From 0365e37c2d2d26d60b270cc3d5eb260de27fd11d Mon Sep 17 00:00:00 2001 From: Max Illfelder Date: Thu, 26 Oct 2017 10:21:39 -0700 Subject: [PATCH 01/11] Activating OS Login should log as informational. (#509) --- google_compute_engine/accounts/oslogin_utils.py | 4 ++-- google_compute_engine/accounts/tests/oslogin_utils_test.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/google_compute_engine/accounts/oslogin_utils.py b/google_compute_engine/accounts/oslogin_utils.py index ccfdbcb4..0fe915aa 100644 --- a/google_compute_engine/accounts/oslogin_utils.py +++ b/google_compute_engine/accounts/oslogin_utils.py @@ -82,9 +82,9 @@ def UpdateOsLogin(self, enable): if enable: action = 'activate' - self.logger.warning('Activating OS Login.') + self.logger.info('Activating OS Login.') else: action = 'deactivate' - self.logger.warning('Deactivating OS Login.') + self.logger.info('Deactivating OS Login.') return self._RunOsLoginControl(action) diff --git a/google_compute_engine/accounts/tests/oslogin_utils_test.py b/google_compute_engine/accounts/tests/oslogin_utils_test.py index 2a2cc4b5..73adbb9d 100644 --- a/google_compute_engine/accounts/tests/oslogin_utils_test.py +++ b/google_compute_engine/accounts/tests/oslogin_utils_test.py @@ -128,7 +128,7 @@ def testUpdateOsLoginActivate(self): oslogin_utils.OsLoginUtils.UpdateOsLogin(self.mock_oslogin, True) expected_calls = [ mock.call.oslogin._GetStatus(), - mock.call.logger.warning(mock.ANY), + mock.call.logger.info(mock.ANY), mock.call.oslogin._RunOsLoginControl('activate'), ] self.assertEqual(mocks.mock_calls, expected_calls) @@ -143,7 +143,7 @@ def testUpdateOsLoginDeactivate(self): oslogin_utils.OsLoginUtils.UpdateOsLogin(self.mock_oslogin, False) expected_calls = [ mock.call.oslogin._GetStatus(), - mock.call.logger.warning(mock.ANY), + mock.call.logger.info(mock.ANY), mock.call.oslogin._RunOsLoginControl('deactivate'), ] self.assertEqual(mocks.mock_calls, expected_calls) 
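Review bot: The two `self.logger.info(...)` calls in `UpdateOsLogin` (oslogin_utils.py hunk) record a switch of the mechanism that decides who may log in to the instance, and at INFO that record is lost wherever the logger or its handler filters at WARNING or above. Whether that applies here depends on the logger setup, which is outside the hunk, so it should be confirmed that INFO records from this logger still reach the system log. A comment above the branch would keep the intent visible: `# Audit-relevant: OS Login state change; must stay visible at the configured log level.` The function begins outside the hunk.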
From 1e2667072e7f72e3f146683eff5d2dc3c9408e34 Mon Sep 17 00:00:00 2001 From: Max Illfelder Date: Fri, 27 Oct 2017 15:10:10 -0700 Subject: [PATCH 02/11] Generate SSH host keys when none are present. (#510) Provide an instance config option for specifying which host key types to generate. --- README.md | 35 ++++++++++--------- .../instance_setup/instance_config.py | 1 + .../instance_setup/instance_setup.py | 13 +++++-- .../tests/instance_setup_test.py | 15 +++++--- 4 files changed, 39 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index fa0805b4..3c3c3ccf 100644 --- a/README.md +++ b/README.md 
@@ -236,30 +236,31 @@ that do not override user configuration during package update. The following are valid user configuration options. -Section | Option | Value ------------------ | -------------------- | ----- -Accounts | deprovision\_remove | `true` makes deprovisioning a user destructive. -Accounts | groups | Comma separated list of groups for newly provisioned users. -Accounts | useradd\_cmd | Command string to create a new user. -Accounts | userdel\_cmd | Command string to delete a user. -Accounts | usermod\_cmd | Command string to modify a user's groups. -Accounts | groupadd\_cmd | Command string to create a new group. -Daemons | accounts\_daemon | `false` disables the accounts daemon. +Section | Option | Value +----------------- | ---------------------- | ----- +Accounts | deprovision\_remove | `true` makes deprovisioning a user destructive. +Accounts | groups | Comma separated list of groups for newly provisioned users. +Accounts | useradd\_cmd | Command string to create a new user. +Accounts | userdel\_cmd | Command string to delete a user. +Accounts | usermod\_cmd | Command string to modify a user's groups. +Accounts | groupadd\_cmd | Command string to create a new group. +Daemons | accounts\_daemon | `false` disables the accounts daemon. Daemons | clock\_skew\_daemon | `false` disables the clock skew daemon. Daemons | ip\_forwarding\_daemon | `false` disables the IP forwarding daemon. +InstanceSetup | host\_key\_types | Comma separated list of host key types to generate. InstanceSetup | optimize\_local\_ssd | `false` prevents optimizing for local SSD. -InstanceSetup | network\_enabled | `false` skips instance setup functions that require metadata. +InstanceSetup | network\_enabled | `false` skips instance setup functions that require metadata. InstanceSetup | set\_boto\_config | `false` skips setting up a `boto` config. InstanceSetup | set\_host\_keys | `false` skips generating host keys on first boot. 
-InstanceSetup | set\_multiqueue | `false` skips multiqueue driver support. +InstanceSetup | set\_multiqueue | `false` skips multiqueue driver support. IpForwarding | ethernet\_proto\_id | Protocol ID string for daemon added routes. -IpForwarding | ip\_aliases | `false` disables setting up alias IP routes. +IpForwarding | ip\_aliases | `false` disables setting up alias IP routes. IpForwarding | target\_instance\_ips | `false` disables internal IP address load balancing. -MetadataScripts | run\_dir | String base directory where metadata scripts are executed. -MetadataScripts | startup | `false` disables startup script execution. -MetadataScripts | shutdown | `false` disables shutdown script execution. -NetworkInterfaces | dhcp\_command | String to execute to enable network interfaces. -NetworkInterfaces | setup | `false` disables network interface setup. +MetadataScripts | run\_dir | String base directory where metadata scripts are executed. +MetadataScripts | startup | `false` disables startup script execution. +MetadataScripts | shutdown | `false` disables shutdown script execution. +NetworkInterfaces | dhcp\_command | String to execute to enable network interfaces. +NetworkInterfaces | setup | `false` disables network interface setup. Setting `network_enabled` to `false` will skip setting up host keys and the `boto` config in the guest. The setting may also prevent startup and shutdown diff --git a/google_compute_engine/instance_setup/instance_config.py b/google_compute_engine/instance_setup/instance_config.py index 56c1109c..98271371 100644 --- a/google_compute_engine/instance_setup/instance_config.py +++ b/google_compute_engine/instance_setup/instance_config.py @@ -72,6 +72,7 @@ class InstanceConfig(config_manager.ConfigManager): 'instance_id': '0', }, 'InstanceSetup': { + 'host_key_types': 'ecdsa,ed25519,rsa', 'optimize_local_ssd': 'true', 'network_enabled': 'true', 'set_boto_config': 'true', 
diff --git a/google_compute_engine/instance_setup/instance_setup.py b/google_compute_engine/instance_setup/instance_setup.py index 2c6e3d4d..e4791c42 100755 --- a/google_compute_engine/instance_setup/instance_setup.py +++ b/google_compute_engine/instance_setup/instance_setup.py @@ -55,7 +55,9 @@ def __init__(self, debug=False): self.instance_config = instance_config.InstanceConfig( logger=self.logger, instance_config_metadata=instance_config_metadata) if self.instance_config.GetOptionBool('InstanceSetup', 'set_host_keys'): - self._SetSshHostKeys() + host_key_types = self.instance_config.GetOptionString( + 'InstanceSetup', 'host_key_types') + self._SetSshHostKeys(host_key_types=host_key_types) if self.instance_config.GetOptionBool('InstanceSetup', 'set_boto_config'): self._SetupBotoConfig() if self.instance_config.GetOptionBool( @@ -155,13 +157,16 @@ def _StartSshd(self): subprocess.call(['service', 'sshd', 'start']) subprocess.call(['service', 'sshd', 'reload']) - def _SetSshHostKeys(self): + def _SetSshHostKeys(self, host_key_types=None): """Regenerates SSH host keys when the VM is restarted with a new IP address. Booting a VM from an image with a known SSH key allows a number of attacks. This function will regenerating the host key whenever the IP address changes. This applies the first time the instance is booted, and each time the disk is used to boot a new instance. + + Args: + host_key_types: string, a comma separated list of host key types. """ section = 'Instance' instance_id = self._GetInstanceId() 
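Review bot: The docstring of `_SetSshHostKeys` still describes only the regeneration of existing keys, and the new `Args:` entry does not say what the listed types are used for. Going by the later hunk in this file, a key is generated for every listed type even when no matching file exists in `/etc/ssh`, and the default `host_key_types=None` adds nothing beyond the key files already present. I would extend the entry to say so, e.g. `host_key_types: string, a comma separated list of host key types to generate even when no key file of that type exists; None or empty adds none.` The function body continues outside this hunk.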
@@ -171,7 +176,9 @@ def _SetSshHostKeys(self): file_regex = re.compile(r'ssh_host_(?P[a-z0-9]*)_key\Z') key_dir = '/etc/ssh' key_files = [f for f in os.listdir(key_dir) if file_regex.match(f)] - for key_file in key_files: + key_types = host_key_types.split(',') if host_key_types else [] + key_types_files = ['ssh_host_%s_key' % key_type for key_type in key_types] + for key_file in set(key_files) | set(key_types_files): key_type = file_regex.match(key_file).group('type') key_dest = os.path.join(key_dir, key_file) self._GenerateSshKey(key_type, key_dest) diff --git a/google_compute_engine/instance_setup/tests/instance_setup_test.py b/google_compute_engine/instance_setup/tests/instance_setup_test.py index 1de81342..bf7c18ba 100644 --- a/google_compute_engine/instance_setup/tests/instance_setup_test.py +++ b/google_compute_engine/instance_setup/tests/instance_setup_test.py @@ -49,6 +49,7 @@ def testInstanceSetup(self, mock_logger, mock_watcher, mock_config): mock_watcher.MetadataWatcher.return_value = mock_watcher_instance mock_config_instance = mock.Mock() mock_config_instance.GetOptionBool.return_value = True + mock_config_instance.GetOptionString.return_value = 'type' mock_config.InstanceConfig.return_value = mock_config_instance mock_setup._GetInstanceConfig.return_value = 'config' @@ -70,7 +71,9 @@ def testInstanceSetup(self, mock_logger, mock_watcher, mock_config): # Setup for SSH host keys if necessary. mock.call.config.InstanceConfig().GetOptionBool( 'InstanceSetup', 'set_host_keys'), - mock.call.setup._SetSshHostKeys(), + mock.call.config.InstanceConfig().GetOptionString( + 'InstanceSetup', 'host_key_types'), + mock.call.setup._SetSshHostKeys(host_key_types='type'), # Setup for the boto config if necessary. mock.call.config.InstanceConfig().GetOptionBool( 'InstanceSetup', 'set_boto_config'), 
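Review bot: In the `_SetSshHostKeys` hunk, each configured type is formatted into `'ssh_host_%s_key'` without stripping or validation, and the loop then calls `file_regex.match(key_file).group('type')` on the result. A value such as `rsa, ed25519` (space after the comma), or any type with characters outside `[a-z0-9]`, makes `match` return `None`, so that line raises `AttributeError`; an empty entry from a trailing comma matches with an empty type and reaches `_GenerateSshKey` with `''`. Because `host_key_types` is read from the instance config, I would strip each entry and skip anything the regex rejects with a logged warning, which also keeps every generated path inside `key_dir`. The function starts outside the hunk and `_GenerateSshKey` is not visible here, so how it handles an empty or unsupported type is unconfirmed.

```python
    key_files = [f for f in os.listdir(key_dir) if file_regex.match(f)]
    key_types_files = []
    for key_type in (host_key_types or '').split(','):
      key_type = key_type.strip()
      if not key_type:
        continue
      key_file = 'ssh_host_%s_key' % key_type
      if file_regex.match(key_file):
        key_types_files.append(key_file)
      else:
        self.logger.warning('Ignoring invalid host key type: %r.', key_type)
    # ... unchanged: loop over set(key_files) | set(key_types_files) ...
```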
@@ -325,7 +328,7 @@ def testSetSshHostKeysFirstBoot(self, mock_listdir): self.mock_setup._GenerateSshKey = mock_generate_key mock_listdir.return_value = [ 'ssh_config', - 'ssh_host_rsa_key', + 'ssh_host_dsa_key', 'ssh_host_dsa_key.pub', 'ssh_host_ed25519_key', 'ssh_host_ed25519_key.pub', @@ -333,13 +336,15 @@ def testSetSshHostKeysFirstBoot(self, mock_listdir): 'ssh_host_rsa_key.pub', ] - instance_setup.InstanceSetup._SetSshHostKeys(self.mock_setup) + instance_setup.InstanceSetup._SetSshHostKeys( + self.mock_setup, host_key_types='rsa,dsa,abc') expected_calls = [ - mock.call('rsa', '/etc/ssh/ssh_host_rsa_key'), + mock.call('abc', '/etc/ssh/ssh_host_abc_key'), + mock.call('dsa', '/etc/ssh/ssh_host_dsa_key'), mock.call('ed25519', '/etc/ssh/ssh_host_ed25519_key'), mock.call('rsa', '/etc/ssh/ssh_host_rsa_key'), ] - self.assertEqual(mock_generate_key.mock_calls, expected_calls) + self.assertEqual(sorted(mock_generate_key.mock_calls), expected_calls) self.mock_instance_config.SetOption.assert_called_once_with( 'Instance', 'instance_id', '123') From 83b6922ea3d2555c49465ce219e3a434793eae20 Mon Sep 17 00:00:00 2001 From: Tom Lanyon Date: Wed, 1 Nov 2017 06:18:17 +1100 Subject: [PATCH 03/11] Specify version for Python package in RPM spec. (#512) google-compute-engine requires python-google-compute-engine, but does not specify the required version; this allows google-compute-engine to be upgraded independently from the python distribution, which results in broken scripts. Fixes #511. --- specs/google-compute-engine.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/google-compute-engine.spec b/specs/google-compute-engine.spec index 6f398318..13b71ac1 100644 --- a/specs/google-compute-engine.spec +++ b/specs/google-compute-engine.spec 
@@ -34,7 +34,7 @@ BuildRequires: systemd Requires: curl Requires: google-compute-engine-oslogin Requires: ntp -Requires: python-google-compute-engine +Requires: python-google-compute-engine = %{version} Requires: python-setuptools Requires: rsyslog %if 0%{?el7} From 084d1c649e2f97992e9f1a03ac2f6d9026ab1f8a Mon Sep 17 00:00:00 2001 From: Zach Marano Date: Thu, 2 Nov 2017 14:11:50 -0700 Subject: [PATCH 04/11] Add dhclient_script to README. (#514) * Add dhclient_script to README. * Updated description of dhclient script. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 3c3c3ccf..1fe8d5db 100644 --- a/README.md +++ b/README.md @@ -259,6 +259,7 @@ IpForwarding | target\_instance\_ips | `false` disables internal IP addres MetadataScripts | run\_dir | String base directory where metadata scripts are executed. MetadataScripts | startup | `false` disables startup script execution. MetadataScripts | shutdown | `false` disables shutdown script execution. +NetworkInterfaces | dhclient\_script | String path to a dhclient script used by dhclient. NetworkInterfaces | dhcp\_command | String to execute to enable network interfaces. NetworkInterfaces | setup | `false` disables network interface setup. From 3d87a8389bcb8bbe088c000493b2fccb013f47f8 Mon Sep 17 00:00:00 2001 From: Max Illfelder Date: Fri, 17 Nov 2017 15:50:56 -0800 Subject: [PATCH 05/11] Fix linter errors caught by flake8. (#519) --- google_compute_engine/instance_setup/instance_setup.py | 1 - google_compute_engine/ip_forwarding/ip_forwarding_daemon.py | 1 - google_compute_engine/metadata_scripts/script_manager.py | 1 - 3 files changed, 3 deletions(-) diff --git a/google_compute_engine/instance_setup/instance_setup.py b/google_compute_engine/instance_setup/instance_setup.py index e4791c42..78f4e005 100755 --- a/google_compute_engine/instance_setup/instance_setup.py +++ b/google_compute_engine/instance_setup/instance_setup.py 
@@ -27,7 +27,6 @@ from google_compute_engine import file_utils from google_compute_engine import logger from google_compute_engine import metadata_watcher - from google_compute_engine.boto import boto_config from google_compute_engine.instance_setup import instance_config diff --git a/google_compute_engine/ip_forwarding/ip_forwarding_daemon.py b/google_compute_engine/ip_forwarding/ip_forwarding_daemon.py index 32c2e8b2..aa440987 100755 --- a/google_compute_engine/ip_forwarding/ip_forwarding_daemon.py +++ b/google_compute_engine/ip_forwarding/ip_forwarding_daemon.py @@ -36,7 +36,6 @@ from google_compute_engine import logger from google_compute_engine import metadata_watcher from google_compute_engine import network_utils - from google_compute_engine.ip_forwarding import ip_forwarding_utils LOCKFILE = constants.LOCALSTATEDIR + '/lock/google_ip_forwarding.lock' diff --git a/google_compute_engine/metadata_scripts/script_manager.py b/google_compute_engine/metadata_scripts/script_manager.py index 5cd0ebe2..641b29dc 100755 --- a/google_compute_engine/metadata_scripts/script_manager.py +++ b/google_compute_engine/metadata_scripts/script_manager.py @@ -23,7 +23,6 @@ from google_compute_engine import config_manager from google_compute_engine import logger - from google_compute_engine.metadata_scripts import script_executor from google_compute_engine.metadata_scripts import script_retriever From 2db69addc20cef8201924c82b22a0d5652da5ac8 Mon Sep 17 00:00:00 2001 From: Danny Jones Date: Fri, 17 Nov 2017 15:56:22 -0800 Subject: [PATCH 06/11] Fix formatting of expiration time field. (#518) --- google_compute_engine_oslogin/utils/oslogin_utils.cc | 2 +- google_compute_engine_oslogin/utils/oslogin_utils_test.cc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/google_compute_engine_oslogin/utils/oslogin_utils.cc b/google_compute_engine_oslogin/utils/oslogin_utils.cc index 14d3f7ec..856e23e4 100644 --- a/google_compute_engine_oslogin/utils/oslogin_utils.cc 
+++ b/google_compute_engine_oslogin/utils/oslogin_utils.cc @@ -279,7 +279,7 @@ std::vector ParseJsonToSshKeys(string response) { } key_to_add = (char*)json_object_get_string(val); } - if (string_key == "expiration_time_usec") { + if (string_key == "expirationTimeUsec") { if (val_type == json_type_int || val_type == json_type_string) { uint64_t expiry_usec = (uint64_t)json_object_get_int64(val); struct timeval tp; diff --git a/google_compute_engine_oslogin/utils/oslogin_utils_test.cc b/google_compute_engine_oslogin/utils/oslogin_utils_test.cc index c19a285a..84f414a2 100644 --- a/google_compute_engine_oslogin/utils/oslogin_utils_test.cc +++ b/google_compute_engine_oslogin/utils/oslogin_utils_test.cc @@ -372,7 +372,7 @@ TEST(ParseJsonSshKeyTest, ParseJsonToSshKeysFiltersExpiredKeys) { string test_user = "{\"loginProfiles\":[{\"name\":\"foo@example.com\",\"sshPublicKeys\":" "{\"fingerprint\": {\"key\": \"test_key\"}, \"fingerprint2\": {\"key\": " - "\"test_key2\", \"expiration_time_usec\": 0}}}]}"; + "\"test_key2\", \"expirationTimeUsec\": 0}}}]}"; size_t buflen = 200; char* buffer = (char*)malloc(buflen * sizeof(char)); @@ -388,7 +388,7 @@ TEST(ParseJsonSshKeyTest, ParseJsonToSshKeysFiltersMalformedExpiration) { string test_user = "{\"loginProfiles\":[{\"name\":\"foo@example.com\",\"sshPublicKeys\":" "{\"fingerprint\": {\"key\": \"test_key\"}, \"fingerprint2\": {\"key\": " - "\"test_key2\", \"expiration_time_usec\": \"bad_stuff\"}}}]}"; + "\"test_key2\", \"expirationTimeUsec\": \"bad_stuff\"}}}]}"; size_t buflen = 200; char* buffer = (char*)malloc(buflen * sizeof(char)); From 146d2f36ecf5d74fd9d1e2c60da7cf609a62e10d Mon Sep 17 00:00:00 2001 From: Ludovic Gasc Date: Tue, 28 Nov 2017 00:34:46 +0100 Subject: [PATCH 07/11] Add systemd as valid ntp daemon (#523) --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index c75754fd..75754cf6 100644 --- a/debian/control +++ b/debian/control 
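Review bot: In the `ParseJsonToSshKeys` hunk, `(uint64_t)json_object_get_int64(val)` turns a negative `expirationTimeUsec` into a very large unsigned value, so if the comparison that follows (outside the hunk) treats a larger value as later, such a key would be accepted as never expiring. Reading the value into an `int64_t` first and treating anything below zero as expired would close that, e.g. `int64_t expiry = json_object_get_int64(val);` followed by a check for `expiry < 0`. The rename itself shows that a mismatch in the field name silently disables expiry filtering, and the two tests touched here use only `0` and a non-numeric string; a test with a past non-zero timestamp and one with a future timestamp would pin the comparison itself. The function body starts and ends outside the hunk.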
@@ -27,7 +27,7 @@ Depends: google-compute-engine-oslogin, ${misc:Depends}, python-google-compute-engine (= ${source:Version}), python3-google-compute-engine (= ${source:Version}), - chrony | ntp | time-daemon, + chrony | ntp | time-daemon | systemd, systemd Recommends: google-cloud-sdk Conflicts: google-compute-engine-jessie, From 69e6dfdd8541ce50ceac3a01758554a81938982f Mon Sep 17 00:00:00 2001 From: Max Illfelder Date: Tue, 28 Nov 2017 12:16:13 -0800 Subject: [PATCH 08/11] Latest pytest release does not support Python 2.6. (#526) The guest environment must still support Python 2.6. --- .travis.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a3dc9114..8debce4b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,6 @@ language: python sudo: true python: -- 2.6 - 2.7 - 3.3 - 3.4 From 33dca785cd37a7a94011b5da3a1313cd1bb6cf0e Mon Sep 17 00:00:00 2001 From: Danny Jones Date: Tue, 28 Nov 2017 13:18:20 -0800 Subject: [PATCH 09/11] Update build to use json-c's recommended includedir. (#524) Changes inclusion of json-c's headers to #include and updates the build to add /usr/include/json-c to the search path. --- google_compute_engine_oslogin/Makefile | 11 +++++++---- google_compute_engine_oslogin/utils/oslogin_utils.cc | 2 +- google_compute_engine_oslogin/utils/run_tests.sh | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/google_compute_engine_oslogin/Makefile b/google_compute_engine_oslogin/Makefile index 41d2dd80..771d0861 100644 --- a/google_compute_engine_oslogin/Makefile +++ b/google_compute_engine_oslogin/Makefile 
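Review bot: In the `Depends:` hunk, `systemd` is both the new last alternative in `chrony | ntp | time-daemon | systemd` and an unconditional dependency on the following line, so the alternative group is now always satisfied and the package no longer pulls in any of the other time daemons. If the intent is to accept systemd-timesyncd, installing systemd does not by itself show that time synchronization is enabled. Accurate time matters to this package because the OS Login key parser appears to compare key expiry against the local clock (the `expirationTimeUsec` handling in patch 06). I would add a note in the README stating that timesyncd must be enabled when no other time daemon is installed.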
@@ -12,10 +12,13 @@ NSS_INSTALL_PATH = /lib PAM_INSTALL_PATH = /lib/security AUTHKEYS_INSTALL_PATH = /usr/bin +JSON_INCLUDE_PATH = /usr/include/json-c +INCLUDE_FLAGS = -I$(JSON_INCLUDE_PATH) + CXX = g++ CXXFLAGS += -fPIC# -Wall -PAMFLAGS = $(LDFLAGS) -shared -NSSFLAGS = $(LDFLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME) +PAMFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared +NSSFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME) # UTILS UTILS_DIR = utils @@ -86,10 +89,10 @@ $(PAM_ADMIN_OBJ): $(PAM_ADMIN_SRC) $(CXX) $(CXXFLAGS) -c $(PAM_ADMIN_SRC) -o $(PAM_ADMIN_OBJ) $(AUTHKEYS_BIN): $(AUTHKEYS_SRC) $(UTILS_SRC) - $(CXX) $(LDFLAGS) -o $(AUTHKEYS_BIN) $(AUTHKEYS_SRC) $(UTILS_SRC) $(LIBS) + $(CXX) $(LDFLAGS) $(INCLUDE_FLAGS) -o $(AUTHKEYS_BIN) $(AUTHKEYS_SRC) $(UTILS_SRC) $(LIBS) $(UTILS): $(UTILS_SRC) - $(CXX) $(CXXFLAGS) -c $(UTILS_SRC) -o $(UTILS) + $(CXX) $(CXXFLAGS) $(INCLUDE_FLAGS) -c $(UTILS_SRC) -o $(UTILS) $(SELINUX_MOD_FILE): $(SELINUX_MODULE_SRC) checkmodule -M -m -o $(SELINUX_MOD_FILE) $(SELINUX_MODULE_SRC) diff --git a/google_compute_engine_oslogin/utils/oslogin_utils.cc b/google_compute_engine_oslogin/utils/oslogin_utils.cc index 856e23e4..8269883c 100644 --- a/google_compute_engine_oslogin/utils/oslogin_utils.cc +++ b/google_compute_engine_oslogin/utils/oslogin_utils.cc @@ -15,7 +15,7 @@ // Requires libcurl4-openssl-dev libjson0 and libjson0-dev #include #include -#include +#include #include #include #include diff --git a/google_compute_engine_oslogin/utils/run_tests.sh b/google_compute_engine_oslogin/utils/run_tests.sh index df03ecbd..b68248f4 100755 --- a/google_compute_engine_oslogin/utils/run_tests.sh +++ b/google_compute_engine_oslogin/utils/run_tests.sh 
@@ -14,6 +14,6 @@ # limitations under the License. # Unit tests require gtest to be installed. -g++ -o test_runner oslogin_utils_test.cc oslogin_utils.cc -lcurl -ljson -lgtest -lpthread +g++ -o test_runner oslogin_utils_test.cc oslogin_utils.cc -I/usr/include/json-c -lcurl -ljson -lgtest -lpthread ./test_runner rm ./test_runner From 6b825eccb991ba81bd22b76f4829a6b41bc1cf3e Mon Sep 17 00:00:00 2001 From: Rick Wright Date: Tue, 28 Nov 2017 13:18:34 -0800 Subject: [PATCH 10/11] Fix home directory creation pam module. (#525) For systems that don't have selinux, the old sed expression didn't work. In addition, the mkhomedir module wasn't removed when deactivating oslogin and under some circumstances, things could be added twice. --- google_compute_engine_oslogin/bin/google_oslogin_control | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/google_compute_engine_oslogin/bin/google_oslogin_control b/google_compute_engine_oslogin/bin/google_oslogin_control index 8a21a6ac..afbefbb2 100755 --- a/google_compute_engine_oslogin/bin/google_oslogin_control +++ b/google_compute_engine_oslogin/bin/google_oslogin_control @@ -85,9 +85,9 @@ add_to_nss_config() { add_to_pam_config() { remove_from_config ${pam_config} - sed -i "/pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new - sed -i "/pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new - sed -i "/pam_selinux.so close/ a${pam_homedir}" ${pam_config}.new + sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new + sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new + sed -i "/pam_loginuid.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new } restart_service() { From e89407b98f39d0f73e969ab9777c3ed3150ebace Mon Sep 17 00:00:00 2001 
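Review bot: In `add_to_pam_config`, each `sed -i "/…/ a…"` is a silent no-op when the PAM file has no line matching its address, so on a configuration without an `account … pam_nologin.so` line the OS Login account modules are never inserted and the function still returns success. Since `${pam_admin}` and `${pam_login}` look like the account checks for OS Login users (their definitions are outside the hunk), I would verify the result after editing, for example `grep -qF -- "${pam_login}" "${pam_config}.new" || return 1`, and log the failure. The address `account.*pam_nologin.so` also matches commented-out lines and leaves `.` unescaped; `^account.*pam_nologin\.so` would be stricter. `${pam_config}.new` is unquoted in all three commands.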
From: Max Illfelder Date: Wed, 29 Nov 2017 11:16:45 -0800 Subject: [PATCH 11/11] Version bump the OS Login and Python packages. (#527) --- debian/changelog | 7 +++++++ google_compute_engine_oslogin/Makefile | 2 +- google_compute_engine_oslogin/packaging/debian8/changelog | 7 +++++++ .../packaging/debian8/google-compute-engine-oslogin.links | 2 +- google_compute_engine_oslogin/packaging/debian9/changelog | 7 +++++++ .../packaging/debian9/google-compute-engine-oslogin.links | 2 +- .../rpmbuild/SPECS/google-compute-engine-oslogin.spec | 2 +- google_compute_engine_oslogin/packaging/setup_deb.sh | 2 +- google_compute_engine_oslogin/packaging/setup_rpm.sh | 2 +- setup.py | 2 +- specs/google-compute-engine.spec | 2 +- specs/python-google-compute-engine.spec | 2 +- 12 files changed, 30 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index a731af46..c4bea8b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +google-compute-image-packages (2.7.2-1) stable; urgency=low + + * Generate SSH host keys when none are present. + * Improve logging when activating OS Login. + + -- Google Cloud Team Wed, 29 Nov 2017 12:00:00 -0700 + google-compute-image-packages (2.7.1-1) stable; urgency=low * Update set_hostname file name to prevent conflict. diff --git a/google_compute_engine_oslogin/Makefile b/google_compute_engine_oslogin/Makefile index 771d0861..f3c14e52 100644 --- a/google_compute_engine_oslogin/Makefile +++ b/google_compute_engine_oslogin/Makefile @@ -4,7 +4,7 @@ BASENAME = oslogin NAME = google-compute-engine-$(BASENAME) MAJOR = 1 MINOR = 1 -REVISION = 1 +REVISION = 2 NSS_LIBRARY_NAME = libnss_$(NAME)-$(MAJOR).$(MINOR).$(REVISION).so NSS_LIBRARY_SONAME = libnss_$(BASENAME).so.2 diff --git a/google_compute_engine_oslogin/packaging/debian8/changelog b/google_compute_engine_oslogin/packaging/debian8/changelog index 8ecb4e52..8532d9bc 100644 --- a/google_compute_engine_oslogin/packaging/debian8/changelog 
+++ b/google_compute_engine_oslogin/packaging/debian8/changelog @@ -1,3 +1,10 @@ +google-compute-engine-oslogin (1.1.2-1+deb8) unstable; urgency=low + + * Fix parsing logic for expiration time on SSH public keys. + * Fix home directory creation PAM config. + + -- MAINTAINER Wed, 29 Nov 2017 12:00:00 -0700 + google-compute-engine-oslogin (1.1.1-1+deb8) unstable; urgency=low * Remove logging when checking OS Login status. diff --git a/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links b/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links index 80df68f1..8f983d5d 100644 --- a/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links +++ b/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links @@ -1 +1 @@ -/lib/libnss_google-compute-engine-oslogin-1.1.1.so /lib/libnss_oslogin.so.2 +/lib/libnss_google-compute-engine-oslogin-1.1.2.so /lib/libnss_oslogin.so.2 diff --git a/google_compute_engine_oslogin/packaging/debian9/changelog b/google_compute_engine_oslogin/packaging/debian9/changelog index 7c8af527..de471e85 100644 --- a/google_compute_engine_oslogin/packaging/debian9/changelog +++ b/google_compute_engine_oslogin/packaging/debian9/changelog @@ -1,3 +1,10 @@ +google-compute-engine-oslogin (1.1.2-1+deb9) unstable; urgency=low + + * Fix parsing logic for expiration time on SSH public keys. + * Fix home directory creation PAM config. + + -- MAINTAINER Wed, 29 Nov 2017 12:00:00 -0700 + google-compute-engine-oslogin (1.1.1-1+deb9) unstable; urgency=low * Remove logging when checking OS Login status. diff --git a/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links b/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links index 80df68f1..8f983d5d 100644 --- a/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links 
+++ b/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links @@ -1 +1 @@ -/lib/libnss_google-compute-engine-oslogin-1.1.1.so /lib/libnss_oslogin.so.2 +/lib/libnss_google-compute-engine-oslogin-1.1.2.so /lib/libnss_oslogin.so.2 diff --git a/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec b/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec index 991a16f1..a29b7283 100644 --- a/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec +++ b/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec @@ -13,7 +13,7 @@ # limitations under the License. Name: google-compute-engine-oslogin -Version: 1.1.1 +Version: 1.1.2 Release: 1%{?dist} Summary: OS Login Functionality for Google Compute Engine diff --git a/google_compute_engine_oslogin/packaging/setup_deb.sh b/google_compute_engine_oslogin/packaging/setup_deb.sh index c361c22c..a79d8501 100755 --- a/google_compute_engine_oslogin/packaging/setup_deb.sh +++ b/google_compute_engine_oslogin/packaging/setup_deb.sh @@ -20,7 +20,7 @@ # Run from the top of the source directory. NAME="google-compute-engine-oslogin" -VERSION="1.1.1" +VERSION="1.1.2" working_dir=${PWD} diff --git a/google_compute_engine_oslogin/packaging/setup_rpm.sh b/google_compute_engine_oslogin/packaging/setup_rpm.sh index 3d71eebb..d26427eb 100755 --- a/google_compute_engine_oslogin/packaging/setup_rpm.sh +++ b/google_compute_engine_oslogin/packaging/setup_rpm.sh @@ -20,7 +20,7 @@ # Run from the top of the source directory. NAME="google-compute-engine-oslogin" -VERSION="1.1.1" +VERSION="1.1.2" working_dir=${PWD} rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION} diff --git a/setup.py b/setup.py index 51223db2..91d7a9d2 100755 --- a/setup.py +++ b/setup.py 
@@ -32,7 +32,7 @@ packages=setuptools.find_packages(), scripts=glob.glob('scripts/*'), url='https://github.com/GoogleCloudPlatform/compute-image-packages', - version='2.7.1', + version='2.7.2', # Entry points create scripts in /usr/bin that call a function. entry_points={ 'console_scripts': [ diff --git a/specs/google-compute-engine.spec b/specs/google-compute-engine.spec index 13b71ac1..5ba516c7 100644 --- a/specs/google-compute-engine.spec +++ b/specs/google-compute-engine.spec @@ -18,7 +18,7 @@ %endif Name: google-compute-engine -Version: 2.7.1 +Version: 2.7.2 Release: 1%{?dist} Summary: Google Compute Engine guest environment. License: ASL 2.0 diff --git a/specs/python-google-compute-engine.spec b/specs/python-google-compute-engine.spec index 7a4e8e43..6d72fbf9 100644 --- a/specs/python-google-compute-engine.spec +++ b/specs/python-google-compute-engine.spec @@ -18,7 +18,7 @@ %endif Name: python-google-compute-engine -Version: 2.7.1 +Version: 2.7.2 Release: 1%{?dist} Summary: Google Compute Engine python library License: ASL 2.0