Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ec2-metadata requires IPv4 access to IMDS #27

Open
nmeyerhans opened this issue Apr 10, 2023 · 2 comments
Open

ec2-metadata requires IPv4 access to IMDS #27

nmeyerhans opened this issue Apr 10, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@nmeyerhans
Copy link
Contributor

ec2-metadata currently uses 169.254.169.254 unconditionally. In the case that an instance has disabled its IPv4 stack, it has no access to IMDS, even in environments that do provide a v6 endpoint.
@nmeyerhans nmeyerhans added the enhancement New feature or request label Apr 10, 2023
@guikcd
Copy link
Contributor

guikcd commented May 30, 2024

Surprisingly, I've tested ec2-metadata in an IPv6 only instance and i noticed the IPv4 local stack of my instance was functional to reach IPv4 metadata endpoint with an inet 169.254.X.X address:

$ ip addr show ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:35:0a:8d:18:ed brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname eni-0eccb2cb65c8f7fae
    altname device-number-0
    inet 169.254.49.58/32 metric 512 scope global dynamic ens5
       valid_lft 3142sec preferred_lft 3142sec
    inet6 2a05:d012:900:9c9e:ec7a:xxxx:xxxx:xxx/128 scope global dynamic noprefixroute
       valid_lft 433sec preferred_lft 123sec
    inet6 fe80::435:aff:fe8d:18ed/64 scope link
       valid_lft forever preferred_lft forever

To enable IPv6, I was thinking of the following:

  • Detection of IPv6: I propose to verify that a global address exist on the instance: ip addr | grep --perl-regexp --only-matching "(?<=inet6\s).+(?=scope\sglobal)". No dependency.
  • Try to reach IPv6 metadata endpoint http://[fd00:ec2::254]. The IPv6 endpoint metadata is not enabled by default are requires to be enabled. The instance itself can't verify it (unless having IAM policy to do modify-instance-metadata-options). My first idea was to test reachability of the endpoint with curl --connect-timeout option, but this will introduce some delay in IPv4 only instances. Or we can imagine that people setting IPv6 are aware of this setting and don't check reachability of the endpoint itself, just the global scope presence.

This could be as simple as:

METADATA_BASEURL="http://169.254.169.254"

global_ipv6_addr=$(ip addr | grep --perl-regexp --only-matching "(?<=inet6\s).+(?=scope\sglobal)")
if [ ! -z "${global_ipv6_addr}" ]; then
     METADATA_BASEURL="http://[fd00:ec2::254]"
fi

What do you think?

@retpolanne
Copy link

Unrelated, but quite related, I've opened a PR to allow for overriding the METADATA_BASEURL#39

I needed it for running a mock metadata server, but can be useful for your case. :)

@commiterate commiterate mentioned this issue Sep 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nmeyerhans @guikcd @retpolanne