Browse Source

[cloud] Add ability to retrieve Google Compute Engine metadata

For some unspecified "security" reason, the Google Compute Engine
metadata server will refuse any requests that do not include the
non-standard HTTP header "Metadata-Flavor: Google".

Attempt to autodetect such requests (by comparing the hostname against
"metadata.google.internal"), and add the "Metadata-Flavor: Google"
header if applicable.

Enable this feature in the CONFIG=cloud build, and include a sample
embedded script allowing iPXE to boot from a script configured as
metadata via e.g.

  # Create shared boot image
  make bin/ipxe.usb CONFIG=cloud EMBED=config/cloud/gce.ipxe

  # Configure per-instance boot script
  gcloud compute instances add-metadata <instance> \
         --metadata-from-file ipxeboot=boot.ipxe

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8 years ago
parent
commit
de85336abb
5 changed files with 87 additions and 0 deletions
  1. 7
    0
      src/config/cloud/gce.ipxe
  2. 4
    0
      src/config/cloud/general.h
  3. 3
    0
      src/config/config_http.c
  4. 1
    0
      src/config/general.h
  5. 72
    0
      src/net/tcp/httpgce.c

+ 7
- 0
src/config/cloud/gce.ipxe View File

@@ -0,0 +1,7 @@
1
+#!ipxe
2
+
3
+echo Google Compute Engine - iPXE boot via metadata
4
+ifstat ||
5
+dhcp ||
6
+route ||
7
+chain -ar http://metadata.google.internal/computeMetadata/v1/instance/attributes/ipxeboot

+ 4
- 0
src/config/cloud/general.h View File

@@ -0,0 +1,4 @@
1
+/* Allow retrieval of metadata (such as an iPXE boot script) from
2
+ * Google Compute Engine metadata server.
3
+ */
4
+#define HTTP_HACK_GCE

+ 3
- 0
src/config/config_http.c View File

@@ -43,3 +43,6 @@ REQUIRE_OBJECT ( httpdigest );
43 43
 #ifdef HTTP_ENC_PEERDIST
44 44
 REQUIRE_OBJECT ( peerdist );
45 45
 #endif
46
+#ifdef HTTP_HACK_GCE
47
+REQUIRE_OBJECT ( httpgce );
48
+#endif

+ 1
- 0
src/config/general.h View File

@@ -78,6 +78,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
78 78
 #define HTTP_AUTH_BASIC		/* Basic authentication */
79 79
 #define HTTP_AUTH_DIGEST	/* Digest authentication */
80 80
 //#define HTTP_ENC_PEERDIST	/* PeerDist content encoding */
81
+//#define HTTP_HACK_GCE		/* Google Compute Engine hacks */
81 82
 
82 83
 /*
83 84
  * 802.11 cryptosystems and handshaking protocols

+ 72
- 0
src/net/tcp/httpgce.c View File

@@ -0,0 +1,72 @@
1
+/*
2
+ * Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+/**
27
+ * @file
28
+ *
29
+ * Google Compute Engine (GCE) metadata retrieval
30
+ *
31
+ * For some unspecified "security" reason, the Google Compute Engine
32
+ * metadata server will refuse any requests that do not include the
33
+ * non-standard HTTP header "Metadata-Flavor: Google".
34
+ */
35
+
36
+#include <strings.h>
37
+#include <stdio.h>
38
+#include <ipxe/http.h>
39
+
40
+/** Metadata host name
41
+ *
42
+ * This is used to identify metadata requests, in the absence of any
43
+ * more robust mechanism.
44
+ */
45
+#define GCE_METADATA_HOST_NAME "metadata.google.internal"
46
+
47
+/**
48
+ * Construct HTTP "Metadata-Flavor" header
49
+ *
50
+ * @v http		HTTP transaction
51
+ * @v buf		Buffer
52
+ * @v len		Length of buffer
53
+ * @ret len		Length of header value, or negative error
54
+ */
55
+static int http_format_metadata_flavor ( struct http_transaction *http,
56
+					 char *buf, size_t len ) {
57
+
58
+	/* Do nothing unless this appears to be a Google Compute
59
+	 * Engine metadata request.
60
+	 */
61
+	if ( strcasecmp ( http->request.host, GCE_METADATA_HOST_NAME ) != 0 )
62
+		return 0;
63
+
64
+	/* Construct host URI */
65
+	return snprintf ( buf, len, "Google" );
66
+}
67
+
68
+/** HTTP "Metadata-Flavor" header */
69
+struct http_request_header http_request_metadata_flavor __http_request_header ={
70
+	.name = "Metadata-Flavor",
71
+	.format = http_format_metadata_flavor,
72
+};

Loading…
Cancel
Save