cloud-init icon indicating copy to clipboard operation
cloud-init copied to clipboard
verified publisher icon canonical

Add support for Aeza.net hosting provider

Open cofob opened this issue 1 year ago • 3 comments

Proposed Commit Message

Add support for Aeza.net hosting provider

Added a DataSource for the Aeza.net hosting provider, enabling
metadata and user data retrieval and instance provisioning via
cloud-init.

Additional Context

Test urls:

Test Steps

At the moment cloud-init support in our service is in draft state. We have tested the functionality of these changes.

Checklist

Merge type

  • [x] Squash merge using "Proposed Commit Message"
  • [ ] Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

cofob avatar May 17 '24 17:05 cofob

Also a general security question here. Given that user-data and vendor-data likely contains potentially sensitive information and Aeza.net's instance metadata endpoint is providing content over http that appears to be accessible to anyone with the URL http://77.221.156.49/v1/cloudinit/3c0fff62-b1db-4165-a2b2-f819c5ddf83f/meta-data and UUIDs can be guessable, what sort of authentication layer do you have planned to avoid potential exposure of sensitive information to unwanted parties?

blackboxsw avatar Jun 05 '24 22:06 blackboxsw

Also a general security question here. Given that user-data and vendor-data likely contains potentially sensitive information and Aeza.net's instance metadata endpoint is providing content over http that appears to be accessible to anyone with the URL http://77.221.156.49/v1/cloudinit/3c0fff62-b1db-4165-a2b2-f819c5ddf83f/meta-data and UUIDs can be guessable, what sort of authentication layer do you have planned to avoid potential exposure of sensitive information to unwanted parties?

The UUID is not guessable, as it always uses UUIDv4, in which 122 bits are random and using system-level random source. I believe that this is a sufficient layer of authorization. And in order to accurately prevent cloud-init metadata information retrieval the service will be limited through rate-limit requests per second.

cofob avatar Jun 19 '24 15:06 cofob

@blackboxsw can you please take a look?

cofob avatar Jun 27 '24 21:06 cofob

@TheRealFalcon can you please take a look?

cofob avatar Jul 12 '24 00:07 cofob

Hi @cofob, I don't see that your github username has signed the cloud-init's Contributor License Agreement. So that I can enable CI on this PR and move toward merging this PR, would you mind reviewing and signing our CLA so that we may include this work in upstream cloud-init?

blackboxsw avatar Jul 12 '24 19:07 blackboxsw

Hi @cofob, I don't see that your github username has signed the cloud-init's Contributor License Agreement. So that I can enable CI on this PR and move toward merging this PR, would you mind reviewing and signing our CLA so that we may include this work in upstream cloud-init?

I signed the CLA

cofob avatar Jul 25 '24 14:07 cofob

@blackboxsw I have made the changes according to your comments.

cofob avatar Jul 25 '24 14:07 cofob

@blackboxsw can you review my changes please?

cofob avatar Aug 14 '24 20:08 cofob

@cofob if the proposed changes work for you, I think the final thing we'd need (once we agree on the approach for how to address util.read_seeded) would be to have you test this version of cloud-init in your environment and paste the following:

  • captured output of sudo DI_LOG=stderr /usr/lib/cloud-init/ds-identify --force on a working system to ensure ds-identify is working well.
  • Captured /var/log/cloud-init.log after running sudo cloud-init init --local and sudo cloud-init init
  • Captured output of sudo cloud-init query --all

blackboxsw avatar Aug 16 '24 01:08 blackboxsw

Ping @cofob. I think this PR needs a git rebase upstream/main to ensure it has visibility to the incompatible changes in util.read_seeded which surfaces a 4-tuple return value. Let us know how we should proceed with the previous change suggestions.

blackboxsw avatar Aug 30 '24 04:08 blackboxsw

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Oct 05 '24 00:10 github-actions[bot]