Aug 24 18:59:21 my-instance systemd[1]: Starting GCE Workload Certificate refresh...
Aug 24 18:59:22 my-instance gce_workload_cert_refresh[30354]: 2023/08/24 18:59:22: Error getting config status, workload certificates may not be configured: HTTP 404
Aug 24 18:59:22 my-instance gce_workload_cert_refresh[30354]: 2023/08/24 18:59:22: Done
Aug 24 18:59:22 my-instance systemd[1]: gce-workload-cert-refresh.service: Succeeded.
Aug 24 18:59:22 my-instance systemd[1]: Started GCE Workload Certificate refresh.
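Searching for the error message turns up the same issue in Google's google-guest-agent on GitHub. The discussion thread says the error can be ignored, but syslog was filling up with these useless messages, so I looked for a way to get rid of them.
I also found the source code through Google Search: https://github.com/GoogleCloudPlatform/guest-agent/blob/5cbbd3dc7ba2/gce_workload_cert_refresh/main.go
It tries to connect to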
http://169.254.169.254/computeMetadata/v1/instance/workload-certificates-config-status
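169.254.169.254 is a specially reserved IP address. On AWS, Azure, and Google Cloud Platform alike, it is used to retrieve virtual machine metadata.
Taken literally, "GCE Workload Certificate refresh" means that Google Compute Engine (GCP's virtual machines) is trying to refresh the Workload Certificate (I don't know how to translate the term gracefully, so I'll keep the original), but it runs into an HTTP 404.
Use curl to verify this in practice: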
curl http://169.254.169.254/computeMetadata/v1/instance/workload-certificates-config-status -H "Metadata-Flavor:Google"
It returns a chunk of HTML, so it does look like an HTTP 404:
(preceding output omitted)...<meta charset="utf-8">
<meta name="viewport" content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>...(remaining output omitted)

Testing shows that the workload-certificates-config-status endpoint has disappeared, so it's no wonder an HTTP 404 is reported.
curl http://169.254.169.254/computeMetadata/v1/instance/ -H "Metadata-Flavor:Google"
It returns the available endpoints:
attributes/
cpu-platform
description
disks/
guest-attributes/
hostname
id
image
licenses/
machine-type
maintenance-event
name
network-interfaces/
preempted
remaining-cpu-time
scheduling/
service-accounts/
tags
virtual-clock/
zone
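workload-certificates-config-status is not among them. What puzzles me is that Google Cloud hasn't fixed this...
Even though the discussion thread says it can be ignored, I decided to turn it off, trying it first on an unimportant test VM, of course.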
systemctl stop gce-workload-cert-refresh.timer
systemctl stop gce-workload-cert-refresh
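This only stops gce-workload-cert-refresh from periodically fetching
http://169.254.169.254/computeMetadata/v1/instance/workload-certificates-config-status
for now; if the VM reboots, it comes back. You can choose to disable it permanently, but I'll wait and see whether Google Cloud releases a fix...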
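
An added example, not from the original post or the guest-agent project: a guard script that disables the timer persistently only when the metadata server answers 404 for the endpoint above, so a VM that does have workload certificates configured keeps its refresh. The status-to-decision mapping and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: disable the refresh timer only when the metadata server
# confirms that workload certificates are not configured on this VM.

# Endpoint and header are the ones used on the page.
MD_URL="http://169.254.169.254/computeMetadata/v1/instance/workload-certificates-config-status"
TIMER="gce-workload-cert-refresh.timer"

# Print only the HTTP status code; curl prints 000 when no response arrives.
probe_status() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' \
        -H "Metadata-Flavor: Google" "$MD_URL" || true
}

# Map a status code to a decision (the mapping is this example's assumption).
classify_status() {
    case "$1" in
        404) echo "not-configured" ;;  # the case shown in the log above
        200) echo "configured" ;;      # certificates in use: keep the timer
        *)   echo "unknown" ;;         # timeout, 5xx, 000: change nothing
    esac
}

# Print the command the decision calls for, or nothing at all.
plan_action() {
    if [ "$(classify_status "$1")" = "not-configured" ]; then
        echo "systemctl disable --now $TIMER"
    fi
}

main() {
    case "${1:-}" in
        --check|--apply) ;;
        *) echo "usage: $0 --check|--apply" >&2; return 0 ;;
    esac
    code=$(probe_status)
    action=$(plan_action "$code")
    echo "HTTP $code -> $(classify_status "$code")"
    if [ -z "$action" ]; then
        echo "leaving $TIMER untouched"
    elif [ "$1" = "--apply" ]; then
        $action   # needs root; the timer stays off across reboots
    else
        echo "would run: $action"
    fi
}

main "$@"
```

Run it with --check first to see the decision; --apply makes the change, which `systemctl enable --now gce-workload-cert-refresh.timer` reverses.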