EC2: Do not retry on disabled IMDSv2 api/token route returning a 403

Bug #1866290 reported by Chad Smith
Affects     Status        Importance  Assigned to  Milestone
cloud-init  Fix Released  High        Unassigned

Bug Description

The Ec2 IMDSv2 latest/api/token route can be set as disabled and return a 403 indefinitely for an instance.

When receiving any HTTP status codes >= 400 from IMDSv2 on AWS' Ec2 cloud, 2 minutes of retries on the api/token route will not result in a successful Ec2 datasource detection.

Quickly fail Ec2 datasource detection to allow the instance to potentially discover other datasources.
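
The behaviour requested above, as an added Python example that is not part of the bug report and not cloud-init's own code: an HTTP error status from api/token ends detection at once, while network-level failures are still retried. The names fetch_token, urllib_put and TokenRouteRefused, the 1-second interval and the 21600-second TTL are assumptions; the 120-second budget mirrors the 2 minutes mentioned in the report.

```python
import time
import urllib.error
import urllib.request

TOKEN_URL = "http://169.254.169.254/latest/api/token"
TTL_HEADER = {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}  # assumed TTL


class TokenRouteRefused(Exception):
    """api/token answered with an HTTP error status; retrying cannot help."""

    def __init__(self, code, attempts):
        super().__init__(f"api/token returned HTTP {code} after {attempts} attempt(s)")
        self.code, self.attempts = code, attempts


def urllib_put(url, headers, timeout=1):
    """Real transport: PUT to the token route and return the token text."""
    req = urllib.request.Request(url, method="PUT", headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_token(put=urllib_put, max_wait=120, interval=1,
                sleep=time.sleep, clock=time.monotonic):
    """Return (token, attempts), or (None, attempts) once max_wait has elapsed.

    HTTP status >= 400 (for example the 403 of a disabled route) raises
    TokenRouteRefused on the first response so that the caller can move on
    to other datasources. Timeouts and connection errors are retried.
    """
    deadline = clock() + max_wait
    attempts = 0
    while True:
        attempts += 1
        try:
            return put(TOKEN_URL, TTL_HEADER), attempts
        except urllib.error.HTTPError as err:
            if err.code >= 400:
                raise TokenRouteRefused(err.code, attempts) from err
        except OSError:
            pass  # timeout, refused connection, no route: may be transient
        if clock() >= deadline:
            return None, attempts
        sleep(interval)
```

The put, sleep and clock parameters exist so the retry policy can be exercised with a constructed transport instead of a live metadata service.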

Chad Smith (chad.smith) wrote :
Changed in cloud-init:
status: New → Fix Committed
importance: Undecided → High
description: updated
description: updated
Frederick Lefebvre (fredlefebvre) wrote :

Chad, Thanks for merging this. I was surprised to see that you set yourself as the author of the commit, rather than only the committer? Is that a by-product of squashing the 2 commits from the PR? Should I have handled the pull request differently?

information type: Public → Public Security
information type: Public Security → Public
Chad Smith (chad.smith) wrote :

Ugh, Fred I'm sorry about that merge request, I'll look at what happened there. Generally that squash-and-merge should have given the PR author ownership. I'll see if I did something wrong there :/ as other merges I've landed did give proper authorship.

Chad Smith (chad.smith) wrote :

Maybe GitHub squashed it and attributed it to me due to the last commit on the branch having the reference

Test provided by: Chad Smith <email address hidden>

I'll make sure if I see top-most commits with other attributions that we also place a trailing
Authored-by: <the-real-author> footer on the commit message to inform GitHub to make the right decision on squash merge.

Changed in cloud-init:
status: Fix Committed → Fix Released
Chad Smith (chad.smith) wrote :

A version of cloud-init containing this fix was published to Ubuntu Focal (20.04) cloud-init 20.1-9-g1f860e5a-0ubuntu1.

If this is still a problem for you, please re-open this bug or submit a new bug with related context.

Dan Watkins (oddbloke) wrote : Re: [Bug 1866290] Re: EC2: Do not retry on disabled IMDSv2 api/token route returning a 403

Hey Fred,

On Fri, Mar 06, 2020 at 06:16:10AM -0000, Frederick Lefebvre wrote:
> Chad, Thanks for merging this. I was surprised to see that you set
> yourself as the author of the commit, rather than only the committer?
> Is that a by-product of squashing the 2 commits from the PR? Should I
> have handled the pull request differently?

Just wanted to follow up on this. It turns out GitHub changed their
squash-merging behaviour[0] for ~4 days before reverting it[1], and you
were caught up in that. Frustrating, but hopefully GitHub won't make
the same mistake again!

As a follow-up, I've filed a feature request with GitHub to improve the
UI around squash-merging by displaying the intended Author/Committer of
the yet-to-be-created commit. That would at least give us a chance of
noticing these things in future, if/when the behaviour does change
again.

Cheers,

Dan

[0] https://github.com/isaacs/github/issues/1303#issuecomment-595231303
[1] https://github.com/isaacs/github/issues/1303#issuecomment-595595284

James Falcon (falcojr) wrote :