Skip to content

[DRAFT] mmds: Smoother migration from v1 to v2 #5290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

[DRAFT] mmds: Smoother migration from v1 to v2 #5290

wants to merge 10 commits into from

Conversation

zulinx86
Copy link
Contributor

@zulinx86 zulinx86 commented Jul 4, 2025
edited
Loading

Reason / Changes

To allow easier migration from MMDS v1 to v2, made the following changes:

  • Extended MMDS to support EC2 IMDS-compatible token headers (i.e. X-aws-ec2-metadata-token and X-aws-ec2-metadata-token-ttl-seconds).
  • Added an integration test that checks AWS SDK for Python (boto3) is able to get AWS credentials via MMDS out of the box.
  • Made MMDS versions 1 support token generation for the session-oriented method as in MMDS version 2. Note that MMDS version 1 continues to accept GET requests with invalid tokens or no token.
  • Added mmds.rx_invalid_token and mmds.rx_no_token metrics to allow users to keep track of the number of GET requests that were rejected in MMDS version 2. Even with MMDS version 1 configured, they also count GET requests that would be rejected under MMDS version 1.

Fixed some minor things

  • Validated X-metadata-token-ttl-seconds header only if it is a PUT request to /latest/api/token.
  • Rejected X-Forwarded-For header in a case-insensitive way.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • [ ] When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • [ ] I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@codecov Codecov
Copy link

codecov bot commented Jul 4, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 97.45763% with 3 lines in your changes missing coverage. Please review.

Project coverage is 82.93%. Comparing base (68ed647) to head (fc485e6).

Files with missing lines Patch % Lines
src/vmm/src/rpc_interface.rs 84.61% 2 Missing ⚠️
src/vmm/src/device_manager/persist.rs 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5290      +/-   ##
==========================================
+ Coverage   82.86%   82.93%   +0.07%     
==========================================
  Files         250      250              
  Lines       26897    26855      -42     
==========================================
- Hits        22288    22272      -16     
+ Misses       4609     4583      -26
Flag Coverage Δ
5.10-c5n.metal 83.37% <97.45%> (+0.02%) ⬆️
5.10-m5n.metal 83.37% <97.45%> (+0.02%) ⬆️
5.10-m6a.metal 82.59% <97.45%> (+0.02%) ⬆️
5.10-m6g.metal 79.19% <97.45%> (+0.01%) ⬆️
5.10-m6i.metal 83.36% <97.45%> (+0.02%) ⬆️
5.10-m7a.metal-48xl 82.57% <97.45%> (?)
5.10-m7g.metal 79.19% <97.45%> (+0.01%) ⬆️
5.10-m7i.metal-24xl 83.32% <97.45%> (?)
5.10-m7i.metal-48xl 83.32% <97.45%> (?)
5.10-m8g.metal-24xl 79.18% <97.45%> (?)
5.10-m8g.metal-48xl 79.18% <97.45%> (?)
6.1-c5n.metal 83.42% <97.45%> (+0.02%) ⬆️
6.1-m5n.metal 83.41% <97.45%> (+0.02%) ⬆️
6.1-m6a.metal 82.63% <97.45%> (+0.02%) ⬆️
6.1-m6g.metal 79.18% <97.45%> (+0.01%) ⬆️
6.1-m6i.metal 83.41% <97.45%> (+0.02%) ⬆️
6.1-m7a.metal-48xl 82.62% <97.45%> (?)
6.1-m7g.metal 79.19% <97.45%> (+0.01%) ⬆️
6.1-m7i.metal-24xl 83.43% <97.45%> (?)
6.1-m7i.metal-48xl 83.43% <97.45%> (?)
6.1-m8g.metal-24xl 79.18% <97.45%> (?)
6.1-m8g.metal-48xl 79.18% <97.45%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@zulinx86 zulinx86 force-pushed the mmds_compat branch 13 times, most recently from b1d6593 to d7021ce Compare July 7, 2025 07:02
@zulinx86
refactor(test): Tiny cleanup of MMDS unit tests
9016f54 
* Insert a line break with "\" after "\r\n" if another line follows
* Make multi-line strings start at the same column.
* Eliminate unneeded variable assignments (`request_bytes`).
* Use test utility function if possible
* Remove duplicate test cases

Signed-off-by: Takahiro Itazuri <[email protected]>
zulinx86 added 6 commits July 7, 2025 08:10
@zulinx86
fix(mmds): Validate X-metadata-token-ttl-seconds header only if needed
0dc6aec 
We checked that "X-metadata-token-ttl-seconds" has a valid positive
number regardless of the request type. On the oher hand, EC2 IMDS only
validates it only if it is a PUT request to "/latest/api/token". Such
a behavioral difference from EC2 IMDS could result in unexpected issues.

To line up with EC2 IMDS, breaks `TokenHeaders` down to dedicated
structs (`XMetadataToken` and `XMetadataTokenTtlSeconds`) and parses
"X-metadata-token" only for GET requests and
"X-metadata-token-ttl-seconds" only for PUT requests to
"latest/api/token".

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
feat(mmds): Accept EC2 IMDS-compatible custom headers
2f9f7cc 
The custom headers supported by MMDS (X-metadata-token and
X-metadata-token-ttl-seconds) are different from what EC2 IMDS supports
(X-aws-ec2-metadata-token and X-aws-ec2-metadata-token-ttl-seconds).
Supporting EC2 IMDS-compatible custom headers in MMDS, users become able
to make their workloads work with MMDS out of the box.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
test: Check AWS SDK credential provider work with MMDS
0627b15 
Add an integration test that checks AWS SDK for Python (boto3) is able
to get credentials via MMDS without modification.

CI artifacts (guest rootfs) update was needed to install AWS SDK for
Python.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
refactor(mmds): Rename new() to try_new()
80b5b61 
The constructor for TokenAuthority can fail and returns Result.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
feat(mmds): Support token generation via PUT in MMDS v1
549502e 
To enable smoother migration from v1 to v2, make MMDS v1 support PUT
request to /latest/api/token for token generation.

We do NOT make MMDS v1 deny GET requests even with invalid tokens not
to break existing workloads. It does not validate a given toekn at this
point, but it will validate to increment a metric that will be added to
count such requests having invalid tokens.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
feat(mmds): Add metric to count GET requests with invalid tokens
d426149 
In the previous commit, MMDS v1 was made to support token generation but
a given token to GET request was not validated. Validates the token and
increments a new metric `rx_invalid_token` if it is not valid.

Signed-off-by: Takahiro Itazuri <[email protected]>
zulinx86 added 3 commits July 7, 2025 08:27
@zulinx86
feat(mmds): Add metric to count GET requests without tokens
f49cdc0 
The metric is useful for users to track whether v1-style requests are
issued or not inside a guest.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
refactor(test): Organize unit tests
9b14116 
* Move out version-independent parts to dedicated tests
* Test happy path first, and then test error cases

No test cases are dropped.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
fix(mmds): Reject X-Forwarded-For in case-insensitive way
fc485e6 
As EC2 IMDS does, MMDS denies PUT requests if X-Forwarded-For header is
included, but it was validated only in a case-sensitive way. However, it
is defined that  HTTP headers are case-insensitive. We should deny it
regardless of its case.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86 zulinx86 force-pushed the mmds_compat branch 2 times, most recently from d1f34a0 to fc485e6 Compare July 7, 2025 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx will be requested when the pull request is marked ready for review xmarcalx is a code owner

@kalyazin kalyazin Awaiting requested review from kalyazin kalyazin will be requested when the pull request is marked ready for review kalyazin is a code owner

@pb8o pb8o Awaiting requested review from pb8o pb8o will be requested when the pull request is marked ready for review pb8o is a code owner

@Manciukic Manciukic Awaiting requested review from Manciukic Manciukic will be requested when the pull request is marked ready for review Manciukic is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@zulinx86