packages/nixos: add IMDS setup script #988
Conversation
692bfe7 to 86784fe
86784fe to f48bf81
packages/nixos/azure.nix (Outdated)
# TODO: Find out why just ordering this after network-online.target
# isn't sufficient. (Errors with saying that the network is unreachable)
Do you know what step produces these errors? One dependency that's not declared is the podns existence.
Would make sense, since iirc, this fails
If the netns exists but routing is not set up yet, that would explain it.
Verifying that hypothesis right now.
Still fails at the very same line. Ordering is correct though:
...
195ms setup-nat-for-imds.service
193ms systemd-udevd.service
190ms systemd-oomd.service
154ms [email protected]
...
setup-nat should go after netns, is that actually what your snippet shows?
Actually, having the podns is not enough, it also needs routes set up, which might only happen in the agent-protocol-forwarder.
Good point, it doesn't! systemd-analyze blame does not order by execution but by time the unit took to execute. However, the ordering still seems to be correct. [email protected] executes (exits) 10s before setup-nat-for-imds.service starts.
As stated above, this requires route setup.
Can you elaborate? This works as-is. I don't know what I should change.
f48bf81 to e96d1cb
We should add an e2e test step to check imds functionality before merging this.
0ad96aa to 63cabf1
packages/nixos/azure.nix (Outdated)
# TODO: Find out why just ordering this after network-online.target
# isn't sufficient. (Errors with saying that the network is unreachable)
As stated above, this requires route setup.
63cabf1 to 130137e
Azure needs special care for enabling IMDS within Peerpods. This adds a script to setup IMDS through Proxy ARP (from Peerpods upstream, see https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh), so that all requests to the IMDS from within the pod are routed through an interface that is peered to the Pod VM. Verified to work in 2 distinct Azure peer pods.
This adds a verification of IMDS functionality to the peer-pods smoke test.
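An IMDS verification of the kind the smoke test step is meant to perform, as an added example (not code from this PR, from Contrast, or from the cloud-api-adaptor script it references). It assumes Azure's standard IMDS endpoint and the `Metadata: true` header that Azure requires; the `fetch` parameter is a hypothetical injection point so the check can be exercised offline against constructed responses, and it separates the "network is unreachable" failure seen in the thread (no route to the link-local address yet) from a timeout or an unexpected reply.

```python
"""Smoke check for Azure IMDS reachability from inside a pod.

Added example, not code from the PR or the upstream cloud-api-adaptor
script. Assumes the standard Azure IMDS endpoint (169.254.169.254) and
the `Metadata: true` request header. The `fetch` argument is a
hypothetical injection point used to exercise the check offline.
"""
import json
import socket
import urllib.error
import urllib.request
from typing import Callable

IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
IMDS_HEADERS = {"Metadata": "true"}


def http_fetch(url: str, headers: dict, timeout: float) -> bytes:
    """Default fetcher: a plain GET with the IMDS header and a short timeout.

    Proxies are deliberately disabled: IMDS must be reached directly over
    the link-local route, never through a configured HTTP proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()


def check_imds(fetch: Callable[[str, dict, float], bytes] = http_fetch,
               timeout: float = 3.0) -> dict:
    """Return {"ok": bool, "reason": str, "vm_id": str | None}.

    Failure modes are kept apart so a test log shows *why* IMDS failed:
    no route yet ("Network is unreachable"), a timeout, or a reply that is
    not the expected IMDS JSON (e.g. a captive proxy answering instead)."""
    try:
        body = fetch(IMDS_URL, IMDS_HEADERS, timeout)
    except urllib.error.URLError as e:          # DNS/route/connect errors
        return {"ok": False, "reason": f"unreachable: {e.reason}", "vm_id": None}
    except (OSError, socket.timeout) as e:      # raw socket errors, timeouts
        return {"ok": False, "reason": f"unreachable: {e}", "vm_id": None}
    try:
        doc = json.loads(body)
        vm_id = doc["compute"]["vmId"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "reason": "unexpected response body", "vm_id": None}
    return {"ok": True, "reason": "imds reachable", "vm_id": vm_id}


# Constructed sample responses (not real IMDS data) for offline exercise.
SAMPLE_OK = json.dumps({"compute": {
    "vmId": "00000000-0000-0000-0000-000000000000",
    "location": "westeurope"}}).encode()


def fake_fetch_ok(url, headers, timeout):
    """Behaves like a reachable IMDS that checks for the Metadata header."""
    assert headers.get("Metadata") == "true"
    return SAMPLE_OK


def fake_fetch_unreachable(url, headers, timeout):
    """Simulates the error seen before the route to IMDS exists."""
    raise OSError(101, "Network is unreachable")


def fake_fetch_garbage(url, headers, timeout):
    """Simulates something other than IMDS answering on the address."""
    return b"<html>not imds</html>"


if __name__ == "__main__":
    result = check_imds()
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

Run without arguments inside the pod, the script exits non-zero on any failure, which is what an e2e step needs; the `reason` field tells the ordering problem discussed above (no route yet) apart from a wrong or proxied answer.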
130137e to b6abc8d
Azure needs special care for enabling IMDS within Peerpods. This adds a script to setup IMDS through Proxy ARP (from Peerpods upstream, see https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh), so that all requests to the IMDS from within the pod are routed through an interface that is peered to the Pod VM. Verified to work in 2 distinct Azure peer pods.
It also makes a simplification by excluding basic.target in the wantedBy list of the Azure readiness report, as it's already contained in the default dependencies.