update version to 23.2.2

shixuantong 2023-07-12 15:58:59 +08:00
parent f709011d0f
commit e498205290
13 changed files with 123 additions and 913 deletions


@ -13,17 +13,18 @@ Reference:https://bugs.almalinux.org/view.php?id=32&nbn=1
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
index 90a4eb9..443a5da 100644 index 8a60c95..5c81748 100644
--- a/cloudinit/net/sysconfig.py --- a/cloudinit/net/sysconfig.py
+++ b/cloudinit/net/sysconfig.py +++ b/cloudinit/net/sysconfig.py
@@ -28,7 +28,7 @@ KNOWN_DISTROS = [ @@ -27,7 +27,7 @@ KNOWN_DISTROS = [
"eurolinux", "eurolinux",
"fedora", "fedora",
"miraclelinux", "miraclelinux",
- "openEuler", - "openEuler",
+ "openeuler", + "openeuler",
"OpenCloudOS",
"openmandriva",
"rhel", "rhel",
"rocky", --
"suse", 2.27.0
--
2.33.0


@ -11,21 +11,21 @@ Signed-off-by: chengquan <chengquan3@huawei.com>
1 file changed, 11 insertions(+), 3 deletions(-) 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/setup.py b/setup.py diff --git a/setup.py b/setup.py
index a81c1e9..e4e5fdb 100755 index 55b929a..34fb29b 100644
--- a/setup.py --- a/setup.py
+++ b/setup.py +++ b/setup.py
@@ -79,6 +79,8 @@ def read_requires(): @@ -90,6 +90,8 @@ def read_requires():
deps = subprocess.check_output(cmd) deps = subprocess.check_output(cmd)
return deps.decode("utf-8").splitlines() return deps.decode("utf-8").splitlines()
+# add variable to forbid tmp dir +# add variable to forbid tmp dir
+num = 0 +num = 0
def render_tmpl(template, mode=None): def render_tmpl(template, mode=None):
"""render template into a tmpdir under same dir as setup.py """render template into a tmpdir under same dir as setup.py
@@ -100,7 +102,10 @@ def render_tmpl(template, mode=None): @@ -110,7 +112,10 @@ def render_tmpl(template, mode=None):
return template return template
topdir = os.path.dirname(sys.argv[0]) topdir = os.path.dirname(sys.argv[0])
- tmpd = tempfile.mkdtemp(dir=topdir, prefix=RENDERED_TMPD_PREFIX) - tmpd = tempfile.mkdtemp(dir=topdir, prefix=RENDERED_TMPD_PREFIX)
+ global num + global num
@ -35,17 +35,17 @@ index a81c1e9..e4e5fdb 100755
atexit.register(shutil.rmtree, tmpd) atexit.register(shutil.rmtree, tmpd)
bname = os.path.basename(template).rstrip(tmpl_ext) bname = os.path.basename(template).rstrip(tmpl_ext)
fpath = os.path.join(tmpd, bname) fpath = os.path.join(tmpd, bname)
@@ -124,6 +129,9 @@ def render_tmpl(template, mode=None): @@ -136,6 +141,9 @@ def render_tmpl(template, mode=None):
# return path relative to setup.py # return path relative to setup.py
return os.path.join(os.path.basename(tmpd), bname) return os.path.join(os.path.basename(tmpd), bname)
+def sort_files(file_list): +def sort_files(file_list):
+ file_list.sort() + file_list.sort()
+ return file_list + return file_list
# User can set the variant for template rendering # User can set the variant for template rendering
if "--distro" in sys.argv: if "--distro" in sys.argv:
@@ -142,11 +150,11 @@ INITSYS_FILES = { @@ -153,11 +161,11 @@ INITSYS_FILES = {
"systemd": [ "systemd": [
render_tmpl(f) render_tmpl(f)
for f in ( for f in (
@ -59,5 +59,6 @@ index a81c1e9..e4e5fdb 100755
if (is_f(f) and not is_generator(f)) if (is_f(f) and not is_generator(f))
], ],
"systemd.generators": [ "systemd.generators": [
-- --
2.27.0 2.27.0
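Review bot: The removed `tempfile.mkdtemp(dir=topdir, prefix=RENDERED_TMPD_PREFIX)` call in `render_tmpl` has no visible replacement, because this view jumps from `global num` straight to `atexit.register(shutil.rmtree, tmpd)`; if `tmpd` is now named from the module-level counter `num`, the directory name is predictable and no longer has mkdtemp's guarantee of a freshly created, owner-only directory. In that case, create it with `os.mkdir(tmpd, 0o700)` and let an already-existing path raise instead of reusing it, since `shutil.rmtree` is later run on that same path at exit. The comment `# add variable to forbid tmp dir` does not say what the counter is for; something like `# counter used to give rendered-template dirs deterministic names` would help, if that is the intent. Separately, `sort_files` sorts the caller's list in place and then returns it, so `return sorted(file_list)` would avoid the hidden mutation. The body of `render_tmpl` continues outside the lines shown here.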


@ -1,159 +0,0 @@
From 4d467b14363d800b2185b89790d57871f11ea88c Mon Sep 17 00:00:00 2001
From: James Falcon <james.falcon@canonical.com>
Date: Wed, 29 Jun 2022 17:27:44 -0500
Subject: [PATCH] Remove schema errors from log (#1551)
When schema errors are encountered, the section of userdata in question
gets printed to the cloud-init log. As this could contain sensitive
data, so log a generic warning instead and redirect user to run
cloud-init schema --system as root.
LP: #1978422
CVE: 2022-2084
---
cloudinit/cmd/main.py | 4 +++-
cloudinit/config/schema.py | 15 +++++++++---
integration_tests/modules/test_cli.py | 20 +++++++++++-----
tests/unittests/config/test_schema.py | 23 ++++++++++++++++++-
4 files changed, 51 insertions(+), 11 deletions(-)
diff --git a/cloudinit/cmd/main.py b/cloudinit/cmd/main.py
index fcdaf72..bc7149d 100644
--- a/cloudinit/cmd/main.py
+++ b/cloudinit/cmd/main.py
@@ -454,7 +454,9 @@ def main_init(name, args):
# Validate user-data adheres to schema definition
if os.path.exists(init.paths.get_ipath_cur("userdata_raw")):
- validate_cloudconfig_schema(config=init.cfg, strict=False)
+ validate_cloudconfig_schema(
+ config=init.cfg, strict=False, log_details=False
+ )
else:
LOG.debug("Skipping user-data validation. No user-data found.")
diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
index 7a6ecf0..d2861e9 100644
--- a/cloudinit/config/schema.py
+++ b/cloudinit/config/schema.py
@@ -196,6 +196,7 @@ def validate_cloudconfig_schema(
schema: dict = None,
strict: bool = False,
strict_metaschema: bool = False,
+ log_details: bool = True,
):
"""Validate provided config meets the schema definition.
@@ -208,6 +209,9 @@ def validate_cloudconfig_schema(
logging warnings.
@param strict_metaschema: Boolean, when True validates schema using strict
metaschema definition at runtime (currently unused)
+ @param log_details: Boolean, when True logs details of validation errors.
+ If there are concerns about logging sensitive userdata, this should
+ be set to False.
@raises: SchemaValidationError when provided config does not validate
against the provided schema.
@@ -232,12 +236,17 @@ def validate_cloudconfig_schema(
errors += ((path, error.message),)
if errors:
if strict:
+ # This could output/log sensitive data
raise SchemaValidationError(errors)
- else:
+ if log_details:
messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
- LOG.warning(
- "Invalid cloud-config provided:\n%s", "\n".join(messages)
+ details = "\n" + "\n".join(messages)
+ else:
+ details = (
+ "Please run 'sudo cloud-init schema --system' to "
+ "see the schema errors."
)
+ LOG.warning("Invalid cloud-config provided: %s", details)
def annotated_cloudconfig_file(
diff --git a/tests/integration_tests/modules/test_cli.py b/tests/integration_tests/modules/test_cli.py
index e878176..4b8f53a 100644
--- a/tests/integration_tests/modules/test_cli.py
+++ b/tests/integration_tests/modules/test_cli.py
@@ -18,11 +18,18 @@ runcmd:
- echo 'hi' > /var/tmp/test
"""
+# The '-' in 'hashed-password' fails schema validation
INVALID_USER_DATA_SCHEMA = """\
#cloud-config
-updates:
- notnetwork: -1
-apt_pipelining: bogus
+users:
+ - default
+ - name: newsuper
+ gecos: Big Stuff
+ groups: users, admin
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ hashed-password: asdfasdf
+ shell: /bin/bash
+ lock_passwd: true
"""
@@ -69,11 +76,12 @@ def test_invalid_userdata_schema(client: IntegrationInstance):
assert result.ok
log = client.read_from_file("/var/log/cloud-init.log")
warning = (
- "[WARNING]: Invalid cloud-config provided:\napt_pipelining: 'bogus'"
- " is not valid under any of the given schemas\nupdates: Additional"
- " properties are not allowed ('notnetwork' was unexpected)"
+ "[WARNING]: Invalid cloud-config provided: Please run "
+ "'sudo cloud-init schema --system' to see the schema errors."
)
assert warning in log
+ assert "asdfasdf" not in log
+
result = client.execute("cloud-init status --long")
if not result.ok:
raise AssertionError(
diff --git a/tests/unittests/config/test_schema.py b/tests/unittests/config/test_schema.py
index c75b722..1fa91ad 100644
--- a/tests/unittests/config/test_schema.py
+++ b/tests/unittests/config/test_schema.py
@@ -304,10 +304,31 @@ class TestValidateCloudConfigSchema:
assert "cloudinit.config.schema" == module
assert logging.WARNING == log_level
assert (
- "Invalid cloud-config provided:\np1: -1 is not of type 'string'"
+ "Invalid cloud-config provided: \np1: -1 is not of type 'string'"
== log_msg
)
+ @skipUnlessJsonSchema()
+ def test_validateconfig_schema_sensitive(self, caplog):
+ """When log_details=False, ensure details are omitted"""
+ schema = {
+ "properties": {"hashed_password": {"type": "string"}},
+ "additionalProperties": False,
+ }
+ validate_cloudconfig_schema(
+ {"hashed-password": "secret"},
+ schema,
+ strict=False,
+ log_details=False,
+ )
+ [(module, log_level, log_msg)] = caplog.record_tuples
+ assert "cloudinit.config.schema" == module
+ assert logging.WARNING == log_level
+ assert (
+ "Invalid cloud-config provided: Please run 'sudo cloud-init "
+ "schema --system' to see the schema errors." == log_msg
+ )
+
@skipUnlessJsonSchema()
def test_validateconfig_schema_emits_warning_on_missing_jsonschema(
self, caplog
--
2.33.1.windows.1


@ -1,295 +0,0 @@
From a378b7e4f47375458651c0972e7cd813f6fe0a6b Mon Sep 17 00:00:00 2001
From: James Falcon <james.falcon@canonical.com>
Date: Wed, 26 Apr 2023 15:11:55 -0500
Subject: [PATCH] Make user/vendor data sensitive and remove log permissions
(#2144)
Because user data and vendor data may contain sensitive information,
this commit ensures that any user data or vendor data written to
instance-data.json gets redacted and is only available to root user.
Also, modify the permissions of cloud-init.log to be 640, so that
sensitive data leaked to the log isn't world readable.
Additionally, remove the logging of user data and vendor data to
cloud-init.log from the Vultr datasource.
LP: #2013967
CVE: CVE-2023-1786
---
cloudinit/sources/DataSourceLXD.py | 8 ++++++--
cloudinit/sources/DataSourceVultr.py | 14 ++++++--------
cloudinit/sources/__init__.py | 28 +++++++++++++++++++++++++---
cloudinit/stages.py | 4 +++-
tests/unittests/sources/test_init.py | 27 ++++++++++++++++++++++++++-
tests/unittests/test_stages.py | 18 +++++++++++-------
6 files changed, 77 insertions(+), 22 deletions(-)
diff --git a/cloudinit/sources/DataSourceLXD.py b/cloudinit/sources/DataSourceLXD.py
index 640348f..8f21a1b 100644
--- a/cloudinit/sources/DataSourceLXD.py
+++ b/cloudinit/sources/DataSourceLXD.py
@@ -13,6 +13,7 @@ import os
import socket
import stat
from json.decoder import JSONDecodeError
+from typing import Tuple
import requests
from requests.adapters import HTTPAdapter
@@ -145,11 +146,14 @@ class DataSourceLXD(sources.DataSource):
_network_config = sources.UNSET
_crawled_metadata = sources.UNSET
- sensitive_metadata_keys = (
- "merged_cfg",
+ sensitive_metadata_keys: Tuple[
+ str, ...
+ ] = sources.DataSource.sensitive_metadata_keys + (
"user.meta-data",
"user.vendor-data",
"user.user-data",
+ "cloud-init.user-data",
+ "cloud-init.vendor-data",
)
def _is_platform_viable(self) -> bool:
diff --git a/cloudinit/sources/DataSourceVultr.py b/cloudinit/sources/DataSourceVultr.py
index 8c2e82c..8e5253f 100644
--- a/cloudinit/sources/DataSourceVultr.py
+++ b/cloudinit/sources/DataSourceVultr.py
@@ -5,6 +5,8 @@
# Vultr Metadata API:
# https://www.vultr.com/metadata/
+from typing import Tuple
+
import cloudinit.sources.helpers.vultr as vultr
from cloudinit import log as log
from cloudinit import sources, util, version
@@ -28,6 +30,10 @@ class DataSourceVultr(sources.DataSource):
dsname = "Vultr"
+ sensitive_metadata_keys: Tuple[
+ str, ...
+ ] = sources.DataSource.sensitive_metadata_keys + ("startup-script",)
+
def __init__(self, sys_cfg, distro, paths):
super(DataSourceVultr, self).__init__(sys_cfg, distro, paths)
self.ds_cfg = util.mergemanydict(
@@ -60,13 +66,8 @@ class DataSourceVultr(sources.DataSource):
self.get_datasource_data(self.metadata)
# Dump some data so diagnosing failures is manageable
- LOG.debug("Vultr Vendor Config:")
- LOG.debug(util.json_dumps(self.metadata["vendor-data"]))
LOG.debug("SUBID: %s", self.metadata["instance-id"])
LOG.debug("Hostname: %s", self.metadata["local-hostname"])
- if self.userdata_raw is not None:
- LOG.debug("User-Data:")
- LOG.debug(self.userdata_raw)
return True
@@ -151,7 +152,4 @@ if __name__ == "__main__":
config = md["vendor-data"]
sysinfo = vultr.get_sysinfo()
- print(util.json_dumps(sysinfo))
- print(util.json_dumps(config))
-
# vi: ts=4 expandtab
diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
index fff760f..b678cc8 100644
--- a/cloudinit/sources/__init__.py
+++ b/cloudinit/sources/__init__.py
@@ -113,7 +113,10 @@ def process_instance_metadata(metadata, key_path="", sensitive_keys=()):
sub_key_path = key_path + "/" + key
else:
sub_key_path = key
- if key in sensitive_keys or sub_key_path in sensitive_keys:
+ if (
+ key.lower() in sensitive_keys
+ or sub_key_path.lower() in sensitive_keys
+ ):
sens_keys.append(sub_key_path)
if isinstance(val, str) and val.startswith("ci-b64:"):
base64_encoded_keys.append(sub_key_path)
@@ -135,6 +138,12 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
Replace any keys values listed in 'sensitive_keys' with redact_value.
"""
+ # While 'sensitive_keys' should already sanitized to only include what
+ # is in metadata, it is possible keys will overlap. For example, if
+ # "merged_cfg" and "merged_cfg/ds/userdata" both match, it's possible that
+ # "merged_cfg" will get replaced first, meaning "merged_cfg/ds/userdata"
+ # no longer represents a valid key.
+ # Thus, we still need to do membership checks in this function.
if not metadata.get("sensitive_keys", []):
return metadata
md_copy = copy.deepcopy(metadata)
@@ -142,9 +151,14 @@ def redact_sensitive_keys(metadata, redact_value=REDACT_SENSITIVE_VALUE):
path_parts = key_path.split("/")
obj = md_copy
for path in path_parts:
- if isinstance(obj[path], dict) and path != path_parts[-1]:
+ if (
+ path in obj
+ and isinstance(obj[path], dict)
+ and path != path_parts[-1]
+ ):
obj = obj[path]
- obj[path] = redact_value
+ if path in obj:
+ obj[path] = redact_value
return md_copy
@@ -247,6 +261,14 @@ class DataSource(CloudInitPickleMixin, metaclass=abc.ABCMeta):
sensitive_metadata_keys = (
"merged_cfg",
"security-credentials",
+ "userdata",
+ "user-data",
+ "user_data",
+ "vendordata",
+ "vendor-data",
+ # Provide ds/vendor_data to avoid redacting top-level
+ # "vendor_data": {enabled: True}
+ "ds/vendor_data",
)
_ci_pkl_version = 1
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
index 27af605..88c8e68 100644
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
@@ -204,7 +204,9 @@ class Init(object):
util.ensure_dirs(self._initial_subdirs())
log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
if log_file:
- util.ensure_file(log_file, mode=0o640, preserve_mode=True)
+ # At this point the log file should have already been created
+ # in the setupLogging function of log.py
+ util.ensure_file(log_file, mode=0o640, preserve_mode=False)
perms = self.cfg.get("syslog_fix_perms")
if not perms:
perms = {}
diff --git a/tests/unittests/sources/test_init.py b/tests/unittests/sources/test_init.py
index ce8fc97..e21c9d6 100644
--- a/tests/unittests/sources/test_init.py
+++ b/tests/unittests/sources/test_init.py
@@ -447,12 +447,24 @@ class TestDataSource(CiTestCase):
"cred2": "othersekret",
}
},
+ "someother": {
+ "nested": {
+ "userData": "HIDE ME",
+ }
+ },
+ "VENDOR-DAta": "HIDE ME TOO",
},
)
self.assertCountEqual(
(
"merged_cfg",
"security-credentials",
+ "userdata",
+ "user-data",
+ "user_data",
+ "vendordata",
+ "vendor-data",
+ "ds/vendor_data",
),
datasource.sensitive_metadata_keys,
)
@@ -479,7 +491,9 @@ class TestDataSource(CiTestCase):
"base64_encoded_keys": [],
"merged_cfg": REDACT_SENSITIVE_VALUE,
"sensitive_keys": [
+ "ds/meta_data/VENDOR-DAta",
"ds/meta_data/some/security-credentials",
+ "ds/meta_data/someother/nested/userData",
"merged_cfg",
],
"sys_info": sys_info,
@@ -489,6 +503,7 @@ class TestDataSource(CiTestCase):
"availability_zone": "myaz",
"cloud-name": "subclasscloudname",
"cloud_name": "subclasscloudname",
+ "cloud_id": "subclasscloudname",
"distro": "ubuntu",
"distro_release": "focal",
"distro_version": "20.04",
@@ -511,14 +526,18 @@ class TestDataSource(CiTestCase):
"ds": {
"_doc": EXPERIMENTAL_TEXT,
"meta_data": {
+ "VENDOR-DAta": REDACT_SENSITIVE_VALUE,
"availability_zone": "myaz",
"local-hostname": "test-subclass-hostname",
"region": "myregion",
"some": {"security-credentials": REDACT_SENSITIVE_VALUE},
+ "someother": {
+ "nested": {"userData": REDACT_SENSITIVE_VALUE}
+ },
},
},
}
- self.assertCountEqual(expected, redacted)
+ self.assertEqual(expected, redacted)
file_stat = os.stat(json_file)
self.assertEqual(0o644, stat.S_IMODE(file_stat.st_mode))
@@ -563,6 +582,12 @@ class TestDataSource(CiTestCase):
(
"merged_cfg",
"security-credentials",
+ "userdata",
+ "user-data",
+ "user_data",
+ "vendordata",
+ "vendor-data",
+ "ds/vendor_data",
),
datasource.sensitive_metadata_keys,
)
diff --git a/tests/unittests/test_stages.py b/tests/unittests/test_stages.py
index 9fa2e62..138d79b 100644
--- a/tests/unittests/test_stages.py
+++ b/tests/unittests/test_stages.py
@@ -606,19 +606,23 @@ class TestInit_InitializeFilesystem:
# Assert we create it 0o640 by default if it doesn't already exist
assert 0o640 == stat.S_IMODE(log_file.stat().mode)
- def test_existing_file_permissions_are_not_modified(self, init, tmpdir):
- """If the log file already exists, we should not modify its permissions
+ def test_existing_file_permissions(self, init, tmpdir):
+ """Test file permissions are set as expected.
+
+ CIS Hardening requires 640 permissions. These permissions are
+ currently hardcoded on every boot, but if there's ever a reason
+ to change this, we need to then ensure that they
+ are *not* set every boot.
See https://bugs.launchpad.net/cloud-init/+bug/1900837.
"""
- # Use a mode that will never be made the default so this test will
- # always be valid
- mode = 0o606
log_file = tmpdir.join("cloud-init.log")
log_file.ensure()
- log_file.chmod(mode)
+ # Use a mode that will never be made the default so this test will
+ # always be valid
+ log_file.chmod(0o606)
init._cfg = {"def_log_file": str(log_file)}
init._initialize_filesystem()
- assert mode == stat.S_IMODE(log_file.stat().mode)
+ assert 0o640 == stat.S_IMODE(log_file.stat().mode)
--
2.33.0


@ -1,161 +0,0 @@
From 0273712c90d6facfc0fbf8d6def352f9810902a3 Mon Sep 17 00:00:00 2001
From: sxt1001 <shixuantong1@huawei.com>
Date: Mon, 3 Apr 2023 23:52:15 +0800
Subject: [PATCH] Cleanup ephemeral IP routes on exception (#2100)
If an exception occurs during EphemeralIPv4Network setup, any routes
that were setup need to be torn down. This wasn't happening, and this
commit adds the teardown.
---
cloudinit/net/__init__.py | 43 +++++++++++--------
tests/unittests/net/test_init.py | 73 ++++++++++++++++++++++++++++++++
2 files changed, 99 insertions(+), 17 deletions(-)
diff --git a/cloudinit/net/__init__.py b/cloudinit/net/__init__.py
index 3297a31..fc9668e 100644
--- a/cloudinit/net/__init__.py
+++ b/cloudinit/net/__init__.py
@@ -1370,23 +1370,32 @@ class EphemeralIPv4Network(object):
)
return
- self._bringup_device()
-
- # rfc3442 requires us to ignore the router config *if* classless static
- # routes are provided.
- #
- # https://tools.ietf.org/html/rfc3442
- #
- # If the DHCP server returns both a Classless Static Routes option and
- # a Router option, the DHCP client MUST ignore the Router option.
- #
- # Similarly, if the DHCP server returns both a Classless Static Routes
- # option and a Static Routes option, the DHCP client MUST ignore the
- # Static Routes option.
- if self.static_routes:
- self._bringup_static_routes()
- elif self.router:
- self._bringup_router()
+ try:
+ self._bringup_device()
+
+ # rfc3442 requires us to ignore the router config *if*
+ # classless static routes are provided.
+ #
+ # https://tools.ietf.org/html/rfc3442
+ #
+ # If the DHCP server returns both a Classless Static Routes
+ # option and a Router option, the DHCP client MUST ignore
+ # the Router option.
+ #
+ # Similarly, if the DHCP server returns both a Classless
+ # Static Routes option and a Static Routes option, the DHCP
+ # client MUST ignore the Static Routes option.
+ if self.static_routes:
+ self._bringup_static_routes()
+ elif self.router:
+ self._bringup_router()
+ except subp.ProcessExecutionError:
+ LOG.error(
+ "Error bringing up EphemeralIPv4Network. "
+ "Datasource setup cannot continue"
+ )
+ self.__exit__(None, None, None)
+ raise
def __exit__(self, excp_type, excp_value, excp_traceback):
"""Teardown anything we set up."""
diff --git a/tests/unittests/net/test_init.py b/tests/unittests/net/test_init.py
index 768cc11..5da1232 100644
--- a/tests/unittests/net/test_init.py
+++ b/tests/unittests/net/test_init.py
@@ -13,6 +13,7 @@ import pytest
import requests
import cloudinit.net as net
+from cloudinit import subp
from cloudinit.subp import ProcessExecutionError
from cloudinit.util import ensure_file, write_file
from tests.unittests.helpers import CiTestCase, HttprettyTestCase
@@ -853,6 +854,78 @@ class TestEphemeralIPV4Network(CiTestCase):
self.assertEqual(expected_setup_calls, m_subp.call_args_list)
m_subp.assert_has_calls(expected_teardown_calls)
+ def test_teardown_on_enter_exception(self, m_subp):
+ """Ensure ephemeral teardown happens.
+
+ Even though we're using a context manager, we need to handle any
+ exceptions raised in __enter__ manually and do the appropriate
+ teardown.
+ """
+
+ def side_effect(args, **kwargs):
+ if args[3] == "append" and args[4] == "3.3.3.3/32":
+ raise subp.ProcessExecutionError("oh no!")
+
+ m_subp.side_effect = side_effect
+
+ with pytest.raises(subp.ProcessExecutionError):
+ with net.EphemeralIPv4Network(
+ interface="eth0",
+ ip="1.1.1.1",
+ prefix_or_mask="255.255.255.0",
+ broadcast="1.1.1.255",
+ static_routes=[
+ ("2.2.2.2/32", "9.9.9.9"),
+ ("3.3.3.3/32", "8.8.8.8"),
+ ],
+ ):
+ pass
+
+ expected_teardown_calls = [
+ mock.call(
+ [
+ "ip",
+ "-4",
+ "route",
+ "del",
+ "2.2.2.2/32",
+ "via",
+ "9.9.9.9",
+ "dev",
+ "eth0",
+ ],
+ capture=True,
+ ),
+ mock.call(
+ [
+ "ip",
+ "-family",
+ "inet",
+ "link",
+ "set",
+ "dev",
+ "eth0",
+ "down",
+ ],
+ capture=True,
+ ),
+ mock.call(
+ [
+ "ip",
+ "-family",
+ "inet",
+ "addr",
+ "del",
+ "1.1.1.1/24",
+ "dev",
+ "eth0",
+ ],
+ capture=True,
+ ),
+ ]
+ for teardown in expected_teardown_calls:
+ assert teardown in m_subp.call_args_list
+
@mock.patch("cloudinit.net.readurl")
def test_ephemeral_ipv4_no_network_if_url_connectivity(
self, m_readurl, m_subp
--
2.33.0


@ -1,109 +0,0 @@
From 56c88cafd1b3606e814069a79f4ec265fc427c87 Mon Sep 17 00:00:00 2001
From: James Falcon <james.falcon@canonical.com>
Date: Thu, 23 Mar 2023 10:21:56 -0500
Subject: [PATCH] Don't change permissions of netrules target (#2076)
Set permissions if file doesn't exist. Leave them if it does.
LP: #2011783
Co-authored-by: Chad Smith <chad.smith@canonical.com>
---
cloudinit/net/eni.py | 4 +++-
cloudinit/net/sysconfig.py | 7 ++++++-
tests/unittests/distros/test_netconfig.py | 20 ++++++++++++++++++--
3 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/cloudinit/net/eni.py b/cloudinit/net/eni.py
index b0ec67b..f6398e3 100644
--- a/cloudinit/net/eni.py
+++ b/cloudinit/net/eni.py
@@ -571,7 +571,9 @@ class Renderer(renderer.Renderer):
netrules = subp.target_path(target, self.netrules_path)
util.ensure_dir(os.path.dirname(netrules))
util.write_file(
- netrules, self._render_persistent_net(network_state)
+ netrules,
+ content=self._render_persistent_net(network_state),
+ preserve_mode=True,
)
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
index 07f474d..d22354c 100644
--- a/cloudinit/net/sysconfig.py
+++ b/cloudinit/net/sysconfig.py
@@ -1008,7 +1008,12 @@ class Renderer(renderer.Renderer):
if self.netrules_path:
netrules_content = self._render_persistent_net(network_state)
netrules_path = subp.target_path(target, self.netrules_path)
- util.write_file(netrules_path, netrules_content, file_mode)
+ util.write_file(
+ netrules_path,
+ content=netrules_content,
+ mode=file_mode,
+ preserve_mode=True,
+ )
sysconfig_path = subp.target_path(target, templates.get("control"))
# Distros configuring /etc/sysconfig/network as a file e.g. Centos
diff --git a/tests/unittests/distros/test_netconfig.py b/tests/unittests/distros/test_netconfig.py
index a25be48..8760975 100644
--- a/tests/unittests/distros/test_netconfig.py
+++ b/tests/unittests/distros/test_netconfig.py
@@ -376,8 +376,16 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
def eni_path(self):
return "/etc/network/interfaces.d/50-cloud-init.cfg"
+ def rules_path(self):
+ return "/etc/udev/rules.d/70-persistent-net.rules"
+
def _apply_and_verify_eni(
- self, apply_fn, config, expected_cfgs=None, bringup=False
+ self,
+ apply_fn,
+ config,
+ expected_cfgs=None,
+ bringup=False,
+ previous_files=(),
):
if not expected_cfgs:
raise ValueError("expected_cfg must not be None")
@@ -385,7 +393,11 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
tmpd = None
with mock.patch("cloudinit.net.eni.available") as m_avail:
m_avail.return_value = True
+ path_modes = {}
with self.reRooted(tmpd) as tmpd:
+ for previous_path, content, mode in previous_files:
+ util.write_file(previous_path, content, mode=mode)
+ path_modes[previous_path] = mode
apply_fn(config, bringup)
results = dir2dict(tmpd)
@@ -396,17 +408,21 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
print(results[cfgpath])
print("----------")
self.assertEqual(expected, results[cfgpath])
- self.assertEqual(0o644, get_mode(cfgpath, tmpd))
+ self.assertEqual(
+ path_modes.get(cfgpath, 0o644), get_mode(cfgpath, tmpd)
+ )
def test_apply_network_config_eni_ub(self):
expected_cfgs = {
self.eni_path(): V1_NET_CFG_OUTPUT,
+ self.rules_path(): "",
}
# ub_distro.apply_network_config(V1_NET_CFG, False)
self._apply_and_verify_eni(
self.distro.apply_network_config,
V1_NET_CFG,
expected_cfgs=expected_cfgs.copy(),
+ previous_files=((self.rules_path(), "something", 0o660),),
)
def test_apply_network_config_ipv6_ub(self):
--
2.39.1


@ -1,60 +0,0 @@
From 94a00492b11995dd9278605eb29ee4b096ce3a90 Mon Sep 17 00:00:00 2001
From: Ron Gebauer <Mazorius@users.noreply.github.com>
Date: Wed, 25 Jan 2023 22:40:32 +0100
Subject: [PATCH] Fix permission of SSH host keys (#1971)
If the host-keys are provided the private key permissions have 0600
which is indeed correct. But the public key has 0600 which should
instead be 0644.
With this change the public key is always 0644 and the private key
is 0600 if provided or 640 if generated (to match sshd-keygen
functionality).
---
cloudinit/config/cc_ssh.py | 4 ++--
tests/unittests/config/test_cc_ssh.py | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 33c1fd0..6210627 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -185,8 +185,8 @@ for k in GENERATE_KEY_NAMES:
CONFIG_KEY_TO_FILE.update(
{
f"{k}_private": (KEY_FILE_TPL % k, 0o600),
- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
+ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
+ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
}
)
PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
index 47c0c77..c41a50b 100644
--- a/tests/unittests/config/test_cc_ssh.py
+++ b/tests/unittests/config/test_cc_ssh.py
@@ -311,17 +311,17 @@ class TestHandleSsh:
mock.call(
"/etc/ssh/ssh_host_{}_key".format(key_type),
private_value,
- 384,
+ 0o600,
),
mock.call(
"/etc/ssh/ssh_host_{}_key.pub".format(key_type),
public_value,
- 384,
+ 0o644,
),
mock.call(
"/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
cert_value,
- 384,
+ 0o644,
),
mock.call(
"/etc/ssh/sshd_config",
--
2.39.1


@ -8,7 +8,7 @@ reason: add oe into distros
Signed-off-by: chengquan <chengquan3@huawei.com> Signed-off-by: chengquan <chengquan3@huawei.com>
--- ---
cloudinit/config/cc_ntp.py | 2 +- cloudinit/config/cc_ntp.py | 2 +-
cloudinit/config/cc_resolv_conf.py | 2 +- cloudinit/config/cc_resolv_conf.py | 1 +
cloudinit/config/cc_rh_subscription.py | 2 +- cloudinit/config/cc_rh_subscription.py | 2 +-
cloudinit/config/cc_spacewalk.py | 2 +- cloudinit/config/cc_spacewalk.py | 2 +-
cloudinit/config/cc_yum_add_repo.py | 2 +- cloudinit/config/cc_yum_add_repo.py | 2 +-
@ -19,40 +19,39 @@ Signed-off-by: chengquan <chengquan3@huawei.com>
systemd/cloud-init.service.tmpl | 2 +- systemd/cloud-init.service.tmpl | 2 +-
tests/unittests/test_cli.py | 2 +- tests/unittests/test_cli.py | 2 +-
tools/render-cloudcfg | 2 +- tools/render-cloudcfg | 2 +-
12 files changed, 26 insertions(+), 14 deletions(-) 12 files changed, 26 insertions(+), 13 deletions(-)
create mode 100644 cloudinit/distros/openeuler.py create mode 100644 cloudinit/distros/openeuler.py
diff --git a/cloudinit/config/cc_ntp.py b/cloudinit/config/cc_ntp.py diff --git a/cloudinit/config/cc_ntp.py b/cloudinit/config/cc_ntp.py
index 3bc1d30..6b0f302 100644 index 8d83433..508f1ed 100644
--- a/cloudinit/config/cc_ntp.py --- a/cloudinit/config/cc_ntp.py
+++ b/cloudinit/config/cc_ntp.py +++ b/cloudinit/config/cc_ntp.py
@@ -29,7 +29,7 @@ distros = [ @@ -35,7 +35,7 @@ distros = [
"eurolinux", "mariner",
"fedora",
"miraclelinux", "miraclelinux",
"openbsd",
- "openEuler", - "openEuler",
+ "openeuler", + "openeuler",
"OpenCloudOS",
"openmandriva",
"opensuse", "opensuse",
"photon",
"rhel",
diff --git a/cloudinit/config/cc_resolv_conf.py b/cloudinit/config/cc_resolv_conf.py diff --git a/cloudinit/config/cc_resolv_conf.py b/cloudinit/config/cc_resolv_conf.py
index bbf6807..845e793 100644 index d8a7bfa..b642640 100644
--- a/cloudinit/config/cc_resolv_conf.py --- a/cloudinit/config/cc_resolv_conf.py
+++ b/cloudinit/config/cc_resolv_conf.py +++ b/cloudinit/config/cc_resolv_conf.py
@@ -52,7 +52,7 @@ meta: MetaSchema = { @@ -69,6 +69,7 @@ meta: MetaSchema = {
"name": "Resolv Conf", "sle_hpc",
"title": "Configure resolv.conf", "sle-micro",
"description": MODULE_DESCRIPTION, "sles",
- "distros": ["alpine", "fedora", "opensuse", "photon", "rhel", "sles"], + "openeuler",
+ "distros": ["alpine", "fedora", "opensuse", "photon", "rhel", "sles", "openeuler"], ],
"frequency": PER_INSTANCE, "frequency": PER_INSTANCE,
"examples": [ "examples": [
dedent(
diff --git a/cloudinit/config/cc_rh_subscription.py b/cloudinit/config/cc_rh_subscription.py diff --git a/cloudinit/config/cc_rh_subscription.py b/cloudinit/config/cc_rh_subscription.py
index b742cb9..4d8244f 100644 index 533862a..d92f760 100644
--- a/cloudinit/config/cc_rh_subscription.py --- a/cloudinit/config/cc_rh_subscription.py
+++ b/cloudinit/config/cc_rh_subscription.py +++ b/cloudinit/config/cc_rh_subscription.py
@@ -30,7 +30,7 @@ meta: MetaSchema = { @@ -32,7 +32,7 @@ meta: MetaSchema = {
"name": "Red Hat Subscription", "name": "Red Hat Subscription",
"title": "Register Red Hat Enterprise Linux based system", "title": "Register Red Hat Enterprise Linux based system",
"description": MODULE_DESCRIPTION, "description": MODULE_DESCRIPTION,
@ -62,10 +61,10 @@ index b742cb9..4d8244f 100644
"examples": [ "examples": [
dedent( dedent(
diff --git a/cloudinit/config/cc_spacewalk.py b/cloudinit/config/cc_spacewalk.py diff --git a/cloudinit/config/cc_spacewalk.py b/cloudinit/config/cc_spacewalk.py
index 6820a81..d97da92 100644 index c8249e6..bd7a972 100644
--- a/cloudinit/config/cc_spacewalk.py --- a/cloudinit/config/cc_spacewalk.py
+++ b/cloudinit/config/cc_spacewalk.py +++ b/cloudinit/config/cc_spacewalk.py
@@ -22,7 +22,7 @@ meta: MetaSchema = { @@ -25,7 +25,7 @@ meta: MetaSchema = {
"name": "Spacewalk", "name": "Spacewalk",
"title": "Install and configure spacewalk", "title": "Install and configure spacewalk",
"description": MODULE_DESCRIPTION, "description": MODULE_DESCRIPTION,
@ -75,31 +74,31 @@ index 6820a81..d97da92 100644
"examples": [ "examples": [
dedent( dedent(
diff --git a/cloudinit/config/cc_yum_add_repo.py b/cloudinit/config/cc_yum_add_repo.py diff --git a/cloudinit/config/cc_yum_add_repo.py b/cloudinit/config/cc_yum_add_repo.py
index f735719..cc787a3 100644 index 097493b..e565a1d 100644
--- a/cloudinit/config/cc_yum_add_repo.py --- a/cloudinit/config/cc_yum_add_repo.py
+++ b/cloudinit/config/cc_yum_add_repo.py +++ b/cloudinit/config/cc_yum_add_repo.py
@@ -28,7 +28,7 @@ distros = [ @@ -32,7 +32,7 @@ distros = [
"cloudlinux",
"eurolinux", "eurolinux",
"fedora", "fedora",
"mariner",
- "openEuler", - "openEuler",
+ "openeuler", + "openeuler",
"OpenCloudOS",
"openmandriva",
"photon", "photon",
"rhel",
"rocky",
diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
index b034e2c..be063c2 100644 index ec14893..59bafe0 100644
--- a/cloudinit/distros/__init__.py --- a/cloudinit/distros/__init__.py
+++ b/cloudinit/distros/__init__.py +++ b/cloudinit/distros/__init__.py
@@ -46,7 +46,7 @@ OSFAMILIES = { @@ -72,7 +72,7 @@ OSFAMILIES = {
"eurolinux", "sle-micro",
"fedora", "sles",
"miraclelinux", ],
- "openEuler", - "openEuler": ["openEuler"],
+ "openeuler", + "openeuler": ["openeuler"],
"photon", "OpenCloudOS": ["OpenCloudOS", "TencentOS"],
"rhel", }
"rocky",
diff --git a/cloudinit/distros/openeuler.py b/cloudinit/distros/openeuler.py diff --git a/cloudinit/distros/openeuler.py b/cloudinit/distros/openeuler.py
new file mode 100644 new file mode 100644
index 0000000..7505ca4 index 0000000..7505ca4
@ -119,97 +118,97 @@ index 0000000..7505ca4
+ +
+# vi: ts=4 expandtab +# vi: ts=4 expandtab
diff --git a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl diff --git a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl
index 6951a0e..8740752 100644 index 4c05f63..e686770 100644
--- a/config/cloud.cfg.tmpl --- a/config/cloud.cfg.tmpl
+++ b/config/cloud.cfg.tmpl +++ b/config/cloud.cfg.tmpl
@@ -33,7 +33,7 @@ disable_root: true @@ -35,7 +35,7 @@ disable_root: false
disable_root: true
{% endif %} {% endif %}
{% if variant in ["almalinux", "alpine", "amazon", "centos", "cloudlinux", "eurolinux", -{% if variant in ["alpine", "amazon", "fedora", "openEuler", "OpenCloudOS", "openmandriva", "photon", "TencentOS"] or is_rhel %}
- "fedora", "miraclelinux", "openEuler", "rhel", "rocky", "virtuozzo"] %} +{% if variant in ["alpine", "amazon", "fedora", "openeuler", "OpenCloudOS", "openmandriva", "photon", "TencentOS"] or is_rhel %}
+ "fedora", "miraclelinux", "openeuler", "rhel", "rocky", "virtuozzo"] %} {% if is_rhel %}
{% if variant == "rhel" %}
mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service,_netdev', '0', '2'] mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service,_netdev', '0', '2']
{% else %} {% else %}
@@ -125,7 +125,7 @@ cloud_config_modules: @@ -135,7 +135,7 @@ cloud_config_modules:
{% if variant in ["rhel"] %} {% if is_rhel %}
- rh_subscription - rh_subscription
{% endif %} {% endif %}
-{% if variant in ["rhel", "fedora", "photon"] %} -{% if variant in ["fedora", "mariner", "openmandriva", "photon"] or is_rhel %}
+{% if variant in ["rhel", "fedora", "photon", "openeuler"] %} +{% if variant in ["fedora", "mariner", "openmandriva", "photon", "openeuler"] or is_rhel %}
{% if variant not in ["photon"] %} {% if variant not in ["mariner", "photon"] %}
- spacewalk - spacewalk
{% endif %} {% endif %}
@@ -191,7 +191,7 @@ cloud_final_modules: @@ -199,7 +199,7 @@ cloud_final_modules:
system_info: system_info:
# This will affect which distro class gets used # This will affect which distro class gets used
{% if variant in ["almalinux", "alpine", "amazon", "arch", "centos", "cloudlinux", "debian", {% if variant in ["alpine", "amazon", "arch", "debian", "fedora", "freebsd",
- "eurolinux", "fedora", "freebsd", "gentoo", "netbsd", "miraclelinux", "openbsd", "openEuler", - "gentoo", "netbsd", "mariner", "openbsd", "openEuler", "OpenCloudOS",
+ "eurolinux", "fedora", "freebsd", "gentoo", "netbsd", "miraclelinux", "openbsd", "openeuler", + "gentoo", "netbsd", "mariner", "openbsd", "openeuler", "OpenCloudOS",
"photon", "rhel", "rocky", "suse", "ubuntu", "virtuozzo"] %} "openmandriva", "photon", "suse", "TencentOS", "ubuntu"] or is_rhel %}
distro: {{ variant }} distro: {{ variant }}
{% elif variant in ["dragonfly"] %} {% elif variant in ["dragonfly"] %}
@@ -245,7 +245,7 @@ system_info: @@ -254,7 +254,7 @@ system_info:
security: http://ports.ubuntu.com/ubuntu-ports security: http://ports.ubuntu.com/ubuntu-ports
ssh_svcname: ssh ssh_svcname: ssh
{% elif variant in ["almalinux", "alpine", "amazon", "arch", "centos", "cloudlinux", "eurolinux", {% elif variant in ["alpine", "amazon", "arch", "fedora",
- "fedora", "gentoo", "miraclelinux", "openEuler", "rhel", "rocky", "suse", "virtuozzo"] %} - "gentoo", "openEuler", "OpenCloudOS", "openmandriva", "suse", "TencentOS"] or is_rhel %}
+ "fedora", "gentoo", "miraclelinux", "openeuler", "rhel", "rocky", "suse", "virtuozzo"] %} + "gentoo", "openeuler", "OpenCloudOS", "openmandriva", "suse", "TencentOS"] or is_rhel %}
# Default user name + that default users groups (if added/used) # Default user name + that default users groups (if added/used)
default_user: default_user:
{% if variant == "amazon" %} {% if variant == "amazon" %}
diff --git a/systemd/cloud-init-generator.tmpl b/systemd/cloud-init-generator.tmpl diff --git a/systemd/cloud-init-generator.tmpl b/systemd/cloud-init-generator.tmpl
index 6689309..12aa52f 100644 index d71e3b8..783ae76 100644
--- a/systemd/cloud-init-generator.tmpl --- a/systemd/cloud-init-generator.tmpl
+++ b/systemd/cloud-init-generator.tmpl +++ b/systemd/cloud-init-generator.tmpl
@@ -21,7 +21,7 @@ CLOUD_SYSTEM_TARGET="/usr/lib/systemd/system/cloud-init.target" @@ -21,7 +21,7 @@ CLOUD_SYSTEM_TARGET="/usr/lib/systemd/system/cloud-init.target"
CLOUD_SYSTEM_TARGET="/lib/systemd/system/cloud-init.target" CLOUD_SYSTEM_TARGET="/lib/systemd/system/cloud-init.target"
{% endif %} {% endif %}
{% if variant in ["almalinux", "centos", "cloudlinux", "eurolinux", "fedora", {% if variant in ["almalinux", "centos", "cloudlinux", "eurolinux", "fedora",
- "miraclelinux", "openEuler", "rhel", "rocky", "virtuozzo"] %} - "miraclelinux", "openEuler", "OpenCloudOS", "openmandriva", "rhel", "rocky", "TencentOS", "virtuozzo"] %}
+ "miraclelinux", "openeuler", "rhel", "rocky", "virtuozzo"] %} + "miraclelinux", "openeuler", "OpenCloudOS", "openmandriva", "rhel", "rocky", "TencentOS", "virtuozzo"] %}
dsidentify="/usr/libexec/cloud-init/ds-identify" dsidentify="/usr/libexec/cloud-init/ds-identify"
{% else %} {% else %}
dsidentify="/usr/lib/cloud-init/ds-identify" dsidentify="/usr/lib/cloud-init/ds-identify"
diff --git a/systemd/cloud-init.service.tmpl b/systemd/cloud-init.service.tmpl diff --git a/systemd/cloud-init.service.tmpl b/systemd/cloud-init.service.tmpl
index c170aef..0ec2636 100644 index 1b1f9a8..c7a7c64 100644
--- a/systemd/cloud-init.service.tmpl --- a/systemd/cloud-init.service.tmpl
+++ b/systemd/cloud-init.service.tmpl +++ b/systemd/cloud-init.service.tmpl
@@ -13,7 +13,7 @@ After=systemd-networkd-wait-online.service @@ -13,7 +13,7 @@ After=systemd-networkd-wait-online.service
After=networking.service After=networking.service
{% endif %} {% endif %}
{% if variant in ["almalinux", "centos", "cloudlinux", "eurolinux", "fedora", {% if variant in ["almalinux", "centos", "cloudlinux", "eurolinux", "fedora",
- "miraclelinux", "openEuler", "rhel", "rocky", "virtuozzo"] %} - "miraclelinux", "openEuler", "OpenCloudOS", "openmandriva", "rhel", "rocky",
+ "miraclelinux", "openeuler", "rhel", "rocky", "virtuozzo"] %} + "miraclelinux", "openeuler", "OpenCloudOS", "openmandriva", "rhel", "rocky",
"suse", "TencentOS", "virtuozzo"] %}
After=network.service After=network.service
After=NetworkManager.service
{% endif %}
diff --git a/tests/unittests/test_cli.py b/tests/unittests/test_cli.py diff --git a/tests/unittests/test_cli.py b/tests/unittests/test_cli.py
index 7846d0d..0c525dd 100644 index e3fed41..2f031ee 100644
--- a/tests/unittests/test_cli.py --- a/tests/unittests/test_cli.py
+++ b/tests/unittests/test_cli.py +++ b/tests/unittests/test_cli.py
@@ -260,7 +260,7 @@ class TestCLI(test_helpers.FilesystemMockingTestCase): @@ -246,7 +246,7 @@ class TestCLI:
"**Supported distros:** all", "**Supported distros:** almalinux, alpine, centos, "
"**Supported distros:** almalinux, alpine, centos, " "cloudlinux, cos, debian, eurolinux, fedora, freebsd, "
"cloudlinux, debian, eurolinux, fedora, miraclelinux, " "mariner, miraclelinux, "
- "openEuler, opensuse, photon, rhel, rocky, sles, ubuntu, " - "openbsd, openEuler, OpenCloudOS, openmandriva, "
+ "openeuler, opensuse, photon, rhel, rocky, sles, ubuntu, " + "openbsd, openeuler, OpenCloudOS, openmandriva, "
"virtuozzo", "opensuse, opensuse-microos, opensuse-tumbleweed, "
"**Config schema**:\n **resize_rootfs:** " "opensuse-leap, photon, rhel, rocky, sle_hpc, "
"(``true``/``false``/``noblock``)", "sle-micro, sles, TencentOS, ubuntu, virtuozzo",
diff --git a/tools/render-cloudcfg b/tools/render-cloudcfg diff --git a/tools/render-cloudcfg b/tools/render-cloudcfg
index afe999e..cc9f054 100755 index 6551875..b21fdee 100755
--- a/tools/render-cloudcfg --- a/tools/render-cloudcfg
+++ b/tools/render-cloudcfg +++ b/tools/render-cloudcfg
@@ -24,7 +24,7 @@ def main(): @@ -25,7 +25,7 @@ def main():
"miraclelinux", "miraclelinux",
"netbsd", "netbsd",
"openbsd", "openbsd",
- "openEuler", - "openEuler",
+ "openeuler", + "openeuler",
"OpenCloudOS",
"openmandriva",
"photon", "photon",
"rhel",
"suse",
-- --
2.27.0 2.27.0


@ -11,16 +11,17 @@ Signed-off-by: chengquan <chengquan3@huawei.com>
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/setup.py b/setup.py diff --git a/setup.py b/setup.py
index a9132d2..a81c1e9 100755 index d0b1c99..55b929a 100644
--- a/setup.py --- a/setup.py
+++ b/setup.py +++ b/setup.py
@@ -324,6 +324,7 @@ cmdclass = { @@ -331,6 +331,7 @@ cmdclass = {
} }
requirements = read_requires() requirements = read_requires()
+requirements.sort() +requirements.sort()
setuptools.setup( setuptools.setup(
name="cloud-init", name="cloud-init",
-- --
2.27.0 2.27.0


@ -9,10 +9,10 @@ Signed-off-by: Eduardo Otubo <otubo@redhat.com>
1 file changed, 11 insertions(+), 1 deletion(-) 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
index ba85c4f..90a4eb9 100644 index d934f66..8a60c95 100644
--- a/cloudinit/net/sysconfig.py --- a/cloudinit/net/sysconfig.py
+++ b/cloudinit/net/sysconfig.py +++ b/cloudinit/net/sysconfig.py
@@ -1039,7 +1039,17 @@ class Renderer(renderer.Renderer): @@ -1025,7 +1025,17 @@ class Renderer(renderer.Renderer):
# Distros configuring /etc/sysconfig/network as a file e.g. Centos # Distros configuring /etc/sysconfig/network as a file e.g. Centos
if sysconfig_path.endswith("network"): if sysconfig_path.endswith("network"):
util.ensure_dir(os.path.dirname(sysconfig_path)) util.ensure_dir(os.path.dirname(sysconfig_path))
@ -31,5 +31,6 @@ index ba85c4f..90a4eb9 100644
if network_state.use_ipv6: if network_state.use_ipv6:
netcfg.append("NETWORKING_IPV6=yes") netcfg.append("NETWORKING_IPV6=yes")
netcfg.append("IPV6_AUTOCONF=no") netcfg.append("IPV6_AUTOCONF=no")
-- --
2.27.0 2.27.0

Binary file not shown.

BIN
cloud-init-23.2.2.tar.gz Normal file

Binary file not shown.


@ -1,6 +1,6 @@
Name: cloud-init Name: cloud-init
Version: 22.2 Version: 23.2.2
Release: 10 Release: 1
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
License: ASL 2.0 or GPLv3 License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init URL: http://launchpad.net/cloud-init
@ -13,20 +13,13 @@ Patch1: bugfix-cloud-init-add-os-support.patch
Patch2: bugfix-sort-requirements.patch Patch2: bugfix-sort-requirements.patch
Patch3: add-variable-to-forbid-tmp-dir.patch Patch3: add-variable-to-forbid-tmp-dir.patch
Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch
Patch6: backport-Do-not-change-permissions-of-netrules-target.patch
Patch7: backport-CVE-2022-2084.patch
Patch8: backport-Cleanup-ephemeral-IP-routes-on-exception.patch
Patch9: backport-CVE-2023-1786.patch
Patch9000: fix-permission-of-the-private-key.patch
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2 BuildRequires: iproute python3-configobj python3-responses
BuildRequires: python3-jinja2 python3-jsonpatch python3-jsonschema BuildRequires: python3-jinja2 python3-jsonpatch python3-jsonschema
BuildRequires: python3-mock python3-oauthlib python3-prettytable BuildRequires: python3-mock python3-oauthlib python3-prettytable
BuildRequires: python3-pyserial python3-PyYAML python3-requests python3-six BuildRequires: python3-pyserial python3-PyYAML python3-requests
BuildRequires: python3-unittest2 dnf %{_vendor}-release python3-pytest passwd python3-netifaces BuildRequires: dnf %{_vendor}-release python3-pytest passwd python3-netifaces
BuildRequires: python3-pytest-mock BuildRequires: python3-pytest-mock
Requires: e2fsprogs iproute python3-libselinux net-tools python3-policycoreutils Requires: e2fsprogs iproute python3-libselinux net-tools python3-policycoreutils
@ -62,13 +55,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -D -m 0644 tools/21-cloudinit.conf %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf install -D -m 0644 tools/21-cloudinit.conf %{buildroot}/%{_sysconfdir}/rsyslog.d/21-cloudinit.conf
%check %check
rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_handler/test_handler_ntp.py
rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_datasource/test_opennebula.py
# nothing provides python3-responses
rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/test_url_helper.py
rm -f $RPM_BUILD_DIR/%{name}-%{version}/tests/unittests/sources/test_ec2.py
python3 -m pytest tests/unittests/ python3 -m pytest tests/unittests/
%pre %pre
@ -103,11 +89,10 @@ fi
%dir %{_sysconfdir}/cloud/cloud.cfg.d %dir %{_sysconfdir}/cloud/cloud.cfg.d
%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/*.cfg %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/*.cfg
%doc %{_sysconfdir}/cloud/cloud.cfg.d/README %doc %{_sysconfdir}/cloud/cloud.cfg.d/README
%doc %{_sysconfdir}/cloud/clean.d/README
%dir %{_sysconfdir}/rsyslog.d %dir %{_sysconfdir}/rsyslog.d
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
%{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager %{_udevrulesdir}/66-azure-ephemeral.rules
%{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
/lib/udev/rules.d/66-azure-ephemeral.rules
%{_unitdir}/cloud-config.service %{_unitdir}/cloud-config.service
%{_unitdir}/cloud-final.service %{_unitdir}/cloud-final.service
%{_unitdir}/cloud-init.service %{_unitdir}/cloud-init.service
@ -116,8 +101,8 @@ fi
%{_unitdir}/cloud-init.target %{_unitdir}/cloud-init.target
/usr/lib/systemd/system-generators/cloud-init-generator /usr/lib/systemd/system-generators/cloud-init-generator
%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf %{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
/usr/lib/systemd/system/cloud-init-hotplugd.service %{_unitdir}/cloud-init-hotplugd.service
/usr/lib/systemd/system/cloud-init-hotplugd.socket %{_unitdir}/cloud-init-hotplugd.socket
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%{_libexecdir}/%{name} %{_libexecdir}/%{name}
%{_bindir}/cloud-init* %{_bindir}/cloud-init*
@ -134,6 +119,12 @@ fi
%exclude /usr/share/doc/* %exclude /usr/share/doc/*
%changelog %changelog
* Thu Aug 03 2023 shixuantong <shixuantong1@huawei.com> - 23.2.2-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:upgrade version to 23.2.2
* Wed May 24 2023 shixuantong <shixuantong1@huawei.com> - 22.2-10 * Wed May 24 2023 shixuantong <shixuantong1@huawei.com> - 22.2-10
- Type:CVE - Type:CVE
- ID:CVE-2023-1786 - ID:CVE-2023-1786
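Review bot: The changelog entry added at the end of this section records only `- DESC:upgrade version to 23.2.2`, but the same change also drops Patch5 through Patch9 and Patch9000, including `backport-CVE-2022-2084.patch`, `backport-CVE-2023-1786.patch` and `fix-permission-of-the-private-key.patch`. Nothing on the page shows that the 23.2.2 tarball already carries these fixes. The two CVE backports are presumably upstream by this release, but the Patch9000 numbering suggests a local patch, so the private-key file mode it enforced should be checked against the new sources before it is removed. I would record the outcome in the changelog, for example `- DESC:upgrade version to 23.2.2; drop CVE-2022-2084, CVE-2023-1786 and key-permission patches (included upstream)`. The `%check` section now runs the whole unit-test suite without the four `rm -f` exclusions, which helps only if those tests cover the key-permission and log-redaction behaviour.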