The distribution is meant to be kept minimal, but I would suggest adding Instance Metadata Service version 2 (IMDSv2) support for ucd-data-fetch.
Motivation
If IMDSv2 cannot be enabled, it causes a critical / high open security recommendation "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)" on AWS. At some point, this may need to be implemented anyway (e.g. if IMDSv1 were deprecated).
Current behavior
When I set the instance metadata option for IMDSv2 from "Optional" to "Required", it seems that the systemd service [email protected] fails with an error:
systemd[1]: Starting [email protected]...
ucd-data-fetch[155]: parse_headers(): Network is unreachable
systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
systemd[1]: [email protected]: Failed with result 'exit-code'.
systemd[1]: Failed to start [email protected].
Suggestion
Support for IMDSv2 could be the default behavior for ucd-data-fetch in the case of AWS. From quick testing, it looks to me like IMDSv1 also works even if the token (from http://169.254.169.254/latest/api/token) is provided with the instance metadata request.
--
Thank you.
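The token flow suggested above, as an added example in C that is not part of the original issue and not ucd-data-fetch's own code: it builds the IMDSv2 token request, extracts the token from the reply, and attaches it to the metadata request. The function names, the sample reply and the `/latest/user-data` path are assumptions for illustration; socket I/O is left out so the block runs offline.

```c
#include <stdio.h>
#include <string.h>

#define IMDS_HOST "169.254.169.254"
/* Constructed sample of a token response; not captured from a real instance. */
static const char SAMPLE_TOKEN_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 23\r\n\r\n"
    "AQAEAconstructedToken==";

/* Step 1: IMDSv2 session tokens are requested with PUT plus a TTL header. */
int imds_token_request(char *out, size_t len, int ttl) {
    if (ttl < 1 || ttl > 21600) /* IMDS accepts a TTL of 1..21600 seconds */
        return -1;
    int n = snprintf(out, len, "PUT /latest/api/token HTTP/1.1\r\nHost: " IMDS_HOST
        "\r\nX-aws-ec2-metadata-token-ttl-seconds: %d\r\nConnection: close\r\n\r\n", ttl);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Step 2: accept only a 200 reply and copy its (unchunked) body as the token. */
int imds_parse_token(const char *resp, char *token, size_t len) {
    int status = 0;
    if (sscanf(resp, "HTTP/%*d.%*d %d", &status) != 1 || status != 200)
        return -1;
    const char *sep = strstr(resp, "\r\n\r\n");
    const char *body = sep ? sep + 4 : "";
    size_t n = strcspn(body, "\r\n");
    if (n == 0 || n >= len)
        return -1;
    memcpy(token, body, n);
    token[n] = '\0';
    return 0;
}

/* Step 3: token goes on every metadata request; CR/LF/space are rejected. */
int imds_metadata_request(char *out, size_t len, const char *path, const char *token) {
    if (path[0] != '/' || strpbrk(path, "\r\n ") || strpbrk(token, "\r\n "))
        return -1;
    int n = snprintf(out, len, "GET %s HTTP/1.1\r\nHost: " IMDS_HOST "\r\n"
        "X-aws-ec2-metadata-token: %s\r\nConnection: close\r\n\r\n", path, token);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void) { /* build the metadata request from the constructed sample */
    char tok[128], req[256];
    if (imds_parse_token(SAMPLE_TOKEN_RESPONSE, tok, sizeof tok) != 0 ||
        imds_metadata_request(req, sizeof req, "/latest/user-data", tok) < 0)
        return 1;
    fputs(req, stdout);
    return 0;
}
```

Sending the token header unconditionally matches the observation in the issue that requests carrying a token are also served when IMDSv2 is set to "Optional".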