Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/ignition.git#f27cf37ade8120c1a6a7e5ccf2f730d2a40d1d08
This commit is contained in:
DistroBaker
parent
ce84629811
commit
07b6f5cc82
@ -61,11 +61,14 @@
|
||||
|
||||
Name: ignition
|
||||
Version: 2.9.0
|
||||
Release: 1.git%{shortcommit}%{?dist}
|
||||
Release: 2.git%{shortcommit}%{?dist}
|
||||
Summary: First boot installer and configuration tool
|
||||
License: ASL 2.0
|
||||
URL: https://%{provider_prefix}
|
||||
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
||||
# Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||
# https://github.com/coreos/ignition/pull/1161
|
||||
Patch0: internal-providers-aws-probe-the-IMDS-token-URL.patch
|
||||
|
||||
%define gopath %{_datadir}/gocode
|
||||
ExcludeArch: ppc64
|
||||
@ -606,6 +609,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 12 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-2.git1d56dc8
|
||||
- Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||
|
||||
* Fri Jan 08 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-1.git1d56dc8
|
||||
- New release
|
||||
|
||||
|
||||
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From 74ffe3749d70b9d115a9b9790969b8dcb4a76e12 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Lowrie <stephen.lowrie@gmail.com>
|
||||
Date: Mon, 11 Jan 2021 11:27:12 -0600
|
||||
Subject: [PATCH] internal/providers/aws: probe the IMDS token URL
|
||||
|
||||
Probing the `/latest` path causes a 401 Unauthorized when running with
|
||||
IMDSv2 only. Instead ping the token URL.
|
||||
---
|
||||
internal/providers/aws/aws.go | 37 +++++++++++++++++++----------------
|
||||
1 file changed, 20 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/internal/providers/aws/aws.go b/internal/providers/aws/aws.go
|
||||
index 54373dbb..4a6655f0 100644
|
||||
--- a/internal/providers/aws/aws.go
|
||||
+++ b/internal/providers/aws/aws.go
|
||||
@@ -40,11 +40,6 @@ var (
|
||||
Host: "169.254.169.254",
|
||||
Path: "2019-10-01/user-data",
|
||||
}
|
||||
- metadataServiceProbeURL = url.URL{
|
||||
- Scheme: "http",
|
||||
- Host: "169.254.169.254",
|
||||
- Path: "latest",
|
||||
- }
|
||||
imdsTokenURL = url.URL{
|
||||
Scheme: "http",
|
||||
Host: "169.254.169.254",
|
||||
@@ -78,17 +73,17 @@ func NewFetcher(l *log.Logger) (resource.Fetcher, error) {
|
||||
// Init prepares the fetcher for this platform
|
||||
func Init(f *resource.Fetcher) error {
|
||||
// During the fetch stage we might be running before the networking
|
||||
- // is fully ready. Perform an HTTP fetch against the metadata probe
|
||||
- // URL to ensure that networking is up before we attempt to fetch
|
||||
- // the region hint from ec2metadata.
|
||||
+ // is fully ready. Perform an HTTP fetch against the IMDS token URL
|
||||
+ // to ensure that networking is up before we attempt to fetch the
|
||||
+ // region hint from ec2metadata.
|
||||
//
|
||||
- // NOTE: the FetchToBuffer call against the metadata service probe
|
||||
- // URL is a temporary solution to handle waiting for networking
|
||||
- // before fetching from the AWS API. We do this instead of an
|
||||
- // infinite retry loop on the API call because, without a clear
|
||||
- // understanding of the failure cases, that would risk provisioning
|
||||
- // failures due to quirks of the ec2metadata API. Additionally a
|
||||
- // finite retry loop would have to time out quickly enough to avoid
|
||||
+ // NOTE: the FetchToBuffer call against the IMDS token URL is a
|
||||
+ // temporary solution to handle waiting for networking before
|
||||
+ // fetching from the AWS API. We do this instead of an infinite
|
||||
+ // retry loop on the API call because, without a clear understanding
|
||||
+ // of the failure cases, that would risk provisioning failures due
|
||||
+ // to quirks of the ec2metadata API. Additionally a finite retry
|
||||
+ // loop would have to time out quickly enough to avoid
|
||||
// extraordinarily long boots on failure (since this code runs in
|
||||
// every stage) but that would risk premature timeouts if the
|
||||
// network takes a while to come up.
|
||||
@@ -102,8 +97,16 @@ func Init(f *resource.Fetcher) error {
|
||||
// NOTE: FetchToBuffer is handling the ErrNeedNet case. If we move
|
||||
// to an alternative method, we will need to handle the detection in
|
||||
// this function.
|
||||
- _, err := f.FetchToBuffer(metadataServiceProbeURL, resource.FetchOptions{})
|
||||
- if err != nil {
|
||||
+ opts := resource.FetchOptions{
|
||||
+ Headers: http.Header{
|
||||
+ "x-aws-ec2-metadata-token-ttl-seconds": []string{"21600"},
|
||||
+ },
|
||||
+ HTTPVerb: "PUT",
|
||||
+ }
|
||||
+ _, err := f.FetchToBuffer(imdsTokenURL, opts)
|
||||
+ // ErrNotFound would just mean that the instance might not have
|
||||
+ // IMDSv2 enabled
|
||||
+ if err != nil && err != resource.ErrNotFound {
|
||||
return err
|
||||
}
|
||||
|
||||
--
|
||||
2.29.2
|
||||
Loading…
Reference in New Issue
Block a user