cloud-init

GCE data source should disregard expired SSH keys

Bug #1707039 reported by Dan Watkins
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cloud-init
Fix Released
Medium
Max Illfelder
cloud-init (Ubuntu)
Fix Released
Medium
Max Illfelder

Bug Description

GCE supports the expiration of SSH keys. It does so by including the expiry time in a JSON blob in the comment section of the SSH key. As per [0], the format is:

ssh-rsa [KEY_VALUE] google-ssh {"userName":"[USERNAME]","expireOn":"[EXPIRE_TIME]"}

Keys can remain in metadata after expiry, so cloud-init should know how to filter them out itself.

[0] https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

Related branches

~chad.smith/cloud-init:ubuntu/devel
Server Team CI bot: Approve (continuous-integration)
Scott Moser: Pending requested
Diff: 955 lines (+415/-129)
14 files modified
cloudinit/sources/DataSourceConfigDrive.py (+2/-2)
cloudinit/sources/DataSourceGCE.py (+95/-39)
cloudinit/util.py (+51/-43)
debian/changelog (+14/-0)
tests/cloud_tests/platforms/ec2/instance.py (+8/-2)
tests/cloud_tests/platforms/ec2/platform.py (+30/-3)
tests/cloud_tests/releases.yaml (+0/-16)
tests/cloud_tests/testcases/modules/ntp_pools.yaml (+1/-1)
tests/cloud_tests/testcases/modules/ntp_servers.yaml (+1/-1)
tests/unittests/test_datasource/test_configdrive.py (+6/-0)
tests/unittests/test_datasource/test_gce.py (+172/-21)
tests/unittests/test_ds_identify.py (+17/-0)
tests/unittests/test_util.py (+15/-0)
tools/ds-identify (+3/-1)
~illfelder/cloud-init:master
Scott Moser: Approve
Server Team CI bot: Approve (continuous-integration)
Dan Watkins: Pending requested
Diff: 548 lines (+267/-60)
2 files modified
cloudinit/sources/DataSourceGCE.py (+95/-39)
tests/unittests/test_datasource/test_gce.py (+172/-21)
Chad Smith (chad.smith)
Changed in cloud-init:
status: New → Fix Committed
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
status: Fix Committed → New
Changed in cloud-init:
status: Fix Committed → New
Max Illfelder (illfelder)
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
assignee: nobody → Max Illfelder (illfelder)
Changed in cloud-init:
status: New → Fix Committed
assignee: nobody → Max Illfelder (illfelder)
Scott Moser (smoser)
Changed in cloud-init:
importance: Undecided → Medium
Changed in cloud-init (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 17.2-20-g32a6a176-0ubuntu1

---------------
cloud-init (17.2-20-g32a6a176-0ubuntu1) bionic; urgency=medium

  * New upstream snapshot.
    - tests: Fix EC2 Platform to return console output as bytes.
    - tests: Fix attempted use of /run in a test case.
    - GCE: Improvements and changes to ssh key behavior for default user.
      [Max Illfelder] (LP: #1670456, #1707033, #1707037, #1707039)
    - subp: make ProcessExecutionError have expected types in stderr, stdout.
    - tests: when querying ntp server, do not do dns resolution.
    - Recognize uppercase vfat disk labels [James Penick] (LP: #1598783)
    - tests: remove zesty as supported OS to test

 -- Chad Smith <email address hidden> Tue, 23 Jan 2018 20:10:44 -0700

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Scott Moser (smoser) wrote : Fixed in Cloud-init 18.1

This bug is believed to be fixed in cloud-init in 18.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/2966

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.