ec2-metadata-fetcher: use IMDSv2, fetch public-ipv4 as well #96593
Conversation
Force-pushed from c4dff4f to d96d529.
Couple of things that need to happen:
https://docs.openstack.org/nova/ussuri/user/metadata.html#metadata-ec2-format note for my reference
Force-pushed from b09c0cd to ccc9575.
Okay, this is ready now. I have tested the images by building Haven't done any OpenStack testing, but I reworked the metadata fetcher to use an IMDS API version that's documented as compatible with OpenStack compute. (The original version in this file — @copumpkin FYI since I've seen your name on a bunch of cloud stuff in this part of nixpkgs.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Force-pushed from ccc9575 to 4c8cebb.
@garbas I know you had an interest in supporting ec2 instances
I have found it completely impossible to test the openstack side of this: I can't find a provider that will give me openstack access at an affordable price, asking in I have done the next best thing I could think of: I built EC2 images with I am curious to see what will happen if this script runs on an EC2 instance with no public IPv4 address (i.e., isolated VPC), but my AWS-fu is not good enough to set that up yet.
@jonringer I'm interested in automating the upload of the images :) NixOS/nixos-homepage#447
This allows us to retain OpenStack compatibility.
Busybox wget will overwrite the files if they exist, and re-fetching user-data and meta-data avoids surprising behaviour when an instance references stale data on reboot. Example: without this commit, it's possible to:
1. Create an EC2 image with configuration in user data;
2. Stop that image;
3. Change the user data in the EC2 Management Console;
4. Restart the image;
5. Note that the original user data is re-applied, not the new user data.
This dodges a mysterious quoting problem that stops requests that use the IMDSv2 token from parsing properly.
Force-pushed from 4c8cebb to c733138.
Okay, I have learned enough about VPCs to do the test I wanted. I built a nixos AMI with the changes in this PR, booted that AMI into a private subnet. The fetch of Other things from the metadata fetcher work (e.g., I can SSH in with the keypair I tell AWS to use). Given that the openstack side of things is impossible to test (see above), I'm now calling this ready-to-merge. What else do I need to do?
@AmineChikhaoui do you mind taking a look at this?
'' | ||
imds=http://169.254.169.254/2009-04-04 | ||
metaDir=${targetRoot}etc/ec2-metadata | ||
mkdir -m 0755 -p "$metaDir" | ||
|
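Review bot: `imds=http://169.254.169.254/2009-04-04` pins the 2009-04-04 API tree without a comment saying why; since the PR title advertises IMDSv2, a reader will expect `/latest/...` here and may "fix" it later, so add a one-line comment that 2009-04-04 is the version chosen for compatibility with OpenStack's EC2-format metadata (the nova docs linked earlier in this thread) and that the IMDSv2 token header is still sent on AWS. Two smaller points on the same lines: `metaDir=${targetRoot}etc/ec2-metadata` only produces the intended path when `targetRoot` is empty or ends in `/`, which deserves a comment or a `${targetRoot%/}/etc/ec2-metadata` spelling; and `mkdir -m 0755 -p "$metaDir"` leaves files from a previous boot in place, so any item that is only fetched conditionally (this PR's `public-ipv4`) can survive after the condition stops holding unless the fetcher removes it on a failed fetch.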
Should I be doing a rm -f $metaDir/* here? Otherwise, files that might exist in certain conditions only (e.g. /etc/ec2-metadata/public-ipv4) might persist when they should be removed (if the public ipv4 goes away for some reason).
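An added example, not the nixpkgs ec2-metadata-fetcher and not the PR author's code, covering the two behaviours discussed above: the commit message's "always re-fetch and overwrite so a reboot never reapplies stale user-data", and the question in this comment about stale, conditionally-present files such as public-ipv4. It requests an IMDSv2 token first and, when that PUT fails (an endpoint that only implements the 2009-04-04 tree, as the thread assumes for OpenStack), falls back to the plain request; every item is overwritten on success and deleted on failure, so no `rm -f $metaDir/*` is needed. Assumptions not on the page: `curl` instead of busybox wget, the item list, the `.tmp` staging file, and the script name `ec2-metadata-sync.sh` used by the run guard.

```shell
#!/bin/sh
# Added example (not the nixpkgs script). Sync a directory of metadata files
# from an EC2-style IMDS, using an IMDSv2 token when one is available.

IMDS="${IMDS:-http://169.254.169.254}"
API="${IMDS_API:-2009-04-04}"          # tree the PR pins for OpenStack compatibility
META_DIR="${META_DIR:-/etc/ec2-metadata}"

# http_get URL [HEADER]: body on stdout, non-zero status on HTTP/network error.
# The header is passed as one argument, which sidesteps word-splitting of the
# "Name: value" string. Overridable, so the logic below can run offline.
http_get() {
  if [ -n "${2:-}" ]; then
    curl -fsS --max-time 5 -H "$2" "$1"
  else
    curl -fsS --max-time 5 "$1"
  fi
}

# http_put_token: IMDSv2 token on stdout; empty output and status 0 when the
# endpoint does not implement the token API (assumed: OpenStack's EC2 tree).
http_put_token() {
  curl -fsS --max-time 5 -X PUT \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
    "$IMDS/latest/api/token" 2>/dev/null || true
}

# meta_url NAME: user-data lives beside meta-data, everything else under it.
meta_url() {
  case "$1" in
    user-data) printf '%s/%s/user-data' "$IMDS" "$API" ;;
    *)         printf '%s/%s/meta-data/%s' "$IMDS" "$API" "$1" ;;
  esac
}

# sync_meta NAME TOKEN: write $META_DIR/NAME from IMDS, or delete it when the
# item is not served (e.g. public-ipv4 on an instance in a private subnet),
# so a copy left over from a previous boot never survives.
# Returns 0 when written, 1 when absent (and removed).
sync_meta() {
  name=$1; token=${2:-}
  hdr=''
  [ -n "$token" ] && hdr="X-aws-ec2-metadata-token: $token"
  mkdir -m 0755 -p "$META_DIR"
  tmp="$META_DIR/.$name.tmp"
  if http_get "$(meta_url "$name")" "$hdr" >"$tmp" 2>/dev/null; then
    mv -f "$tmp" "$META_DIR/$name"      # overwrite unconditionally
    return 0
  fi
  rm -f "$tmp" "$META_DIR/$name"        # absent now: drop any stale copy
  return 1
}

# sync_all: one token (or none) for the whole run, every item refreshed.
sync_all() {
  token=$(http_put_token)
  for item in ami-id instance-id hostname public-hostname public-ipv4 user-data; do
    sync_meta "$item" "$token" \
      || echo "metadata item '$item' not available; removed any stale copy" >&2
  done
}

# Only talk to the real endpoint when run as a script, not when sourced.
if [ "${0##*/}" = "ec2-metadata-sync.sh" ]; then sync_all; fi
```

Fetching one token per run keeps the IMDSv2 path to a single PUT, and writing through a staging file means a half-fetched body never replaces a good one; the per-item delete-on-failure is what makes a wholesale `rm -f` of the directory unnecessary.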
Closing as this was resolved by #104193.
I'd love to have this change make it to the 20.09 NixOS AMIs.
Motivation for this change
readFile /etc/ec2-metadata/public-ipv4 in the configuration I push as instance userdata, so that I can launch EC2 instances running this server.
Things done
nix-build ./nixos/release.nix -A amazonImage --arg supportedSystems '["x86_64-linux"]' in the nixpkgs root;