Skip to content

Commit

Permalink
Introduce a new environment variable ECS_EXCLUDE_IPV6_PORTBINDING
Browse files Browse the repository at this point in the history
  • Loading branch information
chienhanlin committed Sep 15, 2021
1 parent 0c1e813 commit 7ec9685
Show file tree
Hide file tree
Showing 10 changed files with 33 additions and 11 deletions.
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -194,7 +194,8 @@ additional details on each available environment variable.
| `ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE` | `true` | Whether to enable awslogs log driver to authenticate via credentials of task execution IAM role. Needs to be true if you want to use awslogs log driver in a task that has task execution IAM role specified. When using the ecs-init RPM with version equal or later than V1.16.0-1, this env is set to true by default. | `false` | `false` |
| `ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED` | `true` | Whether FSx for Windows File Server volume type is supported on the container instance. This variable is only supported on agent versions 1.47.0 and later. | `false` | `true` |
| `ECS_ENABLE_RUNTIME_STATS` | `true` | Determines if [pprof](https://pkg.go.dev/net/http/pprof) is enabled for the agent. If enabled, the different profiles can be accessed through the agent's introspection port (e.g. `curl http://localhost:51678/debug/pprof/heap > heap.pprof`). In addition, agent's [runtime stats](https://pkg.go.dev/runtime#ReadMemStats) are logged to `/var/log/ecs/runtime-stats.log` file. | `false` | `false` |

| `ECS_EXCLUDE_IPV6_PORTBINDING` | `true` | Determines if agent should exclude IPv6 port binding using default network mode. If enabled, IPv6 port binding will be filtered out, and the response of DescribeTasks API call will not show tasks' IPv6 port bindings, but it is still included in Task metadata endpoint. | `true` | `true` |

### Persistence

When you run the Amazon ECS Container Agent in production, its `datadir` should be persisted between runs of the Docker
Expand Down
20 changes: 13 additions & 7 deletions agent/api/ecsclient/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -413,7 +413,7 @@ func (client *APIECSClient) SubmitTaskStateChange(change api.TaskStateChange) er

containerEvents := make([]*ecs.ContainerStateChange, len(change.Containers))
for i, containerEvent := range change.Containers {
containerEvents[i] = client.buildContainerStateChangePayload(containerEvent)
containerEvents[i] = client.buildContainerStateChangePayload(containerEvent, client.config.ShouldExcludeIPv6PortBinding.Enabled())
}

req.Containers = containerEvents
Expand Down Expand Up @@ -454,7 +454,7 @@ func (client *APIECSClient) buildManagedAgentStateChangePayload(change api.Manag
}
}

func (client *APIECSClient) buildContainerStateChangePayload(change api.ContainerStateChange) *ecs.ContainerStateChange {
func (client *APIECSClient) buildContainerStateChangePayload(change api.ContainerStateChange, shouldExcludeIPv6PortBinding bool) *ecs.ContainerStateChange {
statechange := &ecs.ContainerStateChange{
ContainerName: aws.String(change.ContainerName),
}
Expand Down Expand Up @@ -487,27 +487,33 @@ func (client *APIECSClient) buildContainerStateChangePayload(change api.Containe
exitCode := int64(aws.IntValue(change.ExitCode))
statechange.ExitCode = aws.Int64(exitCode)
}
networkBindings := make([]*ecs.NetworkBinding, len(change.PortBindings))
for i, binding := range change.PortBindings {

networkBindings := []*ecs.NetworkBinding{}
for _, binding := range change.PortBindings {
if binding.BindIP == "::" && shouldExcludeIPv6PortBinding {
seelog.Debugf("Exclude IPv6 port binding %v for container %s in task %s", binding, change.ContainerName, change.TaskArn)
continue
}

hostPort := int64(binding.HostPort)
containerPort := int64(binding.ContainerPort)
bindIP := binding.BindIP
protocol := binding.Protocol.String()

networkBindings[i] = &ecs.NetworkBinding{
networkBindings = append(networkBindings, &ecs.NetworkBinding{
BindIP: aws.String(bindIP),
ContainerPort: aws.Int64(containerPort),
HostPort: aws.Int64(hostPort),
Protocol: aws.String(protocol),
}
})
}
statechange.NetworkBindings = networkBindings

return statechange
}

func (client *APIECSClient) SubmitContainerStateChange(change api.ContainerStateChange) error {
pl := client.buildContainerStateChangePayload(change)
pl := client.buildContainerStateChangePayload(change, client.config.ShouldExcludeIPv6PortBinding.Enabled())
if pl == nil {
return nil
}
Expand Down
7 changes: 4 additions & 3 deletions agent/api/ecsclient/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,9 +84,10 @@ func NewMockClient(ctrl *gomock.Controller,

return NewMockClientWithConfig(ctrl, ec2Metadata, additionalAttributes,
&config.Config{
Cluster: configuredCluster,
AWSRegion: "us-east-1",
InstanceAttributes: additionalAttributes,
Cluster: configuredCluster,
AWSRegion: "us-east-1",
InstanceAttributes: additionalAttributes,
ShouldExcludeIPv6PortBinding: config.BooleanDefaultTrue{Value: config.ExplicitlyEnabled},
})
}

Expand Down
3 changes: 3 additions & 0 deletions agent/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -591,6 +591,7 @@ func environmentConfig() (Config, error) {
FSxWindowsFileServerCapable: parseFSxWindowsFileServerCapability(),
External: parseBooleanDefaultFalseConfig("ECS_EXTERNAL"),
EnableRuntimeStats: parseBooleanDefaultFalseConfig("ECS_ENABLE_RUNTIME_STATS"),
ShouldExcludeIPv6PortBinding: parseBooleanDefaultTrueConfig("ECS_EXCLUDE_IPV6_PORTBINDING"),
}, err
}

Expand Down Expand Up @@ -623,6 +624,7 @@ func (cfg *Config) String() string {
"ContainerCreateTimeout: %v, "+
"DependentContainersPullUpfront: %v, "+
"TaskCPUMemLimit: %v, "+
"ShouldExcludeIPv6PortBinding: %v, "+
"%s",
cfg.Cluster,
cfg.AWSRegion,
Expand All @@ -640,6 +642,7 @@ func (cfg *Config) String() string {
cfg.ContainerCreateTimeout,
cfg.DependentContainersPullUpfront,
cfg.TaskCPUMemLimit,
cfg.ShouldExcludeIPv6PortBinding,
cfg.platformString(),
)
}
2 changes: 2 additions & 0 deletions agent/config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ func TestEnvironmentConfig(t *testing.T) {
defer setTestEnv("ECS_CGROUP_CPU_PERIOD", "")
defer setTestEnv("ECS_PULL_DEPENDENT_CONTAINERS_UPFRONT", "true")()
defer setTestEnv("ECS_ENABLE_RUNTIME_STATS", "true")()
defer setTestEnv("ECS_EXCLUDE_IPV6_PORTBINDING", "true")()
additionalLocalRoutesJSON := `["1.2.3.4/22","5.6.7.8/32"]`
setTestEnv("ECS_AWSVPC_ADDITIONAL_LOCAL_ROUTES", additionalLocalRoutesJSON)
setTestEnv("ECS_ENABLE_CONTAINER_METADATA", "true")
Expand Down Expand Up @@ -214,6 +215,7 @@ func TestEnvironmentConfig(t *testing.T) {
assert.Equal(t, []string{"efsAuth"}, conf.VolumePluginCapabilities)
assert.True(t, conf.DependentContainersPullUpfront.Enabled(), "Wrong value for DependentContainersPullUpfront")
assert.True(t, conf.EnableRuntimeStats.Enabled(), "Wrong value for EnableRuntimeStats")
assert.True(t, conf.ShouldExcludeIPv6PortBinding.Enabled(), "Wrong value for ShouldExcludeIPv6PortBinding")
}

func TestTrimWhitespaceWhenCreating(t *testing.T) {
Expand Down
1 change: 1 addition & 0 deletions agent/config/config_unix.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ func DefaultConfig() Config {
FSxWindowsFileServerCapable: false,
RuntimeStatsLogFile: defaultRuntimeStatsLogFile,
EnableRuntimeStats: BooleanDefaultFalse{Value: NotSet},
ShouldExcludeIPv6PortBinding: BooleanDefaultTrue{Value: ExplicitlyEnabled},
}
}

Expand Down
1 change: 1 addition & 0 deletions agent/config/config_unix_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ func TestConfigDefault(t *testing.T) {
assert.False(t, cfg.DependentContainersPullUpfront.Enabled(), "Default DependentContainersPullUpfront set incorrectly")
assert.False(t, cfg.PollMetrics.Enabled(), "ECS_POLL_METRICS default should be false")
assert.False(t, cfg.EnableRuntimeStats.Enabled(), "Default EnableRuntimeStats set incorrectly")
assert.True(t, cfg.ShouldExcludeIPv6PortBinding.Enabled(), "Default ShouldExcludeIPv6PortBinding set incorrectly")
}

// TestConfigFromFile tests the configuration can be read from file
Expand Down
1 change: 1 addition & 0 deletions agent/config/config_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ func DefaultConfig() Config {
CNIPluginsPath: filepath.Join(ecsBinaryDir, defaultCNIPluginDirName),
RuntimeStatsLogFile: filepath.Join(ecsRoot, defaultRuntimeStatsLogFile),
EnableRuntimeStats: BooleanDefaultFalse{Value: NotSet},
ShouldExcludeIPv6PortBinding: BooleanDefaultTrue{Value: ExplicitlyEnabled},
}
}

Expand Down
1 change: 1 addition & 0 deletions agent/config/config_windows_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ func TestConfigDefault(t *testing.T) {
assert.Equal(t, DefaultImagePullTimeout, cfg.ImagePullTimeout, "Default ImagePullTimeout set incorrectly")
assert.False(t, cfg.DependentContainersPullUpfront.Enabled(), "Default DependentContainersPullUpfront set incorrectly")
assert.False(t, cfg.EnableRuntimeStats.Enabled(), "Default EnableRuntimeStats set incorrectly")
assert.True(t, cfg.ShouldExcludeIPv6PortBinding.Enabled(), "Default ShouldExcludeIPv6PortBinding set incorrectly")
}

func TestConfigIAMTaskRolesReserves80(t *testing.T) {
Expand Down
5 changes: 5 additions & 0 deletions agent/config/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -349,4 +349,9 @@ type Config struct {
// EnableRuntimeStats specifies if pprof should be enabled through the agent introspection port. By default, this configuration
// is set to false and can be overridden by means of the ECS_ENABLE_RUNTIME_STATS environment variable.
EnableRuntimeStats BooleanDefaultFalse

// ShouldExcludeIPv6PortBinding specifies whether agent should exclude IPv6 port bindings reported from docker. This configuration
// is set to true by default, and can be overridden by the ECS_EXCLUDE_IPV6_PORTBINDING environment variable. This is a workaround
// for docker's bug as detailed in https://github.com/aws/amazon-ecs-agent/issues/2870.
ShouldExcludeIPv6PortBinding BooleanDefaultTrue
}

0 comments on commit 7ec9685

Please sign in to comment.