mirror of
https://github.com/ipxe/ipxe
synced 2026-05-08 15:02:55 +03:00
Michael Brown
09c17f76c3
Importing images into Alibaba Cloud currently relies upon using a temporary Function Compute function to work around Chinese state censorship laws that prevent direct access to OSS bucket contents in mainland China regions. Unfortunately, Alibaba Cloud regions are extremely asymmetric in terms of feature support. (For example, some regions do not even support IPv6 networking.) Several mainland China regions do not support Function Compute, and so this workaround is not available for those regions. A possible alternative censorship workaround is to create temporary ECS virtual machine instances instead of temporary Function Compute functions. This requires the existence of a role that can be used by ECS instances to access OSS. We cannot use the AliyunFcDefaultRole that is currently used by Function Compute, since this role cannot be assumed by ECS instances. Creating roles is a privileged operation, and it would be sensible to assume that the image importer (which may be running as part of a GitHub Actions workflow) may not have permission to itself create a suitable temporary role. The censorship bypass role must therefore be set up once in advance by a suitably privileged user. Add the ability to create a suitable censorship bypass role to the Alibaba Cloud setup utility. Signed-off-by: Michael Brown <mcb30@ipxe.org>