author | Jake Buchholz <tomalok@gmail.com> | 2020-05-01 15:00:36 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2020-05-05 15:03:03 -0700 |
commit | 07a0b9f3c881f3efdc7ef31aa179047be835262a (patch) | |
tree | 795a86001820d12c853ca7da9fbc54a9eeb8b4fb | |
parent | 080517315494517a1085aea7ea372421ca7220f3 (diff) | |
Support IMDSv2 / Make shellcheck Happier (release-1.3.2)
* get/use Instance MetaData Service v2 token, thanks @junkb (resolves #6)
* make shellcheck happier
* fix installation of multiple SSH keys for EC2_USER
* use 'grep -q' to detect shebang in user_data
-rw-r--r-- | tiny-ec2-bootstrap | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/tiny-ec2-bootstrap b/tiny-ec2-bootstrap index 9c62afb..a8dea2e 100644 --- a/tiny-ec2-bootstrap +++ b/tiny-ec2-bootstrap | |||
@@ -5,15 +5,22 @@ description="Provides EC2 cloud bootstrap" | |||
5 | 5 | ||
6 | # override in /etc/conf.d/tiny-ec2-bootstrap | 6 | # override in /etc/conf.d/tiny-ec2-bootstrap |
7 | EC2_USER=${EC2_USER:-alpine} | 7 | EC2_USER=${EC2_USER:-alpine} |
8 | IMDS2_TOKEN_TTL=${IMDS2_TOKEN_TTL:-5} | ||
8 | 9 | ||
9 | depend() { | 10 | depend() { |
10 | need net | 11 | need net |
11 | provide cloud-final | 12 | provide cloud-final |
12 | } | 13 | } |
13 | 14 | ||
15 | _get_metadata_token() { | ||
16 | echo -ne "PUT /latest/api/token HTTP/1.0\r\nX-aws-ec2-metadata-token-ttl-seconds: $IMDS2_TOKEN_TTL\r\n\r\n" | | ||
17 | nc 169.254.169.254 80 | tail -n 1 | ||
18 | } | ||
19 | |||
14 | _get_metadata() { | 20 | _get_metadata() { |
15 | local uri="$1" | 21 | local uri="$1" |
16 | wget -qO - "http://169.254.169.254/latest/$uri" 2>/dev/null | 22 | wget -qO - --header "X-aws-ec2-metadata-token: $(_get_metadata_token)" \ |
23 | "http://169.254.169.254/latest/$uri" 2>/dev/null | ||
17 | } | 24 | } |
18 | 25 | ||
19 | _update_hostname() { | 26 | _update_hostname() { |
@@ -26,8 +33,8 @@ _update_hostname() { | |||
26 | 33 | ||
27 | _set_ssh_keys() { | 34 | _set_ssh_keys() { |
28 | local user="$1" | 35 | local user="$1" |
29 | local group="$(getent passwd $user | cut -d: -f4)" | 36 | local group="$(getent passwd "$user" | cut -d: -f4)" |
30 | local ssh_dir="$(getent passwd $user | cut -d: -f6)/.ssh" | 37 | local ssh_dir="$(getent passwd "$user" | cut -d: -f6)/.ssh" |
31 | local keys_file="$ssh_dir/authorized_keys" | 38 | local keys_file="$ssh_dir/authorized_keys" |
32 | 39 | ||
33 | if [ ! -d "$ssh_dir" ]; then | 40 | if [ ! -d "$ssh_dir" ]; then |
@@ -39,16 +46,16 @@ _set_ssh_keys() { | |||
39 | 46 | ||
40 | touch "$keys_file" | 47 | touch "$keys_file" |
41 | chmod 600 "$keys_file" | 48 | chmod 600 "$keys_file" |
42 | chown -R $user:$group "$ssh_dir" | 49 | chown -R "$user:$group" "$ssh_dir" |
43 | 50 | ||
44 | for key in "$(_get_metadata meta-data/public-keys/)"; do | 51 | for key in $(_get_metadata meta-data/public-keys/); do |
45 | echo $(_get_metadata "meta-data/public-keys/${key%=*}/openssh-key/") >> "$keys_file" | 52 | _get_metadata "meta-data/public-keys/${key%=*}/openssh-key/" >> "$keys_file" |
46 | done | 53 | done |
47 | } | 54 | } |
48 | 55 | ||
49 | _run_userdata() { | 56 | _run_userdata() { |
50 | user_data=$(_get_metadata user-data) | 57 | user_data=$(_get_metadata user-data) |
51 | if echo $user_data | grep '^#!/' 2>&1 >/dev/null; then | 58 | if echo "$user_data" | grep -q '^#!/'; then |
52 | echo "$user_data" > /var/lib/cloud/user-data.sh | 59 | echo "$user_data" > /var/lib/cloud/user-data.sh |
53 | chmod +x /var/lib/cloud/user-data.sh | 60 | chmod +x /var/lib/cloud/user-data.sh |
54 | /var/lib/cloud/user-data.sh 2>&1 | tee /var/log/cloud-bootstrap.log | 61 | /var/lib/cloud/user-data.sh 2>&1 | tee /var/log/cloud-bootstrap.log |
@@ -57,7 +64,7 @@ _run_userdata() { | |||
57 | } | 64 | } |
58 | 65 | ||
59 | _resize_root_partition() { | 66 | _resize_root_partition() { |
60 | resize2fs $(mountpoint -n / | cut -d' ' -f1) | 67 | resize2fs "$(mountpoint -n / | cut -d' ' -f1)" |
61 | } | 68 | } |
62 | 69 | ||
63 | _disable_password() { | 70 | _disable_password() { |
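Review bot: `_get_metadata_token` in the first hunk never checks the IMDS response, so when the PUT does not return 200 (IMDSv2 disabled by the instance, an out-of-range `IMDS2_TOKEN_TTL`, a hop-limit rejection, or `nc` missing or failing) `tail -n 1` hands back whatever the last line of the reply happens to be, and `_get_metadata` then sends that garbage as `X-aws-ec2-metadata-token`. Because `wget` runs with `-q` and `2>/dev/null`, the resulting 401 is invisible: `_set_ssh_keys` and `_run_userdata` silently get empty output and the instance boots without keys or user-data rather than logging an error. A small guard on the status line before trusting the body would make the failure explicit; I would also note in a comment that a fresh token is requested on every `_get_metadata` call, which is why the 5-second default TTL is sufficient. Whether an empty or bogus token header is rejected when IMDSv1 is still allowed is something I have not verified, so callers should not rely on a fallback either way.

```shell
_get_metadata_token() {
    local resp
    resp="$(echo -ne "PUT /latest/api/token HTTP/1.0\r\nX-aws-ec2-metadata-token-ttl-seconds: $IMDS2_TOKEN_TTL\r\n\r\n" |
        nc 169.254.169.254 80)" || return 1
    # only trust the body when the status line reports success
    case "$(echo "$resp" | head -n 1)" in
        *" 200 "*) echo "$resp" | tail -n 1 ;;
        *) return 1 ;;
    esac
}
```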