[cloud] Add ability to retrieve Google Compute Engine metadata

For some unspecified "security" reason, the Google Compute Engine
metadata server will refuse any requests that do not include the
non-standard HTTP header "Metadata-Flavor: Google".

Attempt to autodetect such requests (by comparing the hostname against
"metadata.google.internal"), and add the "Metadata-Flavor: Google"
header if applicable.

Enable this feature in the CONFIG=cloud build, and include a sample
embedded script allowing iPXE to boot from a script configured as
metadata via e.g.

  # Create shared boot image
  make bin/ipxe.usb CONFIG=cloud EMBED=config/cloud/gce.ipxe

  # Configure per-instance boot script
  gcloud compute instances add-metadata <instance> \
         --metadata-from-file ipxeboot=boot.ipxe

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/config/cloud/gce.ipxe b/src/config/cloud/gce.ipxe
new file mode 100644 (file)
index 0000000..95330d7
--- /dev/null
+++ b/src/config/cloud/gce.ipxe
@@ -0,0 +1,7 @@
+#!ipxe
+
+echo Google Compute Engine - iPXE boot via metadata
+ifstat ||
+dhcp ||
+route ||
+chain -ar http://metadata.google.internal/computeMetadata/v1/instance/attributes/ipxeboot

diff --git a/src/config/cloud/general.h b/src/config/cloud/general.h
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..99028c1473e5f90ce52ee304266d6ac3a974e000 100644 (file)
--- a/src/config/cloud/general.h
+++ b/src/config/cloud/general.h
@@ -0,0 +1,4 @@
+/* Allow retrieval of metadata (such as an iPXE boot script) from
+ * Google Compute Engine metadata server.
+ */
+#define HTTP_HACK_GCE

diff --git a/src/config/config_http.c b/src/config/config_http.c
index 3f198d228453bb8f306e3c8eb0f4c09589fffa89..3c0e78028fe39403a1d369335a7c77ea331ba40d 100644 (file)
--- a/src/config/config_http.c
+++ b/src/config/config_http.c
@@ -43,3 +43,6 @@ REQUIRE_OBJECT ( httpdigest );
 #ifdef HTTP_ENC_PEERDIST
 REQUIRE_OBJECT ( peerdist );
 #endif
+#ifdef HTTP_HACK_GCE
+REQUIRE_OBJECT ( httpgce );
+#endif

diff --git a/src/config/general.h b/src/config/general.h
index be0845f68da4736cf733f2736213ba71500ba924..fb1ac93f43e59ab5aeb2a8ba2b4237c893e8029a 100644 (file)
--- a/src/config/general.h
+++ b/src/config/general.h
@@ -78,6 +78,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define HTTP_AUTH_BASIC                /* Basic authentication */
 #define HTTP_AUTH_DIGEST       /* Digest authentication */
 //#define HTTP_ENC_PEERDIST    /* PeerDist content encoding */
+//#define HTTP_HACK_GCE                /* Google Compute Engine hacks */
 
 /*
  * 802.11 cryptosystems and handshaking protocols

diff --git a/src/net/tcp/httpgce.c b/src/net/tcp/httpgce.c
new file mode 100644 (file)
index 0000000..c5d8790
--- /dev/null
+++ b/src/net/tcp/httpgce.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+/**
+ * @file
+ *
+ * Google Compute Engine (GCE) metadata retrieval
+ *
+ * For some unspecified "security" reason, the Google Compute Engine
+ * metadata server will refuse any requests that do not include the
+ * non-standard HTTP header "Metadata-Flavor: Google".
+ */
+
+#include <strings.h>
+#include <stdio.h>
+#include <ipxe/http.h>
+
+/** Metadata host name
+ *
+ * This is used to identify metadata requests, in the absence of any
+ * more robust mechanism.
+ */
+#define GCE_METADATA_HOST_NAME "metadata.google.internal"
+
+/**
+ * Construct HTTP "Metadata-Flavor" header
+ *
+ * @v http             HTTP transaction
+ * @v buf              Buffer
+ * @v len              Length of buffer
+ * @ret len            Length of header value, or negative error
+ */
+static int http_format_metadata_flavor ( struct http_transaction *http,
+                                        char *buf, size_t len ) {
+
+       /* Do nothing unless this appears to be a Google Compute
+        * Engine metadata request.
+        */
+       if ( strcasecmp ( http->request.host, GCE_METADATA_HOST_NAME ) != 0 )
+               return 0;
+
+       /* Construct host URI */
+       return snprintf ( buf, len, "Google" );
+}
+
+/** HTTP "Metadata-Flavor" header */
+struct http_request_header http_request_metadata_flavor __http_request_header ={
+       .name = "Metadata-Flavor",
+       .format = http_format_metadata_flavor,
+};