Enable IMDSv2 in AWS Windows stemcell #29
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When the bosh-linux-stemcell-builder was updated to add IMDSv2 support to AWS Linux stemcells in commit 86bb00e0b64ea7ece71ed2775358fbab99cef033 (see: <cloudfoundry/bosh-linux-stemcell-builder@86bb00e>), stembuild was not updated with the corresponding change. This commit makes that change. It looks like without this change, Bosh Agents running in Windows on IMDSv2-only VMs will be unable to talk to the AWS Metadata Server, and will be unable to start. JIRA ticket BOSHWIN-43 was opened with a customer complaining of this very problem. Commentary from the bosh-linux-stemcell-builder commit mentioned above follows: - TokenPath must be set in `agent.json` in order for the bosh-agent to load metadata using the IMDSv2 protocol. - This commit adds that field. It will be ignored unless the agent has been updated to expect it. [#180052419] [TAS-94] Convert the Agent on AWS to use IMDSv2
|
Do note that I didn't have a pair when working on this, so I'd appreciate some thorough review. I didn't notice any tests that tested the contents of |
jpalermo
approved these changes
Apr 4, 2024
There was a problem hiding this comment.
Even though stembuild doesn't currently support building aws stemcells, these files are kept in sync with the psmodules copy, so this is a copy of cloudfoundry/bosh-psmodules#1
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When the bosh-linux-stemcell-builder was updated to add IMDSv2 support to AWS Linux stemcells in commit
86bb00e0b64ea7ece71ed2775358fbab99cef033 (see:
cloudfoundry/bosh-linux-stemcell-builder@86bb00e), stembuild was not updated with the corresponding change.
This commit makes that change. It looks like without this change, Bosh Agents running in Windows on IMDSv2-only VMs will be unable to talk to the AWS Metadata Server, and will be unable to start. JIRA ticket BOSHWIN-43 was opened with a customer complaining of this very problem.
Commentary from the bosh-linux-stemcell-builder commit mentioned above follows:
agent.jsonin order for the bosh-agent to load metadata using the IMDSv2 protocol.[#180052419] [TAS-94] Convert the Agent on AWS to use IMDSv2