If IMDSv2 is available from EC2 metadata, use it automatically. #13

Merged
merged 2 commits into from Aug 4, 2022

nat-henderson
Contributor

Use IMDSv2 if available.

AWS's IMDSv2 requires a token which you can fetch from the IMDS itself. If it's available, we'll fetch it and use it - if it's not, we'll revert to the previous behavior. This should be viable for both IMDSv1 and IMDSv2.

Little caveat: as it stands, if cloudinit runs for more than 6 hours, we'll wind up using an expired token. At the cost of somewhat more complex code, I can fix that - let me know.

Fixes flatcar/Flatcar#787.

How to use

Start any flatcar EC2 instance with only IMDSv2 enabled - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. If cloudinit works, this patch works. :)

Testing done

This has been pretty tricky since I can't get go 1.6 installed and this no longer builds with modern go. If you'd accept some patches to update to go 1.18, let me know - I'd be happy to add that in. Otherwise, I'm hoping to use existing CI to test.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
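
As an added example (not code from this PR or from coreos-cloudinit), here is one way the behaviour described above could look in Go: fetch an IMDSv2 token, fall back to tokenless IMDSv1 requests if that fails, and renew the token before the 6-hour TTL runs out. The `IMDS` type and `do` helper are hypothetical names, and `main` runs against a constructed local server rather than the real endpoint.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// IMDS is a hypothetical client (not coreos-cloudinit's type); main runs it against a constructed local server.
type IMDS struct {
	Base    string    // metadata endpoint; on EC2 this is http://169.254.169.254
	token   string    // IMDSv2 session token; empty means plain IMDSv1 requests
	expires time.Time // when to renew, set one minute before the 6-hour TTL ends
}
// do sends one request with an optional header and returns the body, or "" on any error.
func do(method, url, key, val string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	if val != "" {
		req.Header.Set(key, val)
	}
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("imds: status %q, read error: %v", resp.Status, err)
	}
	return string(body), nil
}
// Get renews a missing or due token, then reads path; a failed token fetch means an IMDSv1 read.
func (c *IMDS) Get(path string) (string, error) {
	if c.token == "" || time.Now().After(c.expires) {
		c.token, _ = do("PUT", c.Base+"/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "21600")
		c.expires = time.Now().Add(6*time.Hour - time.Minute)
	}
	return do("GET", c.Base+path, "X-aws-ec2-metadata-token", c.token)
}
func main() {
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "constructed") }))
	defer s.Close()
	fmt.Println((&IMDS{Base: s.URL}).Get("/latest/meta-data/instance-id"))
}
```

On an instance where only IMDSv2 is enabled, the tokenless fallback request is rejected, so a failed token fetch surfaces as an error from `Get` instead of a silent downgrade.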

@nat-henderson
Contributor Author

This PR is basically equivalent to flatcar/ignition@585c029.

@nat-henderson
Contributor Author

Here's the go 1.18 upgrade: #14.

@jepio
Member

jepio commented Aug 2, 2022

> This has been pretty tricky since I can't get go 1.6 installed and this no longer builds with modern go. If you'd accept some patches to update to go 1.18, let me know - I'd be happy to add that in. Otherwise, I'm hoping to use existing CI to test.

In Flatcar we build this with go 1.18, and the following env variables set:

```
export GO111MODULE=off
export GO15VENDOREXPERIMENT=1
```

But if we're touching the code then I'm happy to get this upgraded to normal modules. I've merged your other PR #14, and am hoping to get github actions CI working in #16.

@jepio jepio self-assigned this Aug 2, 2022
@nat-henderson
Contributor Author

Thanks for the quick turnaround! I'm still trying to get this running to test it manually - I haven't built a flatcar image with modified components before, and I'm on an M1 Mac which means the dev images aren't quite working right for me - lots of shared libraries that won't load - but I'll get back to you as fast as I can.

@nat-henderson
Contributor Author

Oh, funny, it's literally you who made that possible: flatcar/Flatcar#319 (comment). :) Thanks!

@jepio
Member

jepio commented Aug 2, 2022 via email

@nat-henderson
Contributor Author

Sure, why don't I try that. Thank you!

@nat-henderson
Contributor Author

nat-henderson commented Aug 2, 2022

It is building and running correctly now in arm64 on AWS - let me see if I can get it to cross-compile for amd64, too, while I'm at it. After all, almost everyone's using amd64 on AWS, not a lot of Graviton use relative to regular ol' CPUs just yet.

@nat-henderson
Contributor Author

Looks like you have that working in #16 - I'll rebase this onto that and check if it compiles.

@nat-henderson
Contributor Author

Yep, looks like it does.

jepio added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 3, 2022
This pulls in these PRs:
- flatcar/coreos-cloudinit#13 (imdsv2)
- flatcar/coreos-cloudinit#14 (go.mod)

Since go.mod is now present, rework the ebuild to remove unused bits and
enable go module support.
@jepio
Member

jepio commented Aug 3, 2022

I'm running integration tests in the coreos-overlay PR, will merge this as soon as those pass.
Thanks for contributing this!

@jepio jepio merged commit 6e1b14a into flatcar:flatcar-master Aug 4, 2022
jepio added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 4, 2022
This pulls in these PRs:
- flatcar/coreos-cloudinit#13 (imdsv2)
- flatcar/coreos-cloudinit#14 (go.mod)

Since go.mod is now present, rework the ebuild to remove unused bits and
enable go module support.