Fix AWS probing by using the IMDS token URL
This commit is contained in:
Sohan Kunkerkar
Sohan Kunkerkar
parent
ec21a27d4c
commit
f27cf37ade
@ -61,11 +61,14 @@
|
|||||||
|
|
||||||
Name: ignition
|
Name: ignition
|
||||||
Version: 2.9.0
|
Version: 2.9.0
|
||||||
Release: 1.git%{shortcommit}%{?dist}
|
Release: 2.git%{shortcommit}%{?dist}
|
||||||
Summary: First boot installer and configuration tool
|
Summary: First boot installer and configuration tool
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://%{provider_prefix}
|
URL: https://%{provider_prefix}
|
||||||
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
||||||
|
# Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||||
|
# https://github.com/coreos/ignition/pull/1161
|
||||||
|
Patch0: internal-providers-aws-probe-the-IMDS-token-URL.patch
|
||||||
|
|
||||||
%define gopath %{_datadir}/gocode
|
%define gopath %{_datadir}/gocode
|
||||||
ExcludeArch: ppc64
|
ExcludeArch: ppc64
|
||||||
@ -606,6 +609,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 12 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-2.git1d56dc8
|
||||||
|
- Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||||
|
|
||||||
* Fri Jan 08 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-1.git1d56dc8
|
* Fri Jan 08 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-1.git1d56dc8
|
||||||
- New release
|
- New release
|
||||||
|
|
||||||
|
|||||||
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
From 74ffe3749d70b9d115a9b9790969b8dcb4a76e12 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Lowrie <stephen.lowrie@gmail.com>
|
||||||
|
Date: Mon, 11 Jan 2021 11:27:12 -0600
|
||||||
|
Subject: [PATCH] internal/providers/aws: probe the IMDS token URL
|
||||||
|
|
||||||
|
Probing the `/latest` path causes a 401 Unauthorized when running with
|
||||||
|
IMDSv2 only. Instead ping the token URL.
|
||||||
|
---
|
||||||
|
internal/providers/aws/aws.go | 37 +++++++++++++++++++----------------
|
||||||
|
1 file changed, 20 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/internal/providers/aws/aws.go b/internal/providers/aws/aws.go
|
||||||
|
index 54373dbb..4a6655f0 100644
|
||||||
|
--- a/internal/providers/aws/aws.go
|
||||||
|
+++ b/internal/providers/aws/aws.go
|
||||||
|
@@ -40,11 +40,6 @@ var (
|
||||||
|
Host: "169.254.169.254",
|
||||||
|
Path: "2019-10-01/user-data",
|
||||||
|
}
|
||||||
|
- metadataServiceProbeURL = url.URL{
|
||||||
|
- Scheme: "http",
|
||||||
|
- Host: "169.254.169.254",
|
||||||
|
- Path: "latest",
|
||||||
|
- }
|
||||||
|
imdsTokenURL = url.URL{
|
||||||
|
Scheme: "http",
|
||||||
|
Host: "169.254.169.254",
|
||||||
|
@@ -78,17 +73,17 @@ func NewFetcher(l *log.Logger) (resource.Fetcher, error) {
|
||||||
|
// Init prepares the fetcher for this platform
|
||||||
|
func Init(f *resource.Fetcher) error {
|
||||||
|
// During the fetch stage we might be running before the networking
|
||||||
|
- // is fully ready. Perform an HTTP fetch against the metadata probe
|
||||||
|
- // URL to ensure that networking is up before we attempt to fetch
|
||||||
|
- // the region hint from ec2metadata.
|
||||||
|
+ // is fully ready. Perform an HTTP fetch against the IMDS token URL
|
||||||
|
+ // to ensure that networking is up before we attempt to fetch the
|
||||||
|
+ // region hint from ec2metadata.
|
||||||
|
//
|
||||||
|
- // NOTE: the FetchToBuffer call against the metadata service probe
|
||||||
|
- // URL is a temporary solution to handle waiting for networking
|
||||||
|
- // before fetching from the AWS API. We do this instead of an
|
||||||
|
- // infinite retry loop on the API call because, without a clear
|
||||||
|
- // understanding of the failure cases, that would risk provisioning
|
||||||
|
- // failures due to quirks of the ec2metadata API. Additionally a
|
||||||
|
- // finite retry loop would have to time out quickly enough to avoid
|
||||||
|
+ // NOTE: the FetchToBuffer call against the IMDS token URL is a
|
||||||
|
+ // temporary solution to handle waiting for networking before
|
||||||
|
+ // fetching from the AWS API. We do this instead of an infinite
|
||||||
|
+ // retry loop on the API call because, without a clear understanding
|
||||||
|
+ // of the failure cases, that would risk provisioning failures due
|
||||||
|
+ // to quirks of the ec2metadata API. Additionally a finite retry
|
||||||
|
+ // loop would have to time out quickly enough to avoid
|
||||||
|
// extraordinarily long boots on failure (since this code runs in
|
||||||
|
// every stage) but that would risk premature timeouts if the
|
||||||
|
// network takes a while to come up.
|
||||||
|
@@ -102,8 +97,16 @@ func Init(f *resource.Fetcher) error {
|
||||||
|
// NOTE: FetchToBuffer is handling the ErrNeedNet case. If we move
|
||||||
|
// to an alternative method, we will need to handle the detection in
|
||||||
|
// this function.
|
||||||
|
- _, err := f.FetchToBuffer(metadataServiceProbeURL, resource.FetchOptions{})
|
||||||
|
- if err != nil {
|
||||||
|
+ opts := resource.FetchOptions{
|
||||||
|
+ Headers: http.Header{
|
||||||
|
+ "x-aws-ec2-metadata-token-ttl-seconds": []string{"21600"},
|
||||||
|
+ },
|
||||||
|
+ HTTPVerb: "PUT",
|
||||||
|
+ }
|
||||||
|
+ _, err := f.FetchToBuffer(imdsTokenURL, opts)
|
||||||
|
+ // ErrNotFound would just mean that the instance might not have
|
||||||
|
+ // IMDSv2 enabled
|
||||||
|
+ if err != nil && err != resource.ErrNotFound {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
Loading…
Reference in New Issue
Block a user