From 766ae754928d1731f852859ebb6239d2e2690a43 Mon Sep 17 00:00:00 2001
From: bixiaoyan
Date: Fri, 6 Dec 2024 15:00:11 +0800
Subject: [PATCH] aws.sh: chmod 600 $TOKEN_FILE, add get_instance_id() with DMI support, and use get_instance_id() in AWS agents aws.sh/ocf-shellfuncs: add ability to fresh token if it's invalid
---
 ...-TOKEN_FILE-add-get_instance_id-with.patch | 113 ++++++++++++++++++
 ...funcs-add-ability-to-fresh-token-if-.patch | 53 ++++++++
 resource-agents.spec | 8 +-
 3 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 backport-aws.sh-chmod-600-TOKEN_FILE-add-get_instance_id-with.patch
 create mode 100644 backport-aws.sh-ocf-shellfuncs-add-ability-to-fresh-token-if-.patch

diff --git a/backport-aws.sh-chmod-600-TOKEN_FILE-add-get_instance_id-with.patch b/backport-aws.sh-chmod-600-TOKEN_FILE-add-get_instance_id-with.patch
new file mode 100644
index 0000000..86348ea
--- /dev/null
+++ b/backport-aws.sh-chmod-600-TOKEN_FILE-add-get_instance_id-with.patch
@@ -0,0 +1,113 @@
+From cc5ffa5e599c974c426e93faa821b342e96b916d Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Mon, 11 Nov 2024 12:46:27 +0100
+Subject: [PATCH 2/8] aws.sh: chmod 600 $TOKEN_FILE, add get_instance_id() with
+ DMI support, and use get_instance_id() in AWS agents
+
+---
+ heartbeat/aws-vpc-move-ip | 2 +-
+ heartbeat/aws.sh | 30 +++++++++++++++++++++++++++---
+ heartbeat/awseip | 2 +-
+ heartbeat/awsvip | 2 +-
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 3aa9ceb0..09ae68b5 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -269,7 +269,7 @@ ec2ip_validate() {
+ 
+ TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+- EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++ EC2_INSTANCE_ID=$(get_instance_id)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ if [ -z "${EC2_INSTANCE_ID}" ]; then
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+index c77f93b9..9cd343c1 100644
+--- a/heartbeat/aws.sh
++++ b/heartbeat/aws.sh
+@@ -9,8 +9,8 @@
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+ 
+ # Defaults
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
++OCF_RESKEY_curl_retries_default="4"
++OCF_RESKEY_curl_sleep_default="3"
+ 
+ : ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+ : ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+@@ -20,11 +20,13 @@ OCF_RESKEY_curl_sleep_default="1"
+ TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
+ TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
+ TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
++DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
+ 
+ # Function to fetch a new token
+ fetch_new_token() {
+ TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
+ echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
++ chmod 600 "$TOKEN_FILE"
+ echo "$TOKEN"
+ }
+ 
+@@ -43,4 +45,26 @@ get_token() {
+ fi
+ # Fetch a new token if not valid
+ fetch_new_token
+-}
+\ No newline at end of file
++}
++
++get_instance_id() {
++ local INSTANCE_ID
++
++ # Try to get the EC2 instance ID from DMI first before falling back to IMDS.
++ ocf_log debug "EC2: Attempt to get EC2 Instance ID from local file."
++ if [ -r "$DMI_FILE" ] && [ -s "$DMI_FILE" ]; then
++ INSTANCE_ID="$(cat "$DMI_FILE")"
++ case "$INSTANCE_ID" in
++ i-0*) echo "$INSTANCE_ID"; return "$OCF_SUCCESS" ;;
++ esac
++ fi
++
++ INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++ if [ $? -ne 0 ]; then
++ ocf_exit_reason "Failed to get EC2 Instance ID"
++ exit $OCF_ERR_GENERIC
++ fi
++
++ echo "$INSTANCE_ID"
++ return "$OCF_SUCCESS"
++}
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 4b1c3bc6..7f38376d 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -305,7 +305,7 @@ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+ TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++INSTANCE_ID=$(get_instance_id)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 8c71e7fa..0856ac5e 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -265,7 +265,7 @@ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++INSTANCE_ID=$(get_instance_id)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-- 
+2.25.1
+
diff --git a/backport-aws.sh-ocf-shellfuncs-add-ability-to-fresh-token-if-.patch b/backport-aws.sh-ocf-shellfuncs-add-ability-to-fresh-token-if-.patch
new file mode 100644
index 0000000..8011822
--- /dev/null
+++ b/backport-aws.sh-ocf-shellfuncs-add-ability-to-fresh-token-if-.patch
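Review bot: In fetch_new_token the new `chmod 600 "$TOKEN_FILE"` runs only after `echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"` has already created the file, so on first creation the token sits briefly at the umask-derived mode (commonly 0644) before it is tightened; creating it under a restrictive umask removes that window, e.g. `( umask 077; echo "$TOKEN $(date +%s)" > "$TOKEN_FILE" )`, while keeping the chmod for a file left over from an older version. In get_instance_id the IMDS fallback reads the global `$TOKEN` that the function never sets itself; the three agents call `TOKEN=$(get_token)` right before it, but a comment such as `# Requires TOKEN to be set via get_token before calling` would make that dependency visible to future callers. The DMI branch only short-circuits on an `i-0*` value and otherwise falls through to IMDS silently; a debug log on that fallback would help when diagnosing why the metadata service was contacted on a nitro instance.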
@@ -0,0 +1,53 @@
+From b8d3ecc6a8ce4baf4b28d02978dd573728ccf5fa Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Mon, 18 Nov 2024 11:10:42 +0100
+Subject: [PATCH 3/8] aws.sh/ocf-shellfuncs: add ability to fresh token if it's
+ invalid
+
+---
+ heartbeat/aws.sh | 1 +
+ heartbeat/ocf-shellfuncs.in | 11 ++++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+index 9cd343c1..64f2e13a 100644
+--- a/heartbeat/aws.sh
++++ b/heartbeat/aws.sh
+@@ -18,6 +18,7 @@ OCF_RESKEY_curl_sleep_default="3"
+ # Function to enable reusable IMDS token retrieval for efficient repeated access
+ # File to store the token and timestamp
+ TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
++TOKEN_FUNC="fetch_new_token" # Used by curl_retry() if saved token is invalid
+ TOKEN_LIFETIME=21600 # Token lifetime in seconds (6 hours)
+ TOKEN_EXPIRY_THRESHOLD=3600 # Renew token if less than 60 minutes (1 hour) remaining
+ DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index 922c6ea4..8e51fa3c 100644
+--- a/heartbeat/ocf-shellfuncs.in
++++ b/heartbeat/ocf-shellfuncs.in
+@@ -697,6 +697,15 @@ curl_retry()
+ 
+ ocf_log debug "result: $result"
+ [ $rc -eq 0 ] && break
++ if [ -n "$TOKEN" ] && [ -n "$TOKEN_FILE" ] && \
++ [ -f "$TOKEN_FILE" ] && [ -n "$TOKEN_FUNC" ] && \
++ echo "$result" | grep -q "The requested URL returned error: 401$"; then
++ local OLD_TOKEN="$TOKEN"
++ ocf_log err "Token invalid. Getting new token."
++ TOKEN=$($TOKEN_FUNC)
++ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++ args=$(echo "$args" | sed "s/$OLD_TOKEN/$TOKEN/")
++ fi
+ sleep $sleep
+ done
+ 
+@@ -1110,4 +1119,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
+ # pacemaker sets HA_use_logd, some others use HA_LOGD :/
+ if ocf_is_true "$HA_use_logd"; then
+ : ${HA_LOGD:=yes}
+-fi
+\ No newline at end of file
++fi
+-- 
+2.25.1
+
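Review bot: The refresh line `args=$(echo "$args" | sed "s/$OLD_TOKEN/$TOKEN/")` in curl_retry interpolates both tokens unescaped into a sed expression; IMDSv2 tokens are base64-style strings that can contain `/`, which clashes with the `s///` delimiter and makes sed fail, and a failure there presumably leaves `args` empty for the remaining retries because the command substitution then yields nothing. A delimiter outside the base64 alphabet, `args=$(echo "$args" | sed "s|$OLD_TOKEN|$TOKEN|")`, avoids the clash; a plain-shell prefix/suffix substitution would additionally avoid any regex interpretation of the old token. `TOKEN=$($TOKEN_FUNC)` updates curl_retry's own copy of `TOKEN`, but the agents run curl_retry inside `$(...)`, so the caller's `TOKEN` presumably keeps the stale value and each subsequent curl_retry call repeats the 401 round-trip before refreshing again — worth confirming against the callers. curl_retry's body starts and ends outside this hunk.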
diff --git a/resource-agents.spec b/resource-agents.spec
index 83c65af..3e5ebec 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -1,7 +1,7 @@
 Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.16.0
-Release: 3
+Release: 4
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 Source0: https://github.com/ClusterLabs/resource-agents/releases/tag/v%{version}.tar.gz
@@ -9,6 +9,8 @@ Patch0000: backport-High-storage-mon-Correct-the-timing-of-setting-not
 Patch0001: backport-storage_mon-remove-unused-macro-variables-1994.patch
 Patch0002: backport-Mid-storage-mon-RA-Wait-until-monitor-confirms-the-s.patch
 Patch0003: backport-AWS-agents-reuse-IMDS-token-until-it-expires-issue-1.patch
+Patch0004: backport-aws.sh-chmod-600-TOKEN_FILE-add-get_instance_id-with.patch
+Patch0005: backport-aws.sh-ocf-shellfuncs-add-ability-to-fresh-token-if-.patch
 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
 BuildRequires: automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel
@@ -106,6 +108,10 @@ export CFLAGS="$(echo '%{optflags}')"
 %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*}
 
 %changelog
+* Fri Dec 06 2024 bixiaoyan - 4.16.0-4
+- aws.sh: chmod 600 $TOKEN_FILE, add get_instance_id() with DMI support, and use get_instance_id() in AWS agents
+- aws.sh/ocf-shellfuncs: add ability to fresh token if it's invalid
+
 * Fri Dec 06 2024 liupei - 4.16.0-3
 - AWS agents: reuse IMDS token until it expires
-- 
Gitee