feat(mmds): Add flag for making MMDS operate like EC2 IMDS

While EC2 IMDS only supports text/plain and ignores Accept header,
Firecracker MMDS supports not only text/plain but also application/json.
If users don't have the control of libraries that set "Accept:
application/json" but expect MMDS to behave like EC2 IMDS, the above
difference becomes a problem. Not to break existing workloads, add a new
flag `imds_compat` (default to false) to PUT /mmds/config API.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -30,6 +30,11 @@ and this project adheres to
   version 2. These metrics also count requests that would be rejected in MMDS
   version 2 when MMDS version 1 is configured. They helps users assess readiness
   for migrating to MMDS version 2.
+- [#5310](https://github.com/firecracker-microvm/firecracker/pull/5310): Added
+  an optional `imds_compat` field (default to false if not provided) to PUT
+  requests to `/mmds/config` to enforce MMDS to always respond plain text
+  contents in the IMDS format regardless of the `Accept` header in requests.
+  Users need to regenerate snapshots.
 
 ### Changed
 

docs/device-api.md

@@ -76,6 +76,7 @@ specification:
 | `MmdsConfig`              | network_interfaces |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |
 |                           | version            |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |
 |                           | ipv4_address       |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |
+|                           | imds_compat        |    O     |       O        |      O       |        O         |     O      |      O       |     O      |
 | `NetworkInterface`        | guest_mac          |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |
 |                           | host_dev_name      |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |
 |                           | iface_id           |    O     |       O        |      O       |        O         |   **R**    |      O       |     O      |

docs/mmds/mmds-user-guide.md

@@ -308,7 +308,10 @@ The response format can be JSON or IMDS. The IMDS documentation can be found
 The output format can be selected by specifying the optional `Accept` header.
 Using `Accept: application/json` will format the output to JSON, while using
 `Accept: plain/text` or not specifying this optional header at all will format
-the output to IMDS.
+the output to IMDS. Setting `imds_compat` to `true` through PUT request to
+`/mmds/config` enforces MMDS to always respond in IMDS format regardless of the
+`Accept` header. This allows code written to work on EC2 IMDS to also work on
+Firecracker MMDS.
 
 Retrieving MMDS resources in IMDS format, other than JSON `string` and `object`
 types, is not supported.

src/firecracker/swagger/firecracker.yaml

@@ -888,7 +888,7 @@ definitions:
       is_read_only:
         type: boolean
         description:
-          Is block read only. 
+          Is block read only.
           This field is required for virtio-block config and should be omitted for vhost-user-block configuration.
       path_on_host:
         type: string
@@ -1125,6 +1125,12 @@ definitions:
         format: "169.254.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4]).([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
         default: "169.254.169.254"
         description: A valid IPv4 link-local address.
+      imds_comat:
+        type: boolean
+        description:
+          MMDS operates compatibly with EC2 IMDS (i.e. reponds "text/plain"
+          content regardless of Accept header in requests).
+        default: false
 
   MmdsContentsObject:
     type: object

src/vmm/src/device_manager/persist.rs

@@ -154,6 +154,7 @@ pub struct ConnectedLegacyState {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct MmdsState {
     version: MmdsVersion,
+    imds_compat: bool,
 }
 
 /// Holds the device states.
@@ -326,8 +327,10 @@ impl<'a> Persist<'a> for MMIODeviceManager {
                 TYPE_NET => {
                     let net = locked_device.as_any().downcast_ref::<Net>().unwrap();
                     if let (Some(mmds_ns), None) = (net.mmds_ns.as_ref(), states.mmds.as_ref()) {
+                        let mmds_guard = mmds_ns.mmds.lock().expect("Poisoned lock");
                         states.mmds = Some(MmdsState {
-                            version: mmds_ns.mmds.lock().expect("Poisoned lock").version(),
+                            version: mmds_guard.version(),
+                            imds_compat: mmds_guard.imds_compat(),
                         });
                     }
 
@@ -537,9 +540,11 @@ impl<'a> Persist<'a> for MMIODeviceManager {
 
         // Initialize MMDS if MMDS state is included.
         if let Some(mmds) = &state.mmds {
-            constructor_args
-                .vm_resources
-                .set_mmds_basic_config(mmds.version, constructor_args.instance_id)?;
+            constructor_args.vm_resources.set_mmds_basic_config(
+                mmds.version,
+                mmds.imds_compat,
+                constructor_args.instance_id,
+            )?;
         }
 
         for net_state in &state.net_devices {
@@ -826,7 +831,8 @@ mod tests {
     "network_interfaces": [
       "netif"
     ],
-    "ipv4_address": "169.254.169.254"
+    "ipv4_address": "169.254.169.254",
+    "imds_compat": false
   }},
   "network-interfaces": [
     {{
@@ -859,7 +865,7 @@ mod tests {
                 .version(),
             MmdsVersion::V2
         );
-        assert_eq!(device_states.mmds.unwrap().version, MmdsVersion::V2.into());
+        assert_eq!(device_states.mmds.unwrap().version, MmdsVersion::V2);
 
         assert_eq!(restored_dev_manager, original_mmio_device_manager);
         assert_eq!(