
[cloud] Add ability to retrieve Google Compute Engine metadata

For some unspecified "security" reason, the Google Compute Engine
metadata server will refuse any requests that do not include the
non-standard HTTP header "Metadata-Flavor: Google".

Attempt to autodetect such requests (by comparing the hostname against
"metadata.google.internal"), and add the "Metadata-Flavor: Google"
header if applicable.

Enable this feature in the CONFIG=cloud build, and include a sample
embedded script allowing iPXE to boot from a script configured as
metadata via e.g.

  # Create shared boot image
  make bin/ipxe.usb CONFIG=cloud EMBED=config/cloud/gce.ipxe

  # Configure per-instance boot script
  gcloud compute instances add-metadata <instance> \
         --metadata-from-file ipxeboot=boot.ipxe

Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Jan 23, 2017
1 parent 0dc4814 commit de85336abb7861e4ea4df2e296eb33d179c7c9bd
Showing with 87 additions and 0 deletions.
  1. +7 −0 src/config/cloud/gce.ipxe
  2. +4 −0 src/config/cloud/general.h
  3. +3 −0 src/config/config_http.c
  4. +1 −0 src/config/general.h
  5. +72 −0 src/net/tcp/httpgce.c
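--- a/src/config/cloud/gce.ipxe
+++ b/src/config/cloud/gce.ipxe
@@ -0,0 +1,7 @@
+#!ipxe
+echo Google Compute Engine - iPXE boot via metadata
+ifstat ||
+dhcp ||
+route ||
+chain -ar http://metadata.google.internal/computeMetadata/v1/instance/attributes/ipxeboot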
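Review bot: The script carries no comment on its error handling, so a reader needs to know iPXE script syntax to see that the trailing `||` on `ifstat`, `dhcp` and `route` makes their failure non-fatal, while a failure of the final `chain` (for instance when the instance has no `ipxeboot` attribute) ends the script. A comment before `ifstat ||` such as `# Setup failures are tolerated; only the chain of the boot script must succeed` would make that explicit, and the `chain` line deserves a note that it replaces this embedded script with the fetched one, if that is what `-ar` means in this iPXE version. It is also worth documenting that the fetched script is executed as-is, so anyone able to set the instance's `ipxeboot` metadata controls what this image boots.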
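--- a/src/config/cloud/general.h
+++ b/src/config/cloud/general.h
@@ -0,0 +1,4 @@
+/* Allow retrieval of metadata (such as an iPXE boot script) from
+* Google Compute Engine metadata server.
+*/
+#define HTTP_HACK_GCE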
@@ -43,3 +43,6 @@ REQUIRE_OBJECT ( httpdigest );
#ifdef HTTP_ENC_PEERDIST
REQUIRE_OBJECT ( peerdist );
#endif
#ifdef HTTP_HACK_GCE
REQUIRE_OBJECT ( httpgce );
#endif
@@ -78,6 +78,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#define HTTP_AUTH_BASIC /* Basic authentication */
#define HTTP_AUTH_DIGEST /* Digest authentication */
//#define HTTP_ENC_PEERDIST /* PeerDist content encoding */
//#define HTTP_HACK_GCE /* Google Compute Engine hacks */
/*
* 802.11 cryptosystems and handshaking protocols
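--- a/src/net/tcp/httpgce.c
+++ b/src/net/tcp/httpgce.c
@@ -0,0 +1,72 @@
+/*
+* Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License as
+* published by the Free Software Foundation; either version 2 of the
+* License, or any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*
+* You can also choose to distribute this program under the terms of
+* the Unmodified Binary Distribution Licence (as given in the file
+* COPYING.UBDL), provided that you have satisfied its requirements.
+*/
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+/**
+* @file
+*
+* Google Compute Engine (GCE) metadata retrieval
+*
+* For some unspecified "security" reason, the Google Compute Engine
+* metadata server will refuse any requests that do not include the
+* non-standard HTTP header "Metadata-Flavor: Google".
+*/
+#include <strings.h>
+#include <stdio.h>
+#include <ipxe/http.h>
+/** Metadata host name
+*
+* This is used to identify metadata requests, in the absence of any
+* more robust mechanism.
+*/
+#define GCE_METADATA_HOST_NAME "metadata.google.internal"
+/**
+* Construct HTTP "Metadata-Flavor" header
+*
+* @v http HTTP transaction
+* @v buf Buffer
+* @v len Length of buffer
+* @ret len Length of header value, or negative error
+*/
+static int http_format_metadata_flavor ( struct http_transaction *http,
+char *buf, size_t len ) {
+/* Do nothing unless this appears to be a Google Compute
+* Engine metadata request.
+*/
+if ( strcasecmp ( http->request.host, GCE_METADATA_HOST_NAME ) != 0 )
+return 0;
+/* Construct host URI */
+return snprintf ( buf, len, "Google" );
+}
+/** HTTP "Metadata-Flavor" header */
+struct http_request_header http_request_metadata_flavor __http_request_header ={
+.name = "Metadata-Flavor",
+.format = http_format_metadata_flavor,
+};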
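Review bot: The comment above the `snprintf` call, `/* Construct host URI */`, looks copied from another header formatter and does not describe that line, which emits the fixed header value; `/* The header value is the fixed token "Google" */` would be accurate. The file comment's "unspecified "security" reason" could also give the documented rationale: the server requires the header so that requests reaching it unintentionally (for example through a redirect or proxy initiated by an untrusted server, which cannot add custom headers) are rejected and only code deliberately addressing the metadata service gets an answer. That rationale matters here because this formatter adds the header purely on a hostname match, so if the HTTP layer follows redirects (not visible in this file) a request redirected to `metadata.google.internal` by a third-party server would receive it too; a comment stating that caveat, or a check that the host was the one originally requested, would be appropriate. Finally, `http->request.host` is passed to `strcasecmp` without a NULL check and the match is by name only, so the `GCE_METADATA_HOST_NAME` comment should say that `request.host` is assumed non-NULL and that requests addressing the server by IP address are not recognised.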
