fix: Add IPv6 IMDS support for IPv6-only subnets #70

Merged: dpakpak merged 1 commit into aws:master from dpakpak:ipv6-imds-support on Mar 7, 2026

@dpakpak dpakpak commented Mar 6, 2026

Problem

macOS instances launched in IPv6-only subnets fail to initialize. SSH key injection,
metadata retrieval, and all IMDS-dependent operations silently fail because the IMDS
base URL is hardcoded to the IPv4 link-local address (169.254.169.254), which is
unreachable in IPv6-only networks.

Solution

Replace the hardcoded IMDS base URL with runtime endpoint resolution:

  1. Two IMDS base URLs — IPv4 (169.254.169.254) and IPv6 (fd00:ec2::254)
  2. Auto-detection — probes IPv4 first (200ms timeout), falls back to IPv6
  3. Environment variable override — supports EC2_METADATA_SERVICE_ENDPOINT_MODE
    (ipv4 | ipv6), consistent with the AWS SDK convention
  4. Graceful early boot handling — returns IPv4 default without caching if neither
    endpoint is reachable, preserving the existing retry loop behavior

Behavior

| Subnet Type | Before   | After                        |
|-------------|----------|------------------------------|
| IPv4-only   | ✅ Works | ✅ Works (resolves to IPv4)  |
| Dual-stack  | ✅ Works | ✅ Works (resolves to IPv4)  |
| IPv6-only   | ❌ Fails | ✅ Works (resolves to IPv6)  |

Testing

  • Verified on mac2.metal with IMDS disabled: init retries correctly, recovers
    when IMDS re-enabled, no crash or panic
  • Build and unit tests pass

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

The IMDS base URL was hardcoded to the IPv4 link-local address
(169.254.169.254), causing instance initialization to fail on
IPv6-only networks. SSH key injection and metadata retrieval
would silently fail since the endpoint was unreachable.

Resolve the IMDS endpoint at runtime by trying IPv4 first and
falling back to the IPv6 endpoint (fd00:ec2::254). Also support
the EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable for
explicit override, consistent with the AWS SDK convention.
@dpakpak dpakpak requested review from jahkeup, mattcataws and mjbala March 6, 2026 00:55
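
The resolution order described in the pull request (mode override, IPv4 probe first, IPv6 fallback, nothing cached until a probe succeeds), written out in Go as an added example that is not the project's code. Only `imdsIPv4Base` appears on the page; `Resolver`, `imdsIPv6Base`, `modeEnv`, the injected `Probe` function and the choice to apply the override by narrowing the probe candidates are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"sync"
)

const (
	imdsIPv4Base = "http://169.254.169.254" // constant name taken from the PR excerpt
	imdsIPv6Base = "http://[fd00:ec2::254]" // assumed name; an IPv6 literal needs brackets in a URL
	modeEnv      = "EC2_METADATA_SERVICE_ENDPOINT_MODE"
)

// Resolver is hypothetical; Probe (injected) reports whether a base URL answered in time.
type Resolver struct {
	Probe  func(base string) bool
	mu     sync.Mutex
	cached string
}

// Base returns the IMDS base URL, caching only an endpoint that a probe confirmed.
func (r *Resolver) Base() string {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cached != "" {
		return r.cached
	}
	candidates := []string{imdsIPv4Base, imdsIPv6Base} // IPv4 is probed first
	// The override only picks between the fixed endpoints; its value is never used as a URL.
	switch strings.ToLower(os.Getenv(modeEnv)) {
	case "ipv4":
		candidates = candidates[:1]
	case "ipv6":
		candidates = candidates[1:]
	}
	for _, base := range candidates {
		if r.Probe(base) {
			r.cached = base
			return base
		}
	}
	return candidates[0] // unconfirmed default, not cached: the next call re-probes
}

func main() {
	r := &Resolver{Probe: func(b string) bool { return b == imdsIPv6Base }} // constructed: IPv6-only subnet
	fmt.Println(r.Base())
}
```

Because the environment variable is matched against two fixed strings and anything else falls through to auto-detection, a malformed or unexpected value cannot redirect metadata requests to another host.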

// Neither endpoint confirmed reachable yet — return IPv4 default
// without caching so we re-probe on the next call.
return imdsIPv4Base
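
Review bot: on the fallback path, `return imdsIPv4Base` hands the caller the same value it would get for a confirmed IPv4 endpoint, and nothing in these lines records that neither endpoint was reachable. Consider logging the failed resolution here, or returning a second value that marks the result as unconfirmed, so that a boot stuck in the retry loop can be diagnosed from the logs.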

Nice! Thanks for handling the retry loop gracefully 🌮

@dpakpak dpakpak merged commit bb783d5 into aws:master Mar 7, 2026
2 of 3 checks passed