
IMDSv2 calls have no timeouts

Open sylr opened this issue 9 months ago • 3 comments

Bug Report

Describe the bug

In order to harden our security in our Kubernetes clusters, we recently set the http-put-response-hop-limit to 1 instead of 2 on our instances so that containers wouldn't be able to assume the host instance's role.

This caused fluentbit (running in containers without host networking) to silently stop sending logs, because the calls to IMDSv2 are dropped by AWS if the number of hops is greater than the limit, and because the AWS filter's calls to IMDSv2 have no timeouts, making fluentbit wait forever.

To Reproduce

Use the AWS filter in a container running on an instance having http-put-response-hop-limit set to 1.

Expected behavior

The AWS filter fails with an error if it is not able to reach the IMDSv2 endpoint.

Screenshots

Your Environment

  • Version used: 2.32.5
  • Configuration:
  • Environment name and version (e.g. Kubernetes? What version?):
  • Server type and version:
  • Operating System and version:
  • Filters and plugins:

Additional context

sylr • Mar 06 '25 10:03
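One way to get the fail-fast behaviour the report asks for, as an added example (not fluent-bit's code and not from the issue author): an IMDSv2 token request over Linux/POSIX sockets with a deadline on both connect and the reply, so a response that never arrives yields `-ETIMEDOUT` instead of an indefinite wait. The names `wait_fd`, `exchange` and `imds_token`, the 2-second deadline and the TTL value are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait up to ms for ev on fd: 0 when ready, -ETIMEDOUT when nothing arrives. */
static int wait_fd(int fd, short ev, int ms) {
    struct pollfd p = { .fd = fd, .events = ev };
    int rc = poll(&p, 1, ms);
    return rc > 0 ? 0 : (rc == 0 ? -ETIMEDOUT : -errno);
}

/* Send req on a connected fd, read the first chunk of the reply: bytes or -errno. */
int exchange(int fd, const char *req, int ms, char *buf, size_t len) {
    ssize_t n;
    int rc;
    if (send(fd, req, strlen(req), MSG_NOSIGNAL) < 0) return -errno;
    if ((rc = wait_fd(fd, POLLIN, ms)) < 0) return rc; /* reply never arrived */
    if ((n = recv(fd, buf, len - 1, 0)) < 0) return -errno;
    buf[n] = '\0';
    return (int)n;
}

/* IMDSv2 token request (TTL is a sample value), deadline on connect and reply. */
int imds_token(const char *ip, int port, int ms, char *buf, size_t len) {
    static const char req[] = "PUT /latest/api/token HTTP/1.1\r\n"
        "Host: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\n";
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd, rc, err = 0;
    socklen_t el = sizeof err;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -EINVAL;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -errno;
    fcntl(fd, F_SETFL, O_NONBLOCK); /* connect() must not block either */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 && errno != EINPROGRESS)
        rc = -errno;
    else if ((rc = wait_fd(fd, POLLOUT, ms)) == 0) {
        getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &el);
        rc = err ? -err : exchange(fd, req, ms, buf, len);
    }
    close(fd);
    return rc;
}

int main(void) {
    char buf[512]; /* exits 1 when IMDS gives no reply before the deadline */
    return imds_token("169.254.169.254", 80, 2000, buf, sizeof buf) < 0;
}
```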

The version provided is not an OSS version. I'm guessing you're on an AWS-specific version, so I would raise it there or use an OSS version: https://github.com/aws/aws-for-fluent-bit

Please also follow the template, there is no actual config included.

patrick-stephens • Mar 07 '25 10:03

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] • Jun 06 '25 02:06

@patrick-stephens you're right, I am using aws-for-fluent-bit v2.35.5 which uses fluentbit v1.9.10.

I've looked at the fluentbit code and it seems fluentbit has its own HTTP client implementation, doesn't it?

I've looked and I did not find any mention of timeout.

sylr • Jun 06 '25 07:06

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] • Sep 07 '25 02:09

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] • Oct 25 '25 02:10