NixOS AWS

22 Oct 2024
@nh2:matrix.org nh2

Completely independent question:

When I try to use NixOps to launch any newer AMI (it uses RunInstances), AWS errors with HTTP 400:

The parameter MetadataOptions is not recognized

I was puzzled by this, because I reproduced it with curl, where it also failed, and the request does not include the word MetadataOptions at all.
I just figured out that it seems to depend on the AMI launched.

AMIs for which this works/fails:

ami-0d6ee9d5e1c985df6   23.05.eu-central-1.x86_64-linux.hvm-ebs      WORKS
ami-0e7d1823ac80520e6   nixos/23.11.4976.79baff8812a0-x86_64-linux   ERRORS with `The parameter MetadataOptions is not recognized`
ami-0909c997a483185ec   nixos/23.11.7329.59a450646ec8-x86_64-linux   ERRORS with `The parameter MetadataOptions is not recognized`
ami-067999b24522c01c1   nixos/24.05.5809.4eb33fe664af-x86_64-linux   ERRORS with `The parameter MetadataOptions is not recognized`

Does anybody know what in the AMI could cause this?

00:03:44
@arianvp:matrix.org Arian: I thought NixOps is unmaintained. I think they even removed the AWS plugin recently (00:16:31)
@arianvp:matrix.org Arian: Metadata options is part of the AMI. Sec (00:16:47)
@arianvp:matrix.org Arian: I wonder if it's related to this line: ImdsSupport="v2.0", (00:17:47)
@arianvp:matrix.org Arian: https://github.com/NixOS/amis/blob/main/upload-ami/src/upload_ami/upload_ami.py#L173 (00:17:53)
@arianvp:matrix.org Arian: Hmm actually I think maybe NixOps uses a very old version of the AWS SDK that is maybe incompatible with the AWS API? (00:19:26)
@arianvp:matrix.org Arian: Can you show me the raw curl command? (00:19:43)
@arianvp:matrix.org Arian: The only hit on google is this one stack overflow issue: https://stackoverflow.com/questions/76495875/cant-provision-ec2-instance-with-ansible (00:23:03)
@arianvp:matrix.org Arian: You're not on EC2 classic or something weird right? (The old VPC-less EC2) (00:25:59)
@arianvp:matrix.org Arian: So yeh because the AMI sets that option, I think that causes an implicit MetadataOptions to be passed. However IMDSv2 is new. So maybe you're using a very old SDK. The EC2 API is versioned (See the Version parameter in the curl request) (00:36:06)
@arianvp:matrix.org Arian: So maybe if you are trying to spawn an instance with IMDSv2 enabled using the older API version you get this error (00:36:35)
@arianvp:matrix.org Arian: Advice here is: update boto3 (00:39:34)
@arianvp:matrix.org Arian: * Advice here is: update boto3 dependency of nixops (00:39:44)
@arianvp:matrix.org Arian: To quote the Amazon docs: "The latest versions of the AWS CLI and AWS SDKs support IMDSv2. To use IMDSv2, make sure that your EC2 instances have the latest versions of the CLI and SDKs." (00:44:06)
@arianvp:matrix.org Arian: It'd be interesting to look at both `aws ec2 run-instances` and nixops in debug mode to see the exact request. But I'm pretty sure it's gonna be the API version parameter that is causing issues (00:53:28)
@arianvp:matrix.org Arian: * It'd be interesting to look at both `aws ec2 run-instances` and nixops in debug mode to see the exact request differences. But I'm pretty sure it's gonna be the API version parameter that is causing issues (00:53:44)
@nh2:matrix.org nh2
In reply to @arianvp:matrix.org
I thought NixOps is unmaintained. I think they even removed the AWS plugin recently

Oh sure it is. Doesn't mean that all the startups using it to manage their infra evaporate though :D
With NixOps 2 never getting a real release and NixOps 4 already being the next "when it's done" software (I have some doubts that rewriting in Rust will solve community maintenance; it would certainly make debugging this stuff a lot harder than pdb allowed) ... NixOS 1.7 is the latest official stable release (TM) 🙃
Still works pretty well though.

I'm checking your replies now, very helpful, one moment

00:53:45
@arianvp:matrix.org Arian: If updating nixops is not an option I'm afraid you'll have to upload a custom AMI with that setting unset :( (00:57:09)
@arianvp:matrix.org Arian: But that'll get you into trouble as well as the ec2 nixos modules rely on IMDSv2 these days (00:59:38)
@arianvp:matrix.org Arian: Wait nah that's fine (01:00:52)
@arianvp:matrix.org Arian: IMDSv2 works on IMDSv1 images. (01:01:02)
@arianvp:matrix.org Arian: Just not the other way around (01:01:06)
@nh2:matrix.org nh2
In reply to @arianvp:matrix.org
The only hit on google is this one stack overflow issue : https://stackoverflow.com/questions/76495875/cant-provision-ec2-instance-with-ansible
*

Yes, I saw that. My plan is to answer that StackOverflow question eventually.

maybe NixOps uses a very old version of the AWS SDK that is maybe incompatible with the AWS API?

The key thing is it can't just be NixOps alone. Because NixOps (and the same curl command) launches the old instance but not the new. So it's not a plain AWS API removal.
I suspect it's something like "if you use an AMI that uses new feature X, you need to give some extra launch options" (what you're suggesting, as I read along).

This is the curl (credentials removed):

curl https://ec2.eu-west-1.amazonaws.com -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Authorization: AWS4-HMAC-SHA256 Credential=.../20241021/eu-west-1/ec2/aws4_request,SignedHeaders=host;x-amz-date,Signature=...' -H 'X-Amz-Date: 20241021T013814Z' --data 'Action=RunInstances&BlockDeviceMapping.1.DeviceName=%2Fdev%2Fxvda&BlockDeviceMapping.1.Ebs.DeleteOnTermination=true&BlockDeviceMapping.1.Ebs.Encrypted=false&BlockDeviceMapping.1.Ebs.SnapshotId=snap-0e6c56ddc0453c75a&BlockDeviceMapping.1.Ebs.VolumeSize=100&BlockDeviceMapping.1.Ebs.VolumeType=gp3&ClientToken=...&ImageId=ami-0e7d1823ac80520e6&InstanceInitiatedShutdownBehavior=stop&InstanceType=t2.medium&KeyName=my-nixops&MaxCount=1&MinCount=1&SecurityGroup.1=nixops-corp-test-2&UserData=...this only contains the SSH private key in base64...&Version=2014-10-01' -D -

Indeed Version=2014-10-01.
So what you're suggesting is quite likely.

01:01:54
@nh2:matrix.org nh2: So I think you pinpointed it exactly (01:02:06)
@arianvp:matrix.org Arian
In reply to @nh2:matrix.org

That Imdssupport:V2 Option on the AMI causes an implicit MetadataOptions parameter to be passed to RunInstances, and I guess the API version of nixops doesn't support that parameter
01:02:44
@arianvp:matrix.org Arian: * That Imdssupport:V2 Option on the AMI causes an implicit MetadataOptions parameter to be passed to RunInstances when you use the AMI, and I guess the API version of nixops doesn't support that parameter (01:03:06)
@arianvp:matrix.org Arian: The old AMI doesn't have that option set, so there is no implicit unsupported parameter (01:05:54)
@nh2:matrix.org nh2
Right.
Bit of a brutal error message, `The parameter MetadataOptions is not recognized`; AWS could at least say it's an implicit parameter added by the Version.
01:06:05
@arianvp:matrix.org Arian: Yeh this is something somewhere internally going wrong and then that error bubbling up 😅 (01:07:09)
