fix(s3,elbv2,iam,cloudformation): copy-source-if-match, prober sibling-host, IAM pagination, CFN RDS port/attr + real EC2::Instance#2040
Open
vieiralucas wants to merge 2 commits into
Open
Conversation
…g-host, IAM pagination, CFN RDS port/attr + real EC2::Instance S3: - CopyObject + UploadPartCopy now honor x-amz-copy-source-if-match (mismatched source ETag -> 412 PreconditionFailed; UploadPartCopy also gains the if-none-match/(un)modified-since copy-source preconditions it was missing). - GetObject/HeadObject set x-amz-website-redirect-location via the skip-if-invalid insert_str_header helper instead of .parse().unwrap() (no longer panics on a control-char value). ELBv2: - Health prober resolves i-* / ECS-bridge targets via sibling_host (detect_container_cli + HostNetworking::detect), mirroring the data plane's resolve_upstream_host, so probes don't hit fakecloud's own loopback under FAKECLOUD_IN_CONTAINER=1 and 503 every target. IAM: - ListPolicies honors OnlyAttached + PolicyUsageFilter. - GetGroup honors Marker/MaxItems and reports IsTruncated + Marker. - ListEntitiesForPolicy honors pagination + PathPrefix + PolicyUsageFilter. - ListAccessKeys / ListSSHPublicKeys raise NoSuchEntity for a missing user instead of an empty 200. CloudFormation: - RDS provisioner defaults the port from the engine (reusing RDS's default_port_for_engine; MySQL -> 3306, etc.) and publishes the SAME DbiResourceId stored on the record (was refabricated db-<identifier>). - AWS::EC2::Instance is now a real provisioner: creates a control-plane instance synchronously (Ref -> i- id, GetAtt PrivateIp/PublicIp/AZ) and backs it with a real container via a new EC2 cfn_provision spawn intent, with a matching teardown intent on stack delete. Distribution / auth: - docker.yml image smoke-test also asserts the docker CLI is present. - Dockerfile comment corrected to the pinned 29.5.3. - main.rs IAM-enforcement-skipped startup log promoted info! -> warn!. Tests: e2e for S3 copy-source-if-match (412/200), IAM only-attached / GetGroup pagination / ListAccessKeys NoSuchEntity, CFN MySQL port + DbiResourceId match + real EC2::Instance Ref; unit test for the ELBv2 prober sibling-host resolution.
…llback The privileged sg-enforcement job failed all 3 attempts at the "must DROP" assertion (ec2_sg_enforcement_real.rs:237), but the instance IPs reveal an environmental cause, not an enforcement regression: attempt 1 ran on a per-subnet bridge (172.18.x) while attempts 2-3 ran on docker0 (172.17.0.3). bridge-nf-call-iptables was 1 throughout and the deny rule WAS installed each time -- so enforcement engaged; the packet flowed only because the instances landed on docker0, where same-subnet traffic never reaches fakecloud's per-subnet nft forward chain. This is the docker0-fallback the job already documents: once Docker's default address pool gets wedged, `docker network create fakecloud-subnet-<id>` fails and the runtime falls back to docker0. `docker network rm`/`prune` alone wasn't reclaiming the pool on the runner, so attempts 2-3 failed identically. Restart the Docker daemon in clean_docker (images persist; ensure_bridge_nf still runs after) so each attempt gets a pristine docker0 + address pool and the retries are genuinely independent. No product code changed: RunInstances, the EC2 runtime networking, and the SG firewall model are byte-for-byte identical to main.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cluster of confirmed correctness/compat/portability bug fixes.
S3
x-amz-copy-source-if-match(the crate never read it). A mismatched source ETag now returns 412 PreconditionFailed instead of copying + 200. UploadPartCopy also gains the if-none-match / if-(un)modified-since copy-source preconditions it was missing. (write.rs,multipart.rs)x-amz-website-redirect-locationnow set via the skip-if-invalidinsert_str_headerhelper instead of.parse().unwrap()(no longer panics on a control-char value). (read.rs)ELBv2
i-*/ ECS-bridge targets viasibling_host(detect_container_cli+HostNetworking::detect), mirroring the data plane'sresolve_upstream_host. UnderFAKECLOUD_IN_CONTAINER=1probes no longer hit fakecloud's own loopback and 503 every EC2/bridge target. (prober.rs)IAM
OnlyAttached+PolicyUsageFilter.Marker/MaxItemsand reportsIsTruncated+Marker.PathPrefix+PolicyUsageFilter.NoSuchEntityfor a nonexistent user instead of an empty 200 (matching ListSigningCertificates).CloudFormation
default_port_for_engine; MySQL -> 3306, Oracle -> 1521, etc.) and publishes the SAMEDbiResourceIdstored on the record (was refabricatingdb-<identifier>while DescribeDBInstances returneddb-<uuid>).AWS::EC2::Instanceis now a real provisioner instead of the accept-and-ignore catch-all: creates a control-plane instance synchronously soRefresolves to thei-...id andFn::GetAttPrivateIp/PublicIp/AvailabilityZone resolve, then backs it with a real container via a new EC2cfn_provisionspawn-intent (mirroring ASG), with a matching teardown intent on stack delete.Distribution / auth
docker.ymlimage smoke-test also asserts thedockerCLI is present (the Lambdas on macOS #1539 Bug-4 regression vector), alongside the existingnftcheck.Dockerfilecomment corrected to the pinned29.5.3.main.rsIAM-enforcement-skipped startup log promotedinfo!->warn!so the "skipped services allow any authorized caller" gap is as loud as the SigV4 caveat.Tests
resolve_probe_host(i-*/127.0.0.1 -> sibling, real IP verbatim).Validation
Summary by cubic
Fixes correctness and compatibility gaps across S3, ELBv2, IAM, and CloudFormation, and makes CloudFormation
AWS::EC2::Instancecreate real instances backed by containers. Also improves RDS defaults and tightens distribution checks and IAM enforcement warnings.New Features
AWS::EC2::Instance: creates a real instance (Ref/GetAtt resolve toi-*, IPs, AZ) and then backs it with a container; matching teardown on stack delete.Bug Fixes
x-amz-copy-source-if-match(412 on ETag mismatch); add copy-source preconditions toUploadPartCopy; avoid panic when settingx-amz-website-redirect-location.i-*and127.0.0.1targets via sibling host, fixing probes in containerized runs.ListPoliciesrespectsOnlyAttachedandPolicyUsageFilter;GetGrouppaginates withMarker/MaxItems;ListEntitiesForPolicyadds pagination,PathPrefix, andPolicyUsageFilter;ListAccessKeys/ListSSHPublicKeysreturnNoSuchEntityfor missing users.DbiResourceIdmatchesDescribeDBInstances.nftanddockerCLIs are in the image; startup logs promote skipped IAM enforcement towarn; e2e job restarts Docker per attempt to avoid docker0 fallback and make retries independent.Written for commit 7d6c4ec. Summary will update on new commits.