yahoo-eng-team team mailing list archive

[Bug 1896532] [NEW] Ec2Datasource fails in environments without IMDSv2

Public bug reported:

On AWS regions that do not have IMDSv2 available, cloud-init fails to
read user-data via the Ec2Datasource.

This bug was introduced in the following change:
https://bugs.launchpad.net/cloud-init/+bug/1866290

The change in that bug incorrectly assumes that a status code of 403
means the IMDS is disabled entirely.

> The Ec2 IMDSv2 latest/api/token route can be set as disabled and
> return a 403 indefinitely for an instance.

In reality, there are some regions where IMDSv2 is currently
unsupported. In those regions, a 403 is still returned, but IMDSv1 is
enabled and working. The end result is that cloud-init versions later
than 20.1-9-g1f860e5a-0ubuntu1 are unable to retrieve user-data from the
IMDS in affected regions.

I am unable to attach the requested log because the region where I
observed this behavior is physically disconnected from the internet.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1896532

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1896532/+subscriptions
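The decision logic the report is about, as an added stand-alone illustration (not cloud-init's own code): `decide_naive` treats a 403 from the IMDSv2 token route as "IMDS disabled", while `probe_imds` confirms with an IMDSv1 request before giving up. The HTTP layer is injected so the block runs offline against constructed responses; `fetch`, `fake_region` and the return labels are hypothetical names, and the IMDS endpoint and token header are the public AWS ones.

```python
# Added illustration, not cloud-init's code: distinguishing "IMDSv2 token
# route returns 403" from "IMDS disabled entirely". The HTTP layer is a
# constructed callable so this runs offline; helper names are hypothetical.
from typing import Callable, Optional, Tuple

IMDS = "http://169.254.169.254"
TOKEN_URL = IMDS + "/latest/api/token"      # IMDSv2 token route
META_URL = IMDS + "/latest/meta-data/"      # answered by IMDSv1 and IMDSv2
TOKEN_TTL = {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}

# fetch(method, url, headers) -> (status, body); None means no answer at all.
Fetch = Callable[[str, str, dict], Optional[Tuple[int, str]]]


def decide_naive(fetch: Fetch) -> str:
    """Behaviour the bug report describes: a 403 on the token route is read
    as 'IMDS disabled', so regions that only offer IMDSv1 are lost."""
    resp = fetch("PUT", TOKEN_URL, TOKEN_TTL)
    if resp is None or resp[0] == 403:
        return "disabled"
    return "v2"


def probe_imds(fetch: Fetch) -> str:
    """Corrected decision: a refused or unanswered token request only shows
    that IMDSv2 is unavailable; confirm with a plain IMDSv1 GET first."""
    resp = fetch("PUT", TOKEN_URL, TOKEN_TTL)
    if resp is not None and resp[0] == 200 and resp[1]:
        return "v2"
    v1 = fetch("GET", META_URL, {})
    if v1 is not None and v1[0] == 200:
        # v1 has no token binding, so a real datasource should log this
        # fallback rather than using the weaker path silently.
        return "v1"
    return "disabled"


def fake_region(token_status: Optional[int], v1_status: Optional[int]) -> Fetch:
    """Constructed fetcher simulating one region/instance (None = no reply)."""
    def fetch(method: str, url: str, headers: dict) -> Optional[Tuple[int, str]]:
        if method == "PUT" and url == TOKEN_URL:
            if token_status is None:
                return None
            return (token_status, "tok" if token_status == 200 else "")
        if method == "GET" and url == META_URL:
            if v1_status is None:
                return None
            return (v1_status, "ami-id\n" if v1_status == 200 else "")
        return (404, "")
    return fetch
```

A region without IMDSv2 is modelled as `fake_region(403, 200)`: the naive check reports "disabled" while the fallback check reports "v1".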