Add drop-in to prevent race with sshd-keygen service
BZ: 2002492
TESTED: by me
BREW: 39836171
It looks like, at least in AWS RHEL 9 images, there is
a race between cloud-init and sshd-keygen.
In particular, they both create /etc/ssh/ssh_host_*key*
at first boot, sometimes causing a warning in cloud-init:
cloudinit.subp.ProcessExecutionError: Unexpected error while running command.
Command: ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key']
Exit code: 1
Reason: -
Stdout: Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)?
Stderr:
What happens is:
1) cloud-init checks if /etc/ssh/ssh_host_rsa_key exists
2) it does not exist, so it continues the logic in cc_ssh line 234
3) sshd-keygen in the meanwhile creates /etc/ssh/ssh_host_rsa_key
4) cloud-init issues
'ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key',
failing
Masking the service with `systemctl mask sshd-keygen.target` fixes
the bug, but it is not the right solution.
As suggested upstream, creating a drop-in with ConditionPathExists
allows checking whether cloud-init is enabled and disabling sshd-keygen,
preventing it from racing with cloud-init when creating host keys.
Conflicts: minor conflict in setup.py (line 253), where we still use
"/usr/lib/" instead of LIB.
In addition, patch 2 ("add the drop-in also in the %files section of cloud-init.spec")
is a downstream-only addition, and adds the drop-in to the right cloud-init.spec used
by our package builder; otherwise the package build fails.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Edited by Emanuele Giuseppe Esposito
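As an added illustration of the approach the commit message describes (the commit's own diff is not shown on this page, so this is not its code): a systemd drop-in for the sshd-keygen@.service template that makes every instance (rsa, ecdsa, ed25519) skip when cloud-init is going to run this boot. The condition path is the one cloud-init's systemd generator creates when it enables cloud-init.target; the install path and file name are assumptions for this example and should be checked against the installed package.

```ini
# Assumed install location (not taken from the commit):
#   /usr/lib/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
# Because it targets the template unit, the condition applies to every
# sshd-keygen@<type>.service instance that sshd-keygen.target pulls in.
[Unit]
# cloud-init's generator creates this symlink early in boot when it decides
# cloud-init is enabled for this instance. The leading "!" negates the check:
# if the link exists, the unit is skipped (cloud-init's cc_ssh module then
# creates the host keys itself); if it does not exist (cloud-init disabled or
# not installed), sshd-keygen still generates the keys as before.
ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
```

To confirm the drop-in is picked up, `systemctl cat sshd-keygen@rsa.service` should print the template unit followed by the drop-in; on a cloud-init-enabled first boot, `systemctl status sshd-keygen@rsa.service` should report the condition check resulting in the unit being skipped, while cloud-init's log shows it generating the host keys without the "already exists / Overwrite (y/n)?" failure. Unlike `systemctl mask sshd-keygen.target`, this keeps host-key generation working on the same image when cloud-init is turned off (for example via /etc/cloud/cloud-init.disabled or cloud-init=disabled on the kernel command line), which is why the drop-in is the right fix rather than the mask.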