Skip to content

fix(mmds): Set token TTL header in response to PUT /latest/api/token #5328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Jul 25, 2025
Merged

fix(mmds): Set token TTL header in response to PUT /latest/api/token #5328

merged 12 commits into from
Jul 25, 2025

Conversation

zulinx86
Copy link
Contributor

@zulinx86 zulinx86 commented Jul 24, 2025
edited
Loading

Changes

  • Set the token TTL header in the MMDS response to "PUT /latest/api/token".
  • Add integration tests using AWS SDK for GO to ensure the token TTL header is set in the response and MMDS responds as EC2 IMDS does if imds_compat flag is true.

Reason

EC2 IMDS sets X-Aws-Ec2-Metadata-Token-Ttl-Seconds header in the
response to PUT /latest/api/token, while MMDS didn't. AWS SDK for Go
tries to parse it as integer (i.e. tries to parse an empty string "" as
integer) 4.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • [ ] I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@zulinx86 zulinx86 force-pushed the mmds_ttl_header_in_response branch from 06d768b to dfa0951 Compare July 24, 2025 19:45
@zulinx86 zulinx86 changed the title Mmds ttl header in response fix(mmds): Set token TTL header in response Jul 24, 2025
zulinx86 added 5 commits July 24, 2025 19:49
@zulinx86
fix(mmds): Set token TTL header in response to PUT /latest/api/token
81f0d26 
EC2 IMDS sets X-Aws-Ec2-Metadata-Token-Ttl-Seconds header in the
response to PUT /latest/api/token, while MMDS didn't. AWS SDK for Go
tries to parse it as integer (i.e. tries to parse an empty string "" as
integer) [1].

[1]: https://github.com/aws/aws-sdk-go-v2/blob/7a614d9fcccd492af3b87aa43c7c203cb636804e/feature/ec2/imds/api_op_GetToken.go#L82-L85
Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
test: Enable debug log in test for AWS SDK for Python
186cc59 
To get more details in case of test failures, enable debug logging.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
fix(tool): Do NOT install AWS CLI v2
1e3e11e 
That is a leftover installed when I tried to use AWS CLI at first for
the credential provider integration test. Let's keep the rootfs as small
as possible.

Fixes: 1fef547 ("test: Check AWS SDK credential provider work with MMDS")
Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
refactor(tool): Delete binaries in prepare_and_build_rootfs()
ef1e868 
Since the binaries are compiled in prepare_and_build_rootfs(), delete
them there for unity.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
refactor(tool): Delete unused variable declaration
2f3f46d 
It is no longer used in the function.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86 zulinx86 force-pushed the mmds_ttl_header_in_response branch from dfa0951 to 945b2af Compare July 24, 2025 19:50
@zulinx86 zulinx86 changed the title fix(mmds): Set token TTL header in response fix(mmds): Set token TTL header in response to PUT /latest/api/token Jul 24, 2025
@codecov Codecov
Copy link

codecov bot commented Jul 24, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.03%. Comparing base (b820ec6) to head (24404fb).
Report is 12 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5328      +/-   ##
==========================================
+ Coverage   82.98%   83.03%   +0.05%     
==========================================
  Files         250      250              
  Lines       26828    26837       +9     
==========================================
+ Hits        22262    22285      +23     
+ Misses       4566     4552      -14
Flag Coverage Δ
5.10-c5n.metal 83.48% <100.00%> (+<0.01%) ⬆️
5.10-m5n.metal 83.48% <100.00%> (+0.01%) ⬆️
5.10-m6a.metal 82.70% <100.00%> (+0.01%) ⬆️
5.10-m6g.metal 79.15% <100.00%> (+<0.01%) ⬆️
5.10-m6i.metal 83.47% <100.00%> (+<0.01%) ⬆️
5.10-m7a.metal-48xl 82.69% <100.00%> (?)
5.10-m7g.metal 79.15% <100.00%> (+<0.01%) ⬆️
5.10-m7i.metal-24xl 83.44% <100.00%> (?)
5.10-m7i.metal-48xl 83.43% <100.00%> (?)
5.10-m8g.metal-24xl 79.14% <100.00%> (?)
5.10-m8g.metal-48xl 79.14% <100.00%> (?)
6.1-c5n.metal 83.53% <100.00%> (+<0.01%) ⬆️
6.1-m5n.metal 83.53% <100.00%> (+<0.01%) ⬆️
6.1-m6a.metal 82.75% <100.00%> (+0.01%) ⬆️
6.1-m6g.metal 79.14% <100.00%> (-0.01%) ⬇️
6.1-m6i.metal 83.52% <100.00%> (+<0.01%) ⬆️
6.1-m7a.metal-48xl 82.73% <100.00%> (?)
6.1-m7g.metal 79.15% <100.00%> (+<0.01%) ⬆️
6.1-m7i.metal-24xl 83.54% <100.00%> (?)
6.1-m7i.metal-48xl 83.54% <100.00%> (?)
6.1-m8g.metal-24xl 79.14% <100.00%> (?)
6.1-m8g.metal-48xl 79.14% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@zulinx86 zulinx86 force-pushed the mmds_ttl_header_in_response branch from 945b2af to 2a1a47e Compare July 24, 2025 20:00
@zulinx86 zulinx86 enabled auto-merge (rebase) July 24, 2025 20:06
@zulinx86 zulinx86 added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Jul 24, 2025
roypat
roypat previously approved these changes Jul 25, 2025
View reviewed changes
zulinx86 added 7 commits July 25, 2025 08:07
@zulinx86
tool: Install Go to build Go projects
018460f 
To test AWS SDK for Go, we will build Go projects and put the binaries
to the guest rootfs. Note that the Go lang and AWS SDK for Go are not
put to the guest rootfs.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
refactor(tool): Prelimiary refactor to support go compilation
69be282 
* Only pass source path to compile_and_install
* Remove unneeded output directory creation

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
tool: Support Go compilation
4b35a14 
compile_and_install() expects a Go project to end with ".go" to
distinguish from C sources and places the compiled binary with a name
without ".go".

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
tool: Add source of Go SDK's credential provider
215e542 
It will be compiled as part of CI artifacts build and the built binary
will be placed in guest rootfs.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
test: Add test for Go SDK credential provider
a37ea35 
Add a regression test that ensures the token TTL header is set in the
MMDS response to "PUT /latest/api/token". AWS SDK for Go tries to parse
the header even if the header is not included (i.e. treat as an empty
string if not exist).

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
tool: Add source for Go SDK cred provider with custom endpoint
fd37440 
When a custom endpoint is configured, AWS SDK for Go sets "Accept:
application/json" in request, although not set Accept header by default.
This will be used in an integration test to be added in the next commit.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86
test: Add test for Go SDK credential provider with custom endpoint
24404fb 
AWS SDK for Go sets "Accept: application" in a request to retrieve AWS
credentials. If imds_compat is true, it should work. If false, it should
NOT work, because MMDS responds a string of a JSON object containing the
credentials (i.e. wrapped with doulequotes) with "Content-Type:
application/json" but AWS SDK for Go expects only the inner JSON object.

Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
@zulinx86 zulinx86 force-pushed the mmds_ttl_header_in_response branch from 2a1a47e to 24404fb Compare July 25, 2025 08:07
Manciukic
Manciukic reviewed Jul 25, 2025
View reviewed changes
@zulinx86 zulinx86 merged commit 1ca8af1 into firecracker-microvm:main Jul 25, 2025
6 of 7 checks passed
@zulinx86 zulinx86 deleted the mmds_ttl_header_in_response branch July 25, 2025 12:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Manciukic Manciukic Manciukic approved these changes

@roypat roypat roypat approved these changes

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx is a code owner

@kalyazin kalyazin Awaiting requested review from kalyazin kalyazin is a code owner

@pb8o pb8o Awaiting requested review from pb8o pb8o is a code owner

Assignees
No one assigned
Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zulinx86 @Manciukic @roypat