[ohai][ec2][looks_like_ec2] Do not depend on metadata endpoint #1768

Merged
merged 7 commits into from
Oct 11, 2022


gbatye
Contributor

@gbatye gbatye commented Aug 31, 2022

For environments where full tunnel VPN is used, requiring a connection to the local metadata endpoint causes node['cloud'] = nil. At a minimum node['cloud']['provided'] attribute should be populated even if metadata can not be fetched.

Signed-off-by: Greg Batye gbatye@gmail.com

Related Issue

#1767

Types of changes

  • [ X] Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

For environments where full tunnel VPN is used,  requiring a connection to the local metadata endpoint causes node['cloud'] = nil.  At a minimum node['cloud']['provided'] attribute should be populated even if metadata can not be fetched.
@gbatye gbatye requested review from a team as code owners August 31, 2022 06:14
@gbatye
Contributor Author

gbatye commented Aug 31, 2022

before

C:\Windows> ohai cloud
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/system.rb:185:in `attributes_print': I cannot find an attribute named cloud! (ArgumentError)
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/application.rb:151:in `block in run_application'
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/application.rb:150:in `each'
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/application.rb:150:in `run_application'
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/application.rb:92:in `block in run'
        from C:/opscode/chef/embedded/lib/ruby/3.0.0/benchmark.rb:308:in `realtime'
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai/application.rb:90:in `run'
        from C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/bin/ohai:25:in `<top (required)>'
        from C:/opscode/chef/bin/ohai:173:in `load'
        from C:/opscode/chef/bin/ohai:173:in `<main>'

after

C:\Windows> ohai cloud
{
 "provider": "ec2"
}

@gbatye gbatye changed the title [ohai][ec2][looks_like_ec2] Do not depend metadata endpoint [ohai][ec2][looks_like_ec2] Do not depend on metadata endpoint Aug 31, 2022
@nishchintraina nishchintraina left a comment

This looks dangerous; the EC2 metadata service is a pretty standard service and should always be available to any process running on the local network to pull important metadata from.

Collaborator

@jaymzh jaymzh left a comment

After discussion in the PR review meeting, we believe this is a Good Change(TM). Here's the rationale:

  1. All the other tests are REALLY GOOD indicators that we're on EC2, checking if the MD endpoint is not necessary
  2. What if I configure my, say, IP space based on is-EC2, then that metadata endpoint goes down and I reconfigure all my VMs into the wrong IP space?
  3. There are options in EC2 to not allow your VMs to talk to the MD endpoint because it can be sensitive

So the change seems good, but tests will fail now, so please update the tests accordingly.
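
The rationale above, as an added Ruby sketch that is not ohai's code or part of this PR: provider detection from local indicators only, contrasted with detection that is also gated on reaching the metadata endpoint. `LocalFacts`, `local_ec2_indicators?`, both `cloud_*` functions, the `metadata_error` key and the sample hosts are hypothetical and constructed for illustration.

```ruby
# Added illustration; not ohai's code. All names and sample values are hypothetical.

# Constructed local indicators; a real collector would read these from DMI / the hypervisor.
LocalFacts = Struct.new(:hint, :bios_vendor, :hypervisor_uuid, keyword_init: true)

# Detection from local indicators only: no network I/O, so a full-tunnel VPN or a
# disabled metadata service cannot change the answer.
def local_ec2_indicators?(facts)
  return true if facts.hint
  return true if facts.bios_vendor.to_s.match?(/amazon/i)

  facts.hypervisor_uuid.to_s.downcase.start_with?("ec2")
end

# "Before" shape: detection is also gated on reaching the metadata endpoint.
def cloud_gated(facts, endpoint_reachable)
  return nil unless local_ec2_indicators?(facts) && endpoint_reachable

  { "provider" => "ec2" }
end

# "After" shape: provider comes from local indicators; metadata is best-effort.
# fetch_metadata is any callable that returns a Hash or raises on failure.
def cloud_decoupled(facts, fetch_metadata)
  return nil unless local_ec2_indicators?(facts)

  cloud = { "provider" => "ec2" }
  begin
    cloud["metadata"] = fetch_metadata.call
  rescue StandardError => e
    cloud["metadata_error"] = e.class.name # record the failure, keep the attribute
  end
  cloud
end

# Constructed sample hosts and metadata clients.
EC2_HOST    = LocalFacts.new(hint: false, bios_vendor: "Amazon EC2", hypervisor_uuid: nil)
OTHER_HOST  = LocalFacts.new(hint: false, bios_vendor: "ExampleVendor", hypervisor_uuid: "4c4c4544")
REACHABLE   = -> { { "instance-id" => "i-EXAMPLE" } }
UNREACHABLE = -> { raise Errno::EHOSTUNREACH }

if __FILE__ == $PROGRAM_NAME
  p cloud_gated(EC2_HOST, false)           # attribute missing when the endpoint is blocked
  p cloud_decoupled(EC2_HOST, UNREACHABLE) # provider still populated
  p cloud_decoupled(EC2_HOST, REACHABLE)
  p cloud_decoupled(OTHER_HOST, REACHABLE) # non-EC2 host is never labelled EC2
end
```
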

@gbatye
Contributor Author

gbatye commented Sep 9, 2022

@jaymzh I believe the current tests cover this code change: https://github.com/chef/ohai/blob/main/spec/unit/plugins/ec2_spec.rb#L316

All unit tests pass locally

Finished in 14.45 seconds (files took 1.27 seconds to load)
2155 examples, 0 failures, 1 pending

Running RuboCop...
Inspecting 323 files
...................................................................................................................................................................................................................................................................................................................................

323 files inspected, no offenses detected

@marcparadise
Member

marcparadise commented Sep 20, 2022

Thanks @gbatye, this looks good. If you can update it to correct the lint failure, we'll get it merged.

@jaymzh jaymzh self-requested a review September 20, 2022 19:58
Collaborator

@jaymzh jaymzh left a comment

Lint updates requested above.

@kcbraunschweig
Contributor

For the record it looks like the socket test was added in:
60dd6c8

Always try the quick to timeout socket "can_connect_metadata?" method if we think we're on EC2. We're often wrong

Not a lot of detail as to why the other tests were often wrong and this is a while ago so kinda hard to prove conclusively if this is more reliable now without the socket test.

Contributor

@kcbraunschweig kcbraunschweig left a comment

when you remove can_socket_connect? I think you can remove lines 31 and 34 referring to http_helper

Attempt chef#2 to fix linters
Collaborator

@jaymzh jaymzh left a comment

@kcbraunschweig's request to remove the unneeded requires makes sense, can we do that before we merge?

Also, we're missing DCO on some of your commits.

@jaymzh jaymzh added the Status: Waiting on Contributor A pull request that has unresolved requested actions from the author. label Oct 4, 2022
per kcbraunschweig suggestion

Signed-off-by: Greg Batye <gbatye@gmail.com>
Contributor Author

@gbatye gbatye left a comment

Signed-off-by: Greg Batye gbatye@gmail.com

@gbatye
Contributor Author

gbatye commented Oct 10, 2022

@jaymzh, any pointers on how to update DCO for all the commits?

Attempt chef#2 to fix linters

Signed-off-by: Greg Batye <gbatye@gmail.com>
@sonarcloud

sonarcloud bot commented Oct 10, 2022

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
20.9% Duplication

@tpowell-progress tpowell-progress merged commit d3c4775 into chef:main Oct 11, 2022
@jaymzh jaymzh mentioned this pull request Jan 24, 2023

6 participants