[SRU] Backport the fence_aws support for IMDSv2

Bug #1915190 reported by Lucas Kanashiro
Affects | Status | Importance | Assigned to | Milestone
fence-agents (Ubuntu) | Fix Committed | Undecided | Lucas Kanashiro |
Bionic | In Progress | Undecided | Lucas Kanashiro |
Focal | In Progress | Undecided | Lucas Kanashiro |
Groovy | Won't Fix | Undecided | Lucas Kanashiro |

Bug Description

[Impact]

This update is considered a hardware enablement feature, which will allow AWS users to make use of the IMDSv2 support recently added to fence-agents. This is an important security-related feature recently introduced by AWS.

[Test Case]

TBD

[Where problems could occur]

All the patches needed change only the fence_aws.py file, so if a problem could occur it would affect only fence_aws.

[Original Description]

Last year, AWS released "IMDSv2" in an effort to protect customers against some potentially severe information leaks related to accidentally proxying this local data to the network. Details at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

IMDSv2 makes use of a session-based protocol, requiring clients to first retrieve a time-limited session token, and then to include that token with subsequent requests.

Because the intended purpose of IMDSv2 is to provide an additional layer of defense against network abuses, customers utilizing it may choose to disable IMDSv1. Disabling IMDSv2 today causes fence_aws to fail.

Changed in fence-agents (Ubuntu):
status: New → Fix Committed
Lucas Kanashiro (lucaskanashiro) wrote :
description: updated
summary: - Backport the fence_aws support for IMDSv2
+ [SRU] Backport the fence_aws support for IMDSv2
Changed in fence-agents (Ubuntu Bionic):
status: New → In Progress
Changed in fence-agents (Ubuntu Focal):
status: New → In Progress
Changed in fence-agents (Ubuntu Groovy):
status: New → In Progress
Changed in fence-agents (Ubuntu Bionic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in fence-agents (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in fence-agents (Ubuntu Groovy):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in fence-agents (Ubuntu):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in fence-agents (Ubuntu Groovy):
status: In Progress → Won't Fix