cc_disable_ec2_metadata only handles IPv6 address
Bug report
The cc_disable_ec2_metadata only blocks access to the EC2 IPv4 metadata server address (169.254.169.254), it does not block access to the IPv6 address, fd00:ec2::254.
Steps to reproduce the problem
Set the following in user-data:
disable_ec2_metadata: true
Environment details
- Cloud-init version: any
- Operating System Distribution: any
- Cloud provider, platform or installer type: AWS
cloud-init logs
Thanks for the bug report!
Hi @TheRealFalcon , if this is still relevant, I'd like to contribute. Since this is tagged as a bug, and the fix involves a "breaking change" of blocking fd00:ec2::254 in addition to 169.254.169.254, is backwards compatibility required here? Or is it okay to add blocking of fd00:ec2::254 (IPv6) as part of the disable_ec2_metadata Boolean flag and update the appropriate documentation?
@prasanthnarasimha , thanks for signing up to contribute!
I don't think that we need to worry about breaking changes here. The purpose of the module is to block access to the metadata server, so doing that on both ipv4 and ipv6 is reasonable to expect.
Hi @TheRealFalcon , quick update. I'm all set with this for the 'ip' command, but I encountered a couple of bugs with the 'route' command and IPv6 manipulation. I've encountered #openrc-312, which was resolved by a workaround mentioned in that issue. But I've encountered further issues with 'route' and IPv6 manipulation and I've asked a question here to get some help. The core of the issue seems to be that Linux suggests using 'rtnetlink' to do the IPv6 manipulation, but 'route' is using 'ioctl', which appears to only work well for IPv4 manipulation.
@prasanthnarasimha Why use "route" on Linux distros? Use "ip route", and leave "route" for the BSDs' use?
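One way to express the distinction drawn in the last two comments (iproute2 handles both address families, net-tools `route` only IPv4) together with a check that both reject routes are actually installed. This is an added example, not cloud-init's own module code; the function names, REJECT_TYPES and the sample route-table text are assumptions/constructed.

```python
import ipaddress
import subprocess

# Both IMDS addresses named in the thread: IPv4 link-local and the IPv6 ULA.
METADATA_ADDRS = ("169.254.169.254", "fd00:ec2::254")
REJECT_TYPES = ("prohibit", "unreachable", "blackhole")  # route types that drop traffic


def reject_route_cmd(addr, tool="ip"):
    """Build the command installing a reject route for one address.
    tool="ip" is iproute2 (rtnetlink, IPv4 and IPv6); tool="route" is
    net-tools, which the thread reports only works for IPv4."""
    ip = ipaddress.ip_address(addr)
    if tool == "ip":
        return ["ip", "-6" if ip.version == 6 else "-4",
                "route", "add", "prohibit", str(ip)]
    if tool == "route":
        if ip.version == 6:
            raise ValueError("net-tools 'route' cannot add IPv6 reject routes; use 'ip -6 route'")
        return ["route", "add", "-host", str(ip), "reject"]
    raise ValueError(f"unknown tool {tool!r}")


def block_metadata(tool="ip", run=subprocess.run):
    """Install reject routes for every metadata address; `run` is injectable so
    the logic can be exercised without root. Returns the commands issued."""
    cmds = [reject_route_cmd(a, tool) for a in METADATA_ADDRS]
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


def is_blocked(addr, route_show_output):
    """Check text from `ip [-6] route show` for a reject route covering addr."""
    target = ipaddress.ip_address(addr)
    for line in route_show_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in REJECT_TYPES:
            continue
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            continue  # second token was not a prefix (e.g. "via")
        if net.version == target.version and target in net:
            return True
    return False


# Constructed sample output in the shape `ip route show` / `ip -6 route show` print.
SAMPLE_V4 = "default via 10.0.0.1 dev eth0\nprohibit 169.254.169.254\n"
SAMPLE_V6 = "fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"  # no reject route yet
```

Running `is_blocked` against both families after the module has run is the check that catches exactly the gap this issue reports: the IPv4 route present, the IPv6 one missing.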