implement cloud-init query

Bug #1037753 reported by Scott Moser
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Joshua Harlow

Bug Description

at one point there was a 'cloud-init-query' tool that woudl look just report data from the datasource.

This wasn't that useful though, because it only would work as root. That was because it read the pickled /var/lib/cloud/instance/obj.pkl and because that can contain sensitive information it was made 600 and root:root.

It'd be nice if we could have the datasources save off a clean version of data to world readable, and then
have a tool that could read that.

Scott Moser (smoser)
Changed in cloud-init:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Joshua Harlow (harlowja) wrote :

Cool, so possible idea here.

Have the 'root' datasource expose a 'public' (readable) copy of itself with the following restrictions.

If there is any userdata:

If there is a config option 'encrypt_queryable_user_data' : false (default true), then just leave userdata alone.

Otherwise if true, attempt to encrpyt with ssh keys (generated by previous module).

- openssl rsautl -encrypt -inkey /tmp/ -pubin -in /tmp/msg.txt -out /tmp/file.enc (or similar)
- if that fails, just remove the user-data (empty string)

Then write out that public copy to a file that can be used by this new cloud-init query tool.

The tool itself can be asked for certain datasource fields and show them back, more features here to inspect other files can be added later (?)

Revision history for this message
Joshua Harlow (harlowja) wrote :

Also possibly allow config to specify the keys?

Joshua Harlow (harlowja)
Changed in cloud-init:
assignee: nobody → Joshua Harlow (harlowja)
Revision history for this message
Dan Watkins (oddbloke) wrote :

We now have `cloud-init query`.

Changed in cloud-init:
status: Triaged → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.