Fix AWS probing by using the IMDS token URL
This commit is contained in:
Sohan Kunkerkar
Sohan Kunkerkar
parent
ec21a27d4c
commit
f27cf37ade
@ -61,11 +61,14 @@
|
||||
|
||||
Name: ignition
|
||||
Version: 2.9.0
|
||||
Release: 1.git%{shortcommit}%{?dist}
|
||||
Release: 2.git%{shortcommit}%{?dist}
|
||||
Summary: First boot installer and configuration tool
|
||||
License: ASL 2.0
|
||||
URL: https://%{provider_prefix}
|
||||
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
||||
# Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||
# https://github.com/coreos/ignition/pull/1161
|
||||
Patch0: internal-providers-aws-probe-the-IMDS-token-URL.patch
|
||||
|
||||
%define gopath %{_datadir}/gocode
|
||||
ExcludeArch: ppc64
|
||||
@ -606,6 +609,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 12 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-2.git1d56dc8
|
||||
- Fix AWS probing by using the IMDS token URL to ensure that networking is up
|
||||
|
||||
* Fri Jan 08 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 2.9.0-1.git1d56dc8
|
||||
- New release
|
||||
|
||||
|
||||
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
76
internal-providers-aws-probe-the-IMDS-token-URL.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From 74ffe3749d70b9d115a9b9790969b8dcb4a76e12 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Lowrie <stephen.lowrie@gmail.com>
|
||||
Date: Mon, 11 Jan 2021 11:27:12 -0600
|
||||
Subject: [PATCH] internal/providers/aws: probe the IMDS token URL
|
||||
|
||||
Probing the `/latest` path causes a 401 Unauthorized when running with
|
||||
IMDSv2 only. Instead ping the token URL.
|
||||
---
|
||||
internal/providers/aws/aws.go | 37 +++++++++++++++++++----------------
|
||||
1 file changed, 20 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/internal/providers/aws/aws.go b/internal/providers/aws/aws.go
|
||||
index 54373dbb..4a6655f0 100644
|
||||
--- a/internal/providers/aws/aws.go
|
||||
+++ b/internal/providers/aws/aws.go
|
||||
@@ -40,11 +40,6 @@ var (
|
||||
Host: "169.254.169.254",
|
||||
Path: "2019-10-01/user-data",
|
||||
}
|
||||
- metadataServiceProbeURL = url.URL{
|
||||
- Scheme: "http",
|
||||
- Host: "169.254.169.254",
|
||||
- Path: "latest",
|
||||
- }
|
||||
imdsTokenURL = url.URL{
|
||||
Scheme: "http",
|
||||
Host: "169.254.169.254",
|
||||
@@ -78,17 +73,17 @@ func NewFetcher(l *log.Logger) (resource.Fetcher, error) {
|
||||
// Init prepares the fetcher for this platform
|
||||
func Init(f *resource.Fetcher) error {
|
||||
// During the fetch stage we might be running before the networking
|
||||
- // is fully ready. Perform an HTTP fetch against the metadata probe
|
||||
- // URL to ensure that networking is up before we attempt to fetch
|
||||
- // the region hint from ec2metadata.
|
||||
+ // is fully ready. Perform an HTTP fetch against the IMDS token URL
|
||||
+ // to ensure that networking is up before we attempt to fetch the
|
||||
+ // region hint from ec2metadata.
|
||||
//
|
||||
- // NOTE: the FetchToBuffer call against the metadata service probe
|
||||
- // URL is a temporary solution to handle waiting for networking
|
||||
- // before fetching from the AWS API. We do this instead of an
|
||||
- // infinite retry loop on the API call because, without a clear
|
||||
- // understanding of the failure cases, that would risk provisioning
|
||||
- // failures due to quirks of the ec2metadata API. Additionally a
|
||||
- // finite retry loop would have to time out quickly enough to avoid
|
||||
+ // NOTE: the FetchToBuffer call against the IMDS token URL is a
|
||||
+ // temporary solution to handle waiting for networking before
|
||||
+ // fetching from the AWS API. We do this instead of an infinite
|
||||
+ // retry loop on the API call because, without a clear understanding
|
||||
+ // of the failure cases, that would risk provisioning failures due
|
||||
+ // to quirks of the ec2metadata API. Additionally a finite retry
|
||||
+ // loop would have to time out quickly enough to avoid
|
||||
// extraordinarily long boots on failure (since this code runs in
|
||||
// every stage) but that would risk premature timeouts if the
|
||||
// network takes a while to come up.
|
||||
@@ -102,8 +97,16 @@ func Init(f *resource.Fetcher) error {
|
||||
// NOTE: FetchToBuffer is handling the ErrNeedNet case. If we move
|
||||
// to an alternative method, we will need to handle the detection in
|
||||
// this function.
|
||||
- _, err := f.FetchToBuffer(metadataServiceProbeURL, resource.FetchOptions{})
|
||||
- if err != nil {
|
||||
+ opts := resource.FetchOptions{
|
||||
+ Headers: http.Header{
|
||||
+ "x-aws-ec2-metadata-token-ttl-seconds": []string{"21600"},
|
||||
+ },
|
||||
+ HTTPVerb: "PUT",
|
||||
+ }
|
||||
+ _, err := f.FetchToBuffer(imdsTokenURL, opts)
|
||||
+ // ErrNotFound would just mean that the instance might not have
|
||||
+ // IMDSv2 enabled
|
||||
+ if err != nil && err != resource.ErrNotFound {
|
||||
return err
|
||||
}
|
||||
|
||||
--
|
||||
2.29.2
|
||||
Loading…
Reference in New Issue
Block a user