o w7e @sddlZddlZddlZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZddlmmmZddlmZddlmZddlmZmZmZmZmZmZmZddlmZmZddl m!Z!dd l"m#Z#dd l$m%Z%m&Z&m'Z'm(Z(m)Z)dd l*m+Z+dd l,m-Z-d Z.dgdgddgddgddgdgdggdgddgddgd Z/e0e1Z2e3dZ4gdZ5ej6ej7d Z8Gd!d"d"ej9ej:d#Z;d$ed$eZ>d?d@Z?dde@fdAdBZAe&j'ddCdDZBe&j'dEdFZCdGdHZDdIdJZEe&j'ddKdLZFe&j'dMdNZGe&j'dOdPZHdQdRZIdSdTZJe6dUdVZKdWdXZLdYdZZMe*d[d\ZNd]d^ZOd_d`ZPdadbZQdcddZRdedfZSdgdhZTdidjZUdkdlZVddmdnZWdoeXdpe@fdqdrZYdsdtZZddudvZ[ddxdyZ\ddzd{Z]dd|d}Z^d~dZ_e`dddZae`d dded edefddZbdedededefddZcdefddZdddeXdedefddZee6dedededededeXf ddZfd S)Distroz python3-pipz/usr/libz /etc/hostsz/etc/doas.confz"/etc/sudoers.d/90-cloud-init-usersz /etc/hostnamez/usr/share/zoneinfoz root:rootservicerenderer_configsNnetworking_clsz-Hz-Pz-r)haltpoweroffrebootFz/etc/resolv.confosfamilycCs:||_||_||_||_tjtjtjg|_ t j |_ dSN) _paths_cfgnamerC networkingr IscDhclientDhcpcdUdhcpcdhcp_client_priorityiproute2Iproute2net_ops)selfrLcfgpathsrXNo network activator found, not bringing up network interfacesTz3Not bringing up newly configured network interfacesF) rvrarrrxrqrrrnrbring_up_all_interfaces)rUrrrurrnrXrXrYapply_network_config s*        zDistro.apply_network_configcCr_rIr`)rUlocaleout_fnrXrXrY apply_locale2rdzDistro.apply_localecCr_rIr`)rUrrXrXrY set_timezone6rdzDistro.set_timezonecCsdS)Nz 127.0.0.1rXrrXrXrY_get_localhost_ip:szDistro._get_localhost_ipcCr_rIr`rrXrXrY get_locale=szDistro.get_localecCr_rIr`)rUfilenamerrXrXrY_read_hostname@rdzDistro._read_hostnamecCr_rIr`)rUrrrXrXrYrDrdzDistro._write_hostnamecCr_rIr`rrXrXrY_read_system_hostnameHrdzDistro._read_system_hostnamecCsFtd|z td|gWdStjy"ttd|YdSw)Nz2Non-persistently setting the system hostname to %srz;Failed to non-persistently adjust the system hostname to %s)rqrrr ProcessExecutionErrorrlogexc)rUrrXrXrYrLs zDistro._apply_hostnamecCs&t|jd|jr |r |S|s|S|S)Nprefer_fqdn_over_hostname)rget_cfg_option_boolrK prefer_fqdn)rUrrrXrXrYr]s zDistro._select_hostnamecCs6g}|D]}|tvrtd||t|q|S)Nz&No distributions found for osfamily {}) OSFAMILIES ValueErrorformatextend) family_listdistrosfamilyrXrXrYexpand_osfamilykszDistro.expand_osfamilyc Cs|}|||}|rtj|r||}nd}|\}}g}|r&||kr+|||r5||kr:||kr:|||rK|rK||krKtd||dSt dd|D}t d|t ||D]} z| || Wq_t yzttd|| Yq_w||vr||dSdS)Nz6%s differs from %s, assuming user maintained hostname.cSsg|]}|r|qSrXrX).0frXrXrY z*Distro.update_hostname..z/Attempting to update hostname to %s in %s filesz!Failed to write hostname %s to %s)rrzr{existsrrappendrqinfosetrrlenrrrrr) rUrrprev_hostname_fnapplying_hostname prev_hostnamesys_fn sys_hostname update_filesfnrXrXrYupdate_hostnamevsH       zDistro.update_hostnamec Cszd}tj|jrtt|j}n td}tjdd}| }| |}d}|s5| |||d}ndd}|D]*}d} g} t |dkrI|d} t |dkrU|dd} | durc| |krc|| vrcd}q9|rt |} | ||g||| D] }t |dkr| ||dqxt |dkr|j |g|Rqx|rt} |r| d || d |tj|j| d d dSdS) NaddedbaseFTrGrz%s imode)rzr{rhosts_fnr HostsConfr load_file make_headerr get_entry add_entryrlistr del_entriesrwrite write_filegetvalue) rUrrrehlocal_ip prev_info need_changeentry entry_fqdn entry_aliases new_entriesrrXrXrYupdate_etc_hostssP         zDistro.update_etc_hostscCs|jstt|_|jS)z7Allow distro to determine the preferred ntp client list)_preferred_ntp_clientsrPREFERRED_NTP_CLIENTSrrXrXrYpreferred_ntp_clientss zDistro.preferred_ntp_clientscCst)rer`)rU device_namerXrXrY_bring_up_interfaceszDistro._bring_up_interfacecCs0d}|D] }||s|d7}q|dkrdSdS)rerrGTF)r)rU device_names am_faileddrXrXrYrs zDistro._bring_up_interfacescCs |dS)N default_user)rrrXrXrYget_default_users zDistro.get_default_userc Ksvt|r td|dSd|vr|d}nd}d|g}d|g}tr/|d|dddd d d d d dddd }dddd}dg}|d} | rt| t rV| d} t| t rgtj d|dddddd| D} d | |d<|d } | r| | |r| r| D]} t| s|| td!| |qd"|vrt |d"|d"<t|D]D\} } | |vr| rt| t r||| | g| |vr||| d#gq||| | gq| |vr| r||| ||| q|d$s|d%r |d&|d&n |d'|d'td(|z tj||d)WdSty:}z ttd*||d}~ww)+z Add a user to the system using standard GNU tools This should be overriden on distros where useradd is not desirable or not available. z!User %s already exists, skipping.N create_groupsTuseradd --extrausersz --commentz--homez--gidz--uidz--groupsz --passwordz--shellz --expiredatez --inactivez--selinux-user) gecoshomedir primary_groupuidgroupspasswdshell expiredateinactive selinux_userz--no-user-groupz--systemz --no-log-init) no_user_groupsystem no_log_initr r ,z The user z) has a 'groups' config value of type dict22.3z=Use a comma-delimited string or array instead: group1,group2. deprecateddeprecated_version extra_messagecSsg|]}|qSrXstrip)rgrXrXrYr=rz#Distro.add_user..r z created group '%s' for user '%s'r REDACTEDno_create_homerz-Mz-mzAdding user %s logstringzFailed to create user %s)ris_userrqrpopsystem_is_snappyrrs isinstancer~splitdict deprecater|is_group create_grouprrkeyssorteditemsrr Exceptionr)rUrLkwargsr useradd_cmdlog_useradd_cmd useradd_opts useradd_flags redact_optsr r groupkeyvalerXrXrYadd_users                     zDistro.add_userc Ks|d}|dd}gd}|r|d||td|ztj||dd\}}td ||t|}|d d } W| StyU} z ttd || d } ~ ww) zD Add a snappy user to the system using snappy tools snapuserknownF)snapz create-userz--sudoerz--jsonz--knownzAdding snap user %sT)r!capturez snap create-user returned: %s:%susernameNzFailed to create snap user %s) rsrrqrrr r load_jsonr.r) rUrLr/r:r;create_user_cmdouterrjobjr>r8rXrXrY add_snap_useros(       zDistro.add_snap_usercKsd|vr |j|fi|S|j|fi|d|vr&|dr&|||dd|vr8|dr8|j||ddd|ddrC||d|vrS|drS|||dd|vrv|drd|||dn|dd urvtjd |d d d dd|vr|d}t |t r|g}n t |t rt | }|durt |tt tfstdt|g}nt|pg}tt||d|vr|dg}|std||ddS|d}tj}|d|}|d|}tjt|||ddS)a Creates or partially updates the ``name`` user in the system. This defers the actual user creation to ``self.add_user`` or ``self.add_snap_user``, and most of the keys in ``kwargs`` will be processed there if and only if the user does not already exist. Once the existence of the ``name`` user has been ensured, this method then processes these keys (for both just-created and pre-existing users): * ``plain_text_passwd`` * ``hashed_passwd`` * ``lock_passwd`` * ``doas`` * ``sudo`` * ``ssh_authorized_keys`` * ``ssh_redirect_user`` r:plain_text_passwd hashed_passwdT)hashed lock_passwddoassudoFzThe value of 'false' in user z's 'sudo' configrzUse 'null' instead.rssh_authorized_keysNzZInvalid type '%s' detected for 'ssh_authorized_keys', expected list, string, dict, or set.ssh_redirect_usercloud_public_ssh_keysz^Unable to disable SSH logins for %s given ssh_redirect_user: %s. No cloud public-keys present.z$USERz $DISABLE_USER)options)rDr9 set_passwdrsrHwrite_doas_ruleswrite_sudo_rulesrr(r%r~r'rvaluestuplerrqrtyper setup_user_keysDISABLE_USER_OPTSreplace)rUrLr/r+ cloud_keys redirect_userdisable_optionrXrXrY create_usersj            zDistro.create_userc Csdd|gdd|gf}z tdd|D}Wnty/}ztd|dd |Df|d }~wwzt|Wd StyM}z ttd ||d }~ww) zL Lock the password of a user, i.e., disable password logins r z-lusermodz--lockcss"|] }t|dr|VqdS)rN)r which)rtoolrXrXrY  z%Distro.lock_passwd..zBUnable to lock user account '%s'. No tools available. Tried: %s.cSsg|]}|dqS)rrXrcrXrXrYrrz&Distro.lock_passwd..Nz&Failed to disable password for user %s)next StopIteration RuntimeErrorr r.rrrq)rUrL lock_toolscmdr8rXrXrYrHs(zDistro.lock_passwdc CsBz tdd|gWdSty }z ttd||d}~ww)Nr z--expirezFailed to set 'expire' for %s)r r.rrrq)rUuserr8rXrXrY expire_passwdszDistro.expire_passwdc Csfd||f}dg}|r|dz tj||d|dWdSty2}z ttd||d}~ww)Nz%s:%schpasswd-ezchpasswd for %sr zFailed to set password for %sT)rr r.rrrq)rUrhr rG pass_stringrgr8rXrXrYrOs  zDistro.set_passwdplist_inrGcCs<ddd|Dd}dg|rdgng}t||dS)Nrcss"|] \}}d||gVqdS):Nr|)rrLpasswordrXrXrYr_r`z"Distro.chpasswd..rjrk)r|r )rUrmrGpayloadrgrXrXrYrjs zDistro.chpasswdcCstd}td||t||}|r3td|d|d|kr(tddStd|ddStd dS) Nz^(?:permit|deny)(?:\s+(?:nolog|nopass|persist|keepenv|setenv \{[^}]+\})+)*\s+([a-zA-Z0-9_]+)+(?:\s+as\s+[a-zA-Z0-9_]+)*(?:\s+cmd\s+[^\s]+(?:\s+args\s+[^\s]+(?:\s*[^\s]+)*)*)*\s*$z3Checking if user '%s' is referenced in doas rule %rz!User '%s' referenced in doas rulerGz'Correct user is referenced in doas ruleTz.Incorrect user '%s' is referenced in doas ruleFz/doas rule does not appear to reference any user)rqrrresearchr5)rUrhrule rule_pattern valid_matchrXrXrYis_doas_rule_valid!s(     zDistro.is_doas_rule_validc Cs"|s|j}|D]}|||sd||f}t|dSqdd|g}|D] }|d|q&d|}|d7}tj|sit |g}zt j |d|ddWdSt yh} z t td|| d} ~ ww|t |vrz t ||WdSt y} z t td || d} ~ wwdS) NzHInvalid doas rule %r for user '%s', not writing any doas rules for user!rz# cloud-init User rules for %s%sr rzFailed to write doas file %sz Failed to append to doas file %s)doas_fnrwrqerrorrr|rzr{rrrrrrr append_file) rUrhrules doas_filertmsglinescontentrr8rXrXrYrPAsH      zDistro.write_doas_rules /etc/sudoersc Cs6d}d}tj|rt|}d}d}|D]'}|}td|}|s&q| d}|s0qtj |}||kr>d}nq|sz<|s^ddtj ddd |dg} d | }t ||d ndtj ddd |dg} d | }t||td ||Wnty} z ttd || d} ~ wwt|ddS)NrFTz^[#|@]includedir\s+(.*)$rGz?# See sudoers(5) for more information on "#include" directives:rrz#includedir %srryzAdded '#includedir %s' to %szFailed to write %si)rzr{rrr splitlinesrrrrsr5abspathrr|rr|rqrrrr ensure_dir) rUr{ sudo_basesudoers_contents base_exists found_includeline include_match included_dirrr8rXrXrYensure_sudo_diresX          zDistro.ensure_sudo_dirc CsH|s|j}dd|g}t|ttfr!|D] }|d||fqnt|tr0|d||fn d}t|t|d |}|d7}| t j |t j |s|t|g}z t|d |dWdSty{} z ttd|| d} ~ ww|t|vrz t||WdSty} z ttd|| d} ~ wwdS) Nrz# User rules for %sz%s %sz1Can not create sudoers rule addition with type %rrryzFailed to write sudoers file %sz#Failed to append to sudoers file %s) ci_sudoers_fnr%rrSrr~ TypeErrorrobj_namer|rrzr{dirnamerrrrrrrqrr|) rUrhr} sudo_filerrtrrrr8rXrXrYrQsL   zDistro.write_sudo_rulescCsd|g}tr |d|sg}t|rtd|nz t|td|Wnty:t td|Ynwt |dkrd|D]"}t |sRtd||qCtdd d ||gtd ||qCdSdS) Ngroupaddrz(Skipping creation of existing group '%s'zCreated new group %szFailed to create group %srzCUnable to add group member '%s' to group '%s'; user does not exist.r\z-az-GzAdded user '%s' to group '%s') rr$rr)rqrr rr.rrr")rUrLmembers group_add_cmdmemberrXrXrYr*s4      zDistro.create_groupc Csld|j|g}z |dkrdt|}Wnty'}ztd|f|d}~ww||g}|r4|||S)Nshutdownnowz+%dz?power_state[delay] must be 'now' or '+m' (minutes). found '%s'.)shutdown_options_mapintrrr)rUrdelaymessagerr8rrXrXrYshutdown_commands&   zDistro.shutdown_commandcCs2|j}|s d|vr|dg}tj|d|dSdS)zX Reload systemd startup daemon. May raise ProcessExecutionError systemctlz daemon-reloadTr=rcsN)init_cmdrr )clsrrrgrXrXrY reload_inits zDistro.reload_init)raction extra_argsc Gs|j}|s d|vr*dg}d|gd|gd|gd|gd|gd|gd|gd |gd }n|dg|dg|dg|dg|dg|dg|dg|d gd }t|t||}tj|d |d S) z Perform the requested action on a service. This handles the common 'systemctl' and 'service' cases and may be overridden in subclasses as necessary. May raise ProcessExecutionError rstopstartenabledisablerestartzreload-or-restartzreload-or-try-restartstatus)rrrrrreloadz try-reloadrTr)rrrr )rrrArrrcmdsrgrXrXrYmanage_services.   zDistro.manage_servicelayoutmodelvariantrNcCs(|rtdd||||gdSt)N localectlzset-x11-keymap)rr ra)rUrrrrNrXrXrY set_keymaps zDistro.set_keymapcCs.tjdd}t|ds|Stj|jddS)NT) needs_exenoexecz cloud-initclouddir)rget_tmp_ancestorr has_mount_optrzr{r| usr_lib_exec)rUtmp_dirrXrXrYget_tmp_exec_path.s  zDistro.get_tmp_exec_pathrrrhcwdc Ks>|rd|dnd}tjdd|d|dd|gfi|S) a` Perform a command as the requested user. Behaves like subp() Note: We pass `PATH` to the user env by using `env`. This could be probably simplified after bionic EOL by using `su --whitelist-environment=PATH ...`, more info on: https://lore.kernel.org/all/20180815110445.4qefy5zx5gfgbqly@ws.net.home/T/ zcd z && rsur?z-czenv PATH=$PATH  )r r|)rUrrhrr/ directoryrXrXrYdo_as4s z Distro.do_asr{ lease_filepid_file interface config_filec Cs,|ddd|d|ddg |rd||gS|gS)Nz-1z-vz-lfz-pfz-sfz /bin/truez-cfrX)r{rrrrrXrXrYbuild_dhclient_cmdIs   zDistro.build_dhclient_cmdrI)NN)T)F)r)r)g__name__ __module__ __qualname__pip_package_namerrrzrrr} default_ownerrrBrr~rr__annotations__rrrCrrrrRrSrT_ci_pkl_versionrresolve_conf_fnrrNrOrPrQrZrr^abcabstractmethodrcrgpropertyrrNetworkActivatorrnrrvrxrrrr staticmethodrrrrrrrrrboolrrrrrrrrrrrrrrrrrr9rDr[rHrirOrrjrwrPrrQr*r classmethodrrrrrrrXrXrXrYr@]s                %       A+  ta  $ 1 )    $r@) metaclassurltransformationscCsztj|}Wn tyYdSw|j}|durdS|D]}||}|dur,|Sq|}|jdur;d||j}tj|j|dS)a Apply transformations to a URL's hostname, return transformed URL. This is a separate function because unwrapping and rewrapping only the hostname portion of a URL is complex. :param url: The URL to operate on. :param transformations: A list of ``(str) -> Optional[str]`` functions, which will be applied in order to the hostname portion of the URL. If any function (regardless of ordering) returns None, ``url`` will be returned without any modification. :return: A string whose value is ``url`` with the hostname ``transformations`` applied, or ``None`` if ``url`` is unparseable. Nz{}:{})netloc) urllibparseurlsplitrrportr urlunsplit_replace)rrparts new_hostnametransformation new_netlocrXrXrY&_apply_hostname_transformations_to_url^s"  rcs2tdddddfddddg}t||S)aH Given a mirror URL, replace or remove any invalid URI characters. This performs the following actions on the URL's hostname: * Checks if it is an IP address, returning the URL immediately if it is * Converts it to its IDN form (see below for details) * Replaces any non-Letters/Digits/Hyphen (LDH) characters in it with hyphens * Removes any leading/trailing hyphens from each domain name label Before we replace any invalid domain name characters, we first need to ensure that any valid non-ASCII characters in the hostname will not be replaced, by ensuring the hostname is in its Internationalized domain name (IDN) representation (see RFC 5890). This conversion has to be applied to the whole hostname (rather than just the substitution variables), because the Punycode algorithm used by IDNA transcodes each part of the hostname as a whole string (rather than encoding individual characters). It cannot be applied to the whole URL, because (a) the Punycode algorithm expects to operate on domain names so doesn't output a valid URL, and (b) non-ASCII characters in non-hostname parts of the URL aren't encoded via Punycode. To put this in RFC 5890's terminology: before we remove or replace any characters from our domain name (which we do to ensure that each label is a valid LDH Label), we first ensure each label is in its A-label form. (Note that Python's builtin idna encoding is actually IDNA2003, not IDNA2008. This changes the specifics of how some characters are encoded to ASCII, but doesn't affect the logic here.) :param url: The URL to operate on. :return: A sanitized version of the URL, which will have been IDNA encoded if necessary, or ``None`` if the generated string is not a parseable URL. .cSst|rdS|SrI)r is_ip_addressrrXrXrYsz&_sanitize_mirror_url..cSs|ddS)Nidnaascii)encodedecoderrXrXrYrscsdfdd|DS)Nrc3s |] }|vr |ndVqdSr?NrXraacceptable_charsrXrYr_s 9_sanitize_mirror_url....rorrrXrYrscSsddd|dDS)Nrcss|]}|dVqdSrr)rpartrXrXrYr_s  r)r|r&rrXrXrYrs )LDH_ASCII_CHARSr)rrrXrrY_sanitize_mirror_urls&  rc Cs"|si}i}|r1|jr1|j|d<t|jr1|jdd}tr&d||d<n |jdkr1d||d<|r;|jr;|j|d<i}|diD]\}}|||<qE|d iD]2\}}g} |D]} z| |}Wn tyoYq^wt |}|dur}| |q^|| } | r| ||<qVt d ||S) Navailability_zonerrx ec2_regionec2regionfailsaferszfiltered distro mirror info: %s) r _EC2_AZ_REmatchr platform_typerrsr-KeyErrorrrrqrr) rr mirror_filtersubstrresultsrLmirror searchlistmirrorstmplfoundrXrXrYrsD            rcCs8d}|D]}|d}||vr|Sd|vr|}q|S)Narchesr)rs)rrritemrrXrXrYrs rrLr\cCsHt|dtgdg\}}|std||ft|d}t|d}|S)Nrr@z1No distribution found for distro %s (searched %s)r)r find_moduler ImportError import_modulegetattr)rLlocs looked_locsmodrrXrXrYfetchs r /etc/timezone/etc/localtimecCsjt|t|d|r3|r3tj|}|stj|s-|r%t|t ||dSt ||dS)Nr) rrr~rstriprzr{islinkrdel_filesymlinkcopy)rrtz_conftz_localrrXrXrYset_etc_timezones    rcCs.z td}t|jWStyYdSw)Nz/run/systemd/systemF)rzlstatstatS_ISDIRst_moder.)resrXrXrYr s   r)Nrr)Frrzrrrstring urllib.parseriortypingrrrrrcloudinit.net.netops.iproute2r netopsrR cloudinitrr loggingr r r rrrcloudinit.distros.networkingrrcloudinit.distros.parsersrcloudinit.featuresr cloudinit.netrrrrrcloudinit.net.network_statercloudinit.net.rendererr ALL_DISTROSr getLoggerrrqcompilerr ascii_lettersdigitsrCloudInitPickleMixinABCMetar@r~rrrsearch_for_mirrorrrrrrrXrXrXrYsj    $      $  +< 3