Commit aed1f8d5 authored by Yuan Gao's avatar Yuan Gao

Use IMDSv1 by default, and use IMDSv2 where required

parent cf26fbd3
......@@ -6,6 +6,12 @@ executors:
type: string
docker:
- image: << parameters.image >>
linux:
parameters:
image:
type: string
docker:
- image: << parameters.image >>
commands:
runtest:
steps:
......@@ -23,6 +29,52 @@ commands:
command: |
source ~/efs-utils-virtualenv/bin/activate
make test
build-deb:
steps:
- checkout
- run:
name: Repo update
command: |
apt-get update
- run:
name: Install dependencies
command: |
apt-get -y install binutils
- run:
name: Build DEB
command: |
./build-deb.sh
- run:
name: Install package
command: |
apt-get -y install ./build/amazon-efs-utils*deb
- run:
name: Check installed successfully
command: |
mount.efs --version
build-rpm:
steps:
- checkout
- run:
name: Install dependencies
command: |
yum -y install rpm-build make
- run:
name: Build RPM
command: |
make rpm
- run:
name: Install package
command: |
yum -y install build/amazon-efs-utils*rpm
- run:
name: Check installed successfully
command: |
mount.efs --version
- run:
name: Check changelog
command: |
rpm -q --changelog amazon-efs-utils
jobs:
test:
parameters:
......@@ -33,6 +85,24 @@ jobs:
image: << parameters.image >>
steps:
- runtest
build-deb-package:
parameters:
image:
type: string
executor:
name: linux
image: << parameters.image >>
steps:
- build-deb
build-rpm-package:
parameters:
image:
type: string
executor:
name: linux
image: << parameters.image >>
steps:
- build-rpm
workflows:
workflow:
jobs:
......@@ -53,4 +123,34 @@ workflows:
image: circleci/python:3.4.9
- test:
name: python27
image: circleci/python:2.7.13
\ No newline at end of file
image: circleci/python:2.7.13
- build-deb-package:
name: ubuntu16
image: ubuntu:16.04
- build-deb-package:
name: ubuntu18
image: ubuntu:18.04
- build-deb-package:
name: debian9
image: debian:9
- build-rpm-package:
name: centos7
image: centos:centos7
- build-rpm-package:
name: amazon-linux-2
image: amazonlinux:2
- build-rpm-package:
name: amazon-linux
image: amazonlinux:1
- build-rpm-package:
name: fedora30
image: fedora:30
- build-rpm-package:
name: fedora31
image: fedora:31
- build-rpm-package:
name: fedora32
image: fedora:32
- build-rpm-package:
name: fedora33
image: fedora:33
\ No newline at end of file
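Review bot: The new `build-deb-package` and `build-rpm-package` workflow entries pull their base images by mutable tag (`ubuntu:16.04`, `centos:centos7`, `amazonlinux:2`, `fedora:33` and the rest), so the result of a run depends on whatever the registry serves for that tag on the day. If these jobs are meant to gate a release, pinning by digest, e.g. `image: ubuntu:16.04@sha256:<digest>` (placeholder), and refreshing the digest deliberately would make a failure attributable to the change under test. If following the current distro image is the intent, a one-line comment above the list saying so would be enough.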
......@@ -8,4 +8,4 @@
[global]
version=1.24
release=2
release=3
......@@ -120,6 +120,9 @@ fi
%clean
%changelog
* Fri Mar 27 2020 Yuan Gao <ygaochn@amazon.com> - 1.24-3
- Use IMDSv1 by default, and use IMDSv2 where required
* Tue Mar 10 2020 Yuan Gao <ygaochn@amazon.com> - 1.24-2
- List which as dependency
......@@ -127,7 +130,7 @@ fi
- Enable efs-utils to source region from config file for sigv4 auth
- Fix the issue that stunnel bin exec cannot be found in certain linux distributions
* Tue Mar 02 2020 Yuan Gao <ygaochn@amazon.com> - 1.23-2
* Tue Mar 03 2020 Yuan Gao <ygaochn@amazon.com> - 1.23-2
- Support new option: netns, enable file system to mount in given network namespace
- Support new option: awscredsuri, enable sourcing iam authorization from aws credentials relative uri
- List openssl and util-linux as package dependency for IAM/AP authorization and command nsenter to mount file system to given network namespace
......@@ -240,14 +240,20 @@ def get_target_region(config):
def get_region_from_instance_metadata():
err_msg = None
try:
token = get_aws_ec2_metadata_token()
headers = {}
if token:
headers = {'X-aws-ec2-metadata-token': token}
instance_identity = get_aws_ec2_metadata(headers)
return instance_identity['region']
except (HTTPError, URLError) as e:
err_msg = 'Unable to reach instance metadata service at %s: status=%d' % (INSTANCE_METADATA_SERVICE_URL, e.code)
except HTTPError as e:
# 401:Unauthorized, the GET request uses an invalid token, so generate a new one
if e.code == 401:
token = get_aws_ec2_metadata_token()
headers = {'X-aws-ec2-metadata-token': token}
instance_identity = get_aws_ec2_metadata(headers)
return instance_identity['region']
err_msg = 'Unable to reach instance metadata service at %s: status=%d, reason is %s' \
% (INSTANCE_METADATA_SERVICE_URL, e.code, e.reason)
except URLError as e:
err_msg = 'Unable to reach instance metadata service at %s, reason is %s' % (INSTANCE_METADATA_SERVICE_URL, e.reason)
except ValueError as e:
err_msg = 'Error parsing json: %s' % (e,)
except KeyError as e:
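Review bot: The IMDSv2 retry under `if e.code == 401:` runs inside the `except HTTPError` handler, so an HTTPError or URLError raised by `get_aws_ec2_metadata_token()` or by the second `get_aws_ec2_metadata(headers)` call is not caught by the sibling `except` clauses and would propagate to the caller instead of setting `err_msg`. The same applies to a ValueError or KeyError from the retried response. Nesting the first attempt in its own `try` and re-raising anything other than 401 keeps every failure on the existing error path, as sketched below. The tests on this page mock the token helper with `return_value=None`, so it can apparently return None; in that case it is worth checking that the retry does not send a `None` header value. The function continues past the end of this hunk, so the remaining handlers are not visible here.

```python
def get_region_from_instance_metadata():
    err_msg = None
    try:
        try:
            # IMDSv1 first: plain GET without a session token
            instance_identity = get_aws_ec2_metadata({})
        except HTTPError as e:
            # 401: the endpoint requires a session token (IMDSv2); retry once with one
            if e.code != 401:
                raise
            token = get_aws_ec2_metadata_token()
            instance_identity = get_aws_ec2_metadata({'X-aws-ec2-metadata-token': token})
        return instance_identity['region']
    except HTTPError as e:
        # … unchanged: err_msg with status and reason …
    # … unchanged: URLError / ValueError / KeyError handlers …
```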
......
......@@ -11,6 +11,8 @@ import json
import pytest
from .. import utils
try:
import ConfigParser
except ImportError:
......@@ -96,6 +98,21 @@ def test_get_target_region_without_token(mocker):
assert 'us-east-1' == get_target_region_helper()
def test_get_target_region_metadata_endpoint_unauthorized(mocker):
mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value='ABCDEFG==')
mocker.patch('mount_efs.urlopen', side_effect=[HTTPError('url', 401, 'Unauthorized', None, None), MockUrlLibResponse()])
assert 'us-east-1' == get_target_region_helper()
# Reproduce https://github.com/aws/efs-utils/issues/46
def test_get_target_region_token_endpoint_not_allowed(mocker):
get_aws_ec2_metadata_token_mock = mocker.patch('mount_efs.get_aws_ec2_metadata_token',
side_effect=HTTPError('url', 405, 'Not allowed', None, None))
mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse())
assert 'us-east-1' == get_target_region_helper()
utils.assert_not_called(get_aws_ec2_metadata_token_mock)
def test_get_target_region_py3_no_charset(mocker):
mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value=None)
mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse(data=bytearray(INSTANCE_DOCUMENT, 'us-ascii')))
......@@ -128,6 +145,7 @@ def test_get_target_region_config_metadata_unavailable(mocker, capsys):
out, err = capsys.readouterr()
assert 'Error retrieving region' in err
def _test_get_target_region_error(mocker, capsys, response=None, error=None):
mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value=None)
if (response and error) or (not response and not error):
......@@ -145,6 +163,7 @@ def _test_get_target_region_error(mocker, capsys, response=None, error=None):
out, err = capsys.readouterr()
assert 'Error retrieving region' in err
def test_get_target_region_bad_response(mocker, capsys):
_test_get_target_region_error(mocker, capsys, error=HTTPError('url', 400, 'Bad Request Error', None, None))
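Review bot: `test_get_target_region_metadata_endpoint_unauthorized` asserts only the returned region, so it would still pass if the retry after the 401 left out the session token. Keep the return values of both `mocker.patch` calls and assert that the token mock's `call_count == 1` and that `urlopen` was called twice. How the request object is built is outside this page, so the exact assertion on the `X-aws-ec2-metadata-token` header of the second call depends on `get_aws_ec2_metadata`. There is also no case where the retry itself fails (the token helper raising, or a second error response), which is the path where the new error handling is least obvious.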
......