07b6f5cc82
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/ignition.git#f27cf37ade8120c1a6a7e5ccf2f730d2a40d1d08
77 lines
3.2 KiB
Diff
77 lines
3.2 KiB
Diff
From 74ffe3749d70b9d115a9b9790969b8dcb4a76e12 Mon Sep 17 00:00:00 2001
|
|
From: Stephen Lowrie <stephen.lowrie@gmail.com>
|
|
Date: Mon, 11 Jan 2021 11:27:12 -0600
|
|
Subject: [PATCH] internal/providers/aws: probe the IMDS token URL
|
|
|
|
Probing the `/latest` path causes a 401 Unauthorized when running with
|
|
IMDSv2 only. Instead ping the token URL.
|
|
---
|
|
internal/providers/aws/aws.go | 37 +++++++++++++++++++----------------
|
|
1 file changed, 20 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/internal/providers/aws/aws.go b/internal/providers/aws/aws.go
|
|
index 54373dbb..4a6655f0 100644
|
|
--- a/internal/providers/aws/aws.go
|
|
+++ b/internal/providers/aws/aws.go
|
|
@@ -40,11 +40,6 @@ var (
|
|
Host: "169.254.169.254",
|
|
Path: "2019-10-01/user-data",
|
|
}
|
|
- metadataServiceProbeURL = url.URL{
|
|
- Scheme: "http",
|
|
- Host: "169.254.169.254",
|
|
- Path: "latest",
|
|
- }
|
|
imdsTokenURL = url.URL{
|
|
Scheme: "http",
|
|
Host: "169.254.169.254",
|
|
@@ -78,17 +73,17 @@ func NewFetcher(l *log.Logger) (resource.Fetcher, error) {
|
|
// Init prepares the fetcher for this platform
|
|
func Init(f *resource.Fetcher) error {
|
|
// During the fetch stage we might be running before the networking
|
|
- // is fully ready. Perform an HTTP fetch against the metadata probe
|
|
- // URL to ensure that networking is up before we attempt to fetch
|
|
- // the region hint from ec2metadata.
|
|
+ // is fully ready. Perform an HTTP fetch against the IMDS token URL
|
|
+ // to ensure that networking is up before we attempt to fetch the
|
|
+ // region hint from ec2metadata.
|
|
//
|
|
- // NOTE: the FetchToBuffer call against the metadata service probe
|
|
- // URL is a temporary solution to handle waiting for networking
|
|
- // before fetching from the AWS API. We do this instead of an
|
|
- // infinite retry loop on the API call because, without a clear
|
|
- // understanding of the failure cases, that would risk provisioning
|
|
- // failures due to quirks of the ec2metadata API. Additionally a
|
|
- // finite retry loop would have to time out quickly enough to avoid
|
|
+ // NOTE: the FetchToBuffer call against the IMDS token URL is a
|
|
+ // temporary solution to handle waiting for networking before
|
|
+ // fetching from the AWS API. We do this instead of an infinite
|
|
+ // retry loop on the API call because, without a clear understanding
|
|
+ // of the failure cases, that would risk provisioning failures due
|
|
+ // to quirks of the ec2metadata API. Additionally a finite retry
|
|
+ // loop would have to time out quickly enough to avoid
|
|
// extraordinarily long boots on failure (since this code runs in
|
|
// every stage) but that would risk premature timeouts if the
|
|
// network takes a while to come up.
|
|
@@ -102,8 +97,16 @@ func Init(f *resource.Fetcher) error {
|
|
// NOTE: FetchToBuffer is handling the ErrNeedNet case. If we move
|
|
// to an alternative method, we will need to handle the detection in
|
|
// this function.
|
|
- _, err := f.FetchToBuffer(metadataServiceProbeURL, resource.FetchOptions{})
|
|
- if err != nil {
|
|
+ opts := resource.FetchOptions{
|
|
+ Headers: http.Header{
|
|
+ "x-aws-ec2-metadata-token-ttl-seconds": []string{"21600"},
|
|
+ },
|
|
+ HTTPVerb: "PUT",
|
|
+ }
|
|
+ _, err := f.FetchToBuffer(imdsTokenURL, opts)
|
|
+ // ErrNotFound would just mean that the instance might not have
|
|
+ // IMDSv2 enabled
|
|
+ if err != nil && err != resource.ErrNotFound {
|
|
return err
|
|
}
|
|
|
|
--
|
|
2.29.2
|