From 61cec34a754017537c61e79cd1212f2688c32429 Mon Sep 17 00:00:00 2001
From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:19:10 +0530
Subject: [PATCH 1/7] Introduce a new shell function to reuse IMDS token
---
 heartbeat/ocf-shellfuncs.in | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
index 5c4bb3264..0c4632cf9 100644
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -1111,3 +1111,34 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
 if ocf_is_true "$HA_use_logd"; then
 : ${HA_LOGD:=yes}
 fi
+
+# File to store the token and timestamp
+TOKEN_FILE="/tmp/.imds_token"
+TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
+TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
+
+# Function to fetch a new token
+fetch_new_token() {
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
+ echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+ echo "$TOKEN"
+}
+
+# Function to retrieve or renew the token
+get_token() {
+ if [[ -f "$TOKEN_FILE" ]]; then
+ read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
+ CURRENT_TIME=$(date +%s)
+ ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+
+ if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+ # Token is still valid
+ echo "$STORED_TOKEN"
+ return
+ fi
+ fi
+ # Fetch a new token if not valid
+ fetch_new_token
+}
+
+
From 00629fa44cb7a8dd1045fc8cad755e1d0c808476 Mon Sep 17 00:00:00 2001
From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:21:18 +0530
Subject: [PATCH 2/7] Utilize the get_token function to reuse the token
---
 heartbeat/aws-vpc-move-ip | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index 6115e5ba8..fbeb2ee64 100755
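Review bot: `fetch_new_token` writes `$TOKEN` to the cache file whether or not the curl call succeeded, so an empty or partial response is stored with a fresh timestamp and `get_token` keeps handing it out for the next five hours; and because the function's last command is `echo "$TOKEN"` it exits 0 even then, so no caller can tell. Add `[ -n "$TOKEN" ] || return 1` between the curl and the write, and give the bare `curl` here `-s --fail --max-time` so a wedged metadata endpoint cannot block every agent action indefinitely. The fixed path `/tmp/.imds_token` is in a world-writable directory: any local user can pre-create or symlink it to steer what the root-running agent writes, or plant a token/timestamp pair of their choosing, and the IMDSv2 token stored there is what unlocks the instance's IAM role credentials, so it must not be readable by other users. `[[` and `(( ))` are bash-only while ocf-shellfuncs is sourced by `#!/bin/sh` agents.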
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -270,7 +270,7 @@ ec2ip_validate() {
 fi
 fi
 
-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
From 36126cdcb90ad617ecfce03d986550907732aa4f Mon Sep 17 00:00:00 2001
From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:22:16 +0530
Subject: [PATCH 3/7] Utilize to get_token function to reuse the token
---
 heartbeat/awsvip | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index f2b238a0f..ca19ac086 100755
--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
@@ -266,7 +266,7 @@ if [ -n "${OCF_RESKEY_region}" ]; then
 AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 fi
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
From dcd0050df5ba94905bc71d38b05cbb93f5687b61 Mon Sep 17 00:00:00 2001
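Review bot: The `[ $? -ne 0 ] && exit $OCF_ERR_GENERIC` that follows `TOKEN=$(get_token)` no longer guards anything: get_token's exit status is that of its final `echo`, which is 0 even when the IMDS request failed, whereas the replaced line propagated curl_retry's status. A failed token fetch therefore proceeds into the instance-id request with an empty `X-aws-ec2-metadata-token` header instead of exiting with OCF_ERR_GENERIC. Until get_token propagates failure, test the value instead: `[ -n "$TOKEN" ] || exit $OCF_ERR_GENERIC`. The same dead check follows the identical replacement in the awsvip hunk on this line, and in awseip and aws-vpc-route53 later in the series; ec2ip_validate begins before this hunk.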
From: harshkiprofile
Date: Mon, 4 Nov 2024 20:05:33 +0530
Subject: [PATCH 4/7] Move token renewal function to aws.sh for reuse in AWS agent scripts
---
 heartbeat/Makefile.am | 1 +
 heartbeat/aws-vpc-move-ip | 1 +
 heartbeat/aws-vpc-route53.in | 3 ++-
 heartbeat/aws.sh | 46 ++++++++++++++++++++++++++++++++++++
 heartbeat/awseip | 3 ++-
 heartbeat/awsvip | 1 +
 heartbeat/ocf-shellfuncs.in | 33 +------------------------
 7 files changed, 54 insertions(+), 34 deletions(-)
 create mode 100644 heartbeat/aws.sh
diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
index 409847970..655740f14 100644
--- a/heartbeat/Makefile.am
+++ b/heartbeat/Makefile.am
@@ -218,6 +218,7 @@ ocfcommon_DATA = ocf-shellfuncs \
 ocf-rarun \
 ocf-distro \
 apache-conf.sh \
+ aws.sh \
 http-mon.sh \
 sapdb-nosha.sh \
 sapdb.sh \
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index fbeb2ee64..f4b0492f2 100755
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -33,6 +33,7 @@
 
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
 
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index eba2ed95c..f7e756782 100644
--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
@@ -43,6 +43,7 @@
 
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
 
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
@@ -377,7 +378,7 @@ r53_monitor() {
 _get_ip() {
 case $OCF_RESKEY_ip in
 local|public)
-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
new file mode 100644
index 000000000..fc557109c
--- /dev/null
+++ b/heartbeat/aws.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+#
+# AWS Helper Scripts
+#
+#
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+
+# Defaults
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+
+# Function to enable reusable IMDS token retrieval for efficient repeated access
+# File to store the token and timestamp
+TOKEN_FILE="/tmp/.imds_token"
+TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
+TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
+
+# Function to fetch a new token
+fetch_new_token() {
+ TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
+ echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+ echo "$TOKEN"
+}
+
+# Function to retrieve or renew the token
+get_token() {
+ if [ -f "$TOKEN_FILE" ]; then
+ read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
+ CURRENT_TIME=$(date +%s)
+ ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+
+ if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+ # Token is still valid
+ echo "$STORED_TOKEN"
+ return
+ fi
+ fi
+ # Fetch a new token if not valid
+ fetch_new_token
+}
\ No newline at end of file
diff --git a/heartbeat/awseip b/heartbeat/awseip
index ffb6223a1..049c2e566 100755
--- a/heartbeat/awseip
+++ b/heartbeat/awseip
@@ -38,6 +38,7 @@
 
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
 
 #######################################################################
 
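Review bot: The token cache is created with the caller's default umask and rewritten in place by `echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"`, so the IMDSv2 token — the credential that unlocks the instance's IAM role keys through the metadata service — is readable by anyone who can read the directory, and a second agent calling `get_token` at the same moment can read the truncated file, leaving STORED_TOKEN and STORED_TIMESTAMP empty and the `$((CURRENT_TIME - STORED_TIMESTAMP))` line failing. The write also happens when curl_retry fails, caching an empty token with a fresh timestamp, and since the function ends in `echo "$TOKEN"` its exit status is always 0, which is what every `[ $? -ne 0 ]` check in the callers relies on. Write the file under `umask 077` to a temporary name and `mv` it into place, refuse to cache an empty response, and have get_token treat an unreadable or malformed file as a miss; the result of `read` is currently unchecked. The file also ends without a trailing newline, and `(( ))` is not POSIX sh despite the `#!/bin/sh` line.
```shell
fetch_new_token() {
	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token") || return $?
	# never cache a failed or empty response; callers test our exit status
	[ -n "$TOKEN" ] || return 1
	# private (0600) and atomic: concurrent readers see the old file or the new one, never a truncated one
	( umask 077; echo "$TOKEN $(date +%s)" > "$TOKEN_FILE.$$" ) && mv -f "$TOKEN_FILE.$$" "$TOKEN_FILE"
	echo "$TOKEN"
}

get_token() {
	# a missing, unreadable, truncated or malformed cache file is a cache miss
	if [ -f "$TOKEN_FILE" ] && read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE" \
	   && [ -n "$STORED_TOKEN" ] && [ -n "$STORED_TIMESTAMP" ]; then
		# … unchanged: elapsed-time check and early return …
	fi
	fetch_new_token
}
```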
@@ -306,7 +307,7 @@ fi
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index ca19ac086..de67981d8 100755
--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
@@ -37,6 +37,7 @@
 
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
 
 #######################################################################
 
diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
index 0c4632cf9..922c6ea45 100644
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -1110,35 +1110,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
 # pacemaker sets HA_use_logd, some others use HA_LOGD :/
 if ocf_is_true "$HA_use_logd"; then
 : ${HA_LOGD:=yes}
-fi
-
-# File to store the token and timestamp
-TOKEN_FILE="/tmp/.imds_token"
-TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
-TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
-
-# Function to fetch a new token
-fetch_new_token() {
- TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
- echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
- echo "$TOKEN"
-}
-
-# Function to retrieve or renew the token
-get_token() {
- if [[ -f "$TOKEN_FILE" ]]; then
- read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
- CURRENT_TIME=$(date +%s)
- ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
-
- if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
- # Token is still valid
- echo "$STORED_TOKEN"
- return
- fi
- fi
- # Fetch a new token if not valid
- fetch_new_token
-}
-
-
+fi
\ No newline at end of file
From 9f7be201923c8eab1b121f2067ed74a69841cf8a Mon Sep 17 00:00:00 2001
From: harshkiprofile
Date: Tue, 5 Nov 2024 19:12:34 +0530
Subject: [PATCH 5/7] Refactor to use common temp path and update shell syntax
---
 heartbeat/Makefile.am | 2 +-
 heartbeat/aws.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
index 655740f14..8352f3a3d 100644
--- a/heartbeat/Makefile.am
+++ b/heartbeat/Makefile.am
@@ -218,7 +218,7 @@ ocfcommon_DATA = ocf-shellfuncs \
 ocf-rarun \
 ocf-distro \
 apache-conf.sh \
- aws.sh \
+ aws.sh \
 http-mon.sh \
 sapdb-nosha.sh \
 sapdb.sh \
diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
index fc557109c..c77f93b91 100644
--- a/heartbeat/aws.sh
+++ b/heartbeat/aws.sh
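Review bot: The hunk replaces the closing `fi` with `+fi` marked `\ No newline at end of file`, so besides removing the token helpers it strips the terminating newline from ocf-shellfuncs.in. Sourcing with `.` still works, but the missing newline produces a spurious diff on the next edit and trips editors and linters; keep it so this hunk is a pure deletion of the lines patch 1 added.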
@@ -17,7 +17,7 @@ OCF_RESKEY_curl_sleep_default="1"
 
 # Function to enable reusable IMDS token retrieval for efficient repeated access
 # File to store the token and timestamp
-TOKEN_FILE="/tmp/.imds_token"
+TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
 TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
 TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
 
@@ -35,7 +35,7 @@ get_token() {
 CURRENT_TIME=$(date +%s)
 ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
 
- if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+ if [ "$ELAPSED_TIME" -lt "$((TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD))" ]; then
 # Token is still valid
 echo "$STORED_TOKEN"
 return
From 4f61048064d1df3bebdb5c1441cf0020f213c01b Mon Sep 17 00:00:00 2001
From: harshkiprofile
Date: Tue, 5 Nov 2024 19:30:15 +0530
Subject: [PATCH 6/7] Consolidate curl_retry and curl_sleep variable to a single location in aws.sh
---
 heartbeat/aws-vpc-move-ip | 4 ----
 heartbeat/aws-vpc-route53.in | 4 ----
 heartbeat/awseip | 4 ----
 heartbeat/awsvip | 4 ----
 4 files changed, 16 deletions(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index f4b0492f2..3aa9ceb02 100755
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -48,8 +48,6 @@ OCF_RESKEY_interface_default="eth0"
 OCF_RESKEY_iflabel_default=""
 OCF_RESKEY_monapi_default="false"
 OCF_RESKEY_lookup_type_default="InstanceId"
-OCF_RESKEY_curl_retries_default="3"
-OCF_RESKEY_curl_sleep_default="1"
 
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
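Review bot: `TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"` collapses to `/.aws_imds_token` when HA_RSCTMP is empty — for instance an agent run by hand outside pacemaker, if ocf-shellfuncs does not default the variable in that environment — so a root-owned token file would land in the filesystem root. Fail loudly instead: `TOKEN_FILE="${HA_RSCTMP:?HA_RSCTMP is not set}/.aws_imds_token"`, and since HA_RSCTMP is shared by every agent on the node, still write the file with `umask 077` so other local processes cannot read the IMDSv2 token. In the second hunk the converted `[ "$ELAPSED_TIME" -lt ... ]` is never reached with a bad cache: an empty or truncated file leaves STORED_TIMESTAMP unset and the `$((CURRENT_TIME - STORED_TIMESTAMP))` two lines above raises an arithmetic error (which dash treats as fatal to the sourcing script), so validate the values `read` produced before the arithmetic. get_token continues past the end of this hunk.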
@@ -63,8 +61,6 @@ OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
 : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
 : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 
 #######################################################################
 
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index f7e756782..85c8de3c1 100644
--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
@@ -54,8 +54,6 @@ OCF_RESKEY_hostedzoneid_default=""
 OCF_RESKEY_fullname_default=""
 OCF_RESKEY_ip_default="local"
 OCF_RESKEY_ttl_default=10
-OCF_RESKEY_curl_retries_default="3"
-OCF_RESKEY_curl_sleep_default="1"
 
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
@@ -65,8 +63,6 @@ OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
 : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 
 usage() {
 cat <<-EOT
diff --git a/heartbeat/awseip b/heartbeat/awseip
index 049c2e566..4b1c3bc6a 100755
--- a/heartbeat/awseip
+++ b/heartbeat/awseip
@@ -50,16 +50,12 @@ OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
-OCF_RESKEY_curl_retries_default="3"
-OCF_RESKEY_curl_sleep_default="1"
 
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 
 meta_data() {
 cat <
Date: Tue, 5 Nov 2024 20:50:24 +0530
Subject: [PATCH 7/7] aws.sh needs to added to be symlinkstargets in doc/man/Makefile.am
---
 doc/man/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index ef7639bff..447f5cba3 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -42,7 +42,7 @@ radir = $(abs_top_builddir)/heartbeat
 # required for out-of-tree build
 symlinkstargets = \
 ocf-distro ocf.py ocf-rarun ocf-returncodes \
- findif.sh apache-conf.sh http-mon.sh mysql-common.sh \
+ findif.sh apache-conf.sh aws.sh http-mon.sh mysql-common.sh \
 nfsserver-redhat.sh ora-common.sh
 
 preptree: