[Bug 461156] Re: User data is not parsed correctly by Eucalyptus in some cases
thierry.carrez at ubuntu.com
Wed Dec 2 09:03:40 GMT 2009
** Description changed:
- User data supplied using "euca-run-instances --user-data-file" is not decoded before being presented to the instance.
- Inside the instance, "curl http://169.254.169.254/latest/user-data" should fetch the decoded user data, whereas eucalyptus will return a base64 and url encoded string. This breaks ec2-run-user-data from the ec2-init package, rendering instance configuration using the user-data mechanism unusable.
+ User data supplied using "euca-run-instances --user-data-file" is not decoded before being presented to the instance.
+ Inside the instance, "curl http://169.254.169.254/latest/user-data" should fetch the decoded user data, whereas eucalyptus will return a base64 and url encoded string. This breaks ec2-run-user-data from the ec2-init package, rendering instance configuration using the user-data mechanism unusable.
EC2 documentation at http://docs.amazonwebservices.com/AWSEC2/2007-03-01/DeveloperGuide/AESDG-chapter-instancedata.html states that EC2 will return decoded data (i don't have a ec2 account so i can't confirm this):
"The user data must be base64-encoded before being submitted to the API. The API command-line tools perform the base64-encoding for you. The data will be base64 decoded before being presented to the instance."
+ SRU Report (eucalyptus, euca2ools):
+ Impact: This bug makes userdata unusable in cloud images used withing
+ UEC. userdata is used for a lot of things, in particular boot-time
+ configuration of our cloud images. This works within EC2 but not within
+ UEC, due to this bug.
+ This requires a fix in euca2ools (do not b64_encode twice). But fixing
+ it in euca2ools triggers a bug in eucalyptus when certain userdata is
+ received (the previous bug was protecting eucalyptus from this), so this
+ needs a eucalyptus update as well.
+ Fix in development release: This was fixed in lucid in eucalyptus
+ (1.6.1~bzr1083-0ubuntu1) by applying the same patch. Was not fixed in
+ euca2ools yet.
+ Minimal patch for eucalyptus:
+ Minimal patch for euca2ools:
+ --- euca2ools-1.0+bzr20091007.orig/bin/euca-run-instances
+ +++ euca2ools-1.0+bzr20091007/bin/euca-run-instances
+ @@ -170,8 +170,6 @@
+ print 'Invalid user data file path'
+ user_data = read_user_data(user_data_file)
+ - if user_data:
+ - user_data = base64.urlsafe_b64encode(user_data)
+ euca_conn = euca.make_connection()
+ reservation = euca_conn.run_instances(image_id = image_id,
+ TEST CASE:
+ euca-run-instances -k $MYKEY --user-data " << FOO >" $EMI -t c1.medium
+ ssh -i $MYKEYPRIV ubuntu@$IP 'wget -q http://169.254.169.254/latest/user-data -O -'; echo
+ Expected results: should return " << FOO >"
+ Fails with affected euca2ools and eucalyptus (returns "IDw8IEZPTyA-" instead of " << FOO >")
+ Succeeds with proposed euca2ools and proposed eucalyptus.
+ Regression potential:
+ The regression potential is small, since userdata is not really usable right now. In euca2ools, only someone relying on the bug (and base64_decoding the userdata in the cloud image itself) would be affected. Regression potential is slightly higher on eucalyptus side, since the fix is about escaping special characters in userdata. Careful testing with various userdata strings (to hit the special characters in the urlsafe-base64-encoded string) is necessary.
Karmic release notes:
user-data not usable by guest instances
Starting an instance with euca-run-instances and user-data (either using
the -d, --user-data option or the -f, --user-data-file option) will
store the user data in base64 encoding. Accessing the user data from
the instance at http://169.254.169.254/latest/user-data will return the
user data in base64 encoding. Because of this bug ec2-init is unable
make use of user-data. In order to use this data it must first be
decoded. A fix for this issue is expected to be provided in a post-
release update immediately after the Ubuntu 9.10 release.
User data is not parsed correctly by Eucalyptus in some cases
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
More information about the Ubuntu-server-bugs