Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Ravi Pokala
-Original Message-
From:  on behalf of Colin Percival 

Date: 2020-05-17, Sunday at 18:30
To: Oliver Pinter 
Cc: "src-committ...@freebsd.org" , 
"svn-src-...@freebsd.org" , "svn-src-head@freebsd.org" 

Subject: Re: svn commit: r361143 - head/release/tools

> On 2020-05-17 16:48, Oliver Pinter wrote:
>> On Sunday, May 17, 2020, Colin Percival > <mailto:cperc...@freebsd.org>> wrote:
>> +REGION=`fetch -qo-
>> http://169.254.169.254/latest/meta-data/placement/availability-zone
>> <http://169.254.169.254/latest/meta-data/placement/availability-zone> |
>> sed -e 's/[a-z]$//'`
>> 
>> What will be this hard-coded ip address without any verification or at least
>> https?
> 
> That's a magic IP address which connects to the EC2 "instance metadata
> service".  It doesn't actually go out over the network.

A comment would be appreciated, e.g. "Amazon uses this link-local address for 
the EC2 instance metadata service"

Thanks,

Ravi (rpokala@)

> -- 
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid


___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Rodney W. Grimes
> On Sun, 17 May 2020 at 20:24, Conrad Meyer  wrote:
> >
> > On Sun, May 17, 2020 at 4:49 PM Oliver Pinter  wrote:
> > > On Sunday, May 17, 2020, Colin Percival  wrote:
> > >> +# Provide instructions on how to mount the requested filesystem.
> > >> +FS=$1
> > >> +REGION=`fetch -qo- 
> > >> http://169.254.169.254/latest/meta-data/placement/availability-zone | 
> > >> sed -e 's/[a-z]$//'`
> > >
> > >
> > > What will be this hard-coded ip address without any verification or at 
> > > least https?
> >
> > It's a special non-routable IP that is used in at least AWS and Azure
> > to provide some VM services.  Traffic to and from it never leaves the
> > virtual overlay network, which by design VM instances already trust to
> > provide privacy.  It doesn't require functioning DNS to access the raw
> > IP.
> 
> And, more information at
> https://en.wikipedia.org/wiki/Link-local_address

And the definitive document(s)
https://www.rfc-editor.org/rfc/rfc3927.txt
https://who.is/whois-ip/ip-address/169.254.0.0

-- 
Rod Grimes rgri...@freebsd.org
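The two facts the thread settles on, that 169.254.0.0/16 is the RFC 3927 link-local range and that the region is the availability zone with its trailing letter stripped, can be encoded as small shell checks. The following is an added example, not code from the commit or from anyone in the thread; the function names and the sample values are mine, and the region helper refuses empty input so a failed metadata fetch cannot quietly produce a hostname with an empty region.

```shell
#!/bin/sh
# Added example (not from the FreeBSD commit or the thread): helpers that encode
# the link-local check from RFC 3927 and the zone-to-region derivation.
# Function names and sample values are constructed for illustration.

# is_link_local ADDR: succeed if ADDR is a well-formed IPv4 dotted quad inside
# 169.254.0.0/16, the range RFC 3927 reserves for link-local use.
is_link_local() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ]
}

# url_host_is_link_local URL: extract the host of http(s)://host[:port]/path and
# require it to be link-local, i.e. an endpoint whose traffic stays on the
# instance's own network rather than an arbitrary Internet host.
url_host_is_link_local() {
    host=${1#*://}
    host=${host%%/*}
    host=${host%%:*}
    is_link_local "$host"
}

# az_to_region AZ: drop the trailing zone letter (us-east-1a -> us-east-1) with
# the same sed expression the committed map uses, but fail on empty input.
az_to_region() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | sed -e 's/[a-z]$//'
}

# Constructed sample: the URL the commit fetches and a zone string of the shape
# the metadata service returns.
METADATA_URL='http://169.254.169.254/latest/meta-data/placement/availability-zone'
SAMPLE_AZ='us-east-1a'

if url_host_is_link_local "$METADATA_URL"; then
    echo "metadata endpoint is link-local; region would be $(az_to_region "$SAMPLE_AZ")"
else
    echo "refusing non-link-local metadata endpoint" >&2
fi
```

The address check is purely syntactic (it says the host is in the link-local range, not that a metadata service answers there); it guards a script against being pointed at a routable host, which is the property Conrad's explanation relies on.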


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Mark Linimon
Defining it to MAGIC_UNROUTED_IP_ADDRESS or something would have obviated
our questions :-)

mcl


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Colin Percival
On 2020-05-17 16:48, Oliver Pinter wrote:
> On Sunday, May 17, 2020, Colin Percival  > wrote:
> +REGION=`fetch -qo-
> http://169.254.169.254/latest/meta-data/placement/availability-zone
>  |
> sed -e 's/[a-z]$//'`
> 
> What will be this hard-coded ip address without any verification or at least
> https?

That's a magic IP address which connects to the EC2 "instance metadata
service".  It doesn't actually go out over the network.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Ed Maste
On Sun, 17 May 2020 at 20:24, Conrad Meyer  wrote:
>
> On Sun, May 17, 2020 at 4:49 PM Oliver Pinter  wrote:
> > On Sunday, May 17, 2020, Colin Percival  wrote:
> >> +# Provide instructions on how to mount the requested filesystem.
> >> +FS=$1
> >> +REGION=`fetch -qo- 
> >> http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 
> >> -e 's/[a-z]$//'`
> >
> >
> > What will be this hard-coded ip address without any verification or at 
> > least https?
>
> It's a special non-routable IP that is used in at least AWS and Azure
> to provide some VM services.  Traffic to and from it never leaves the
> virtual overlay network, which by design VM instances already trust to
> provide privacy.  It doesn't require functioning DNS to access the raw
> IP.

And, more information at
https://en.wikipedia.org/wiki/Link-local_address


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Conrad Meyer
On Sun, May 17, 2020 at 4:49 PM Oliver Pinter  wrote:
> On Sunday, May 17, 2020, Colin Percival  wrote:
>> +# Provide instructions on how to mount the requested filesystem.
>> +FS=$1
>> +REGION=`fetch -qo- 
>> http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 
>> 's/[a-z]$//'`
>
>
> What will be this hard-coded ip address without any verification or at least 
> https?

It's a special non-routable IP that is used in at least AWS and Azure
to provide some VM services.  Traffic to and from it never leaves the
virtual overlay network, which by design VM instances already trust to
provide privacy.  It doesn't require functioning DNS to access the raw
IP.

Conrad


Re: svn commit: r361143 - head/release/tools

2020-05-17 Thread Oliver Pinter
On Sunday, May 17, 2020, Colin Percival  wrote:

> Author: cperciva
> Date: Sun May 17 21:54:59 2020
> New Revision: 361143
> URL: https://svnweb.freebsd.org/changeset/base/361143
>
> Log:
>   Add /etc/autofs/special_efs to EC2 AMIs
>
>   Since Amazon Elastic File System is only available within AWS, it seems
>   more appropriate to have this added only in EC2 AMIs rather than
>   "polluting" non-EC2 images with it.
>
>   Reviewed by:  gjb
>   MFC after:7 days
>   Relnotes: Amazon EFS filesystems can be automounted by enabling
> autofs
> and placing "/efs -efs" into /etc/auto_master.
>   Sponsored by: https://www.patreon.com/cperciva
>   Differential Revision:https://reviews.freebsd.org/D24791
>
> Modified:
>   head/release/tools/ec2.conf
>
> Modified: head/release/tools/ec2.conf
> 
> ==
> --- head/release/tools/ec2.conf Sun May 17 21:29:45 2020(r361142)
> +++ head/release/tools/ec2.conf Sun May 17 21:54:59 2020(r361143)
> @@ -113,6 +113,23 @@ vm_extra_pre_umount() {
> -e '1,/^#server/s/^#server.*/server 169.254.169.123
> iburst/' \
> ${DESTDIR}/etc/ntp.conf
>
> +   # Provide a map for accessing Elastic File System mounts
> +   cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF'
> +#!/bin/sh
> +
> +if [ $# -eq 0 ]; then
> +# No way to know which EFS filesystems exist and are
> +# accessible to this EC2 instance.
> +exit 0
> +fi
> +
> +# Provide instructions on how to mount the requested filesystem.
> +FS=$1
> +REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/
> availability-zone | sed -e 's/[a-z]$//'`


What will be this hard-coded ip address without any verification or at
least https?


> +echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.
> com:/"
> +EOF
> +   chmod 755 ${DESTDIR}/etc/autofs/special_efs
> +
> # The first time the AMI boots, the installed "first boot" scripts
> # should be allowed to run:
> # * ec2_configinit (download and process EC2 user-data)
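Review bot: the map never checks whether the fetch of the availability zone succeeded, so if the metadata service is unreachable or the image boots outside EC2, REGION is empty and the echo hands autofs a hostname of the form `${FS}.efs..amazonaws.com:/`, which automountd will then try to mount. Suggest a guard right after the assignment, e.g. `[ -n "${REGION}" ] || exit 1`, so the map yields no entry rather than a bogus one. Separately, as several people in the thread asked, the hard-coded 169.254.169.254 (and the 169.254.169.123 NTP server in the context lines above) deserves a one-line comment stating that it is the link-local address of the EC2 instance metadata service and that the request does not leave the instance's network; a named variable at the top of the heredoc would make that even clearer.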