kola: Disable the public update server by default

This might have been an oversight: for release tests we used the public
Nebraska server. This was already disabled for FCOS but not for the
original CoreOS/Flatcar CL.
Disable the public update server by default. The update tests overwrite
it with their specific setting. In case a future test needs the default
the usual test flag escape hatch in the form of NoDisableUpdates is
added.

kola/harness.go

@@ -565,6 +565,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
 		NoSSHKeyInUserData: t.HasFlag(register.NoSSHKeyInUserData),
 		NoSSHKeyInMetadata: t.HasFlag(register.NoSSHKeyInMetadata),
 		NoEnableSelinux:    t.HasFlag(register.NoEnableSelinux),
+		NoDisableUpdates:   t.HasFlag(register.NoDisableUpdates),
 		SSHRetries:         Options.SSHRetries,
 		SSHTimeout:         Options.SSHTimeout,
 		DefaultUser:        t.DefaultUser,

kola/register/register.go

@@ -33,6 +33,7 @@ const (
 	NoEnableSelinux                     // don't enable selinux when starting or rebooting a machine
 	NoKernelPanicCheck                  // don't check console output for kernel panic
 	NoVerityCorruptionCheck             // don't check console output for verity corruption
+	NoDisableUpdates                    // don't disable usage of the public update server
 )
 
 // Test provides the main test abstraction for kola. The run function is

kola/tests/ignition/empty.go

@@ -32,7 +32,11 @@ func init() {
 		ClusterSize:      1,
 		ExcludePlatforms: []string{"qemu", "esx"},
 		Distros:          []string{"cl"},
-		UserData:         conf.Empty(),
+		// Ensure that nothing gets added.
+		// This means the instance will ping the public Nebraska server
+		// and possibly update if the instance deletion is too slow.
+		Flags:    []register.Flag{register.NoDisableUpdates, register.NoSSHKeyInUserData},
+		UserData: conf.Empty(),
 		// Should run on all cloud environments
 	})
 	// Tests for https://github.com/coreos/bugs/issues/1981

kola/tests/locksmith/locksmith.go

@@ -39,8 +39,13 @@ func init() {
 		ClusterSize: 3,
 		// When cl.etcd-member.discovery runs on all clouds to test CLC IP templating, we can skip running this
 		Platforms: []string{"qemu", "qemu-unpriv"},
+		// This test already specifies the update.conf file in the userdata.
+		// Disabling of the public server is done explicitly.
+		Flags: []register.Flag{register.NoDisableUpdates},
 		UserData: conf.ContainerLinuxConfig(`locksmith:
   reboot_strategy: etcd-lock
+update:
+  server: disabled
 etcd:
   version:                     3.5.0
   listen_client_urls:          http://0.0.0.0:2379
@@ -60,8 +65,11 @@ etcd:
 		Distros:   []string{"cl"},
 	})
 	register.Register(&register.Test{
-		Name:        "coreos.locksmith.tls",
-		Run:         locksmithTLS,
+		Name: "coreos.locksmith.tls",
+		Run:  locksmithTLS,
+		// This test already specifies the update.conf file in the userdata.
+		// Disabling of the public server is done explicitly.
+		Flags:       []register.Flag{register.NoDisableUpdates},
 		ClusterSize: 1,
 		// This test is normally not related to the cloud environment
 		Platforms: []string{"qemu", "qemu-unpriv"},
@@ -95,7 +103,7 @@ etcd:
       {
         "filesystem": "root",
         "path": "/etc/coreos/update.conf",
-        "contents": { "source": "data:,REBOOT_STRATEGY=etcd-lock%0A" },
+        "contents": { "source": "data:,REBOOT_STRATEGY=etcd-lock%0ASERVER=disabled%0A" },
         "mode": 420
       },
       {

kola/tests/misc/omaha.go

@@ -31,6 +31,8 @@ func init() {
 		Run:         OmahaPing,
 		ClusterSize: 0,
 		Name:        "cl.omaha.ping",
+		// This test already sets its own update server in the userdata
+		Flags: []register.Flag{register.NoDisableUpdates},
 		// This test is normally not related to the cloud environment
 		Platforms:        []string{"qemu"},
 		ExcludePlatforms: []string{"qemu-unpriv"},

platform/cluster.go

@@ -191,6 +191,12 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[
 		conf.CopyKeys(keys)
 	}
 
+	// disable the public update server by default
+	if !bc.rconf.NoDisableUpdates {
+		conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled
+`, 0644)
+	}
+
 	// disable Zincati & Pinger by default
 	if bc.Distribution() == "fcos" {
 		conf.AddFile("/etc/fedora-coreos-pinger/config.d/90-disable-reporting.toml", "root", `[reporting]

platform/conf/conf.go

@@ -585,7 +585,8 @@ func (c *Conf) addFileV3(path, filesystem, contents string, mode int) {
 			Files: []v3types.File{
 				{
 					Node: v3types.Node{
-						Path: path,
+						Path:      path,
+						Overwrite: &[]bool{true}[0],
 					},
 					FileEmbedded1: v3types.FileEmbedded1{
 						Contents: v3types.FileContents{
@@ -610,7 +611,8 @@ func (c *Conf) addFileV31(path, filesystem, contents string, mode int) {
 			Files: []v31types.File{
 				{
 					Node: v31types.Node{
-						Path: path,
+						Path:      path,
+						Overwrite: &[]bool{true}[0],
 					},
 					FileEmbedded1: v31types.FileEmbedded1{
 						Contents: v31types.Resource{
@@ -635,7 +637,8 @@ func (c *Conf) addFileV32(path, filesystem, contents string, mode int) {
 			Files: []v32types.File{
 				{
 					Node: v32types.Node{
-						Path: path,
+						Path:      path,
+						Overwrite: &[]bool{true}[0],
 					},
 					FileEmbedded1: v32types.FileEmbedded1{
 						Contents: v32types.Resource{
@@ -660,7 +663,8 @@ func (c *Conf) addFileV33(path, filesystem, contents string, mode int) {
 			Files: []v33types.File{
 				{
 					Node: v33types.Node{
-						Path: path,
+						Path:      path,
+						Overwrite: &[]bool{true}[0],
 					},
 					FileEmbedded1: v33types.FileEmbedded1{
 						Contents: v33types.Resource{
@@ -707,6 +711,41 @@ func (c *Conf) addFileCloudConfig(path, filesystem, contents string, mode int) {
 	})
 }
 
+func (c *Conf) addFileScript(path, filesystem, contents string, mode int) {
+	c.script += fmt.Sprintf(`
+cat <<EOF > %s
+%s
+EOF
+chmod %o %s
+`, path, contents, mode, path)
+}
+
+func (c *Conf) addFileMultipartMime(path, filesystem, contents string, mode int) {
+	header := textproto.MIMEHeader{
+		"Content-Type":              []string{"text/cloud-config; charset=\"us-ascii\""},
+		"MIME-Version":              []string{"1.0"},
+		"Content-Transfer-Encoding": []string{"7bit"},
+		"Content-Disposition":       []string{"attachment; filename=\"testing-keys.yaml\""},
+	}
+	cc := cci.CloudConfig{
+		WriteFiles: []cci.File{
+			cci.File{
+				Content:            contents,
+				Owner:              "root",
+				Path:               path,
+				RawFilePermissions: fmt.Sprintf("%#o", mode),
+			},
+		},
+	}
+	asYaml, err := yaml.Marshal(cc)
+	if err != nil {
+		plog.Errorf("failed to marshal yaml: %v", err)
+		return
+	}
+	c.multipartMime.AddPart(header, asYaml)
+
+}
+
 func (c *Conf) AddFile(path, filesystem, contents string, mode int) {
 	if c.ignitionV33 != nil {
 		c.addFileV33(path, filesystem, contents, mode)
@@ -728,6 +767,10 @@ func (c *Conf) AddFile(path, filesystem, contents string, mode int) {
 		c.addFileV1(path, filesystem, contents, mode)
 	} else if c.cloudconfig != nil {
 		c.addFileCloudConfig(path, filesystem, contents, mode)
+	} else if c.multipartMime != nil {
+		c.addFileMultipartMime(path, filesystem, contents, mode)
+	} else if c.script != "" {
+		c.addFileScript(path, filesystem, contents, mode)
 	} else {
 		panic(fmt.Errorf("unimplemented case in AddFile"))
 	}

platform/platform.go

@@ -175,6 +175,7 @@ type RuntimeConfig struct {
 	NoSSHKeyInUserData bool          // don't inject SSH key into Ignition/cloud-config
 	NoSSHKeyInMetadata bool          // don't add SSH key to platform metadata
 	NoEnableSelinux    bool          // don't enable selinux when starting or rebooting a machine
+	NoDisableUpdates   bool          // don't disable usage of the public update server
 	AllowFailedUnits   bool          // don't fail CheckMachine if a systemd unit has failed
 	SSHRetries         int           // see SSHRetries field in Options
 	SSHTimeout         time.Duration // see SSHTimeout field in Options