Bug 2151986

Summary: [RFE] Add support for IMDSv2 to nm-cloud-setup
Product: Red Hat Enterprise Linux 9 Reporter: Sara Ferguson <sferguso>
Component: NetworkManagerAssignee: NetworkManager Development Team <nm-team>
Status: CLOSED ERRATA QA Contact: David Jaša <djasa>
Severity: medium Docs Contact: Mayur Patil <maypatil>
Priority: medium    
Version: 9.1CC: bgalvani, fguilher, jklech, libhe, linl, lrintel, maypatil, qzhang, rkhan, sfaye, sukulkar, thaller, till, vbenes, xiliang, ymao
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: NetworkManager-1.43.3-1.el9 Doc Type: Enhancement
Doc Text:
.The `nm-cloud-setup` utility now supports IMDSv2 configuration Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the `nm-cloud-setup` utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the `nm-cloud-setup` utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:37:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2183217    

Comment 8 libhe 2023-03-20 03:29:36 UTC 
It seems that it has introduced a regression bug 2179718.
Comment 12 David Jaša 2023-05-01 17:10:18 UTC 
VERIFIED using NetworkManager-1.43.6-1.el9:



Token is acquired:
    [Request URI: http://169.254.169.254/latest/api/token]
    File Data: 56 bytes
    Data (56 bytes)

0000  41 51 41 41 41 4c 48 2d 6b 37 69 31 38 4a 4d 6b   AQAAALH-k7i18JMk
0010  4b 2d 4f 52 4c 5a 51 66 41 61 37 6e 6b 4e 6a 51   K-ORLZQfAa7nkNjQ
0020  62 4b 77 70 51 50 45 78 4e 48 71 7a 6b 31 6f 4c   bKwpQPExNHqzk1oL
0030  5f 37 65 68 2d 41 3d 3d                           _7eh-A==



And then used:
Hypertext Transfer Protocol
    GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n]
            [GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /2018-09-24/meta-data/network/interfaces/macs/
        Request Version: HTTP/1.1
    Host: 169.254.169.254\r\n
    Accept: */*\r\n
    X-aws-ec2-metadata-token: AQAAALH-k7i18JMkK-ORLZQfAa7nkNjQbKwpQPExNHqzk1oL_7eh-A==\r\n
    \r\n
    [Full request URI: http://169.254.169.254/2018-09-24/meta-data/network/interfaces/macs/]
Comment 18 errata-xmlrpc 2023-11-07 08:37:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (NetworkManager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6585