Open nmeyerhans opened 1 year ago
Surprisingly, I've tested `ec2-metadata` in an IPv6-only instance and I noticed that the IPv4 local stack of my instance was functional for reaching the IPv4 metadata endpoint with an inet 169.254.X.X address:
```
$ ip addr show ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:35:0a:8d:18:ed brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname eni-0eccb2cb65c8f7fae
    altname device-number-0
    inet 169.254.49.58/32 metric 512 scope global dynamic ens5
       valid_lft 3142sec preferred_lft 3142sec
    inet6 2a05:d012:900:9c9e:ec7a:xxxx:xxxx:xxx/128 scope global dynamic noprefixroute
       valid_lft 433sec preferred_lft 123sec
    inet6 fe80::435:aff:fe8d:18ed/64 scope link
       valid_lft forever preferred_lft forever
```
To enable IPv6, I was thinking of the following:

```sh
ip addr | grep --perl-regexp --only-matching "(?<=inet6\s).+(?=scope\sglobal)"
```

- No dependency.
- The IPv6 metadata endpoint (`http://[fd00:ec2::254]`) is not enabled by default and requires to be enabled. The instance itself can't verify it (unless having an IAM policy to do `modify-instance-metadata-options`). My first idea was to test reachability of the endpoint with the `curl --connect-timeout` option, but this will introduce some delay in IPv4-only instances. Or we can imagine that people setting IPv6 are aware of this setting and don't check reachability of the endpoint itself, just the global scope presence.

This could be as simple as:

```sh
METADATA_BASEURL="http://169.254.169.254"
# Any global-scope IPv6 address on the instance selects the IPv6 endpoint.
global_ipv6_addr=$(ip addr | grep --perl-regexp --only-matching "(?<=inet6\s).+(?=scope\sglobal)")
if [ ! -z "${global_ipv6_addr}" ]; then
    METADATA_BASEURL="http://[fd00:ec2::254]"
fi
```
What do you think?
Unrelated, but quite related, I've opened a PR to allow for overriding the `METADATA_BASEURL`: https://github.com/amazonlinux/amazon-ec2-utils/pull/39

I needed it for running a mock metadata server, but it can be useful for your case. :)
`ec2-metadata` currently uses 169.254.169.254 unconditionally. In the case that an instance has disabled its IPv4 stack, it has no access to IMDS, even in environments that do provide a v6 endpoint.
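Putting the thread's three ideas together, as an added example that is not `ec2-metadata`'s own code: a POSIX sh function that honours a `METADATA_BASEURL` override (the PR's idea), keeps the IPv4 endpoint when the interface still has a 169.254.x.x address (the observation from the IPv6-only test above), and falls back to the IPv6 endpoint only when a global-scope IPv6 address is present. The function name, its argument convention and the sample addresses are assumptions constructed for this example; on a real instance you would pass it `"$(ip addr show)"`.

```shell
# Added example: choose the IMDS base URL. Not ec2-metadata's own code.
# $1 is the text of `ip addr show`; passing it in keeps the function testable
# offline. On a real instance: imds_base_url "$(ip addr show)"
imds_base_url() {
    addrs="$1"
    # 1. An explicit override wins (the METADATA_BASEURL override proposed in
    #    the PR), e.g. to point tests at a mock metadata server.
    if [ -n "${METADATA_BASEURL:-}" ]; then
        printf '%s\n' "$METADATA_BASEURL"
        return 0
    fi
    # 2. An IPv4 link-local 169.254.x.x address means the IPv4 stack is up and
    #    the default endpoint is reachable, even on an "IPv6-only" instance.
    if printf '%s\n' "$addrs" | grep -q 'inet 169\.254\.'; then
        printf '%s\n' "http://169.254.169.254"
        return 0
    fi
    # 3. No IPv4: fall back to the IPv6 endpoint only if a global-scope IPv6
    #    address exists (link-local fe80:: addresses are ignored). The IPv6
    #    endpoint must still be enabled in the instance's metadata options.
    if printf '%s\n' "$addrs" | grep -Eq 'inet6 [0-9a-f:]+/[0-9]+ .*scope global'; then
        printf '%s\n' "http://[fd00:ec2::254]"
        return 0
    fi
    # 4. Nothing usable: fail fast instead of hanging on an unreachable endpoint.
    echo "no usable IMDS endpoint found" >&2
    return 1
}

# Constructed sample `ip addr` outputs (addresses are made up) for offline use.
SAMPLE_DUAL='2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 state UP
    inet 169.254.49.58/32 metric 512 scope global dynamic ens5
    inet6 2a05:d012:900:9c9e:ec7a:1:2:3/128 scope global dynamic noprefixroute
    inet6 fe80::435:aff:fe8d:18ed/64 scope link'
SAMPLE_V6ONLY='2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 state UP
    inet6 2a05:d012:900:9c9e:ec7a:1:2:3/128 scope global dynamic noprefixroute
    inet6 fe80::435:aff:fe8d:18ed/64 scope link'
SAMPLE_LINKLOCAL='2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 state UP
    inet6 fe80::435:aff:fe8d:18ed/64 scope link'
```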