud-init schema --system' to see the schema errors./" /var/log/cloud-init.log # Redact any lines until the next DEBUG, WARNING, ERROR or Info log sed -i '/Invalid cloud-config provided:.*/,/DEBUG\|WARNING\|ERROR\|INFO\|Traceback/{/DEBUG\|WARNING\|ERROR\|INFO\|Traceback/b; /.*/d};' /var/log/cloud-init.log fi fi if [ -f /var/log/cloud-init-output.log ]; then if grep -q "${INVALID_USERDATA_LOG}" /var/log/cloud-init-output.log; then echo "${MSG} /var/log/cloud-init-output.log" # Replace generic warning about invalid user-data sed -i "s/Invalid cloud-config provided:/Invalid cloud-config provided: Please run 'sudo cloud-init schema --system' to see the schema errors./" /var/log/cloud-init-output.log # Redact any logs between Invalid cloud-config and 'Generating' or 'Cloud' log lines sed -i '/Invalid cloud-config provided:.*/,/Generating\|Cloud/{/Generating\|Cloud\|WARNING\|ERROR\|INFO\|Traceback/b; /.*/d};' /var/log/cloud-init-output.log fi fi } fix_1336855() { ### Begin fix for LP: 1336855 # fix issue where cloud-init misidentifies the location of grub and # where grub misidentifies the location of the device # if cloud-init's grub module did not run, then it did not break anything. [ -f /var/lib/cloud/instance/sem/config_grub_dpkg ] || return 0 # This bug only happened on /dev/xvda devices [ -b /dev/xvda ] || return 0 # we can't fix the system without /proc/cmdline [ -r /proc/cmdline ] || return 0 # Don't do anything unless we have grub command -v grub-install > /dev/null 2>&1 || return 0 # First, identify the kernel device for the parent. for parm in $(cat /proc/cmdline); do dev=$(echo $parm | awk -F\= '{print$NF}') case $parm in root=UUID*) [ -d /dev/disk/by-uuid ] && root_dev=$(readlink -f /dev/disk/by-uuid/$dev);; root=LABEL*) [ -d /dev/disk/by-label ] && root_dev=$(readlink -f /dev/disk/by-label/$dev);; root=/dev*) [ -d /dev ] && root_dev=$(readlink -f $dev);; esac [ -n "$root_dev" ] && break done # Don't continue if we don't have a root directive [ -z "$root_dev" ] && return 0 # Only deal with simple, cloud-based devices case $root_dev in /dev/vda*|/dev/xvda*|/dev/sda*) ;; *) return 0;; esac # Make sure that we are not chrooted. [ "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" ] && return 0 # Check if we are in a container, i.e. LXC if systemd-detect-virt --quiet --container || lxc-is-container 2>/dev/null; then return 0 fi # Find out where grub thinks the root device is. Only continue if # grub postinst would install/reinstall grub db_get grub-pc/install_devices && grub_cfg_dev=${RET} || return 0 db_get grub-pc/install_devices_empty && grub_dev_empty=${RET} || return 0 # Find out the parent device for the root device. # example output: sda/sda1 block_path=$(udevadm info -q path -n $root_dev | awk '-Fblock/' '{print$NF}') # Extract the parent device name. This works where the device is a block device # example output: /dev/sda parent_dev=$(echo $block_path | awk '-F/' '$1 { if ( $1 ) {print"/dev/"$1}}') [ -b "${parent_dev}" ] || return 0 # Do nothing if the device that the grub postinst would install is already used [ "$grub_cfg_dev" = "$parent_dev" -o "$grub_cfg_dev" = "$root_dev" ] && return 0 # If we get here, do the installation echo "Reconfiguring grub install device due to mismatch (LP: #1336855)" echo " Grub should use $parent_dev but is configured for $grub_cfg_dev" db_set grub-pc/install_devices "$parent_dev" grub-install $parent_dev && echo "Reinstalled grub" || echo "WARNING! Unable to fix grub device mismatch. You may be broken." } cleanup_lp1552999() { local oldver="$1" last_bad_ver="0.7.7~bzr1178" dpkg --compare-versions "$oldver" le "$last_bad_ver" || return 0 local edir="/etc/systemd/system/multi-user.target.wants" rm -f "$edir/cloud-config.service" "$edir/cloud-final.service" \ "$edir/cloud-init-local.service" "$edir/cloud-init.service" } disable_network_config_on_upgrade() { local oldver="$1" last_without_net="0.7.7~bzr1182-0ubuntu1" if [ ! -f /var/lib/cloud/instance/obj.pkl ]; then # this is a fresh system not one that has been booted. return 0 fi if dpkg --compare-versions "$oldver" le "$last_without_net"; then echo "dpkg upgrade from $oldver" > /var/lib/cloud/data/upgraded-network fi } fix_azure_upgrade_1611074() { # adjust /etc/fstab on azure so boot after resize does not mount # /mnt as ntfs and stop re-formatting. local fixed_ver="0.7.8-49-1" dspath="/var/lib/cloud/instance/datasource" local oldver="$1" tmpf="" r="" wmsg="" me="cloud-init postinst" # if not on azure, or not booted with instance/ skip out. if [ ! -e "$dspath" ]; then debug "no $dspath" return 0 fi if ! grep -qi azure "$dspath"; then debug "not on azure per $dspath" return 0 fi # if there is no /etc/fstab, then nothing to fix. if [ ! -e /etc/fstab ]; then debug "no /etc/fstab" return 0 fi if dpkg --compare-versions "$oldver" ge "$fixed_ver"; then debug "previous version was fixed" return 0 fi wmsg="WARN: $me failed." wmsg="$wmsg Subsequent resize may not update ephemeral correctly." tmpf=$(mktemp "${TMPDIR:-/tmp}/cloud-init-upgrade.XXXXXX") || { echo "$wmsg (mktemp failed with $?)" 1>&2 return 0; } awk '{ if ($4 !~ /x-systemd.requires/ && $4 ~ /comment=cloudconfig/) { sub(/comment=cloudconfig/, "x-systemd.requires=cloud-init.service,comment=cloudconfig") } printf("%s\n", $0)}' /etc/fstab > "$tmpf" || { echo "$wmsg (awk reading of /etc/fstab failed with $?)" 1>&2 rm -f "$tmpf" return 0; } if cmp /etc/fstab "$tmpf" >/dev/null 2>&1; then debug "no changes needed." else cat "$tmpf" > /etc/fstab || { r=$? echo "$wmsg (cp $tmpf /etc/fstab failed with $r)" echo ==== expected to write the following to /etc/fstab ===== cat "$tmpf" echo ======================================================== return $r } 1>&2 echo "$me fixed /etc/fstab for x-systemd.requires" 1>&2 fi rm "$tmpf" || : } cleanup_ureadahead() { local oldver="$1" last_bad_ver="0.7.9-243-ge74d775-0ubuntu2~" dpkg --compare-versions "$oldver" le "$last_bad_ver" || return 0 dpkg-divert --package cloud-init --remove --rename --divert \ /etc/init/ureadahead.conf.disabled /etc/init/ureadahead.conf } fix_lp1889555() { local oldver="$1" last_bad_ver="20.2-45-g5f7825e2-0ubuntu1~18.04.1" dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0 # if cloud-init's grub module did not run, then it did not break anything. [ -f /var/lib/cloud/instance/sem/config_grub_dpkg ] || return 0 # Don't do anything unless we have grub command -v grub-install > /dev/null || return 0 # Make sure that we are not chrooted. [ "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" ] && return 0 # Check if we are in a container, i.e. LXC if systemd-detect-virt --quiet --container || lxc-is-container 2>/dev/null; then return 0 fi # This bug only applies to NVMe devices [ -e /dev/nvme0 ] || return 0 db_get grub-pc/install_devices && grub_cfg_dev=${RET} || return 0 # If the current setting is not the (potentially-incorrect) default we # expect, this implies user intervention so leave things alone [ "$grub_cfg_dev" = "/dev/sda" ] || return 0 correct_idev="$(python3 -c "import logging; from cloudinit.config.cc_grub_dpkg import fetch_idevs; print(fetch_idevs(logging.getLogger()))")" || return 0 # If correct_idev is the empty string, we failed to determine the correct # install device; do nothing [ -z "$correct_idev" ] && return 0 # If the correct_idev is already configured, do nothing [ "$grub_cfg_dev" = "$correct_idev" ] && return 0 echo "Reconfiguring grub install device due to mismatch (LP: #1889555)" echo " grub should use $correct_idev but is configured for $grub_cfg_dev" db_set grub-pc/install_devices "$correct_idev" db_set grub-pc/install_devices_empty "false" } change_cloud_init_output_log_permissions() { # As a consequence of LP: #1918303 local oldver="$1" last_bad_ver="20.4.1-0ubuntu1~18.04.1" dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0 output_file="/var/log/cloud-init-output.log" if [ -f "$output_file" ]; then if getent group adm > /dev/null; then chown root:adm $output_file else chown root $output_file fi chmod 640 $output_file fi } fix_lp2013967() { # Ensure sensitive user data and vendor data gets redacted from instance-data.json local oldver="$1" last_bad_ver="23.1.1-0ubuntu0~18.04.1" dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0 if ! python3 -c ' import json import os from pathlib import Path from cloudinit.atomic_helper import write_json from cloudinit.sources import ( DataSource, process_instance_metadata, redact_sensitive_keys, ) from cloudinit.sources.DataSourceLXD import DataSourceLXD from cloudinit.sources.DataSourceVultr import DataSourceVultr from cloudinit.stages import Init init = Init() log_file = init.cfg["def_log_file"] if os.path.exists(log_file): os.chmod(log_file, 0o640) rundir = init.paths.run_dir instance_data_path = Path(rundir, "instance-data.json") instance_json = json.load(instance_data_path.open(encoding="utf-8")) if Path(rundir, "cloud-id-lxd").exists(): sensitive_keys = DataSourceLXD.sensitive_metadata_keys elif Path(rundir, "cloud-id-vultr").exists(): sensitive_keys = DataSourceVultr.sensitive_metadata_keys else: sensitive_keys = DataSource.sensitive_metadata_keys processed_json = process_instance_metadata( instance_json, sensitive_keys=sensitive_keys ) redacted_json = redact_sensitive_keys(processed_json) write_json(str(instance_data_path), redacted_json)' >/dev/null 2>&1; then # instance-data.json will get regenerated on boot. Try to remove it for now and signal reboot required. rm -f /run/cloud-init/instance-data.json [ -x /usr/share/update-notifier/notify-reboot-required ] && \ /usr/share/update-notifier/notify-reboot-required || true fi } if [ "$1" = "configure" ]; then if db_get cloud-init/datasources; then values="$RET" if [ "${values#*MaaS}" != "${values}" ]; then # if db had old MAAS spelling, fix it. values=$(echo "$values" | sed 's,MaaS,MAAS,g') db_set cloud-init/datasources "$values" fi cat > /etc/cloud/cloud.cfg.d/90_dpkg.cfg <<EOF # to update this file, run dpkg-reconfigure cloud-init datasource_list: [ $values ] EOF fi # if there are maas settings pre-seeded apply them handle_preseed_maas # if there is generic cloud-config preseed, apply them handle_preseed_local_cloud_config # fix issue where cloud-init misidentifies the location of grub fix_1336855 # make upgrades disable network changes by cloud-init disable_network_config_on_upgrade "$2" fix_azure_upgrade_1611074 "$2" cleanup_ureadahead "$2" fix_lp1889555 "$2" change_cloud_init_output_log_permissions "$2" # Redact schema sensitive warning logs on invalid user-data fix_1978422_redact_sensitive_logs_on_invalid_userdata_schema "$2" fix_lp2013967 "$2" fi # Automatically added by dh_python3: if which py3compile >/dev/null 2>&1; then py3compile -p cloud-init fi # End automatically added section # Automatically added by dh_systemd_enable/11.1.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'cloud-config.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'cloud-config.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'cloud-config.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'cloud-config.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/11.1.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'cloud-final.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'cloud-final.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'cloud-final.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'cloud-final.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/11.1.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'cloud-init-hotplugd.socket' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'cloud-init-hotplugd.socket'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'cloud-init-hotplugd.socket' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'cloud-init-hotplugd.socket' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/11.1.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'cloud-init-local.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'cloud-init-local.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'cloud-init-local.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'cloud-init-local.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/11.1.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'cloud-init.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'cloud-init.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'cloud-init.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'cloud-init.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-config.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-final.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-init-blocknet.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-init-container.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-init-local.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-init-nonet.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-init.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section # Automatically added by dh_installdeb/11.1.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/cloud-log-shutdown.conf 0.7.9-243-ge74d775-0ubuntu2~ -- "$@" # End automatically added section if [ "$1" = "configure" ]; then oldver="$2" cleanup_lp1552999 "$oldver" fi