Specify network interfaces that accept MMDS requests through /mmds/config API
#2872
Enhance `/mmds/config` to contain a list of the network interface IDs capable of forwarding packets to MMDS. Network interface IDs mentioned must be valid at the time of this request. The net device model will reply to HTTP GET requests sent to the MMDS address via the interfaces mentioned. In this case, both ARP requests and TCP segments heading to `ipv4_address` are intercepted by the device model, and do not reach the associated TAP device. This implementation makes the `allow-mmds-requests` field set when creating a net device redundant. Will remove the `allow-mmds-requests` field in a subsequent commit.

Signed-off-by: Luminita Voicu <lumivo@amazon.com>

Remove `allow_mmds_requests` from the API request that attaches network interfaces. Interfaces that allow forwarding requests to MMDS are now specified through the `network_interfaces` field inside PUT requests to `/mmds/config`.

Signed-off-by: Luminita Voicu <lumivo@amazon.com>
Signed-off-by: Luminita Voicu <lumivo@amazon.com>
a778394 to 9b22233
There are some passages from the mmds doc that need updating, for example this one: https://github.com/firecracker-microvm/firecracker/blob/main/docs/mmds/mmds-user-guide.md#example.
```rust
let _ = self.net_builder.build(body)?;
Ok(())
```
nit:

```rust
let _ = self.net_builder.build(body)?;
Ok(())
```

```rust
let _ = self.net_builder.build(body)
```
Indeed, there are many updates needed to the docs. I would prefer to include them in the PR that updates MMDS's behavior, since these changes are tightly coupled with MMDS. WDYT?
```python
    assert test_microvm.api_session.is_status_no_content(response.status_code)


def test_api_mmds_config(test_microvm_with_api):
```
What happens when an interface is configured via /network-interfaces, mmds is enabled on it, and then the interface is deleted from /network-interfaces?
```rust
// Create `MmdsNetworkStack` and configure the IPv4 address for
// existing built network devices whose names are defined in the
// network interface ID list.
for net_device in self.net_builder.iter_mut() {
    let mut net_device_lock = net_device.lock().expect("Poisoned lock");
    if network_interfaces.contains(net_device_lock.id()) {
        net_device_lock.configure_mmds_network_stack(ipv4_addr);
    } else {
        net_device_lock.disable_mmds_network_stack();
    }
}
```

This piece of code from `set_mmds_config()` handles this case. We iterate through all network devices attached and if the ID of the net iface is present in the `network_interfaces` list provided through `MmdsConfig`, then we configure it to allow MMDS requests. Otherwise, we disable the MMDS Network Stack from that interface. This ensures that only the interfaces specified in the list accept forwarding requests to MMDS.
I think Radu was referring to the case where a user appends an interface and then deletes it. We do not offer a delete API endpoint in Firecracker. Also, the patch request on network interface allows updating of the rate limiters only.
Thanks Diana for clarifying! In this case simple is better
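The allow-list behaviour discussed in this review thread, as a standalone Rust model added here (not Firecracker's code): each request carries the complete list, unknown IDs are rejected before any device changes, and devices left off the list are disabled. `NetDevice`, `mmds_ip`, `mmds_enabled` and the sample address are assumptions made for the example; the up-front ID check models the "must be valid at the time of this request" rule from the PR description.

```rust
use std::net::Ipv4Addr;

// Hypothetical stand-in for a net device. `mmds_ip` is Some while the device
// model answers MMDS traffic itself instead of passing it to the TAP device.
struct NetDevice {
    id: String,
    mmds_ip: Option<Ipv4Addr>,
}

// Model of a PUT to /mmds/config: the list is the complete allow-list.
fn set_mmds_config(
    devices: &mut [NetDevice],
    network_interfaces: &[&str],
    ipv4_addr: Ipv4Addr,
) -> Result<(), String> {
    // Validate every ID before changing any device, so a rejected request
    // leaves the previous allow-list in force.
    for id in network_interfaces {
        if !devices.iter().any(|d| d.id == *id) {
            return Err(format!("unknown network interface ID: {}", id));
        }
    }
    // Enable listed devices and explicitly disable all others, so an
    // interface dropped from the list loses MMDS access.
    for d in devices.iter_mut() {
        let listed = network_interfaces.contains(&d.id.as_str());
        d.mmds_ip = if listed { Some(ipv4_addr) } else { None };
    }
    Ok(())
}

// IDs of devices that currently intercept MMDS traffic.
fn mmds_enabled(devices: &[NetDevice]) -> Vec<&str> {
    devices.iter().filter(|d| d.mmds_ip.is_some()).map(|d| d.id.as_str()).collect()
}

fn main() {
    let ip = Ipv4Addr::new(169, 254, 169, 254); // constructed sample address
    let mut devs: Vec<NetDevice> = ["eth0", "eth1"]
        .iter()
        .map(|id| NetDevice { id: id.to_string(), mmds_ip: None })
        .collect();
    set_mmds_config(&mut devs, &["eth0", "eth1"], ip).unwrap();
    set_mmds_config(&mut devs, &["eth1"], ip).unwrap(); // eth0 is revoked
    let rejected = set_mmds_config(&mut devs, &["eth0", "eth9"], ip);
    println!("{:?} {:?}", mmds_enabled(&devs), rejected);
}
```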
Reason for This PR
Provide a cleaner API for allowing MMDS requests on network interfaces.
Also fixes #2174
Description of Changes
Add a `network_interfaces` field that takes a list of the network interface IDs capable of forwarding packets to the MMDS. Network interface IDs mentioned must be valid at the time of this request. The net device model will reply to HTTP GET requests sent to the MMDS address via the interfaces mentioned. In this case, both ARP requests and TCP segments heading to `ipv4_address` are intercepted by the device model, and do not reach the associated TAP device.

Remove `allow_mmds_requests` from the body of the request that creates network interfaces.

This functionality can be added in `rust-vmm`.

License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.
PR Checklist
[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

git commit -s).
`unsafe` code is properly documented.
CHANGELOG.md.