Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shibaken: return empty key list if IMDS returns 404 #1358

Merged
merged 2 commits into from
Feb 26, 2021
Merged

shibaken: return empty key list if IMDS returns 404 #1358

merged 2 commits into from
Feb 26, 2021

Conversation

jpculp
Copy link
Member

@jpculp jpculp commented Feb 26, 2021
edited
Loading

Issue number:

N/A

Description of changes:

In the case where there are no keys available in IMDS, shibaken will create an empty public key list instead of returning an error.

This addresses a rare scenario where a user launches an instance of Bottlerocket without attaching a key to the EC2 instance. Rather than returning an empty string, the IMDS request for available keys returns a 404. The 404 status causes shibaken to return an error and prevents Bottlerocket from booting.

Testing done:

Set IMDS_PUBLIC_KEY_BASE_URI to an invalid URI and cargo ran shibaken

@webern
I have tested these changes. Before these changes an instance without a key failed to boot. With these changes the instance came up and I ran an ECS task.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@jpculp jpculp requested review from tjkirch, zmrow and webern February 26, 2021 00:43
tjkirch
tjkirch approved these changes Feb 26, 2021
View reviewed changes
Copy link
Contributor

@tjkirch tjkirch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you please also add a commit that adds this PR ID/link to the changelog entry for the shibaken set of changes?

@webern
Copy link
Contributor

webern commented Feb 26, 2021

I have tested these changes. Before these changes an instance without a key failed to boot. With these changes the instance came up and I ran an ECS task.

webern
webern approved these changes Feb 26, 2021
View reviewed changes
Copy link
Contributor

@webern webern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upon most variant arches passing CI. :)

tjkirch
tjkirch reviewed Feb 26, 2021
View reviewed changes
CHANGELOG.md Show resolved Hide resolved
@jpculp jpculp force-pushed the shibaken-meets-404 branch from 63d5abe to 455fd2a Compare February 26, 2021 01:25
@jpculp
Copy link
Member Author

jpculp commented Feb 26, 2021

  • Added full link to the PR in the changelog.

@jpculp
shibaken: return empty key list if IMDS returns 404
90772e9 
In the case where there are no keys available in IMDS, shibaken will
create an empty public key list instead of returning an error.
@jpculp
Update changelog to include PR bottlerocket-os#1358
e7fbd4d
@jpculp jpculp force-pushed the shibaken-meets-404 branch from 455fd2a to e7fbd4d Compare February 26, 2021 01:30
@jpculp
Copy link
Member Author

jpculp commented Feb 26, 2021

  • Rebased and addressed merge conflict in CHANGELOG.md

@jpculp jpculp merged commit ee56d1f into bottlerocket-os:develop Feb 26, 2021
@jpculp jpculp deleted the shibaken-meets-404 branch February 26, 2021 02:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srgothi92 srgothi92 srgothi92 approved these changes

@webern webern webern approved these changes

@bcressey bcressey bcressey approved these changes

@tjkirch tjkirch tjkirch approved these changes

@zmrow zmrow Awaiting requested review from zmrow

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jpculp @webern @tjkirch @bcressey @srgothi92