diff --git a/SOURCES/bz1896827-fence_aws-add-imdsv2-support.patch b/SOURCES/bz1896827-fence_aws-add-imdsv2-support.patch
new file mode 100644
index 0000000..a5bdad3
--- /dev/null
+++ b/SOURCES/bz1896827-fence_aws-add-imdsv2-support.patch
@@ -0,0 +1,40 @@
+From c9f8890264e0257197b31124dbb26c1046475314 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Fri, 13 Nov 2020 14:30:43 +0100
+Subject: [PATCH] fence_aws: add support for IMDSv2
+
+---
+ agents/aws/fence_aws.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/agents/aws/fence_aws.py b/agents/aws/fence_aws.py
+index 483a2991..e2a2391f 100644
+--- a/agents/aws/fence_aws.py
++++ b/agents/aws/fence_aws.py
+@@ -3,12 +3,13 @@
+ import sys, re
+ import logging
+ import atexit
+-import requests
+ sys.path.append("@FENCEAGENTSLIBDIR@")
+ from fencing import *
+ from fencing import fail, fail_usage, run_delay, EC_STATUS, SyslogLibHandler
+
++import requests
+ import boto3
++from requests import HTTPError
+ from botocore.exceptions import ConnectionError, ClientError, EndpointConnectionError, NoRegionError
+
+ logger = logging.getLogger("fence_aws")
+@@ -19,8 +20,9 @@
+
+ def get_instance_id():
+ try:
+- r = requests.get('http://169.254.169.254/latest/meta-data/instance-id')
+- return r.content.decode("UTF-8")
++ token = requests.put('http://169.254.169.254/latest/api/token', headers={"X-aws-ec2-metadata-token-ttl-seconds" : "21600"}).content.decode("UTF-8")
++ r = requests.get('http://169.254.169.254/latest/meta-data/instance-id', headers={"X-aws-ec2-metadata-token" : token}).content.decode("UTF-8")
++ return r
+ except HTTPError as http_err:
+ logger.error('HTTP error occurred while trying to access EC2 metadata server: %s', http_err)
+ except Exception as err:
diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec
index 18d8721..57a8d55 100644
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
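Review bot: Neither metadata request added to `get_instance_id` checks the HTTP status, so the `except HTTPError` handler right below them cannot fire for a 4xx/5xx reply. As written, an error body from the token PUT would be sent on as the token, and an error body from the GET would be returned as the instance id. Both calls also omit `timeout=`, and requests waits indefinitely by default, which a fence agent probably cannot afford when the metadata endpoint does not answer. The token is used once, so a far shorter `X-aws-ec2-metadata-token-ttl-seconds` than `21600` would limit its usefulness if it leaked. The `except Exception` body lies outside the hunk, so how a timeout would be reported cannot be judged from here.

```python
def get_instance_id():
    try:
        # timeout of 5 s is illustrative; align it with the agent's own fencing timeouts
        token_resp = requests.put('http://169.254.169.254/latest/api/token', headers={"X-aws-ec2-metadata-token-ttl-seconds" : "21600"}, timeout=5)
        token_resp.raise_for_status()
        token = token_resp.content.decode("UTF-8")
        id_resp = requests.get('http://169.254.169.254/latest/meta-data/instance-id', headers={"X-aws-ec2-metadata-token" : token}, timeout=5)
        id_resp.raise_for_status()
        return id_resp.content.decode("UTF-8")
    # … unchanged: except HTTPError / except Exception handlers …
```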
@@ -29,7 +29,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.2.1 -Release: 61%{?alphatag:.%{alphatag}}%{?dist} +Release: 62%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Base URL: https://github.com/ClusterLabs/fence-agents @@ -119,6 +119,7 @@ Patch77: bz1470813-fencing-2-fix-power-timeout.patch Patch78: bz1470813-fencing-3-make-timeout-0-mean-forever.patch Patch79: bz1470813-fencing-4-make-timeout-0-mean-forever.patch Patch80: bz1841087-fence_scsi-dont-write-key-device-to-file.patch +Patch81: bz1896827-fence_aws-add-imdsv2-support.patch %if 0%{?fedora} || 0%{?rhel} > 7 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti @@ -277,6 +278,7 @@ BuildRequires: python3-google-api-client %patch78 -p1 %patch79 -p1 %patch80 -p1 +%patch81 -p1 # prevent compilation of something that won't get used anyway sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac @@ -1165,10 +1167,13 @@ Fence agent for IBM z/VM over IP. %endif %changelog +* Fri Nov 13 2020 Oyvind Albrigtsen - 4.2.1-62 +- fence_aws: add support for IMDSv2 + Resolves: rhbz#1896827 + * Tue Nov 10 2020 Oyvind Albrigtsen - 4.2.1-61 - fence_scsi: dont write key to device if it's already registered, and dont write device to file when cluster is started again - Resolves: rhbz#1841087 * Thu Nov 5 2020 Oyvind Albrigtsen - 4.2.1-59