Why doesn't ec2-instance-connect work on AWS-Parallel-Cluster

0

I know ParallelCluster 3 doesn't officially support ec2-instance-connect and SSM, but I'm trying to figure out why. It seems to be failing in /usr/share/ec2-instance-connect/eic_curl_authorized_keys; more accurately, it fails when it tries to fetch instance metadata. In that script, calling /usr/bin/curl 169.254.169.254/latest/meta-data/ returns nothing. When logged in to the instance using pcluster ssh, it returns the expected data.

How does this happen?

Thanks.

asked 2 years ago, 326 views
1 answer
0

Finally figured it out. There are iptables rules on ParallelCluster:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -j PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 129 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 400 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable

This blocks the ec2-instance-connect user from accessing the metadata.

answered 2 years ago
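As an added example (not code from the question, the answer, or ParallelCluster itself), here is a small Python model of how the kernel walks the OUTPUT chain for the ruleset shown above. It answers the practical question, which UIDs can reach 169.254.169.254, without needing root on the node, and it also flags a detail that is visible in the ruleset: the `--uid-owner 129` ACCEPT in OUTPUT sits after the jump to PARALLELCLUSTER_IMDS, and that chain ends in a terminal REJECT for every other packet to the metadata address, so the uid 129 rule can never match. The model only implements the matchers this ruleset uses (`-d` with a /32 and `-m owner --uid-owner`); the probe addresses (TEST-NET-2) and the candidate UID list are my assumptions.

```python
"""Model of iptables OUTPUT-chain traversal for the ParallelCluster IMDS rules.

Added example, not ParallelCluster code. Only the matchers present in the
ruleset on the page are modelled: -d <addr>/32 and -m owner --uid-owner <uid>.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

IMDS = "169.254.169.254"

# Ruleset copied from the answer above (output of `sudo iptables -S`).
RULESET = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -j PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 129 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 400 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal


@dataclass
class Rule:
    chain: str
    target: str
    dest: Optional[str] = None  # -d address; all rules on the page are /32
    uid: Optional[int] = None   # -m owner --uid-owner


@dataclass
class Table:
    policy: dict = field(default_factory=dict)  # built-in chain -> default verdict
    chains: dict = field(default_factory=dict)  # chain name -> ordered [Rule]


def parse_ruleset(text: str) -> Table:
    """Parse `iptables -S` style lines (-P, -N, -A) into a Table."""
    t = Table()
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] == "-P":
            t.policy[argv[1]] = argv[2]
            t.chains.setdefault(argv[1], [])
        elif argv[0] == "-N":
            t.chains.setdefault(argv[1], [])
        elif argv[0] == "-A":
            r = Rule(chain=argv[1], target="")
            i = 2
            while i < len(argv):
                if argv[i] == "-d":
                    r.dest = argv[i + 1].split("/")[0]
                    i += 2
                elif argv[i] == "--uid-owner":
                    r.uid = int(argv[i + 1])
                    i += 2
                elif argv[i] == "-j":
                    r.target = argv[i + 1]
                    i += 2
                else:
                    i += 1  # "-m owner", "--reject-with ...": no effect on matching
            t.chains.setdefault(r.chain, []).append(r)
    return t


def matches(r: Rule, uid: int, dest: str) -> bool:
    return (r.dest is None or r.dest == dest) and (r.uid is None or r.uid == uid)


def verdict(t: Table, uid: int, dest: str, chain: str = "OUTPUT", trace=None) -> str:
    """Walk `chain` as the kernel does: the first matching terminal rule wins;
    a jump into a user chain comes back here if that chain runs off its end."""
    for r in t.chains[chain]:
        if not matches(r, uid, dest):
            continue
        if trace is not None:
            trace.append(r)
        if r.target in TERMINAL:
            return r.target
        if r.target == "RETURN":
            break
        if r.target in t.chains:  # jump to a user-defined chain
            v = verdict(t, uid, dest, r.target, trace)
            if v in TERMINAL:
                return v
    return t.policy.get(chain, "RETURN")


def allowed_uids(t: Table, candidates) -> list:
    """Subset of `candidates` whose packets to IMDS get ACCEPT."""
    return [u for u in candidates if verdict(t, u, IMDS) == "ACCEPT"]


def _probe(t: Table, r: Rule):
    """A packet matching r whose unconstrained fields match no other rule, so
    any earlier rule that stops it also stops every packet r could match."""
    uids = {x.uid for c in t.chains.values() for x in c if x.uid is not None}
    dests = {x.dest for c in t.chains.values() for x in c if x.dest is not None}
    uid = r.uid if r.uid is not None else max(uids, default=0) + 1
    dest = r.dest if r.dest is not None else next(
        a for a in ("198.51.100.%d" % i for i in range(1, 255)) if a not in dests)
    return uid, dest


def unreachable_rules(t: Table, root: str = "OUTPUT") -> list:
    """Rules in `root` and in chains jumped to from it that no packet can hit."""
    reachable, todo = set(), [root]
    while todo:
        c = todo.pop()
        if c in reachable:
            continue
        reachable.add(c)
        todo += [r.target for r in t.chains[c] if r.target in t.chains]
    dead = []
    for c in reachable:
        for r in t.chains[c]:
            uid, dest = _probe(t, r)
            trace = []
            verdict(t, uid, dest, root, trace)
            if not any(x is r for x in trace):
                dead.append(r)
    return dead


if __name__ == "__main__":
    table = parse_ruleset(RULESET)
    # 129 and 1001 are assumed candidate UIDs, not values taken from the page.
    print("UIDs that can reach IMDS:", allowed_uids(table, [0, 129, 400, 1000, 1001]))
    for r in unreachable_rules(table):
        print("never matches:", r)
```

On the node itself the equivalent check is `id -u ec2-instance-connect` to learn the UID the eic_curl_authorized_keys script runs as, then `sudo iptables -S OUTPUT` to see where that UID falls in the traversal. Because the REJECT at the end of PARALLELCLUSTER_IMDS is terminal, an ACCEPT for an extra UID only takes effect if it is placed inside that chain ahead of the REJECT, or inserted in OUTPUT before the jump; appending it to OUTPUT after the jump, as the uid 129 rule above is, does nothing.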
