EC2 Metadata Setting not working with latest packer version(1.8.6) #357
Comments
Hi @sumitgaur26, the provided metadata options specified relate to the instance being built. I believe you need to also specify the "imds_support":"v2.0" in your template to force IMDSv2 on the resulting AMI. Please give it a try and let me know if the resulting build is what you are looking for.

There is an error when attempting to use "imds_support":"v2.0" with a policy in place to force only imds v2 instances. Disabling the force imdsV2 policy allows the builder to work correctly. This is on version 1.8.6.

Hi @nywilken, I have used the option you suggested, it's not working. When packer launches it has the V2 version enabled but when the AMI is created, that AMI doesn't have this option enabled.

I'm also having this issue.

Same issue, instance_metadata_tags enabled is not reflected

I'm also having this issue. I have tried including "imds_support":"v2.0" but we're using JSON instead of HCL and when I validate the packer JSON it says it's not supported. The version of Packer is v.1.9.4.

+1 on this issue, hopefully after 3 years or so this will be resolved by the hashicorp turbo top development team

+1

Hey folks thanks for bubbling up this issue. Looking at the additional comments it looks like we have two issues being reported:
Both of which will be resolved by installing the latest version of the Amazon Packer plugin.
For JSON folks running into the issue
To resolve your issue I recommend installing the latest version of the Amazon plugin by running
You can validate the installed version with the command below
The Packer team has moved away from bundling updated plugins with Packer since 1.8.x in favor of using
Once you have the latest version of the Amazon plugin installed please update your configurations either JSON or HCL to include the metadata_options block and the imds_support attribute. Below is a full build template written in HCL.
Example Configuration using HCL and plugin version 1.2.7
```hcl
packer {
  required_plugins {
    amazon = {
      version = "~>1"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

data "amazon-ami" "ubuntu-amd64" {
  filters = {
    name                = "ubuntu/images/*ubuntu-*-22.04-amd64-server-*"
    root-device-type    = "ebs"
    virtualization-type = "hvm"
  }
  most_recent = true
  owners      = ["099720109477"]
}

locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }

source "amazon-ebs" "basic-example" {
  ami_name      = "packer-example-${local.timestamp}"
  communicator  = "ssh"
  instance_type = "t2.micro"
  source_ami    = data.amazon-ami.ubuntu-amd64.id
  ssh_username  = "ubuntu"

  # Applies to the instance being built.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # Forces IMDSv2 on the resulting AMI.
  imds_support = "v2.0"
}

build {
  sources = ["source.amazon-ebs.basic-example"]

  # Let's query the instance metadata service running v2
  provisioner "shell" {
    inline = ["TOKEN=`curl -s -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\"` && curl -H \"X-aws-ec2-metadata-token: $TOKEN\" -s http://169.254.169.254/latest/meta-data/"]
  }
}
```
Metadata version Validation Checks
Querying the instance metadata via curl on running instance.
```
==> amazon-ebs.basic-example: > GET /latest/meta-data/ HTTP/1.1
==> amazon-ebs.basic-example: Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
    amazon-ebs.basic-example: ami-id
    amazon-ebs.basic-example: ami-launch-index
    amazon-ebs.basic-example: ami-manifest-path
    amazon-ebs.basic-example: block-device-mapping/
    amazon-ebs.basic-example: events/
    amazon-ebs.basic-example: hostname
    amazon-ebs.basic-example: identity-credentials/
    amazon-ebs.basic-example: instance-action
    amazon-ebs.basic-example: instance-id
    amazon-ebs.basic-example: instance-life-cycle
    amazon-ebs.basic-example: instance-type
    amazon-ebs.basic-example: local-hostname
    amazon-ebs.basic-example: local-ipv4
    amazon-ebs.basic-example: mac
    amazon-ebs.basic-example: metrics/
    amazon-ebs.basic-example: network/
    amazon-ebs.basic-example: placement/
    amazon-ebs.basic-example: profile
    amazon-ebs.basic-example: public-hostname
    amazon-ebs.basic-example: public-ipv4
    amazon-ebs.basic-example: public-keys/
    amazon-ebs.basic-example: reservation-id
    amazon-ebs.basic-example: security-groups
    amazon-ebs.basic-example: services/
    amazon-ebs.basic-example: system
```
Running Describe on created AMI
```
~> aws ec2 describe-images --image-ids=ami-0042263517a113537
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2023-11-03T01:35:41.000Z",
            "ImageId": "ami-0042263517a113537",
            "ImageLocation": "746700064644/packer-example-20231103013415",
            "ImageType": "machine",
            "Public": false,
            "OwnerId": "746700064644",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/sda1",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-0db7ceed7e4b40ea5",
                        "VolumeSize": 8,
                        "VolumeType": "gp2",
                        "Encrypted": false
                    }
                },
                {
                    "DeviceName": "/dev/sdb",
                    "VirtualName": "ephemeral0"
                },
                {
                    "DeviceName": "/dev/sdc",
                    "VirtualName": "ephemeral1"
                }
            ],
            "EnaSupport": true,
            "Hypervisor": "xen",
            "Name": "packer-example-20231103013415",
            "RootDeviceName": "/dev/sda1",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm",
            "ImdsSupport": "v2.0"
        }
    ]
}
```
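
The two checks discussed in this thread, as an added example that is not part of the original comments or the plugin's code: a lint for legacy JSON templates that separates the build-instance setting (`metadata_options`) from the AMI setting (`imds_support`), and a check over `aws ec2 describe-images` output for AMIs that lack `ImdsSupport`. The template, the image IDs and the function names are constructed for illustration.

```python
import json

# Constructed legacy-JSON Packer template (not from the thread). "instance-only"
# reproduces the reported setup: metadata_options without imds_support.
TEMPLATE = json.loads("""
{"builders": [
  {"type": "amazon-ebs", "name": "instance-only",
   "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required",
                        "http_put_response_hop_limit": 1}},
  {"type": "amazon-ebs", "name": "hardened", "imds_support": "v2.0",
   "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required",
                        "http_put_response_hop_limit": 1}}
]}
""")

# Constructed, trimmed `aws ec2 describe-images` output; image IDs are placeholders.
DESCRIBE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-00000000000000001", "ImdsSupport": "v2.0"},
  {"ImageId": "ami-00000000000000002"}
]}
""")


def lint_builder(builder):
    """Return IMDSv2 findings for one amazon-ebs builder dict."""
    findings = []
    opts = builder.get("metadata_options") or {}
    # metadata_options only governs the temporary instance Packer builds on.
    if opts.get("http_tokens") != "required":
        findings.append("build instance: metadata_options.http_tokens is not 'required'")
    # imds_support is what marks the registered AMI as IMDSv2-only.
    if builder.get("imds_support") != "v2.0":
        findings.append("resulting AMI: imds_support is not 'v2.0'")
    return findings


def lint_template(template):
    """Map builder name -> findings for every amazon-ebs builder."""
    return {b.get("name", b["type"]): lint_builder(b)
            for b in template.get("builders", []) if b.get("type") == "amazon-ebs"}


def amis_without_imdsv2(describe_images):
    """Return image IDs whose ImdsSupport field is absent or not 'v2.0'."""
    return [img["ImageId"] for img in describe_images.get("Images", [])
            if img.get("ImdsSupport") != "v2.0"]


if __name__ == "__main__":
    print(lint_template(TEMPLATE))
    print(amis_without_imdsv2(DESCRIBE_IMAGES))
```
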
I opened a PR to add a working example of this code to the repository and added a section to the documentation for enabling imdsv2 on the running instance and generated AMI.

@nywilken thanks for the help. This does not work for me. I'm using Packer JSON templates and I'm running it from the hashicorp/packer docker image. I just tried using hashicorp/packer:full but it made no diff.
example:
13:38:41 Status: Downloaded newer image for hashicorp/packer:full
source doc: https://hub.docker.com/r/hashicorp/packer

@tivanov-qb thanks for the quick response. It looks like you are overwriting the plugins installed in the container by setting the PACKER_PLUGIN_PATH environment variable. Did you validate which version of the plugin is being loaded from
Running the command below should show what plugins were loaded. If the Amazon plugin is not within the output then you are still using the bundled plugin within the Packer binary.
To confirm the container works I ran a few commands without overriding
Plugins installed into packer:full
```
~> docker run -v `pwd`:/workspace -w /workspace hashicorp/packer:full plugins installed
/root/.config/packer/plugins/github.com/hashicorp/vagrant/packer-plugin-vagrant_v1.0.3_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/virtualbox/packer-plugin-virtualbox_v1.0.5_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/docker/packer-plugin-docker_v1.0.8_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/qemu/packer-plugin-qemu_v1.0.9_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/ansible/packer-plugin-ansible_v1.1.0_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/googlecompute/packer-plugin-googlecompute_v1.1.1_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/vsphere/packer-plugin-vsphere_v1.2.1_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.6_x5.0_linux_arm64
/root/.config/packer/plugins/github.com/hashicorp/azure/packer-plugin-azure_v2.0.0_x5.0_linux_arm64
```
Running a validate on the JSON template - available in #429

* update packer * as per hashicorp/packer-plugin-amazon#357
When filing a bug, please include the following headings if possible. Any
example text in this template can be deleted.
Overview of the Issue
I am using the latest version of packer for linux and added the code below to my packer.json file to make IMDSv2 enabled by default.
```json
"metadata_options": {
    "http_endpoint": "enabled",
    "http_tokens": "required",
    "http_put_response_hop_limit": 1
}
```
As per the packer documentation, using this option should create an AMI which would have IMDSv2 enabled by default when an instance is spun up. But when I am running the packer build, the instance created by Packer has IMDSv2 enabled but the AMI produced does not have it enabled.
Reproduction Steps
Use the metadata setting block in packer.json and see if the AMI created is having IMDSv2 enforced or not
Plugin and Packer version
From
packer version
1.8.6
Simplified Packer Buildfile
Operating system and Environment details
Running in a container based on alpine3.7 and amd_64 is the arch.
Log Fragments and crash.log files
No log and nothing failing
Set the env var
PACKER_LOG=1
for maximum log detail.