!234 [sync] PR-226: backport upstream bugfix patches

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-ec2-Do-not-enable-dhcp6-on-EC2.patch

@@ -0,0 +1,119 @@
+From f0fb841883b80c71618582e43e1b3cd87a0dcb58 Mon Sep 17 00:00:00 2001
+From: Major Hayden <major@redhat.com>
+Date: Mon, 1 Apr 2024 18:28:12 +0000
+Subject: [PATCH] ec2: Do not enable dhcp6 on EC2 (#5104)
+
+When cloud-init finds any ipv6 information in the instance metadata, it
+automatically enables dhcp6 for the network interface. However, this
+brings up the instance with a broken IPv6 configuration because SLAAC
+should be used for almost all situations on EC2.
+
+Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2092459
+Fedora Pagure: https://pagure.io/cloud-sig/issue/382
+Upstream: https://bugs.launchpad.net/cloud-init/+bug/1976526
+
+Fixes GH-3980
+
+Reference:https://github.com/canonical/cloud-init/commit/f0fb841883b80c71618582e43e1b3cd87a0dcb58
+Conflict:(1)Delete one more line of code. The content is "if nic_metadata.get('ipv6s'):  # Any IPv6 addresses configured"
+(2)The test cases are modified differently because the version is too early.
+
+Signed-off-by: Major Hayden <major@redhat.com>
+---
+ cloudinit/sources/DataSourceEc2.py          |  5 -----
+ tests/unittests/test_datasource/test_ec2.py | 14 +++++++-------
+ 2 files changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/cloudinit/sources/DataSourceEc2.py b/cloudinit/sources/DataSourceEc2.py
+index 700437b..2d869db 100644
+--- a/cloudinit/sources/DataSourceEc2.py
++++ b/cloudinit/sources/DataSourceEc2.py
+@@ -773,8 +773,6 @@ def convert_ec2_metadata_network_config(
+                       'match': {'macaddress': mac.lower()},
+                       'set-name': nic_name}
+         nic_metadata = macs_metadata.get(mac)
+-        if nic_metadata.get('ipv6s'):  # Any IPv6 addresses configured
+-            dev_config['dhcp6'] = True
+         netcfg['ethernets'][nic_name] = dev_config
+         return netcfg
+     # Apply network config for all nics and any secondary IPv4/v6 addresses
+@@ -791,9 +789,6 @@ def convert_ec2_metadata_network_config(
+                       'dhcp6': False,
+                       'match': {'macaddress': mac.lower()},
+                       'set-name': nic_name}
+-        if nic_metadata.get('ipv6s'):  # Any IPv6 addresses configured
+-            dev_config['dhcp6'] = True
+-            dev_config['dhcp6-overrides'] = dhcp_override
+         dev_config['addresses'] = get_secondary_addresses(nic_metadata, mac)
+         if not dev_config['addresses']:
+             dev_config.pop('addresses')  # Since we found none configured
+diff --git a/tests/unittests/test_datasource/test_ec2.py b/tests/unittests/test_datasource/test_ec2.py
+index a93f219..f932e73 100644
+--- a/tests/unittests/test_datasource/test_ec2.py
++++ b/tests/unittests/test_datasource/test_ec2.py
+@@ -399,7 +399,7 @@ class TestEc2(test_helpers.HttprettyTestCase):
+         mac1 = '06:17:04:d7:26:09'  # Defined in DEFAULT_METADATA
+         expected = {'version': 2, 'ethernets': {'eth9': {
+             'match': {'macaddress': '06:17:04:d7:26:09'}, 'set-name': 'eth9',
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         patch_path = M_PATH_NET + 'get_interfaces_by_mac'
+         get_interface_mac_path = M_PATH_NET + 'get_interface_mac'
+         with mock.patch(patch_path) as m_get_interfaces_by_mac:
+@@ -460,7 +460,7 @@ class TestEc2(test_helpers.HttprettyTestCase):
+             'addresses': ['172.31.45.70/20',
+                           '2600:1f16:292:100:f152:2222:3333:4444/128',
+                           '2600:1f16:292:100:f153:12a3:c37c:11f9/128'],
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         patch_path = M_PATH_NET + 'get_interfaces_by_mac'
+         get_interface_mac_path = M_PATH_NET + 'get_interface_mac'
+         with mock.patch(patch_path) as m_get_interfaces_by_mac:
+@@ -509,7 +509,7 @@ class TestEc2(test_helpers.HttprettyTestCase):
+             self.logs.getvalue())
+         expected = {'version': 2, 'ethernets': {'eth9': {
+             'match': {'macaddress': mac1}, 'set-name': 'eth9',
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         self.assertEqual(expected, ds.network_config)
+ 
+     def test_ec2_get_instance_id_refreshes_identity_on_upgrade(self):
+@@ -825,7 +825,7 @@ class TestConvertEc2MetadataNetworkConfig(test_helpers.CiTestCase):
+         nic1_metadata.pop('public-ipv4s')
+         expected = {'version': 2, 'ethernets': {'eth9': {
+             'match': {'macaddress': self.mac1}, 'set-name': 'eth9',
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         self.assertEqual(
+             expected,
+             ec2.convert_ec2_metadata_network_config(
+@@ -875,7 +875,7 @@ class TestConvertEc2MetadataNetworkConfig(test_helpers.CiTestCase):
+         nic1_metadata['local-ipv4s'] = '10.0.0.42'  # Local ipv4 only on vpc
+         expected = {'version': 2, 'ethernets': {'eth9': {
+             'match': {'macaddress': self.mac1}, 'set-name': 'eth9',
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         self.assertEqual(
+             expected,
+             ec2.convert_ec2_metadata_network_config(
+@@ -897,7 +897,7 @@ class TestConvertEc2MetadataNetworkConfig(test_helpers.CiTestCase):
+             'eth9': {
+                 'match': {'macaddress': self.mac1}, 'set-name': 'eth9',
+                 'dhcp4': True, 'dhcp4-overrides': {'route-metric': 100},
+-                'dhcp6': True, 'dhcp6-overrides': {'route-metric': 100}},
++                'dhcp6': False},
+             'eth10': {
+                 'match': {'macaddress': mac2}, 'set-name': 'eth10',
+                 'dhcp4': True, 'dhcp4-overrides': {'route-metric': 200},
+@@ -916,7 +916,7 @@ class TestConvertEc2MetadataNetworkConfig(test_helpers.CiTestCase):
+         nic1_metadata['ipv6s'] = '2620:0:1009:fd00:e442:c88d:c04d:dc85/64'
+         expected = {'version': 2, 'ethernets': {'eth9': {
+             'match': {'macaddress': self.mac1}, 'set-name': 'eth9',
+-            'dhcp4': True, 'dhcp6': True}}}
++            'dhcp4': True, 'dhcp6': False}}}
+         self.assertEqual(
+             expected,
+             ec2.convert_ec2_metadata_network_config(
+-- 
+2.33.0
+

backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch

@@ -0,0 +1,118 @@
+From 2fb656fd991d788ed54e098815d93458e46f069e Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Fri, 24 Nov 2023 15:54:09 +0000
+Subject: [PATCH] fix: Don't loosen the permissions of the log file (#4628)
+
+Previous implementations loosened permissions in non-default scenarios.
+
+Fixes GH-4243
+---
+ cloudinit/stages.py            | 15 +++++++++++-
+ cloudinit/tests/test_stages.py | 44 +++++++++++++++++++++++++---------
+ 2 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index 502c060..6c80345 100644
+--- a/cloudinit/stages.py
++++ b/cloudinit/stages.py
+@@ -9,6 +9,7 @@ import os
+ import pickle
+ import sys
+ from collections import namedtuple
++from contextlib import suppress
+ from typing import Dict, Set  # noqa: F401
+ 
+ from cloudinit.settings import (
+@@ -200,13 +201,25 @@ class Init(object):
+     def initialize(self):
+         self._initialize_filesystem()
+ 
++    @staticmethod
++    def _get_strictest_mode(mode_1: int, mode_2: int) -> int:
++        return mode_1 & mode_2
++
+     def _initialize_filesystem(self):
++        mode = 0o640
++
+         util.ensure_dirs(self._initial_subdirs())
+         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+         if log_file:
+             # At this point the log file should have already been created
+             # in the setupLogging function of log.py
+-            util.ensure_file(log_file, mode=0o640, preserve_mode=False)
++            with suppress(OSError):
++                mode = self._get_strictest_mode(
++                    0o640, util.get_permissions(log_file)
++                )
++
++            # set file mode to the strictest of 0o640 and the current mode
++            util.ensure_file(log_file, mode, preserve_mode=False)
+             perms = self.cfg.get('syslog_fix_perms')
+             if not perms:
+                 perms = {}
+diff --git a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py
+index aeab17a..dca78be 100644
+--- a/cloudinit/tests/test_stages.py
++++ b/cloudinit/tests/test_stages.py
+@@ -458,25 +458,47 @@ class TestInit_InitializeFilesystem:
+         # Assert we create it 0o640  by default if it doesn't already exist
+         assert 0o640 == stat.S_IMODE(log_file.stat().mode)
+ 
+-    def test_existing_file_permissions(self, init, tmpdir):
++    @pytest.mark.parametrize(
++        "input, expected",
++        [
++            (0o777, 0o640),
++            (0o640, 0o640),
++            (0o606, 0o600),
++            (0o501, 0o400),
++        ],
++    )
++    def test_existing_file_permissions(self, init, tmpdir, input, expected):
+         """Test file permissions are set as expected.
+         
+-        CIS Hardening requires 640 permissions. These permissions are
+-        currently hardcoded on every boot, but if there's ever a reason
+-        to change this, we need to then ensure that they
+-        are *not* set every boot.
++        CIS Hardening requires file mode 0o640 or stricter. Set the
++        permissions to the subset of 0o640 and the current
++        mode.
+ 
+         See https://bugs.launchpad.net/cloud-init/+bug/1900837.
+         """
+         log_file = tmpdir.join("cloud-init.log")
+         log_file.ensure()
+-        # Use a mode that will never be made the default so this test will
+-        # always be valid
+-        log_file.chmod(0o606)
++        log_file.chmod(input)
+         init._cfg = {"def_log_file": str(log_file)}
+ 
+-        init._initialize_filesystem()
+-
+-        assert 0o640 == stat.S_IMODE(log_file.stat().mode)
++        with mock.patch.object(stages.util, "ensure_file") as ensure:
++            init._initialize_filesystem()
++            assert expected == ensure.call_args[0][1]
++
++
++@pytest.mark.parametrize(
++    "mode_1, mode_2, expected",
++    [
++        (0o777, 0o640, 0o640),
++        (0o640, 0o777, 0o640),
++        (0o640, 0o541, 0o440),
++        (0o111, 0o050, 0o010),
++        (0o631, 0o640, 0o600),
++        (0o661, 0o640, 0o640),
++        (0o453, 0o611, 0o411),
++    ],
++)
++def test_strictest_permissions(mode_1, mode_2, expected):
++    assert expected == stages.Init._get_strictest_mode(mode_1, mode_2)
+ 
+ # vi: ts=4 expandtab
+-- 
+2.27.0
+

backport-fix-Logging-sensitive-data.patch

@@ -0,0 +1,43 @@
+From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Wed, 3 Apr 2024 13:51:25 -0600
+Subject: [PATCH] fix: Logging sensitive data
+
+Don't log sensitive data.
+
+Since /var/log/cloud-init.log is a priviledged file, this does not expose a
+secure system (no CVE). However, we don't want to log this information so that
+users can file reports without having to manually redact logs.
+
+Standardize log messages so that redacted and non-redacted logs match.
+
+Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
+---
+ cloudinit/subp.py | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/cloudinit/subp.py b/cloudinit/subp.py
+index 267142e..749dc9c 100644
+--- a/cloudinit/subp.py
++++ b/cloudinit/subp.py
+@@ -217,13 +217,10 @@ def subp(args, data=None, rcs=None, env=None, capture=True,
+     if status_cb:
+         command = ' '.join(args) if isinstance(args, list) else args
+         status_cb('Begin run command: {command}\n'.format(command=command))
+-    if not logstring:
+-        LOG.debug(("Running command %s with allowed return codes %s"
+-                   " (shell=%s, capture=%s)"),
+-                  args, rcs, shell, 'combine' if combine_capture else capture)
+-    else:
+-        LOG.debug(("Running hidden command to protect sensitive "
+-                   "input/output logstring: %s"), logstring)
++
++    LOG.debug(("Running command %s with allowed return codes %s"
++                " (shell=%s, capture=%s)"),
++                logstring if logstring else args, rcs, shell, 'combine' if combine_capture else capture)
+ 
+     stdin = None
+     stdout = None
+-- 
+2.27.0
+

backport-fix-azure-disable-use-dns-for-secondary-nics-5314.patch

@@ -0,0 +1,101 @@
+From 42930d8459b59b22cab3f76d85d170871174b479 Mon Sep 17 00:00:00 2001
+From: Alberto Contreras <alberto.contreras@canonical.com>
+Date: Wed, 29 May 2024 09:10:53 +0200
+Subject: [PATCH] fix(azure): disable use-dns for secondary nics (#5314)
+
+Reference:https://github.com/canonical/cloud-init/commit/42930d8459b59b22cab3f76d85d170871174b479
+Conflict:(1)not change tests/integration_tests/datasources/test_azure.py
+(2)change TestParseNetworkConfig not TestGenerateNetworkConfig, other differences are significant.
+
+DNS resolution through secondary NICs is not supported on Azure. Disable
+it.
+
+Without this, we see seconds of delay resolving urls in cloud-init logs
+from Jammy+, see SF ticket.
+
+Per cjp256's comment, the first NIC under metadata.imds.network is ensured
+to be the primary one. We use this to determine primary NICs instead of
+relying on fragile driver and/or NIC names.
+
+Fixes: SF: #00380708
+
+Co-authored-by: Calvin Mwadime <calvin.mwadime@canonical.com>
+---
+ cloudinit/sources/DataSourceAzure.py          |  3 +++
+ tests/unittests/test_datasource/test_azure.py | 19 ++++++++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
+index f1e6642..7b070b8 100755
+--- a/cloudinit/sources/DataSourceAzure.py
++++ b/cloudinit/sources/DataSourceAzure.py
+@@ -2207,6 +2207,9 @@ def _generate_network_config_from_imds_metadata(imds_metadata) -> dict:
+         # addresses.
+         nicname = 'eth{idx}'.format(idx=idx)
+         dhcp_override = {'route-metric': (idx + 1) * 100}
++        # DNS resolution through secondary NICs is not supported, disable it.
++        if idx > 0:
++            dhcp_override["use-dns"] = False
+         dev_config = {'dhcp4': True, 'dhcp4-overrides': dhcp_override,
+                       'dhcp6': False}
+         for addr_type in ('ipv4', 'ipv6'):
+diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py
+index 62e657b..82d9718 100644
+--- a/tests/unittests/test_datasource/test_azure.py
++++ b/tests/unittests/test_datasource/test_azure.py
+@@ -243,12 +243,17 @@ class TestParseNetworkConfig(CiTestCase):
+                      'match': {'macaddress': '22:0d:3a:04:75:98'},
+                      'dhcp6': False,
+                      'dhcp4': True,
+-                     'dhcp4-overrides': {'route-metric': 200}},
++                     'dhcp4-overrides': {
++                         'route-metric': 200,
++                         "use-dns": False,}},
+             'eth2': {'set-name': 'eth2',
+                      'match': {'macaddress': '33:0d:3a:04:75:98'},
+                      'dhcp6': False,
+                      'dhcp4': True,
+-                     'dhcp4-overrides': {'route-metric': 300}}}, 'version': 2}
++                     'dhcp4-overrides': {
++                         'route-metric': 300,
++                         "use-dns": False,},},},
++                     'version': 2,}
+         imds_data = copy.deepcopy(NETWORK_METADATA)
+         imds_data['network']['interface'].append(SECONDARY_INTERFACE)
+         third_intf = copy.deepcopy(SECONDARY_INTERFACE)
+@@ -274,13 +279,13 @@ class TestParseNetworkConfig(CiTestCase):
+                      'match': {'macaddress': '22:0d:3a:04:75:98'},
+                      'dhcp4': True,
+                      'dhcp6': False,
+-                     'dhcp4-overrides': {'route-metric': 200}},
++                     'dhcp4-overrides': {'route-metric': 200, "use-dns": False}},
+             'eth2': {'set-name': 'eth2',
+                      'match': {'macaddress': '33:0d:3a:04:75:98'},
+                      'dhcp4': True,
+-                     'dhcp4-overrides': {'route-metric': 300},
++                     'dhcp4-overrides': {'route-metric': 300, "use-dns": False},
+                      'dhcp6': True,
+-                     'dhcp6-overrides': {'route-metric': 300}}}, 'version': 2}
++                     'dhcp6-overrides': {'route-metric': 300, "use-dns": False}}}, 'version': 2}
+         imds_data = copy.deepcopy(NETWORK_METADATA)
+         nic1 = imds_data['network']['interface'][0]
+         nic1['ipv4']['ipAddress'].append({'privateIpAddress': '10.0.0.5'})
+@@ -1184,12 +1189,12 @@ scbus-1 on xpt0 bus 0
+                          'match': {'macaddress': '22:0d:3a:04:75:98'},
+                          'dhcp6': False,
+                          'dhcp4': True,
+-                         'dhcp4-overrides': {'route-metric': 200}},
++                         'dhcp4-overrides': {'route-metric': 200, "use-dns": False}},
+                 'eth2': {'set-name': 'eth2',
+                          'match': {'macaddress': '33:0d:3a:04:75:98'},
+                          'dhcp6': False,
+                          'dhcp4': True,
+-                         'dhcp4-overrides': {'route-metric': 300}}},
++                         'dhcp4-overrides': {'route-metric': 300, "use-dns": False}}},
+             'version': 2}
+         imds_data = copy.deepcopy(NETWORK_METADATA)
+         imds_data['network']['interface'].append(SECONDARY_INTERFACE)
+-- 
+2.33.0
+
+

backport-fix-growpart-race-4618.patch

@@ -0,0 +1,113 @@
+From 598e0560d64f949369962ebbce2c53207763f5d2 Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Fri, 5 Jan 2024 13:10:01 -0700
+Subject: [PATCH] fix: fix growpart race (#4618)
+
+Fixes GH-4613
+
+Reference:https://github.com/canonical/cloud-init/commit/598e0560d64f949369962ebbce2c53207763f5d2
+Conflict:(1)change tests/unittests/test_handler/test_handler_growpart.py not tests/unittests/config/test_cc_growpart.py.
+(2)Community patch:
+-from typing import Tuple
++from typing import Optional, Tuple
+Adaptation patch:
++from typing import Optional
+(3)add "import pytest" in test_handler_growpart.py
+(4)The context of the code is slightly different.
+---
+ cloudinit/config/cc_growpart.py               | 22 +++++++++++++++----
+ .../test_handler/test_handler_growpart.py     | 17 ++++++++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/cloudinit/config/cc_growpart.py b/cloudinit/config/cc_growpart.py
+index 1ddc9dc..1552072 100644
+--- a/cloudinit/config/cc_growpart.py
++++ b/cloudinit/config/cc_growpart.py
+@@ -74,6 +74,7 @@ from cloudinit.settings import PER_ALWAYS
+ from cloudinit import subp
+ from cloudinit import temp_utils
+ from cloudinit import util
++from typing import Optional
+ 
+ frequency = PER_ALWAYS
+ 
+@@ -212,12 +213,16 @@ class ResizeGpart(object):
+         return (before, get_size(partdev))
+ 
+ 
+-def get_size(filename):
+-    fd = os.open(filename, os.O_RDONLY)
++def get_size(filename) -> Optional[int]:
++    fd = None
+     try:
++        fd = os.open(filename, os.O_RDONLY)
+         return os.lseek(fd, 0, os.SEEK_END)
++    except FileNotFoundError:
++        return None
+     finally:
+-        os.close(fd)
++        if fd:
++            os.close(fd)
+ 
+ 
+ def device_part_info(devpath):
+@@ -318,10 +323,19 @@ def resize_devices(resizer, devices):
+             continue
+ 
+         try:
+-            (old, new) = resizer.resize(disk, ptnum, blockdev)
++            old, new = resizer.resize(disk, ptnum, blockdev)
+             if old == new:
+                 info.append((devent, RESIZE.NOCHANGE,
+                              "no change necessary (%s, %s)" % (disk, ptnum),))
++            elif new is None or old is None:
++                info.append(
++                    (
++                        devent,
++                        RESIZE.CHANGED,
++                        "changed (%s, %s) size, new size is unknown"
++                        % (disk, ptnum),
++                    )
++                )
+             else:
+                 info.append((devent, RESIZE.CHANGED,
+                              "changed (%s, %s) from %s to %s" %
+diff --git a/tests/unittests/test_handler/test_handler_growpart.py b/tests/unittests/test_handler/test_handler_growpart.py
+index 7f039b7..2f40e86 100644
+--- a/tests/unittests/test_handler/test_handler_growpart.py
++++ b/tests/unittests/test_handler/test_handler_growpart.py
+@@ -6,6 +6,7 @@ from cloudinit import subp
+ 
+ from cloudinit.tests.helpers import TestCase
+ 
++import pytest
+ import errno
+ import logging
+ import os
+@@ -227,6 +228,22 @@ class TestResize(unittest.TestCase):
+             os.stat = real_stat
+ 
+ 
++class TestGetSize:
++    @pytest.mark.parametrize(
++        "file_exists, expected",
++        (
++            (False, None),
++            (True, 1),
++        ),
++    )
++    def test_get_size_behaves(self, file_exists, expected, tmp_path):
++        """Ensure that get_size() doesn't raise exception"""
++        tmp_file = tmp_path / "tmp.txt"
++        if file_exists:
++            tmp_file.write_bytes(b"0")
++        assert expected == cc_growpart.get_size(tmp_file)
++
++
+ def simple_device_part_info(devpath):
+     # simple stupid return (/dev/vda, 1) for /dev/vda
+     ret = re.search("([^0-9]*)([0-9]*)$", devpath)
+-- 
+2.33.0
+
+

backport-fix-net-Make-duplicate-route-add-succeed.-5343.patch

@@ -0,0 +1,61 @@
+From e432a31d6ea4263027c327559bb08adf3a91ad6d Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Wed, 29 May 2024 16:03:46 -0600
+Subject: [PATCH] fix(net): Make duplicate route add succeed. (#5343)
+
+Reference:https://github.com/canonical/cloud-init/commit/e432a31d6ea4263027c327559bb08adf3a91ad6d
+Conflict:(1)change cloudinit/net/__init__.py not cloudinit/net/netops/iproute2.py.
+(2)change cloudinit/net/tests/test_init.py not tests/unittests/net/test_init.py.
+(3)change 'ip -4 route add' to 'ip -4 route replace', other differences are significant.
+
+This behaves the same but doesn't fail when adding an existing route.
+
+Fixes GH-3441
+Fixes GH-3595
+---
+ cloudinit/net/__init__.py        | 4 ++--
+ cloudinit/net/tests/test_init.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cloudinit/net/__init__.py b/cloudinit/net/__init__.py
+index d3ac4c8..f05642d 100644
+--- a/cloudinit/net/__init__.py
++++ b/cloudinit/net/__init__.py
+@@ -1256,14 +1256,14 @@ class EphemeralIPv4Network(object):
+                 self.interface, out.strip())
+             return
+         subp.subp(
+-            ['ip', '-4', 'route', 'add', self.router, 'dev', self.interface,
++            ['ip', '-4', 'route', 'replace', self.router, 'dev', self.interface,
+              'src', self.ip], capture=True)
+         self.cleanup_cmds.insert(
+             0,
+             ['ip', '-4', 'route', 'del', self.router, 'dev', self.interface,
+              'src', self.ip])
+         subp.subp(
+-            ['ip', '-4', 'route', 'add', 'default', 'via', self.router,
++            ['ip', '-4', 'route', 'replace', 'default', 'via', self.router,
+              'dev', self.interface], capture=True)
+         self.cleanup_cmds.insert(
+             0, ['ip', '-4', 'route', 'del', 'default', 'dev', self.interface])
+diff --git a/cloudinit/net/tests/test_init.py b/cloudinit/net/tests/test_init.py
+index a47b7c8..6eda482 100644
+--- a/cloudinit/net/tests/test_init.py
++++ b/cloudinit/net/tests/test_init.py
+@@ -764,10 +764,10 @@ class TestEphemeralIPV4Network(CiTestCase):
+                 capture=True),
+             mock.call(
+                 ['ip', 'route', 'show', '0.0.0.0/0'], capture=True),
+-            mock.call(['ip', '-4', 'route', 'add', '192.168.2.1',
++            mock.call(['ip', '-4', 'route', 'replace', '192.168.2.1',
+                        'dev', 'eth0', 'src', '192.168.2.2'], capture=True),
+             mock.call(
+-                ['ip', '-4', 'route', 'add', 'default', 'via',
++                ['ip', '-4', 'route', 'replace', 'default', 'via',
+                  '192.168.2.1', 'dev', 'eth0'], capture=True)]
+         expected_teardown_calls = [
+             mock.call(['ip', '-4', 'route', 'del', 'default', 'dev', 'eth0'],
+-- 
+2.33.0
+
+

backport-fix-netplan-Fix-predictable-interface-rename-issue-5.patch

@@ -0,0 +1,59 @@
+From 2856f4c8a440eba1127ac09f2b411d436c62e777 Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Wed, 29 May 2024 16:08:35 -0600
+Subject: [PATCH] fix(netplan): Fix predictable interface rename issue (#5339)
+
+Reference:https://github.com/canonical/cloud-init/commit/2856f4c8a440eba1127ac09f2b411d436c62e777
+Conflict:NA
+
+When predictable naming is disabled, the following command may exit with
+a non-zero exit code.
+
+    udevadm test-builtin net_setup_link
+
+This code only ran to check for udev rename races, which cannot happen
+when systemd renaming is disabled. Skip when disabled.
+
+Fixes GH-3950
+---
+ cloudinit/net/netplan.py    | 3 +++
+ tests/unittests/test_net.py | 5 ++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/net/netplan.py b/cloudinit/net/netplan.py
+index 7d6740d..7e32167 100644
+--- a/cloudinit/net/netplan.py
++++ b/cloudinit/net/netplan.py
+@@ -263,6 +263,9 @@ class Renderer(renderer.Renderer):
+         if not run:
+             LOG.debug("netplan net_setup_link postcmd disabled")
+             return
++        elif "net.ifnames=0" in util.get_cmdline():
++            LOG.debug("Predictable interface names disabled.")
++            return
+         setup_lnk = ['udevadm', 'test-builtin', 'net_setup_link']
+ 
+          # It's possible we can race a udev rename and attempt to run
+diff --git a/tests/unittests/test_net.py b/tests/unittests/test_net.py
+index 4a1d7c0..27b28ca 100644
+--- a/tests/unittests/test_net.py
++++ b/tests/unittests/test_net.py
+@@ -4531,10 +4531,13 @@ class TestNetplanPostcommands(CiTestCase):
+         mock_netplan_generate.assert_called_with(run=True)
+         mock_net_setup_link.assert_called_with(run=True)
+ 
++    @mock.patch("cloudinit.util.get_cmdline")
+     @mock.patch('cloudinit.util.SeLinuxGuard')
+     @mock.patch.object(netplan, "get_devicelist")
+     @mock.patch('cloudinit.subp.subp')
+-    def test_netplan_postcmds(self, mock_subp, mock_devlist, mock_sel):
++    def test_netplan_postcmds(
++        self, mock_subp, mock_devlist, mock_sel, m_get_cmdline
++    ):
+         mock_sel.__enter__ = mock.Mock(return_value=False)
+         mock_sel.__exit__ = mock.Mock()
+         mock_devlist.side_effect = [['lo']]
+-- 
+2.33.0
+
+

backport-handle-error-when-log-file-is-empty-4859.patch

@@ -0,0 +1,75 @@
+From ee79940717e354d26954fc4401dc5b0c38980509 Mon Sep 17 00:00:00 2001
+From: Hasan <hasan.aleeyev@gmail.com>
+Date: Tue, 13 Feb 2024 19:34:11 +0400
+Subject: [PATCH] feat: handle error when log file is empty (#4859)
+
+Fixes GH-4686
+
+Reference:https://github.com/canonical/cloud-init/commit/ee79940717e354d26954fc4401dc5b0c38980509
+Conflict:(1)not change tools/.github-cla-signers
+(2)Community patch:
++from cloudinit.analyze import analyze_show
+Adaptation patch:
++from cloudinit.analyze.__main__ import analyze_show
+---
+ cloudinit/analyze/show.py            |  4 ++++
+ tests/unittests/analyze/test_show.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 tests/unittests/analyze/test_show.py
+
+diff --git a/cloudinit/analyze/show.py b/cloudinit/analyze/show.py
+index 01a4d3e..3cf91e1 100644
+--- a/cloudinit/analyze/show.py
++++ b/cloudinit/analyze/show.py
+@@ -8,6 +8,7 @@ import base64
+ import datetime
+ import json
+ import os
++import sys
+ import time
+ import sys
+ 
+@@ -381,6 +382,9 @@ def load_events_infile(infile):
+     :return: json version of logfile, raw file
+     '''
+     data = infile.read()
++    if not data.strip():
++        sys.stderr.write("Empty file %s\n" % infile.name)
++        sys.exit(1)
+     try:
+         return json.loads(data), data
+     except ValueError:
+diff --git a/tests/unittests/analyze/test_show.py b/tests/unittests/analyze/test_show.py
+new file mode 100644
+index 0000000..0984e90
+--- /dev/null
++++ b/tests/unittests/analyze/test_show.py
+@@ -0,0 +1,24 @@
++from collections import namedtuple
++
++import pytest
++
++from cloudinit.analyze.__main__ import analyze_show
++
++
++@pytest.fixture
++def mock_io(tmp_path):
++    """Mock args for configure_io function"""
++    infile = tmp_path / "infile"
++    outfile = tmp_path / "outfile"
++    return namedtuple("MockIO", ["infile", "outfile"])(infile, outfile)
++
++
++class TestAnalyzeShow:
++    """Test analyze_show (and/or helpers) in cloudinit/analyze/__init__.py"""
++
++    def test_empty_logfile(self, mock_io, capsys):
++        """Test analyze_show with an empty logfile"""
++        mock_io.infile.write_text("")
++        with pytest.raises(SystemExit):
++            analyze_show("dontcare", mock_io)
++        assert capsys.readouterr().err == f"Empty file {mock_io.infile}\n"
+-- 
+2.33.0
+
+

cloud-init.spec

@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.4
-Release: 23
+Release: 28
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -71,6 +71,14 @@ Patch6036: backport-cc_mounts-Use-fallocate-to-create-swapfile-on-btrfs-.patch
 Patch6037: backport-cloud-config-honor-cloud_dir-setting-1523.patch
 Patch6038: backport-collect-logs-fix-memory-usage-SC-1590-4289.patch
 Patch6039: backport-Return-a-namedtuple-from-subp-1376.patch
+Patch6040: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
+Patch6041: backport-fix-growpart-race-4618.patch
+Patch6042: backport-handle-error-when-log-file-is-empty-4859.patch
+Patch6043: backport-fix-Logging-sensitive-data.patch
+Patch6044: backport-ec2-Do-not-enable-dhcp6-on-EC2.patch
+Patch6045: backport-fix-azure-disable-use-dns-for-secondary-nics-5314.patch
+Patch6046: backport-fix-net-Make-duplicate-route-add-succeed.-5343.patch
+Patch6047: backport-fix-netplan-Fix-predictable-interface-rename-issue-5.patch
 
 BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
 BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@@ -181,6 +189,39 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Tue Jun 11 2024 shixuantong <shixuantong1@huawei.com> - 21.4-28
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:disable use-dns for secondary nics
+       Make duplicate route add succeed
+       Fix predictable interface rename issue
+
+* Wed May 8 2024 dongyuzhen <dongyuzhen@h-partners.com> - 21.4-27
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:ec2: Do not enable dhcp6 on EC2
+
+* Fri Apr 12 2024 shixuantong <shixuantong1@huawei.com> - 21.4-26
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix: Logging sensitive data
+
+* Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 21.4-25
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix growpart race
+       handle error when log file is empty
+
+* Thu Dec 14 2023 shixuantong <shixuantong1@huawei.com> - 21.4-24
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Don't loosen the permissions of the log file
+
 * Tue Nov 07 2023 shixuantong <shixuantong1@huawei.com> - 21.4-23
 - Type:bugfix
 - CVE:NA
@@ -379,3 +420,4 @@ https://github.com/canonical/cloud-init/commit/0450a1faff9e5095e6da0865916501772
 
 * Tue Sep 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 17.1-8
 - Package init.
+