Cannot get EC2 user data after enabled IMDSv2 #498

vincentwenatsa · 2023-12-20T16:54:17Z

Dec 19 15:38:09 ip-172-19-20-73 scylla_post_start.py[3760]: 2023-12-19 15:38:09,968 - [user_data] - WARNING - Error getting user data: HTTP Error 401: Unauthorized. Will use defaults!

Dec 19 15:38:09 ip-172-19-20-73 scylla_post_start.py[3760]: Error getting user data: HTTP Error 401: Unauthorized. Will use defaults!

the scylla_post_start.py script failed to fetch user data after enabled IMDSv2. It needs to fetch a IMDSv2 token https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

The text was updated successfully, but these errors were encountered:

fruch · 2023-12-20T17:06:20Z

it was introduced a year ago in:
b1c8990

which version of scylla AMI you are using ?

vincentwenatsa · 2023-12-20T17:26:38Z

5.2.10 @fruch

vincentwenatsa · 2023-12-20T17:58:07Z

Will it be backport to any 5.2 version?

marqueurs404 · 2023-12-21T03:29:00Z

I am encountering this on 5.4.0 scylla AMI as well, on both the scylla_post_start and scylla-image-setup services

marqueurs404 · 2023-12-21T03:53:48Z

I presume it's because the fetched token wasn't used in

scylla-machine-image/lib/scylla_cloud.py

Line 819 in 26b93d5

base_contents = curl(self.META_DATA_BASE_URL).splitlines()

and

scylla-machine-image/lib/scylla_cloud.py

Line 821 in 26b93d5

return curl(self.META_DATA_BASE_URL + 'user-data')

This bug was likely only noticed recently as EC2 defaults to IMDSv2-only since November 2023 https://aws.amazon.com/blogs/aws/amazon-ec2-instance-metadata-service-imdsv2-by-default/

fruch · 2023-12-21T05:42:07Z

@syuu1228

We should consider setting the v2 usage in the AMI once this issue is fixed

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html

fruch · 2023-12-21T05:43:50Z

@marqueurs404

Thanks for spotting it out, seems you are correct, and some calls were missed

mykaul · 2023-12-21T07:41:31Z

scylladb/seastar#1051
scylladb/scylla-manager#3244

(and we have some others, that are not completely IMDSv2 friendly)

fruch · 2023-12-21T08:27:26Z

scylladb/seastar#1051 scylladb/scylla-manager#3244

(and we have some others, that are not completely IMDSv2 friendly)

exactly why I've suggested enabling in the AMI, to flush all those out.

vincentwenatsa · 2024-01-16T00:28:45Z

Will this issue get fixed any time soon?

yaronkaikov · 2024-01-30T19:33:24Z

@syuu1228 ping

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Fixes scylladb#498

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Also, while testing this code, scylla_configure.py causes "binascii.Error: Incorrect padding" on base64.b64decode(post_configuration_script). It seems because running b64decode() on already decoded string, so dropped the line and just use post_configuration_script directly. Fixes scylladb#498

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Fixes scylladb#498

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Fixes #498

yaronkaikov · 2024-02-06T18:56:01Z

@vincentwenatsa once this fix is promoted. we will backport to 5.4 and 5.2, it will be part of next release

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Fixes #498 (cherry picked from commit 6e92623)

On scylladb#498, status of scylla-image-post-start.service is NOT "failed" even the script causing error, because scylla_post_start.py catches all exceptions and just logging it, so the script finishes without error. To getting notify users the script failed operation during running, we should sys.exit(1) when the exception catched. fixes scylladb#505

On scylladb#498, status of scylla-image-post-start.service is NOT "failed" even the script causing error, because scylla_post_start.py catches all exceptions and just logging it, so the script finishes without error. To getting notify users the script failed operation during running, we should sys.exit(1) when the exception catched. fixes scylladb#505 Signed-off-by: Takuya ASADA <[email protected]>

On #498, status of scylla-image-post-start.service is NOT "failed" even the script causing error, because scylla_post_start.py catches all exceptions and just logging it, so the script finishes without error. To getting notify users the script failed operation during running, we should sys.exit(1) when the exception catched. fixes #505

perftune's __check_host_type method uses IMDSv1 for retrieving instance metadata. It turns out that - as described in scylladb/scylladb#10490 - Ec2 instances may have only IMDSv2 HTTP calls allowed. When requests to IMDSv1 fail, calling is_aws_i3_non_metal_instance() will evaluate to False, which means that i3.nonmetal instance types will get tuned as if they weren't i3 instances. To fix the problem, import IMDSv2 implementation from scylla-machine-image. Fixes scylladb#1051 related scylladb/scylla-machine-image#498 related scylladb/scylladb#10490

fruch assigned yaronkaikov Dec 20, 2023

yaronkaikov assigned syuu1228 and unassigned yaronkaikov Dec 20, 2023

yaronkaikov added the P2 label Dec 21, 2023

syuu1228 mentioned this issue Feb 5, 2024

scylla_post_start.py and scylla_configure.py should not exit with 0 when HTTP Error occurs #505

Closed

syuu1228 mentioned this issue Feb 6, 2024

aws_instance: fix broken user_data() #507

Merged

yaronkaikov pushed a commit that referenced this issue Feb 6, 2024

aws_instance: fix broken user_data()

6e92623

user_data() is mistakenly unsupported IMDSv2, since it's not using __instance_metadata(). Fixed the code to use __instance_metadata(). Fixes #498

yaronkaikov closed this as completed in #507 Feb 6, 2024

syuu1228 mentioned this issue Mar 18, 2024

exit with 1 when Exception catched and raise exception when HTTP error code is client error #511

Merged

syuu1228 mentioned this issue Nov 27, 2024

scripts/perftune.py: Implement AWS IMDSv2 call scylladb/seastar#2560

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cannot get EC2 user data after enabled IMDSv2 #498

Cannot get EC2 user data after enabled IMDSv2 #498

vincentwenatsa commented Dec 20, 2023 •

edited

Loading

fruch commented Dec 20, 2023

vincentwenatsa commented Dec 20, 2023

vincentwenatsa commented Dec 20, 2023

marqueurs404 commented Dec 21, 2023 •

edited

Loading

marqueurs404 commented Dec 21, 2023 •

edited

Loading

fruch commented Dec 21, 2023

fruch commented Dec 21, 2023

mykaul commented Dec 21, 2023

fruch commented Dec 21, 2023

vincentwenatsa commented Jan 16, 2024

yaronkaikov commented Jan 30, 2024

yaronkaikov commented Feb 6, 2024

Cannot get EC2 user data after enabled IMDSv2 #498

Cannot get EC2 user data after enabled IMDSv2 #498

Comments

vincentwenatsa commented Dec 20, 2023 • edited Loading

fruch commented Dec 20, 2023

vincentwenatsa commented Dec 20, 2023

vincentwenatsa commented Dec 20, 2023

marqueurs404 commented Dec 21, 2023 • edited Loading

marqueurs404 commented Dec 21, 2023 • edited Loading

fruch commented Dec 21, 2023

fruch commented Dec 21, 2023

mykaul commented Dec 21, 2023

fruch commented Dec 21, 2023

vincentwenatsa commented Jan 16, 2024

yaronkaikov commented Jan 30, 2024

yaronkaikov commented Feb 6, 2024

vincentwenatsa commented Dec 20, 2023 •

edited

Loading

marqueurs404 commented Dec 21, 2023 •

edited

Loading

marqueurs404 commented Dec 21, 2023 •

edited

Loading