diff options
author | Jack Kelly <jack@jackkelly.name> | 2020-11-21 11:44:25 +1000 |
---|---|---|
committer | Jack Kelly <jack@jackkelly.name> | 2020-11-22 11:04:46 +1000 |
commit | 43bfd7e5b1a70fe4be9b9c077eccb15fd50f6edc (patch) | |
tree | 1a0f0824cabb78f26278e18f541fadf55dbed3d0 /nixos | |
parent | 8c39655de3f0ae5adbbfb3b9c5be412c4c3801d6 (diff) |
{ec2,openstack}-metadata-fetcher: unconditionally fetch metadata
The metadata fetcher scripts run each time an instance starts, and it is not safe to assume that responses from the instance metadata service (IMDS) will be as they were on first boot. Example: an EC2 instance can have its user data changed while the instance is stopped. When the instance is restarted, we want to see the new user data applied.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/virtualisation/ec2-metadata-fetcher.nix | 24 | ||||
-rw-r--r-- | nixos/modules/virtualisation/openstack-metadata-fetcher.nix | 24 |
2 files changed, 18 insertions, 30 deletions
diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix index 0b110d375a411..dca5c2abd4e0c 100644 --- a/nixos/modules/virtualisation/ec2-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/ec2-metadata-fetcher.nix @@ -8,9 +8,14 @@ # Make sure that every package you depend on here is already listed as # a channel blocker for both the full-sized and small channels. # Otherwise, we risk breaking user deploys in released channels. +# +# Also note: OpenStack's metadata service for its instances aims to be +# compatible with the EC2 IMDS. Where possible, try to keep the set of +# fetched metadata in sync with ./openstack-metadata-fetcher.nix . '' metaDir=${targetRoot}etc/ec2-metadata mkdir -m 0755 -p "$metaDir" + rm -f "$metaDir/*" get_imds_token() { # retry-delay of 1 selected to give the system a second to get going, @@ -65,19 +70,8 @@ wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@"; } - if ! [ -e "$metaDir/ami-manifest-path" ]; then - wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - fi - - if ! [ -e "$metaDir/user-data" ]; then - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" - fi - - if ! [ -e "$metaDir/hostname" ]; then - wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname - fi - - if ! [ -e "$metaDir/public-keys-0-openssh-key" ]; then - wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key - fi + wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path + wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname + wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix index 2aff8ccd2c26f..8c191397cf9a5 100644 --- a/nixos/modules/virtualisation/openstack-metadata-fetcher.nix +++ b/nixos/modules/virtualisation/openstack-metadata-fetcher.nix @@ -1,7 +1,12 @@ { targetRoot, wgetExtraOptions }: + +# OpenStack's metadata service aims to be EC2-compatible. Where +# possible, try to keep the set of fetched metadata in sync with +# ./ec2-metadata-fetcher.nix . '' metaDir=${targetRoot}etc/ec2-metadata mkdir -m 0755 -p "$metaDir" + rm -f "$metaDir/*" echo "getting instance metadata..." @@ -9,19 +14,8 @@ wget ${wgetExtraOptions} "$@" } - if ! [ -e "$metaDir/ami-manifest-path" ]; then - wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - fi - - if ! [ -e "$metaDir/user-data" ]; then - wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" - fi - - if ! [ -e "$metaDir/hostname" ]; then - wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname - fi - - if ! [ -e "$metaDir/public-keys-0-openssh-key" ]; then - wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key - fi + wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path + wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname + wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' |