<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-cloud-init.git/cloudinit/ec2_utils.py, branch sagitta-public-unmaintained</title>
<subtitle> (mirror of https://github.com/vyos/vyos-cloud-init.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-cloud-init.git/atom?h=sagitta-public-unmaintained</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-cloud-init.git/atom?h=sagitta-public-unmaintained'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/'/>
<updated>2021-12-16T02:16:38+00:00</updated>
<entry>
<title>Adopt Black and isort (SC-700) (#1157)</title>
<updated>2021-12-16T02:16:38+00:00</updated>
<author>
<name>James Falcon</name>
<email>james.falcon@canonical.com</email>
</author>
<published>2021-12-16T02:16:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=bae9b11da9ed7dd0b16fe5adeaf4774b7cc628cf'/>
<id>urn:sha1:bae9b11da9ed7dd0b16fe5adeaf4774b7cc628cf</id>
<content type='text'>
Applied Black and isort, fixed any linting issues, updated tox.ini
and CI.
</content>
</entry>
<entry>
<title>ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)</title>
<updated>2020-02-19T21:01:09+00:00</updated>
<author>
<name>Ryan Harper</name>
<email>ryan.harper@canonical.com</email>
</author>
<published>2020-02-19T21:01:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=87cd040ed8fe7195cbb357ed3bbf53cd2a81436c'/>
<id>urn:sha1:87cd040ed8fe7195cbb357ed3bbf53cd2a81436c</id>
<content type='text'>
Instead of logging the token values used log the headers and replace the actual
values with the string 'REDACTED'.  This allows users to examine cloud-init.log
and see that the IMDSv2 token header is being used but avoids leaving the value
used in the log file itself.

LP: #1863943
</content>
</entry>
<entry>
<title>ec2: Add support for AWS IMDS v2 (session-oriented) (#55)</title>
<updated>2019-11-23T03:05:44+00:00</updated>
<author>
<name>Ryan Harper</name>
<email>ryan.harper@canonical.com</email>
</author>
<published>2019-11-23T03:05:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=4bc399e0cd0b7e9177f948aecd49f6b8323ff30b'/>
<id>urn:sha1:4bc399e0cd0b7e9177f948aecd49f6b8323ff30b</id>
<content type='text'>
* ec2: Add support for AWS IMDS v2 (session-oriented)

AWS now supports a new version of fetching Instance Metadata[1].

Update cloud-init's ec2 utility functions and update ec2 derived
datasources accordingly.  For DataSourceEc2 (versus ec2-look-alikes)
cloud-init will issue the PUT request to obtain an API token for
the maximum lifetime and then all subsequent interactions with the
IMDS will include the token in the header.

If the API token endpoint is unreachable on Ec2 platform, log a
warning and fallback to using IMDS v1 and which does not use
session tokens when communicating with the Instance metadata
service. 

We handle read errors, typically seen if the IMDS is beyond one 
etwork hop (IMDSv2 responses have a ttl=1), by setting the api token
to a disabled value and then using IMDSv1 paths.

To support token-based headers, ec2_utils functions were updated
to support custom headers_cb and exception_cb callback functions
so Ec2 could store, or refresh API tokens in the event of token
becoming stale.

[1] https://docs.aws.amazon.com/AWSEC2/latest/ \
UserGuide/ec2-instance-metadata.html \
#instance-metadata-v2-how-it-works</content>
</entry>
<entry>
<title>read_file_or_url: move to url_helper, fix bug in its FileResponse.</title>
<updated>2018-05-17T20:59:54+00:00</updated>
<author>
<name>Scott Moser</name>
<email>smoser@ubuntu.com</email>
</author>
<published>2018-05-17T20:59:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=30e730f7ca111487d243ba9f40c66df6d7a49953'/>
<id>urn:sha1:30e730f7ca111487d243ba9f40c66df6d7a49953</id>
<content type='text'>
The result of a read_file_or_url on a file and on a url would differ
in behavior.
  str(UrlResponse) would return UrlResponse.contents.decode('utf-8')
while
  str(FileResponse) would return str(FileResponse.contents)

The difference being "b'foo'" versus "foo".

As part of the general goal of cleaning util, move read_file_or_url
into url_helper.
</content>
</entry>
<entry>
<title>ec2: Adjust ec2 datasource after exception_cb change.</title>
<updated>2018-03-23T18:54:10+00:00</updated>
<author>
<name>Scott Moser</name>
<email>smoser@ubuntu.com</email>
</author>
<published>2018-03-23T18:54:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=10065b1e5f0867978bb10472f609aa9238311367'/>
<id>urn:sha1:10065b1e5f0867978bb10472f609aa9238311367</id>
<content type='text'>
The recent change to exception_cb missed this caller.
The result was a slow test.
</content>
</entry>
<entry>
<title>ec2: Use instance-identity doc for region and instance-id</title>
<updated>2017-12-11T23:18:08+00:00</updated>
<author>
<name>Andrew Jorgensen</name>
<email>ajorgens@amazon.com</email>
</author>
<published>2017-11-27T21:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=703241a3c50f2cfec21e7c8e90616c3378ebbea2'/>
<id>urn:sha1:703241a3c50f2cfec21e7c8e90616c3378ebbea2</id>
<content type='text'>
The instance identity document is a better source for region information,
partly because region isn't actually in meta-data at all, only
availability-zone, which happens to be named similarly.

Reviewed-by: Ethan Faust &lt;efaust@amazon.com&gt;
Reviewed-by: Cyle Riggs &lt;cyler@amazon.com&gt;
Reviewed-by: Tom Kirchner &lt;tjk@amazon.com&gt;
Reviewed-by: Matt Nierzwicki &lt;nierzwic@amazon.com&gt;
[ajorgens@amazon.com: rebase onto 0.7.9]
[ajorgens@amazon.com: changes per merge proposal discussions]
</content>
</entry>
<entry>
<title>pylint: fix all logging warnings</title>
<updated>2017-04-21T14:14:47+00:00</updated>
<author>
<name>Joshua Powers</name>
<email>josh.powers@canonical.com</email>
</author>
<published>2017-04-06T18:14:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=5afe4cd0797a12d07ea19b9715b720d47bdea401'/>
<id>urn:sha1:5afe4cd0797a12d07ea19b9715b720d47bdea401</id>
<content type='text'>
This will change all instances of LOG.warn to LOG.warning as warn
is now a deprecated method. It will also make sure any logging
uses lazy logging by passing string format arguments as function
parameters.
</content>
</entry>
<entry>
<title>ec2_utils: fix MetadataLeafDecoder that returned bytes on empty</title>
<updated>2017-02-17T03:04:37+00:00</updated>
<author>
<name>Scott Moser</name>
<email>smoser@brickies.net</email>
</author>
<published>2017-02-17T02:13:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=91be1d189d9348e81a4c4f1f7d5fc255df1ce6d1'/>
<id>urn:sha1:91be1d189d9348e81a4c4f1f7d5fc255df1ce6d1</id>
<content type='text'>
the MetadataLeafDecoder would return a bytes value b'' instead of
an empty string if the value of a key was empty.  In all other cases
the value would be a string.

This was discovered when trying to json.dumps(get_instance_metadata())
on a recent OpenStack, where the value of 'public-ipv4' was empty.
The attempt to dump that with json would raise
 TypeError: b'' is not JSON serializable
</content>
</entry>
<entry>
<title>EC2: Do not cache security credentials on disk</title>
<updated>2017-01-20T18:48:08+00:00</updated>
<author>
<name>Andrew Jorgensen</name>
<email>ajorgens@amazon.com</email>
</author>
<published>2016-11-01T14:54:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=b71592ce0e0a9f9f9f225315015ca57b312ad30d'/>
<id>urn:sha1:b71592ce0e0a9f9f9f225315015ca57b312ad30d</id>
<content type='text'>
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents
a potential vulnerability if a snapshot of the disk is taken and shared as
part of an AMI.

This skips security-credentials when walking the meta-data tree.

LP: #1638312
Reviewed-by: Ian Weller &lt;iweller@amazon.com&gt;
Reviewed-by: Ben Cressey &lt;bcressey@amazon.com&gt;
Reported-by: Kyle Barnes &lt;barnesky@amazon.com&gt;
</content>
</entry>
<entry>
<title>LICENSE: Allow dual licensing GPL-3 or Apache 2.0</title>
<updated>2016-12-22T22:04:28+00:00</updated>
<author>
<name>Jon Grimm</name>
<email>jon.grimm@canonical.com</email>
</author>
<published>2016-11-22T23:09:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=b2a9f33616c806ae6e052520a8589113308f567c'/>
<id>urn:sha1:b2a9f33616c806ae6e052520a8589113308f567c</id>
<content type='text'>
This has been a recurring ask and we had initially just made the change to
the cloud-init 2.0 codebase.  As the current thinking is we'll just
continue to enhance the current codebase, its desirable to relicense to
match what we'd intended as part of the 2.0 plan here.

- put a brief description of license in LICENSE file
- put full license versions in LICENSE-GPLv3 and LICENSE-Apache2.0
- simplify the per-file header to reference LICENSE
- tox: ignore H102 (Apache License Header check)

Add license header to files that ship.
Reformat headers, make sure everything has vi: at end of file.

Non-shipping files do not need the copyright header,
but at the moment tests/ have it.
</content>
</entry>
</feed>
