Merge ~lucaskanashiro/ubuntu/+source/fence-agents:backport_aws_imdsv2_groovy into ubuntu/+source/fence-agents:ubuntu/groovy-devel

Proposed by Lucas Kanashiro
Status: Work in progress
Proposed branch: ~lucaskanashiro/ubuntu/+source/fence-agents:backport_aws_imdsv2_groovy
Merge into: ubuntu/+source/fence-agents:ubuntu/groovy-devel
Diff against target: 85 lines (+52/-1)
4 files modified
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/fence_aws-add-support-for-IMDSv2.patch (+42/-0)
debian/patches/series (+1/-0)
Reviewers:
Christian Ehrhardt (community): Needs Fixing
Canonical Server: Pending
Review via email: mp+397844@code.launchpad.net

Description of the change

Backport fence_aws with IMDSv2 support to Groovy. This is the upstream commit:

https://github.com/ClusterLabs/fence-agents/commit/c9f8890264e0257197b31124dbb26c1046475314

The SRU bug description is still incomplete because we are going to ask AWS folks how to test it properly, but this MP is for reviewing the packaging work.

PPA:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/ha-stack-aws

autopkgtest:

autopkgtest [13:02:30]: @@@@@@@@@@@@@@@@@@@@ summary
metadata PASS
delay PASS
fence-dummy PASS
fence-aws SKIP exit status 77 and marked as skippable

Christian Ehrhardt  (paelzer) wrote :

Here as well: 4.6.0-1ubuntu1 -> 4.6.0-1ubuntu0.1

Christian Ehrhardt  (paelzer) :
review: Needs Fixing
Christian Ehrhardt  (paelzer) wrote :

Other than the version number everything else LGTM.
The patch matches what is upstream and on this version applied fine.

Christian Ehrhardt  (paelzer) wrote :

For my thoughts on resource agents, you see here they gracefully catch the "HTTP error occurred while trying to access EC2 metadata server" and log an error but otherwise continue.
So if that being unavailable is a thing, how gracefully (or not) will that be in resource agents?

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for the review. Version is already fixed.

I'll be following up on the other question with AWS.

Christian Ehrhardt  (paelzer) wrote :

Hi Lucas,
I know that some of these wait for the MIR, but can we set them either to merged (if uploaded) or to WIP (if waiting) to clear the view of MRs the Team has to do?

Lucas Kanashiro (lucaskanashiro) wrote :

The proposed changes are waiting for some testing from the AWS side (available in the mentioned PPA), so I'll be marking this as WIP until we get a reply.

Unmerged commits

25e24d1... by Lucas Kanashiro

update-maintainer

78c06cd... by Lucas Kanashiro

Update changelog

c2fd544... by Lucas Kanashiro

Backport patch to make fence_aws support IMDSv2 (LP: #1915190)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 20cd619..dc6c361 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+fence-agents (4.6.0-1ubuntu0.1) groovy; urgency=medium
7+
8+ * Backport patch to make fence_aws support IMDSv2 (LP: #1915190).
9+ - d/p/fence_aws-add-support-for-IMDSv2.patch
10+
11+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 09 Feb 2021 16:14:17 -0300
12+
13 fence-agents (4.6.0-1) unstable; urgency=medium
14
15 * New upstream version 4.6.0
16diff --git a/debian/control b/debian/control
17index 90528e8..6befa96 100644
18--- a/debian/control
19+++ b/debian/control
20@@ -1,7 +1,8 @@
21 Source: fence-agents
22 Section: admin
23 Priority: optional
24-Maintainer: Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>
25+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
26+XSBC-Original-Maintainer: Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>
27 Uploaders: Adrian Vondendriesch <adrian.vondendriesch@credativ.de>,
28 Valentin Vidic <vvidic@debian.org>
29 Build-Depends: autoconf,
30diff --git a/debian/patches/fence_aws-add-support-for-IMDSv2.patch b/debian/patches/fence_aws-add-support-for-IMDSv2.patch
31new file mode 100644
32index 0000000..ec9b728
33--- /dev/null
34+++ b/debian/patches/fence_aws-add-support-for-IMDSv2.patch
35@@ -0,0 +1,42 @@
36+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
37+Date: Fri, 13 Nov 2020 14:30:43 +0100
38+Subject: fence_aws: add support for IMDSv2
39+
40+Origin: upstream, https://github.com/ClusterLabs/fence-agents/commit/c9f8890264e0257197b31
41+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fence-agents/+bug/1915190
42+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
43+---
44+ agents/aws/fence_aws.py | 8 +++++---
45+ 1 file changed, 5 insertions(+), 3 deletions(-)
46+
47+diff --git a/agents/aws/fence_aws.py b/agents/aws/fence_aws.py
48+index 483a299..e2a2391 100644
49+--- a/agents/aws/fence_aws.py
50++++ b/agents/aws/fence_aws.py
51+@@ -3,12 +3,13 @@
52+ import sys, re
53+ import logging
54+ import atexit
55+-import requests
56+ sys.path.append("@FENCEAGENTSLIBDIR@")
57+ from fencing import *
58+ from fencing import fail, fail_usage, run_delay, EC_STATUS, SyslogLibHandler
59+
60++import requests
61+ import boto3
62++from requests import HTTPError
63+ from botocore.exceptions import ConnectionError, ClientError, EndpointConnectionError, NoRegionError
64+
65+ logger = logging.getLogger("fence_aws")
66+@@ -19,8 +20,9 @@ logging.getLogger('botocore.vendored').propagate = False
67+
68+ def get_instance_id():
69+ try:
70+- r = requests.get('http://169.254.169.254/latest/meta-data/instance-id')
71+- return r.content.decode("UTF-8")
72++ token = requests.put('http://169.254.169.254/latest/api/token', headers={"X-aws-ec2-metadata-token-ttl-seconds" : "21600"}).content.decode("UTF-8")
73++ r = requests.get('http://169.254.169.254/latest/meta-data/instance-id', headers={"X-aws-ec2-metadata-token" : token}).content.decode("UTF-8")
74++ return r
75+ except HTTPError as http_err:
76+ logger.error('HTTP error occurred while trying to access EC2 metadata server: %s', http_err)
77+ except Exception as err:
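Review bot: In get_instance_id(), neither the requests.put() for the token nor the requests.get() for instance-id checks the HTTP status, so the "except HTTPError" branch is not reachable from these two calls; requests raises HTTPError only from raise_for_status(). If the token PUT is rejected, the error body is decoded and sent back as X-aws-ec2-metadata-token, and whatever body the GET then returns is handed to the caller as the instance ID. Suggest keeping both response objects, calling raise_for_status() on each before decoding .content, and passing an explicit timeout= to both calls, since requests has no default timeout and a fence action would otherwise block on an unresponsive 169.254.169.254. Because the Origin header marks this as an unmodified upstream commit, the change is better proposed upstream than carried as extra delta in the SRU.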
78diff --git a/debian/patches/series b/debian/patches/series
79index 3ec598e..a21ade7 100644
80--- a/debian/patches/series
81+++ b/debian/patches/series
82@@ -1,2 +1,3 @@
83 disable-network-access
84 spelling
85+fence_aws-add-support-for-IMDSv2.patch
