Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/disable IMDSv1 #2174

Merged
merged 4 commits into from
Jun 28, 2024
Merged

Fix/disable IMDSv1 #2174

merged 4 commits into from
Jun 28, 2024

Conversation

Akendo
Copy link
Contributor

@Akendo Akendo commented Jun 27, 2024

What this PR does / why we need it:

We have to disable the IMDSv1. The test will fail without a token. So we request a token from IMDSv2 and provide it for our current test case.

Akendo added 2 commits June 27, 2024 19:20
@Akendo
Fetch a token for the metadata test
fafa2eb 
Signed-off-by: Akendo <akendo@akendo.eu>

We need to provide for access to the metadata service a token now.
Hence, try to fetch one token *before* making the test in a subshell.
Not a clean solution, but one that should work.

Solves: Security-2
@Akendo
Add variables and timeout.
f7c5722 
Signed-off-by: Akendo <akendo@akendo.eu>
@Akendo Akendo requested a review from a team as a code owner June 27, 2024 17:26
@Akendo Akendo changed the title Fix/disable imd sv1 Fix/disable IMDSv1 Jun 27, 2024
fwilhe
fwilhe reviewed Jun 28, 2024
View reviewed changes
features/base/test/test_metadata_connection.py Outdated
@@ -5,7 +5,9 @@
def test_metadata_connection(client, non_azure, non_ali, non_chroot, non_kvm):
metadata_host = "169.254.169.254"
(exit_code, output, error) = client.execute_command(
f"wget --timeout 5 http://{metadata_host}"
f"wget --timeout 5 \
--header=\"X-aws-ec2-metadata-token: $(curl -sqX PUT 'http://{metadata_host}/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600')\" \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the perspective of readability, i would prefer not to get this token value in a subshell command.
Any reason against splitting this into two? Might make it more readable and more easy to debug in case of failure. Also this can include an assertion on the expected return value of the api/token endpoint.

fwilhe
fwilhe approved these changes Jun 28, 2024
View reviewed changes
Copy link
Member

@fwilhe fwilhe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving, I have limited context on this change. If the comment provided on the subshell is useful, feel free to change this and merge then, otherwise ignore it and just merge.

Akendo added 2 commits June 28, 2024 11:07
@Akendo
Make the code more readable
68692df 
Signed-off-by: Akendo <akendo@akendo.eu>
@Akendo
Remove unnecessary header for the wget request.
5f915a9 
Signed-off-by: Akendo <akendo@akendo.eu>
@Akendo Akendo merged commit ef453bf into main Jun 28, 2024
83 checks passed
@Akendo Akendo deleted the fix/Disable_IMDSv1 branch June 28, 2024 09:15
@fwilhe
Copy link
Member

fwilhe commented Jun 28, 2024

@Akendo Thanks for taking care. Porting it to rel-1312 now, and I've noticed you merged with a merge commit. I'm used to squash merge which makes it easier to cherry pick PRs. This is a thing where github remembers what you did last, I'd ask you to do squash merges in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fwilhe fwilhe fwilhe approved these changes

Assignees
No one assigned
Labels
features test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Akendo @fwilhe