The present version of the EC2 metadata API (IMDSv2) requires a header
with a token to be present in all requests. The token is essentially a
cookie that's not actually a cookie that's obtained with a PUT call that
doesn't put anything. Apparently it's too easy to trick someone into
calling a GET method.
EC2 now supports IMDSv2 everywhere with IMDSv1 being optional, so let's
just use IMDSv2 unconditionally. Also, the presence of a token API can
be used to detect the AWS EC2 cloud.
Conflicts:
- variable alignments
- missing 494819bbbf ("cloud-setup: move common code for get_config()
to base class and improve cancellation"). From it we only needed
the `get_config_data->self` part, but used g_task_get_source_object
instead.
- missing 5fb2f7e717 ("cloud-setup/trivial: rename "response_data"
variable")
https://bugzilla.redhat.com/show_bug.cgi?id=2151986
(cherry picked from commit 8b7e12c2d6)
(cherry picked from commit 429f36cd81)
(cherry picked from commit e3ac982b32)
(cherry picked from commit c5a3e739b1)
(cherry picked from commit ee157ad48b)
(cherry picked from commit ae3ec36462)
(cherry picked from commit 865fe0732e)
(cherry picked from commit d75e307ebc)
We'll need to be able to issue PUT calls.
Conflicts: variable alignments only, missing nmcs-provider-aliyun,
missing commit 494819bbbf ("cloud-setup: move common code for
get_config() to base class and improve cancellation")
(cherry picked from commit cd74d75002)
(cherry picked from commit eff4372045)
(cherry picked from commit aaf66e9174)
(cherry picked from commit 3d94f4fdf9)
(cherry picked from commit 181466c6da)
(cherry picked from commit 7243307bb8)
(cherry picked from commit 1aa88024cb)
(cherry picked from commit 59b5a8fdcb)
We're going to extend those to issue methods other than GET.
Also, "request" would've been too long, "req" looks nicer.
Conflicts: variable alignments, missing trivial commit in,
provider-azure, missing 494819bbbf ("cloud-setup: move common
code for get_config() to base class and improve cancellation")
(cherry picked from commit 85ce088616)
(cherry picked from commit 6e8cfbae32)
(cherry picked from commit 20cd11ee49)
(cherry picked from commit 9ce530fa7a)
(cherry picked from commit d6d161a31d)
(cherry picked from commit 977fc2c8c5)
(cherry picked from commit 89ee76409b)
Run:
./contrib/scripts/nm-code-format.sh -i
./contrib/scripts/nm-code-format.sh -i
Yes, it needs to run twice because the first run doesn't yet produce the
final result.
Signed-off-by: Antonio Cardace <acardace@redhat.com>
Make the error handling similar to the other provider implementations.
- only actually return once all callbacks completed.
- cache the first error and report it.
nm_http_client_poll_get_finish() can only either succeed (returning TRUE
and setting no GError), or failing (returning FALSE and setting GError).
Checking for both is redundant and unnecessary.
The behavior is documented at various places, so this assert is less
to actually assert it, but as making this condition obvious to the
reader of the code.
It's not a severe issue, because the GetConfigMetadataData struct is
larger than GetConfigMetadataMac.
Fixes: 69f048bf0c ('cloud-setup: add tool for automatic IP configuration in cloud')
Most callers would pass FALSE to nm_utils_error_is_cancelled(). That's
not very useful. Split the two functions and have nm_utils_error_is_cancelled()
and nm_utils_error_is_cancelled_is_disposing().
"nm-cloud-setup" can by configured via environment variables. Mark all the
names of such variables with NMCS_ENV_VARIABLE() macro. This allows to grep
for them.
(cherry picked from commit 7b24d6e2dc)
"nm-cloud-setup" is supposed to work without configuration.
However, it (obviously) fetches data from the network you are connected to (which
might be untrusted or controlled by somebody malicious). The tool cannot
protect you against that, also because the meta data services uses HTTP and not
HTTPS. It means, you should run the tool only when it's suitable for your
environment, that is: in the right cloud.
Usually, the user/admin/distributor would know for which cloud the enable the tool.
It's also wasteful to repeatedly probe for the unavailable cloud.
So, instead disable all providers by default and require to opt-in by setting an
environment variable.
This can be conveniently done via `systemctl edit nm-cloud-provider.service` to
set Environment=. Of course, a image can also pre-deploy such am override file.
(cherry picked from commit ff816dec17)
