Add imdsclient library for querying IMDS

[jpculp]

Issue number:

N/A

Description of changes:

This adds an imdsclient library for tools and setting generators to leverage for fetching user-data, meta-data, and dynamic data from the AWS Instance Metadata Service.

shibaken was also updated by removing the stand-alone IMDS logic in favor of the shared imdsclient library.
Some of the log messages in shibaken were also tweaked for more clarity.

pluto and early-boot-config have also been updated by removing the stand-alone IMDS logic in favor of the shared imdsclient library.

Packages that need to be updated:

• shibaken
• pluto
• early-boot-config

Issues:

• Add testing (Add tests to imdsclient #1398)

Testing done:

• Built aws-k8s-1.19 ami and launched instance.
• Instance connected to eks cluster.
• Connected to control container via ssm session.
• Verified that host-containers.admin.user-data contained a base64-encoded block.
• Connected to admin container via ssh.
• Verified that /.bottlerocket/host-containers/admin/user-data contained JSON.
• Ran sudo sheltie to verify root shell was still available.
• Checked for failed systemd units.
• Ran pluto with it's sub-commands to verify functionality.

Also built and launched vmware-k8s-1.20 (x86_64) and aws-ecs-1 (aarch64).
Verified that they booted correctly and connected to their respective clusters.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[jpculp]

Seems like the examples in the Doc strings aren't tight enough to pass Doc-tests. Will post another revision.

[jpculp]

Since sundog only prints stderr in the event of an error, would it make sense for me to change default log level to Debug? It would make it easier to troubleshoot, but might be somewhat ugly if someone ran shibaken in a shell.

[tjkirch]

Do we not have enough information in error/warn/info to get a sense of the problem when it fails? It seems like we should be adding information there, not just promoting all of the debug messages, if you think there's not enough to understand the problem.

[jpculp]

It's kind of an edge-case, but the current IMDS logic in Bottlerocket treats a 404 as an Ok(None) and that's what we want 99% of the time. However, in shibaken we decided to actually error out if it receives a 404 when it is collecting the data from the individual keys in IMDS. Since the imdsclient isn't returning an error on 404, some context is lost.

At an error level shibaken would return something like:

Error retrieving 'public-keys/1/openssh-key' from IMDS metadata

but the debug message would show the full uri like this:

(2) reqwest::async_impl::client: response '404 Not Found' for http://169.254.169.254/2020-10-27/meta-data/public-keys/1/openssh-key

I can update the error to say 404 for clarity, but I'm not quite sure if there is a simple way to pass the full uri. One option is to re-construct the uri via public constants, but I'm not a fan of that since it's not a guarantee that that was the uri that was reqwest'd

[tjkirch]

I don't think the full URI is super helpful, since there's only one thing it could possibly be, given you know the version you're running. And this case could seemingly only crop up if EC2 listed erroneous keys, or if the user changed the registered keys after the list was retrieved. I don't think it's possible to change the keys associated in EC2 while an instance is running, so I don't expect that particular issue to come up. The error seems fine to me...

[webern]

I think the error message Error retrieving 'public-keys/1/openssh-key' from IMDS metadata is clear enough. If you really do have a reproducible case where you need to know whether it was a 404 or something else, then you are really in the weeds anyway and it seems reasonable to expect the user/developer to turn on debugging for something that deep.

[zmrow]

Posting what I have for now, will be back with a few more!

[webern]

Can tests be written with a mock server? You would need another constructor (which could be private) that takes the URLs. If this constructor were public, you could also use it in your doc example for a passing doc test. You could then implement Default for the real clients to use.

[jpculp]

• Removed examples from docstrings.
• Made the ImdsClient struct mutable.
• Added refresh_token function. When receiving a 401 response from IMDS, the token will be refreshed, and the IMDS fetch be re-attempted 1 time.
• Tweaked README wording.
• Removed extraneous generate_constants from build.rs

[jpculp]

• Add docstring to refresh_token
• Tweaked ImdsData error in shibaken to be more visually consistent with ImdsClient error.

[webern]

I think the error message Error retrieving 'public-keys/1/openssh-key' from IMDS metadata is clear enough. If you really do have a reproducible case where you need to know whether it was a 404 or something else, then you are really in the weeds anyway and it seems reasonable to expect the user/developer to turn on debugging for something that deep.

[etungsten]

LGTM assuming all the existing comments are addressed.

[zmrow]

I'm a bit worried about this API since we're not handling these strings as URLs and we're not doing any handling of slashes, etc. Ideally we'd at least try to parse the string as a URL so we at least know it's valid.

[jpculp]

I was going to rely on the str -> Url parse in Reqwest's get function, but it probably makes sense to parse the uri just before the loop.

[jpculp]

Can tests be written with a mock server? You would need another constructor (which could be private) that takes the URLs. If this constructor were public, you could also use it in your doc example for a passing doc test. You could then implement Default for the real clients to use. -@webern

I've gone ahead and added an issue (#1398) for this so that we can revisit it at a later date.

[jpculp]

• Replaced &str with AsRef<str> for public functions
• Changed attempt from u16 to u8
• Created max_attempts variable
• Changed session token expired message from warn to info
• Tweaked a description string in shibaken for a clearer log message.

[zmrow]

🔑

[jpculp]

Fixed and tested vmware and aws-ecs builds.

[jpculp]

Added tests to imdsclient.

[jpculp]

• In collaboration with @webern, moved IMDS functions from shibaken, pluto, and early-boot-config, and replaced them with more abstracted functions like fetch_mac_addresses.
• Replaced fetch_metadata / fetch_dynamic with fetch_string / fetch_bytes.
• Made refresh_token private.
• Removed requirement to always add a description value.
• @webern added some additional tests for printable strings and parsing public keys.

[webern]

Nice refactor with new test code. 👍

[jpculp]

Tweaked the two error messages from @webern's feedback.

[jpculp]

imdsclient

• Changed number of retries.
• Added 100ms delay between retries.
• Added logic to retry on request timeouts (instead of just expired tokens).

[jpculp]

imdsclient

• Removed extraneous semicolon.