ec2-metadata-fetcher: use IMDSv2, fetch public-ipv4 as well #96593
Conversation
endgame
force-pushed
the
ec2-metadata-imds-v2
branch
from
c4dff4f
to
d96d529
Compare
|
Couple of things that need to happen:
|
|
https://docs.openstack.org/nova/ussuri/user/metadata.html#metadata-ec2-format note for my reference |
endgame
force-pushed
the
ec2-metadata-imds-v2
branch
from
b09c0cd
to
ccc9575
Compare
|
Okay, this is ready now. I have tested the images by building Haven't done any OpenStack testing, but I reworked the metadata fetcher to use an IMDS API version that's documented as compatible with OpenStack compute. (The original version in this file — @copumpkin FYI since I've seen your name on a bunch of cloud stuff in this part of nixpkgs. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
endgame
force-pushed
the
ec2-metadata-imds-v2
branch
from
ccc9575
to
4c8cebb
Compare
|
@garbas I know you had an interest in supporting ec2 instances |
|
I have found it completely impossible to test the openstack side of this: I can't find a provider that will give me openstack access at an affordable price, asking in I have done the next best thing I could think of: I built EC2 images with I am curious to see what will happen if this script runs on an EC2 instance with no public IPv4 address (i.e., isolated VPC), but my AWS-fu is not good enough to set that up yet. |
|
@jonringer I'm interested in automated the upload of the images :) NixOS/nixos-homepage#447 |
This allows us to retain OpenStack compatiblity.
Busybox wget will overwrite the files if they exist, and re-fetching user-data and meta-data avoids surprising behaviour when an instance references stale data on reboot. Example: Without this commit, it's possible to: 1. Create an EC2 image with configuration in user data; 2. Stop that image; 3. Change the user data in the EC2 Management Console; 4. Restart the image; 5. Note that the original user data is re-applied, not the new user data.
This dodges a mysterious quoting problem that stops requests that use the IMDSv2 token from parsing properly.
endgame
force-pushed
the
ec2-metadata-imds-v2
branch
from
4c8cebb
to
c733138
Compare
|
Okay, I have learned enough about VPCs to do the test I wanted. I built a nixos AMI with the changes in this PR, booted that AMI into a private subnet. The fetch of Other things from the metadata fetcher work (e.g., I can SSH in with the keypair I tell AWS to use). Given that the openstack side of things is impossible to test (see above), I'm now calling this ready-to-merge. What else do I need to do? |
|
@AmineChikhaoui do you mind taking a look at this? |
| '' | ||
| imds=http://169.254.169.254/2009-04-04 | ||
| metaDir=${targetRoot}etc/ec2-metadata | ||
| mkdir -m 0755 -p "$metaDir" | ||
|
|
There was a problem hiding this comment.
Should I be doing a rm -f $metaDir/* here? Otherwise, files that might exist in certain conditions only (e.g. /etc/ec2-metadata/public-ipv4) might persist when they should be removed (if the public ipv4 goes away for some reason).
|
Closing as this was resolved by #104193. |
I'd love to have this change make it to the 20.09 NixOS AMIs.
Motivation for this change
readFile /etc/ec2-metadata/public-ipv4in the configuration I push as instance userdata, so that I can launch EC2 instances running this server.Things done
nix-build ./nixos/release.nix -A amazonImage --arg supportedSystems '["x86_64-linux"]'in the nixpkgs root;