[Agent 1.2.1] Add fallback to IMDSv1

Prior to this change, there was no logic for falling back to IMDSv1 if IMDSv2 calls failed.

This change adds fallbacks to IMDSv1 if calls fail.

 * Unit Tests : [Y]
 * Integration Tests : Successfully had a CodeDeploy deployment using this agent.

Author: saketu-aws

bin/install

@@ -25,9 +25,29 @@ class Proxy
   end
 end
 
+log_file_path = "/tmp/codedeploy-agent.update.log"
+
+require 'logger'
+
+if($stdout.isatty)
+  # if we are being run in a terminal, log to stdout and the log file.
+  @log = Logger.new(Proxy.new(File.open(log_file_path, 'a+'), $stdout))
+else
+  # keep at most 2MB of old logs rotating out 1MB at a time
+  @log = Logger.new(log_file_path, 2, 1048576)
+  # make sure anything coming out of ruby ends up in the log file
+  $stdout.reopen(log_file_path, 'a+')
+  $stderr.reopen(log_file_path, 'a+')
+end
+
+@log.level = Logger::INFO
+
 require 'net/http'
 require 'json'
 
+TOKEN_PATH = '/latest/api/token'
+DOCUMENT_PATH = '/latest/dynamic/instance-identity/document'
+
 class IMDSV2
   def self.region
     doc['region'].strip
@@ -50,35 +70,25 @@ class IMDSV2
     http_request(request)
   end
 
-  def self.get_request(path, token)
+  def self.get_request(path, token = nil)
     request = Net::HTTP::Get.new(path)
-    request['X-aws-ec2-metadata-token'] = token
+    unless token.nil?
+      request['X-aws-ec2-metadata-token'] = token
+    end
     http_request(request)
   end
 
   def self.doc
-    token = put_request('/latest/api/token')
-    JSON.parse(get_request('/latest/dynamic/instance-identity/document', token).strip)
+    begin
+      token = put_request(TOKEN_PATH)
+      JSON.parse(get_request(DOCUMENT_PATH, token).strip)
+    rescue
+      @log.info("IMDSv2 http request failed, falling back to IMDSv1.")
+      JSON.parse(get_request(DOCUMENT_PATH).strip)
+    end
   end
 end
 
-log_file_path = "/tmp/codedeploy-agent.update.log"
-
-require 'logger'
-
-if($stdout.isatty)
-  # if we are being run in a terminal, log to stdout and the log file.
-  @log = Logger.new(Proxy.new(File.open(log_file_path, 'a+'), $stdout))
-else
-  # keep at most 2MB of old logs rotating out 1MB at a time
-  @log = Logger.new(log_file_path, 2, 1048576)
-  # make sure anything coming out of ruby ends up in the log file
-  $stdout.reopen(log_file_path, 'a+')
-  $stderr.reopen(log_file_path, 'a+')
-end
-
-@log.level = Logger::INFO
-
 begin
   require 'fileutils'
   require 'openssl'

bin/update

@@ -25,9 +25,30 @@ class Proxy
   end
 end
 
+require 'tmpdir'
+require 'logger'
+
+log_file_path = "#{Dir.tmpdir()}/codedeploy-agent.update.log"
+
+if($stdout.isatty)
+  # if we are being run in a terminal, log to stdout and the log file.
+  @log = Logger.new(Proxy.new(File.open(log_file_path, 'a+'), $stdout))
+else
+  # keep at most 2MB of old logs rotating out 1MB at a time
+  @log = Logger.new(log_file_path, 2, 1048576)
+  # make sure anything coming out of ruby ends up in the log file
+  $stdout.reopen(log_file_path, 'a+')
+  $stderr.reopen(log_file_path, 'a+')
+end
+
+@log.level = Logger::INFO
+
 require 'net/http'
 require 'json'
 
+TOKEN_PATH = '/latest/api/token'
+DOCUMENT_PATH = '/latest/dynamic/instance-identity/document'
+
 class IMDSV2
   def self.region
     doc['region'].strip
@@ -50,36 +71,25 @@ class IMDSV2
     http_request(request)
   end
 
-  def self.get_request(path, token)
+  def self.get_request(path, token = nil)
     request = Net::HTTP::Get.new(path)
-    request['X-aws-ec2-metadata-token'] = token
+    unless token.nil?
+      request['X-aws-ec2-metadata-token'] = token
+    end
     http_request(request)
   end
 
   def self.doc
-    token = put_request('/latest/api/token')
-    JSON.parse(get_request('/latest/dynamic/instance-identity/document', token).strip)
+    begin
+      token = put_request(TOKEN_PATH)
+      JSON.parse(get_request(DOCUMENT_PATH, token).strip)
+    rescue
+      @log.info("IMDSv2 http request failed, falling back to IMDSv1.")
+      JSON.parse(get_request(DOCUMENT_PATH).strip)
+    end
   end
 end
 
-require 'tmpdir'
-require 'logger'
-
-log_file_path = "#{Dir.tmpdir()}/codedeploy-agent.update.log"
-
-if($stdout.isatty)
-  # if we are being run in a terminal, log to stdout and the log file.
-  @log = Logger.new(Proxy.new(File.open(log_file_path, 'a+'), $stdout))
-else
-  # keep at most 2MB of old logs rotating out 1MB at a time
-  @log = Logger.new(log_file_path, 2, 1048576)
-  # make sure anything coming out of ruby ends up in the log file
-  $stdout.reopen(log_file_path, 'a+')
-  $stderr.reopen(log_file_path, 'a+')
-end
-
-@log.level = Logger::INFO
-
 require 'set'
 VALID_TYPES = Set.new ['rpm','zypper','deb','msi']
 

lib/instance_metadata.rb

@@ -9,12 +9,17 @@ class InstanceMetadata
   PORT = 80
   HTTP_TIMEOUT = 30
 
+  PARTITION_PATH = '/latest/meta-data/services/partition'
+  INSTANCE_ID_PATH = '/latest/meta-data/instance-id'
+  TOKEN_PATH = '/latest/api/token'
+  DOCUMENT_PATH = '/latest/dynamic/instance-identity/document'
+
   def self.host_identifier
     "arn:#{partition}:ec2:#{doc['region']}:#{doc['accountId']}:instance/#{doc['instanceId']}"
   end
 
   def self.partition
-    get_metadata_wrapper('/latest/meta-data/services/partition').strip
+    get_metadata_wrapper(PARTITION_PATH).strip
   end
 
   def self.region
@@ -23,7 +28,7 @@ def self.region
 
   def self.instance_id
     begin
-      get_metadata_wrapper('/latest/meta-data/instance-id')
+      get_metadata_wrapper(INSTANCE_ID_PATH)
     rescue
       return nil
     end
@@ -34,12 +39,18 @@ class InstanceMetadataError < StandardError
 
   private
   def self.get_metadata_wrapper(path)
-    token = put_request('/latest/api/token')
-    get_request(path, token)
+    begin
+      token = put_request(TOKEN_PATH)
+      get_request(path, token)
+    rescue
+      InstanceAgent::Log.send(:info, "IMDSv2 http request failed, falling back to IMDSv1.")
+      get_request(path)
+    end
+
   end
 
   def self.http_request(request)
-    Net::HTTP.start('169.254.169.254', 80, :read_timeout => 120, :open_timeout => 120) do |http|
+    Net::HTTP.start(IP_ADDRESS, PORT, :read_timeout => 120, :open_timeout => 120) do |http|
       response = http.request(request)
       if response.code.to_i != 200
         raise "HTTP error from metadata service: #{response.message}, code #{response.code}"
@@ -54,14 +65,21 @@ def self.put_request(path)
     http_request(request)
   end
 
-  def self.get_request(path, token)
+  def self.get_request(path, token = nil)
     request = Net::HTTP::Get.new(path)
-    request['X-aws-ec2-metadata-token'] = token
+    unless token.nil?
+      request['X-aws-ec2-metadata-token'] = token
+    end
     http_request(request)
   end
 
   def self.doc
-    token = put_request('/latest/api/token')
-    JSON.parse(get_request('/latest/dynamic/instance-identity/document', token).strip)
+    begin
+      token = put_request(TOKEN_PATH)
+      JSON.parse(get_request(DOCUMENT_PATH, token).strip)
+    rescue
+      InstanceAgent::Log.send(:info, "IMDSv2 http request failed, falling back to IMDSv1.")
+      JSON.parse(get_request(DOCUMENT_PATH).strip)
+    end
   end
 end

test/instance_metadata_test.rb

@@ -9,7 +9,6 @@ class InstanceMetadataTest < InstanceAgentTestCase
   def self.should_check_status_code(&blk)
     should 'raise unless status code is 200' do
       stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
-          with(headers: {'X-aws-ec2-metadata-token' => @token}).
           to_return(status: 503, body: @instance_document, headers: {})
       assert_raise(&blk)
     end
@@ -51,6 +50,26 @@ def self.should_check_status_code(&blk)
         assert_equal(@host_identifier, InstanceMetadata.host_identifier)
       end
 
+      should 'return the body if IMDSv2 http request status code is not 200' do
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'X-aws-ec2-metadata-token' => @token}).
+            to_return(status: 503, body: @instance_document, headers: {})
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 200, body: @instance_document, headers: {})
+        assert_equal(@host_identifier, InstanceMetadata.host_identifier)
+      end
+
+      should 'return the body if IMDSv2 http request errors out' do
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'X-aws-ec2-metadata-token' => @token}).
+            to_raise(StandardError)
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 200, body: @instance_document, headers: {})
+        assert_equal(@host_identifier, InstanceMetadata.host_identifier)
+      end
+
       should 'strip whitesace in the body' do
         stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
             with(headers: {'X-aws-ec2-metadata-token' => @token}).
@@ -74,6 +93,26 @@ def self.should_check_status_code(&blk)
         assert_equal("us-east-1", InstanceMetadata.region)
       end
 
+      should 'return the region if IMDSv2 http request status code is not 200' do
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'X-aws-ec2-metadata-token' => @token}).
+            to_return(status: 503, body: @instance_document, headers: {})
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 200, body: @instance_document, headers: {})
+        assert_equal("us-east-1", InstanceMetadata.region)
+      end
+
+      should 'return the region if IMDSv2 http request errors out' do
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'X-aws-ec2-metadata-token' => @token}).
+            to_raise(StandardError)
+        stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
+            with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 200, body: @instance_document, headers: {})
+        assert_equal("us-east-1", InstanceMetadata.region)
+      end
+
       should 'strip whitesace in the body' do
         stub_request(:get, 'http://169.254.169.254/latest/dynamic/instance-identity/document').
             with(headers: {'X-aws-ec2-metadata-token' => @token}).