Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1

While this isn't strictly a security issue, it *appears* to be and we got audited as such, so just turn it off

Fixes https://jira.coreos.com/browse/QS-83
This commit is contained in:
Joseph Schorr 2017-12-06 17:21:55 -05:00
parent d405f6f158
commit 2ffdfa1434

View file

@ -19,6 +19,11 @@ ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCs9jVbzOkDg60i+TGkETit/K9h8iBkwapRa2XURJzdYKcE27fYueX37mOdTBVCi3phOV4cWzkjRwtQBz7KCMBqrr1gLaIsuUIqeFpskTuTr9k7XgZqZ6QpECrqDy9HgCLdZO40sYCOvpw+GzehlsZPZEHRROotXCKc3k98Vlb8+1QPa4s5iZrIIdFyq3ZyhoupcN2nIwMh0GnkvgwS2DymGeLd8tziI8+ti8dxWSvgILaPplv2JTf/iqRsE3xtbtjE0tSf8VyfTLIBv+hyW79Hvaf/pvrsADwJf43IWmdOwHpYNhqR/kvx6j0LkPfxWq+rtXG3Q4JqWi4nZz5w3VTH1KImMBGil2sK1AiCwEUSQzQs2apTivfTy25HFLtje6qB8ZkvelK2lOGI62gdWiOOknYn3VpfMdrPDLGNoTnntrcG/UbJoa911IxilP4idbUxXQdyIzYr6BJJccCFiLVECPHoOaDsZ0abkBvrewp+1hqsvL7zRs4EvbI7Cfvcnf9hZd+n20Bp250GbcH0HD4/9d2DMIU6c6rAjmglPfVmyphcRruWdyCZz+ps9cfpVCQSSGSnbGS7T3M4VIXrCtjNZ7Fv7YIJ8EXWlhkNEfOYuy/lhfvyMLrp5abg5HkXSgOA3kfyitLnBN/lJODSUguDPmpo7tyjplEFQ70LYxJczw== EvB Key
write_files:
- path: /root/disable-aws-metadata.sh
permission: '0655'
content: |
iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1
- path: /etc/docker/daemon.json
permission: '0644'
content: |
@ -76,6 +81,20 @@ coreos:
after_units=['quay-builder.service']
) | indent(4) }}
{%- endif %}
- name: disable-aws-metadata.service
command: start
enable: yes
content: |
[Unit]
Description=Disable AWS metadata service
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/root/disable-aws-metadata.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- name: machine-lifetime.service
command: start
enable: yes