IMDSv2 in yum (Amazon Linux 2)

0

Hi,

We're trying to track down and eliminate usage of the old instance metadata service (IMDSv1) on our instances so that we can set the metadata options to require HTTP tokens going forward. Using newer AMIs or updating packages like cloud-init takes care of most of it, but there was still one stubborn case coming from yum.

We have installed yum-3.4.3-158.amzn2.0.4.noarch which seems to be the latest available.
In /usr/lib/python2.7/site-packages/yum/yumRepo.py, in function _get_instance_info it is requesting the INSTANCE_IDENTITY_URI without first generating a token and providing the X-aws-ec2-metadata-token header.

Does anyone know if there is an updated version that supports IMDSv2? Or somewhere I could contribute a patch? Or any other workaround?

Thanks!
-cw

asked 4 years ago · 718 views
3 answers
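For reference, the handshake the question describes as missing looks like this. This is an added example and not code from yum or from anyone in the thread: a PUT to the token endpoint with the `X-aws-ec2-metadata-token-ttl-seconds` header, then the identity-document GET carrying `X-aws-ec2-metadata-token`. The `opener` parameter and the `FakeIMDS` class are assumptions of this example so it can run and be checked offline; the instance id and AMI id it returns are constructed values.

```python
"""Added example (not code from yum or from the thread): an IMDSv2-first
fetch of the instance identity document, doing the token handshake that
yumRepo._get_instance_info skipped. The 'opener' parameter and FakeIMDS
are assumptions of this example so it can run and be checked offline."""
import json
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_URI = IMDS_BASE + "/latest/api/token"
INSTANCE_IDENTITY_URI = IMDS_BASE + "/latest/dynamic/instance-identity/document"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 maximum token lifetime (6 hours)


def fetch_token(opener=urllib.request.urlopen, timeout=2):
    """PUT to the token endpoint with a TTL header; returns the session
    token, or None if the endpoint is unreachable or refuses."""
    req = urllib.request.Request(
        TOKEN_URI, method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    try:
        with opener(req, timeout=timeout) as resp:
            return resp.read().decode("ascii").strip()
    except (urllib.error.URLError, OSError):
        return None


def fetch_instance_identity(opener=urllib.request.urlopen, timeout=2,
                            allow_tokenless=False):
    """Return the instance identity document as a dict, or None.
    With allow_tokenless=False (the default) no request is ever sent
    without the X-aws-ec2-metadata-token header, so the call never shows
    up in the MetadataNoToken CloudWatch metric and keeps working once
    HttpTokens=required is set on the instance."""
    headers = {}
    token = fetch_token(opener, timeout)
    if token:
        headers["X-aws-ec2-metadata-token"] = token
    elif not allow_tokenless:
        return None
    req = urllib.request.Request(INSTANCE_IDENTITY_URI, headers=headers)
    try:
        with opener(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (urllib.error.URLError, OSError, ValueError):
        return None


class _Body:
    """Minimal response object: readable and usable as a context manager."""
    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeIMDS:
    """Constructed stand-in for the metadata service (offline only).
    require_token=True behaves like HttpTokens=required; every tokenless
    request is counted, mirroring what MetadataNoToken would record."""
    IDENTITY = {"instanceId": "i-0123456789abcdef0",  # constructed values
                "region": "us-east-1", "imageId": "ami-00000000000000000"}

    def __init__(self, require_token=True):
        self.require_token = require_token
        self.token = "AQAEA-constructed-session-token"
        self.tokenless_requests = 0

    def __call__(self, req, timeout=None):
        if req.get_method() == "PUT" and req.full_url == TOKEN_URI:
            return _Body(self.token.encode("ascii"))
        if req.get_header("X-aws-ec2-metadata-token") == self.token:
            return _Body(json.dumps(self.IDENTITY).encode("utf-8"))
        self.tokenless_requests += 1
        if self.require_token:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        return _Body(json.dumps(self.IDENTITY).encode("utf-8"))


if __name__ == "__main__":
    imds = FakeIMDS(require_token=True)
    doc = fetch_instance_identity(imds)
    print(doc, "tokenless requests:", imds.tokenless_requests)
```

Against a real instance, drop the `opener` argument and `urllib.request.urlopen` talks to 169.254.169.254 directly; the default `allow_tokenless=False` is the setting to keep while MetadataNoToken is being driven to zero, since a client that silently falls back to a tokenless GET is exactly what the metric counts.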
0
Accepted answer

Hi chadawagner, thanks for the report.

Switching your instances to IMDSv2-only will not break yum, since this is an optional code path that has a fallback.

If you want, you can disable this code by setting report_instanceid=no in /etc/yum.repos.d/amzn2-core.repo, which should cause yum to avoid making requests without tokens. We'll work on an update to yum to fix this.

Thanks for using Amazon Linux!

answered 4 years ago
0

Thanks! I won't worry about it then, good to know. I'll turn off the instance reporting so that I can continue to monitor the MetadataNoToken metric in CloudWatch.

answered 4 years ago
0

Hi,
Unfortunately the "report_instanceid=no" setting doesn't seem to be disabling it. I'll go ahead and patch my local yumRepo.py file to disable the tokenless queries.

Edit: oops, I had missed the amzn2-graphics.repo config file on a GPU instance. That ought to do it...

Edited by: chadawagner on Aug 12, 2020 10:05 PM

answered 4 years ago
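The last reply shows the practical pitfall: `report_instanceid` lives in more than one repo file, so editing only amzn2-core.repo leaves amzn2-graphics.repo (or any other repo file carrying the directive) still reporting. The following is an added example, not from the thread or from Amazon Linux, that audits every `.repo` file in a directory for the directive and rewrites it to `no` in place. The sample repo files it creates under a temporary directory are constructed for the demonstration; on a real instance, point it at /etc/yum.repos.d.

```python
"""Added example (not from the thread or from Amazon Linux): audit every
.repo file in a directory for report_instanceid and force it to 'no'.
The sample files written by make_sample_repo_dir() are constructed."""
import glob
import os
import re
import tempfile

# Matches 'report_instanceid = VALUE' with optional whitespace; the groups
# keep the prefix and any trailing comment intact when rewriting.
DIRECTIVE = re.compile(r"^(\s*report_instanceid\s*=\s*)(\S+)(.*)$")


def _repo_files(repo_dir):
    return sorted(glob.glob(os.path.join(repo_dir, "*.repo")))


def audit_repo_dir(repo_dir):
    """Map each .repo file name to the list of report_instanceid values it
    sets (one per [section]); files without the directive are omitted."""
    found = {}
    for path in _repo_files(repo_dir):
        values = []
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                m = DIRECTIVE.match(line.rstrip("\n"))
                if m:
                    values.append(m.group(2).lower())
        if values:
            found[os.path.basename(path)] = values
    return found


def disable_instanceid_reporting(repo_dir):
    """Rewrite every report_instanceid that is not already 'no'; returns
    the names of the files that were changed. Only existing directives are
    touched, so sections that never reported are left alone."""
    changed = []
    for path in _repo_files(repo_dir):
        with open(path, encoding="utf-8") as fh:
            original = fh.read().splitlines()
        rewritten, touched = [], False
        for line in original:
            m = DIRECTIVE.match(line)
            if m and m.group(2).lower() != "no":
                line = "{}no{}".format(m.group(1), m.group(3))
                touched = True
            rewritten.append(line)
        if touched:
            tmp = path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as fh:
                fh.write("\n".join(rewritten) + "\n")
            os.replace(tmp, path)  # atomic swap so yum never sees a half-written file
            changed.append(os.path.basename(path))
    return changed


def make_sample_repo_dir():
    """Create a temporary directory with constructed repo files that mimic
    the layout from the thread: core (two sections), graphics, and one
    repo that already has reporting off."""
    repo_dir = tempfile.mkdtemp(prefix="yum-repos-")
    samples = {
        "amzn2-core.repo": (
            "[amzn2-core]\nname=Amazon Linux 2 core repository\n"
            "report_instanceid=yes\n\n[amzn2-core-source]\n"
            "name=Amazon Linux 2 core repository - source packages\n"
            "report_instanceid=yes  # constructed sample\n"),
        "amzn2-graphics.repo": (
            "[amzn2-graphics]\nname=Amazon Linux 2 graphics repository\n"
            "report_instanceid=yes\n"),
        "amzn2extra-docker.repo": (
            "[amzn2extra-docker]\nname=Amazon Extras repo for docker\n"
            "report_instanceid=no\n"),
    }
    for name, body in samples.items():
        with open(os.path.join(repo_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return repo_dir


if __name__ == "__main__":
    d = make_sample_repo_dir()
    print("before:", audit_repo_dir(d))
    print("changed:", disable_instanceid_reporting(d))
    print("after:", audit_repo_dir(d))
```

Running `audit_repo_dir` again after the rewrite is the check to keep in a configuration baseline: any file still listing a value other than `no` is a repo that will keep sending the identity document, and on an IMDSv2-only instance that is the request that would fail silently through yum's fallback path.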
