Get an AWS RHUI Client Package Supporting IMDSv2

Solution Verified - Updated -

Environment

AWS

Issue

If you enable IMDSv2 for an AWS instance, the instance can access RHUI repositories only if it has a recent version of the rh-amazon-rhui-client package: version 3.0.24 or later. If the instance is running an older version of this package with IMDSv2 enabled, you cannot even update the package, because the package itself is delivered from a RHUI repository.

Resolution

To allow Yum on the IMDSv2-enabled instance to work correctly again, take the following steps:

  1. Launch an instance of the same RHEL version. You can, but you don't have to, use the same AMI.
  2. Make sure IMDSv2 is not enabled for this instance.
  3. Download the latest RHUI client configuration package on this instance. For example, run the following command on your workstation:
       ssh EC2-HOSTNAME-2 "sudo yumdownloader rh-amazon-rhui-client"
  4. Copy the package from the instance to your workstation. For example, run the following command on your workstation:
       scp EC2-HOSTNAME-2:rh-amazon-rhui-client\* .
  5. Copy the file from your workstation to the IMDSv2-enabled instance. For example, run the following command on your workstation:
       scp rh-amazon-rhui-client* EC2-HOSTNAME-1:/tmp
  6. Update the package on the IMDSv2-enabled instance. For example, run the following command on your workstation:
       ssh EC2-HOSTNAME-1 "sudo rpm -U /tmp/rh-amazon-rhui-client*"

You should now be able to access RHUI repositories on the IMDSv2-enabled instance.

Terminate the temporary instance as you see fit.

Note: the ssh / scp commands in the procedure above assume that your SSH client is configured to use the ec2-user remote user and the appropriate SSH key by default.
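
The procedure above as one script, with a check that the downloaded package is version 3.0.24 or later before it is copied to the IMDSv2-enabled instance. This is an added example, not Red Hat's code: the function names are hypothetical, and it assumes the RPM file name follows the usual name-version-release.arch.rpm layout and that `sort -V` (GNU coreutils) is available on the workstation.

```shell
#!/bin/sh
# Added example. MIN_VERSION is the minimum version stated in this article.
MIN_VERSION="3.0.24"

# Print VERSION from a file name of the form
# rh-amazon-rhui-client-VERSION-RELEASE.ARCH.rpm (layout is an assumption).
rhui_client_version() {
    base=${1##*/}
    case "$base" in
        rh-amazon-rhui-client-[0-9]*.rpm) ;;
        *) return 1 ;;
    esac
    rest=${base#rh-amazon-rhui-client-}
    printf '%s\n' "${rest%%-*}"
}

# Succeed only if the package version is MIN_VERSION or later.
# sort -V compares numerically per component, so 3.0.9 sorts before 3.0.24.
supports_imdsv2() {
    ver=$(rhui_client_version "$1") || return 1
    lowest=$(printf '%s\n%s\n' "$MIN_VERSION" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$MIN_VERSION" ]
}

# $1 = temporary instance (IMDSv2 not enabled), $2 = IMDSv2-enabled instance.
refresh_rhui_client() {
    src=$1
    dst=$2
    ssh "$src" "sudo yumdownloader rh-amazon-rhui-client" || return 1
    scp "$src:rh-amazon-rhui-client*" . || return 1
    for pkg in rh-amazon-rhui-client*.rpm; do
        supports_imdsv2 "$pkg" || { echo "too old or unrecognized: $pkg" >&2; return 1; }
    done
    scp rh-amazon-rhui-client*.rpm "$dst:/tmp" || return 1
    ssh "$dst" "sudo rpm -U /tmp/rh-amazon-rhui-client*"
}

# Usage: sh script.sh EC2-HOSTNAME-2 EC2-HOSTNAME-1
if [ "$#" -eq 2 ]; then
    refresh_rhui_client "$1" "$2"
fi
```

Run it from an empty working directory so that older copies of the package do not trip the version check.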

Root Cause

This is a chicken-and-egg problem. Your Yum repositories are unavailable, and to make them available, you need a package which is (normally) in one of your Yum repositories.

Diagnostic Steps

Yum reports the following failure:

Could not resolve host: rhui3.REGION.aws.ce.redhat.com; Unknown error

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
