fedora-iot / zezere

Zezere is a provisioning service for Fedora IoT. It can be used for deploying Fedora IoT to devices without needing a physical console.
MIT License

Special casing of default QEMU MAC address #84

Closed gicmo closed 4 years ago

gicmo commented 4 years ago

I managed to compose and boot a Fedora IoT-like image via osbuild (yay). When I booted it I was surprised to find that an ssh key got provisioned via zezere-ignition. This is of course because QEMU uses one very specific MAC address (52:54:00:12:34:56) as the default if none is specified (qemu net/net.c:182).

I think it would make sense to special-case that MAC address. Maybe set the root password to a well-known one, or require a token for that MAC address (like in issue #54).

[   32.379983] zezere-ignition[811]: INFO     : Ignition 2.2.1
[   32.380961] zezere-ignition[811]: INFO     : Stage: fetch
[   32.381654] zezere-ignition[811]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
[   32.382636] zezere-ignition[811]: INFO     : no config at "/usr/lib/ignition/base.ign"
[   32.383773] zezere-ignition[811]: DEBUG    : parsed url from cmdline: ""
[   32.384571] zezere-ignition[811]: INFO     : no config URL provided
[   32.385354] zezere-ignition[811]: INFO     : reading system config file "/usr/lib/ignition/user.ign"
[   32.386324] zezere-ignition[811]: INFO     : no config at "/usr/lib/ignition/user.ign"
[   32.387456] zezere-ignition[811]: INFO     : using config file at "/tmp/zezere-ignition-config-207rzhn4.ign"
[   32.388618] zezere-ignition[811]: DEBUG    : parsing config with SHA512: 03362215218551e13ca5128b2fc167dea1be823ff6a1b9b099a1d33b61c1e56be637fd13a47bc57966e8b76b2a1a6d8eb0d2a9e120897e1d9798b5c36ddca757
[   32.392943] zezere-ignition[811]: INFO     : GET https://provision.fedoraproject.org/netboot/x86_64/ignition/52:54:00:12:34:56: attempt #1
[   32.771984] zezere-ignition[811]: INFO     : GET result: OK
[   32.776870] zezere-ignition[811]: DEBUG    : fetched referenced config at https://provision.fedoraproject.org/netboot/x86_64/ignition/52:54:00:12:34:56 with SHA512: e1e98e22de4283245568a1cac4999f080025a2f7fae97eb8d655962c579e73bcb2b46e3a71825c64f957ab7eacc84bcef4f68d32eb7f53c3a30bf32fc5d62b84
[   32.798113] zezere-ignition[811]: WARNING  : warning at $.ignition.config.merges, line 1 col 46: Unused key merges
[   32.823535] zezere-ignition[811]: INFO     : fetch: fetch complete
[   32.826372] zezere-ignition[811]: INFO     : fetch: fetch passed
[   32.828564] zezere-ignition[811]: INFO     : Ignition finished successfully
[   32.848494] zezere-ignition[816]: INFO     : Ignition 2.2.1
[   32.851747] zezere-ignition[816]: INFO     : Stage: disks
[   32.852989] zezere-ignition[816]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
[   32.854551] zezere-ignition[816]: INFO     : no config at "/usr/lib/ignition/base.ign"
[   32.857755] zezere-ignition[816]: INFO     : disks: disks passed
[   32.859102] zezere-ignition[816]: INFO     : Ignition finished successfully
[   32.877105] zezere-ignition[821]: INFO     : Ignition 2.2.1
[   32.878287] zezere-ignition[821]: INFO     : Stage: mount
[   32.879419] zezere-ignition[821]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
[   32.880970] zezere-ignition[821]: INFO     : no config at "/usr/lib/ignition/base.ign"
[   32.883847] zezere-ignition[821]: INFO     : mount: mount passed
[   32.884979] zezere-ignition[821]: INFO     : Ignition finished successfully
[   32.899478] zezere-ignition[826]: INFO     : Ignition 2.2.1
[   32.901771] zezere-ignition[826]: INFO     : Stage: files
[   32.903407] zezere-ignition[826]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
[   32.904822] zezere-ignition[826]: INFO     : no config at "/usr/lib/ignition/base.ign"
[   32.909160] zezere-ignition[826]: INFO     : files: createUsers: op(1): [started]  creating or modifying user "root"
[   32.910668] zezere-ignition[826]: DEBUG    : files: createUsers: op(1): executing: "usermod" "--root" "/" "root"
[   32.925344] zezere-ignition[826]: INFO     : files: createUsers: op(1): [finished] creating or modifying user "root"
[   32.927007] zezere-ignition[826]: INFO     : files: createUsers: op(2): [started]  adding ssh keys to user "root"
[   32.930316] zezere-ignition[826]: INFO     : files: createUsers: op(2): [finished] adding ssh keys to user "root"
[   32.933782] zezere-ignition[826]: INFO     : files: op(3): [started]  relabeling 9 patterns
[   32.935544] zezere-ignition[826]: DEBUG    : files: op(3): executing: "setfiles" "-vFi0" "-r" "/" "/etc/selinux/targeted/contexts/files/file_contexts" "-f" "-"
[   32.942152] zezere-ignition[826]: CRITICAL : files: op(3): [failed]   relabeling 9 patterns: exit status 255: Cmd: "setfiles" "-vFi0" "-r" "/" "/etc/selinux/targeted/contexts/files/file_contexts" "-f" "-" Stdout: "" Stderr: "setfiles:  invalid alt_rootpath: /\n"
[   32.945206] zezere-ignition[826]: files failed
Full config:
[   32.947613] zezere-ignition[826]: {
[   32.948520] zezere-ignition[826]:   "ignition": {
[   32.949472] zezere-ignition[826]:     "config": {
[   32.950396] zezere-ignition[826]:       "replace": {
[   32.951357] zezere-ignition[826]:         "source": null,
[   32.952294] zezere-ignition[826]:         "verification": {}
[   32.953260] zezere-ignition[826]:       }
[   32.954104] zezere-ignition[826]:     },
[   32.955167] zezere-ignition[826]:     "proxy": {},
[   32.956016] zezere-ignition[826]:     "security": {
[   32.956820] zezere-ignition[826]:       "tls": {}
[   32.958588] zezere-ignition[826]:     },
[   32.959394] zezere-ignition[826]:     "timeouts": {},
[   32.961208] zezere-ignition[826]:     "version": "3.1.0-experimental"
[   32.963560] zezere-ignition[826]:   },
[   32.964348] zezere-ignition[826]:   "passwd": {
[   32.966148] zezere-ignition[826]:     "users": [
[   32.966996] zezere-ignition[826]:       {
[   32.967749] zezere-ignition[826]:         "name": "root",
[   32.969629] zezere-ignition[826]:         "sshAuthorizedKeys": [
[   32.970569] zezere-ignition[826]:           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx0fw08yAmuQ7Ql91pzjxwDhW6jpt2/0wkWjECGVFSgSry6bxk99B35PxsKOSGXOX61fvLEyYxjmrFOhzoBl+t55ssdGdrW8ARoHWhFLWCuxwDnVcabjEIEclUkPsNZLm65ixzeZkuq051n9I2ZvrZnkPFbcx0sHrLW8PNeiw/+jdBXSG6Mt9B8ANY1teA7Oy/l9P6uqooH8HPqc7nhJGllNLCqt/leL0mtcz6/BD9i7Kr50nbqTSnHOlt/4Zt8OfdjIiAP575Vd83+JoiSBLcMvdGFhe1SdlkpMKAunjuaMr8CH70hEruga+HL0DvwDj2g0qV5lwVppyvNoUSMkr5 yortnoswad@gmail.com"
[   32.974133] zezere-ignition[826]:         ]
[   32.974862] zezere-ignition[826]:       }
[   32.976655] zezere-ignition[826]:     ]
[   32.977411] zezere-ignition[826]:   },
[   32.978165] zezere-ignition[826]:   "storage": {},
[   32.980002] zezere-ignition[826]:   "systemd": {}
[   32.980931] zezere-ignition[826]: }
CRITICAL : Ignition failed: failed to handle relabeling: exit status 255: Cmd: "setfiles" "-vFi0" "-r" "/" "/etc/selinux/targeted/contexts/files/file_contexts" "-f" "-" Stdout: "" Stderr: "setfiles:  invalid alt_rootpath: /\n"
[   32.991349] zezere-ignition[837]: INFO     : Ignition 2.2.1
[   32.992541] zezere-ignition[837]: INFO     : Stage: umount
[   33.000340] zezere-ignition[837]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
[   33.002575] zezere-ignition[837]: INFO     : no config at "/usr/lib/ignition/base.ign"
[   33.004861] zezere-ignition[837]: INFO     : umount: umount passed
[   33.005797] zezere-ignition[837]: INFO     : Ignition finished successfully
[   33.008592] zezere-ignition[809]: Running stage fetch with config file /tmp/zezere-ignition-config-207rzhn4.ign
[   33.009857] zezere-ignition[809]: Running stage disks with config file /tmp/zezere-ignition-config-207rzhn4.ign
[   33.012194] zezere-ignition[809]: Running stage mount with config file /tmp/zezere-ignition-config-207rzhn4.ign
[   33.013429] zezere-ignition[809]: Running stage files with config file /tmp/zezere-ignition-config-207rzhn4.ign
[   33.014729] zezere-ignition[809]: Running stage umount with config file /tmp/zezere-ignition-config-207rzhn4.ign
puiterwijk commented 4 years ago

I think the only sane way to deal with this is to just blacklist this MAC address and refuse to let it be claimed or configured. At least until we have another system ID. Because the problem here is that the MAC has been claimed at some point, and we need to allow a MAC address to be configured from multiple IPs, in case a device is connected to a place without a static public IP.

puiterwijk commented 4 years ago

That MAC address has been blacklisted and removed from provision.fedoraproject.org. Thanks for the report!
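The blacklist puiterwijk describes, as an added example in Python (Zezere's language) that is not Zezere's own code and does not reproduce its views or models. It shows the two pieces a practitioner wants: the MAC is normalized before the denylist comparison, so "52-54-00-12-34-56" or upper case cannot slip past a naive string match, and the same check is applied both when a device is claimed and when the per-MAC Ignition config is fetched. The function names, the HTTP status codes, the `claimed` dictionary and the sample log lines are all constructed for this example; only the QEMU default address and the URL shape come from the issue. The all-zero and broadcast entries in the denylist are an assumption added here, since they are likewise not unique to any one device.

```python
from __future__ import annotations

import re

# Default MAC QEMU assigns when none is given (the value shown in the issue).
# Any number of unrelated VMs present this same address, so it cannot
# identify a device and must never be claimable.
QEMU_DEFAULT_MAC = "52:54:00:12:34:56"

# Addresses that provisioning refuses to claim or serve a config for.
# Only the QEMU default comes from the issue; all-zero and broadcast are an
# assumption added here because they are likewise not unique.
DENYLISTED_MACS = frozenset({
    QEMU_DEFAULT_MAC,
    "00:00:00:00:00:00",
    "ff:ff:ff:ff:ff:ff",
})


class MacNotAllowed(ValueError):
    """Raised when a MAC address may not be claimed or configured."""


def normalize_mac(mac: str) -> str:
    """Return ``mac`` as lowercase colon-separated octets.

    Accepts the common spellings (52:54:00:12:34:56, 52-54-00-12-34-56,
    5254.0012.3456, 525400123456, upper or lower case) so that a denylist
    comparison cannot be bypassed by spelling the same address differently.
    Raises ValueError for anything that is not 12 hex digits.
    """
    digits = re.sub(r"[:.\-\s]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_claimable(mac: str) -> str:
    """Normalize ``mac`` and refuse it if it is denylisted.

    Returns the canonical form so callers store exactly one spelling;
    raises MacNotAllowed for denylisted addresses.
    """
    canonical = normalize_mac(mac)
    if canonical in DENYLISTED_MACS:
        raise MacNotAllowed(
            f"{canonical} is not a unique device identifier and cannot be claimed"
        )
    return canonical


def claim_device(mac: str, ssh_keys: list[str], claimed: dict[str, list[str]]) -> None:
    """Record ``ssh_keys`` for ``mac`` (hypothetical claim step, not Zezere's).

    The denylist check runs here, before anything is stored, so the QEMU
    default can never acquire a config in the first place.
    """
    claimed[check_claimable(mac)] = list(ssh_keys)


def ignition_config_for(mac: str, claimed: dict[str, list[str]]) -> tuple[int, dict | None]:
    """Model the /netboot/<arch>/ignition/<mac> lookup (hypothetical, not Zezere's view).

    Returns an (HTTP status, config) pair: 400 for a malformed MAC, 403 for a
    denylisted one, 404 when nobody has claimed it, and 200 with a minimal
    passwd config otherwise. The fetch path is checked too, so a record that
    predates the denylist (the situation in the issue) is still refused.
    """
    try:
        canonical = check_claimable(mac)
    except MacNotAllowed:      # must precede ValueError: it is a subclass of it
        return 403, None
    except ValueError:
        return 400, None
    keys = claimed.get(canonical)
    if keys is None:
        return 404, None
    return 200, {
        "ignition": {"version": "3.1.0"},
        "passwd": {"users": [{"name": "root", "sshAuthorizedKeys": keys}]},
    }


# Pattern for the fetch line Ignition logs, modelled on the issue's log.
_FETCH_RE = re.compile(r"GET https://\S+/ignition/([0-9A-Fa-f:.\-]+):")


def denylisted_fetches(log_text: str) -> list[str]:
    """Return the denylisted MACs that a boot log shows a config being fetched for.

    Useful when checking an image build: a hit means the VM booted with a
    non-unique MAC and would have pulled whatever config was claimed for it.
    """
    hits = []
    for line in log_text.splitlines():
        m = _FETCH_RE.search(line)
        if m:
            try:
                canonical = normalize_mac(m.group(1))
            except ValueError:
                continue
            if canonical in DENYLISTED_MACS:
                hits.append(canonical)
    return hits


# Constructed sample log lines (shape copied from the issue, values shortened).
SAMPLE_LOG = """\
zezere-ignition[811]: INFO     : GET https://provision.fedoraproject.org/netboot/x86_64/ignition/52:54:00:12:34:56: attempt #1
zezere-ignition[811]: INFO     : GET https://provision.fedoraproject.org/netboot/x86_64/ignition/52:54:00:ab:cd:ef: attempt #1
"""

if __name__ == "__main__":
    claimed: dict[str, list[str]] = {}
    claim_device("52:54:00:AB:CD:EF", ["ssh-ed25519 AAAA... example"], claimed)
    print(ignition_config_for("52-54-00-ab-cd-ef", claimed))
    print(ignition_config_for(QEMU_DEFAULT_MAC, claimed))
    print(denylisted_fetches(SAMPLE_LOG))
```

The lookup refuses the denylisted MAC even when a record for it already exists, which is what makes "remove it from the server" and "refuse it going forward" the same change rather than two separate ones.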