Add ftp support to NoCloud

[holmanb]

Proposed Commit Message

feat: Add support for FTP and FTP over TLS

Use Python's ftplib to connect to and read instance configurations from a
remove server. Like the current http support, nocloud's configuration URI
is defined via kernel command line or dmi product serial.

Notes on FTP and FTP over TLS
=============================

FTP is insecure, use at your own risk.

The FTP over TLS implementation follows library best practices[1][2].
From the ssl documentation regarding create_default_context():

> It will load the system’s trusted CA certificates, enable certificate
> validation and hostname checking, and try to choose reasonably secure
> protocol and cipher settings.

Test Changes
============

tests/i/util.py
---------------

- new helper function verify_clean_boot() to verify cloud-init state
- acquire override_kernel_cmdline() for reuse in other tests
- acquire restart_cloud_init() for reuse in other tests

tests/i/datasources/test_nocloud.py
-----------------------------------

- new test class for FTP/FTPS uses pyftpdlib for server, mkcert for test certs
- 2 test additions for FTP
- 2 test additions for FTPS

Implements via ftplib
=====================

RFC 959 - File Transfer Protocol
RFC 2640 - FTP Internationalization (UTF-8)
RFC 4217 - FTP over TLS

[1] https://docs.python.org/3/library/ftplib.html#ftp-tls-objects
[2] https://docs.python.org/3/library/ssl.html#ssl-security

Additional Context

Test Steps

PLATFORM="lxd_vm" CLOUD_INIT_SOURCE="./cloud-init_all.deb" python -m
pytest -vv --log-cli-level=INFO --durations 10 tests/integration_tests/datasources/test_nocloud.py::TestFTP

Merge type

• Squash merge using "Proposed Commit Message"
• Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

[TheRealFalcon]

Bwahaha!

[TheRealFalcon]

@holmanb this still WIP?

[holmanb]

@holmanb this still WIP?

I'm working on an integration test for it currently, but I think it is ready for review.

[TheRealFalcon]

Besides the test issues, I wanted to provide my other comments here now

[TheRealFalcon]

This seems like an overly targeted exception for a large block of code in the try block. E.g., if we fail on the ftp_tls.retrbinary(f"RETR {url_parts.path}", callback=buffer.write) line, that wouldn't be because of the error being raised here, correct?

Can just the connect line be in the try block while letting all other exceptions escape?

Similar comment for the try after this one

[holmanb]

Can just the connect line be in the try block while letting all other exceptions escape?

I'm hesitant to do that in the first try/except block, but I'm fine with doing it in the second.

If prot_p() throws an exception and we're using ftp:// (which permits unencrypted ftp) I think we should try to recover so we can attempt unencrypted.

[holmanb]

@TheRealFalcon I think I've done what you asked, but I'm not certain I fully understood. Let me know.

[holmanb]

@TheRealFalcon I think I've addressed your comments. I've added integration tests and updated the commit message.

Ready for re-review.

[setharnold]

I added some nitpicks, feel free to disregard if you disagree strongly enough. Thanks

[setharnold]

This changes where this can be run, and how safe it is to run this test. Could we package a fixed cert.pem and key.pem (set to expire in a hundred years or so?) to skip this download, compile, and execute?

[holmanb]

Could we package a fixed cert.pem and key.pem (set to expire in a hundred years or so?) to skip this download, compile, and execute?

Given that this will be dropped as soon as we are no longer releasing to focal, I'm not sure that it is worth it. Also, I could use help with cert generation for that.

The challenging bit wasn't actually getting a cert.pem and key.pem, it was building a root cert and getting it into the CA store so that the client would trust it - self signed certs won't work for that. I'm not very well versed in the openssl commandline, but if someone is able to generate a test root CA, cert, and key I'd be happy to use that rather than using mkcert.

[setharnold]

"no longer releasing to focal" may be a very long way away.

The security team has some rough-and-ready python for testing OpenSSL that might be suitable for stealing:

https://git.launchpad.net/qa-regression-testing/tree/scripts/test-openssl.py#n238

[setharnold]

These loops are more complex than I'd like. They might work perfectly well, but it isn't obvious to me that they do. I would find set operations easier, eg:

missing_errors = require_errors.subtract(status["errors"])
surplus_errors = status["errors"].subtract(require_errors).subtract(ignore_errors)

(or whatever would actually run.)

[holmanb]

I agree that this would be easier logic to follow, however set operations require exact matches rather than allowing substring matches (what the code currently does), or regex matches (what we probably want in the future). I haven't yet thought of an elegant way to accomplish this using sets.

[TheRealFalcon]

Generally LGTM...just mostly test requests inline.

[TheRealFalcon]

It is possible for this function to fail and raise an error. I can't think of any possible way that would happen on input that wouldn't also fail on one of the later functions, but have you considered all of the possible failure cases? I don't think the code needs to change, but just an ask to double-check any possible exceptions and ensure we won't newly fail on them.

[holmanb]

Addressed with exception handling

[TheRealFalcon]

verify_clean_log has gotten pretty crusty, and this is a much nicer direction to replace it.

That said, verify_clean_log was never intended to be a collection of problems that might appear for this particular test setup. Rather, it's supposed to be a collection of problems that can appear for any test based on the platform.

E.g., every test on Azure has to work around No lease found. Every test that runs on Oracle has to work around Stderr: RTNETLINK answers: File exists.

It's obviously grown into something grosser than that, but the behavior is still required.

This happens to work for your test because you've limited your test to LXD_VMs, but if we want a general purpose utility function, we need both behaviors. At the very least I think the new function should call verify_clean_log for now. Then we can either later clean up verify_clean_log or refactor the needed pieces into this one.

[holmanb]

At the very least I think the new function should call verify_clean_log for now.

I think that at the moment, verify_clean_log just won't work unless you pass matching expected failures. This is the result of the "Found unexpected errors/warnings" code paths - it just won't work unless you've passed everything that you expect to see in the ignored_warnings and ignored_errors keys. I don't think that calling verify_clean_log() inside of verify_clean_boot() will fix that - in fact we can't because we require failures in some of our tests, but I'm happy to call that manually as well in the integration tests that we expect a clean log in.

One idea that I envision for this helper is a matrix of platforms and series that allows us to specify exactly when an expected warning message that will be seen. This would be more precise than the current "ignore this pattern everywhere" paradigm that verify_clean_log() uses. That said, I'm not sure that I want to include that refactor in this PR, which has already grown sizeable.

[holmanb]

@TheRealFalcon I believe that I've addressed all of your comments.

I have one more review item left to address, which is the request to include a manually generated cert rather than installing mkcert from source for focal. I won't be able to work on that request until Friday at the earliest, so if you'd like to re-review the non-test code, I don't have any more planned changes there.

[TheRealFalcon]

Nit: still some c variables in function signatures, but otherwise LGTM

[github-actions]

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

[holmanb]

rebased and force pushed - addressed remaining comment from @TheRealFalcon and merging