
Merge pull request #104456 from endgame/refresh-instance-metadata-on-boot

Refresh instance metadata on boot
Graham Christensen 2020-11-22 08:23:14 -05:00 committed by GitHub
commit 1ee1134cb1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 29 deletions


@ -211,6 +211,22 @@
and <literal>slaptest</literal> is buggy with schemas directly in the config file. and <literal>slaptest</literal> is buggy with schemas directly in the config file.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance
metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and
restarting the instance will now cause it to fetch and apply the new user data.
</para>
<warning>
<para>
Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read
from this directory are guarded to only run if the files they want to manipulate do not already exist, and so
will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is
only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from
user data if they do not exist in <literal>/etc/ssh</literal>.
</para>
</warning>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@ -8,9 +8,14 @@
# Make sure that every package you depend on here is already listed as # Make sure that every package you depend on here is already listed as
# a channel blocker for both the full-sized and small channels. # a channel blocker for both the full-sized and small channels.
# Otherwise, we risk breaking user deploys in released channels. # Otherwise, we risk breaking user deploys in released channels.
#
# Also note: OpenStack's metadata service for its instances aims to be
# compatible with the EC2 IMDS. Where possible, try to keep the set of
# fetched metadata in sync with ./openstack-metadata-fetcher.nix .
'' ''
metaDir=${targetRoot}etc/ec2-metadata metaDir=${targetRoot}etc/ec2-metadata
mkdir -m 0755 -p "$metaDir" mkdir -m 0755 -p "$metaDir"
rm -f "$metaDir/*"
get_imds_token() { get_imds_token() {
# retry-delay of 1 selected to give the system a second to get going, # retry-delay of 1 selected to give the system a second to get going,
@ -61,19 +66,12 @@
echo "getting EC2 instance metadata..." echo "getting EC2 instance metadata..."
if ! [ -e "$metaDir/ami-manifest-path" ]; then wget_imds() {
wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@";
fi }
if ! [ -e "$metaDir/user-data" ]; then wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data"
fi wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
if ! [ -e "$metaDir/hostname" ]; then
wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
fi
if ! [ -e "$metaDir/public-keys-0-openssh-key" ]; then
wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
fi
'' ''
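Review bot: The new `rm -f "$metaDir/*"` in the first hunk of this file quotes the wildcard, so the shell passes the literal name `*` to rm and the directory is never cleared; the per-boot cleanup the commit message promises needs the glob outside the quotes, `rm -f -- "${metaDir:?}"/*` (the `:?` is belt-and-braces here, since metaDir always ends in a literal suffix, but it documents that an empty value must never reach the glob). The same line appears in the openstack-metadata-fetcher.nix section. As written, any file left in /etc/ec2-metadata from an earlier boot that is not in the current fetch list survives, so consumers of that directory can act on stale metadata; the four `-O` targets themselves are presumably still rewritten by wget, so the gap is limited to files outside that set. A smaller point of style: `wget_imds` here ends its body with `"$@";`, while the OpenStack copy of the same function has no trailing semicolon; keeping the two in sync matches the comment asking for them to be kept aligned.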


@ -1,23 +1,21 @@
{ targetRoot, wgetExtraOptions }: { targetRoot, wgetExtraOptions }:
# OpenStack's metadata service aims to be EC2-compatible. Where
# possible, try to keep the set of fetched metadata in sync with
# ./ec2-metadata-fetcher.nix .
'' ''
metaDir=${targetRoot}etc/ec2-metadata metaDir=${targetRoot}etc/ec2-metadata
mkdir -m 0755 -p "$metaDir" mkdir -m 0755 -p "$metaDir"
rm -f "$metaDir/*"
echo "getting EC2 instance metadata..." echo "getting instance metadata..."
if ! [ -e "$metaDir/ami-manifest-path" ]; then wget_imds() {
wget ${wgetExtraOptions} -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path wget ${wgetExtraOptions} "$@"
fi }
if ! [ -e "$metaDir/user-data" ]; then wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
wget ${wgetExtraOptions} -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data"
fi wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
if ! [ -e "$metaDir/hostname" ]; then
wget ${wgetExtraOptions} -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
fi
if ! [ -e "$metaDir/public-keys-0-openssh-key" ]; then
wget ${wgetExtraOptions} -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
fi
'' ''