Introduce a new environment variable ECS_EXCLUDE_IPV6_PORTBINDING

[chienhanlin]

Summary

A behavioral change in docker container port binding, where both IPv4 and IPv6 bindings will be exposed starting from Docker version 20.10.6, is reported in following issues and PR:

• Docker 20.10.6 IPv6 bindings shouldn't be mapped as network bindings for tasks for non IPv6 networks. #2870
• Filter out ipv6 port forwards when an ipv6 default route doesn't exist #2855
• [ECS] [request]: Support PortMappings in Bridge mode on Docker 20.10.6 containers-roadmap#1377
• Different port number are getting mapped on ipv4 and ipv6 for same expose port moby/moby#42442
• Regression in 20.10.6: Docker report a published port on ipv6 when ipv6 is disabled moby/moby#42375

To mitigate this issue, this PR introduces a new agent environment variable ECS_EXCLUDE_IPV6_PORTBINDING to filter out IPv6 port bindings for default network mode tasks. This config variable is true by default, which means the IPv6 port bindings will be filtered out in the Container State Change Payload. To include IPv6 port bindings, set ECS_EXCLUDE_IPV6_PORTBINDING=false in the /etc/ecs/ecs.config file and then restart the agent.

No change is made on the metadata. Customers can still find both IPv4 and IPv6 port bindings from the task metadata endpoint even when ECS_EXCLUDE_IPV6_PORTBINDING=true. This raw data, which is retrieved from docker inspect, is kept for further debug operation.

Implementation details

1. Add a new type ShouldExcludeIPv6PortBinding and a config variable ECS_EXCLUDE_IPV6_PORTBINDING to agent and is true by default.
2. Update README with the new config variable ECS_EXCLUDE_IPV6_PORTBINDING.
3. Filter out IPv6 port bindings while building the container state change payload if ShouldExcludeIPv6PortBinding is true.
4. Update unit tests with the new config.

Testing

Following two docker versions are used for testing:

• Docker version 20.10.4, which dose not have the behavioral change.
• Docker version 20.10.7, which exposes both IPv4 and IPv6 port bindings.

Manual test cases:
Steps:

1. Run a Task to launch a docker container using the nginx docker image under the bridge network mode, and define the container port mappings in the task definition.

      "portMappings": [
        {
          "hostPort": 0,
          "protocol": "tcp",
          "containerPort": 80
        }

2. Run docker ps and docker inspect to get the docker container port mappings.
3. Get metadata for the task by curl ${ECS_CONTAINER_METADATA_URI_V4}/task.
4. Run AWS CLI describe-tasks to verify the port binding.

Results of each test case are listed as follows:

1. Docker version 20.10.4 and ECS_EXCLUDE_IPV6_PORTBINDING is not set.
2. Docker version 20.10.4 and ECS_EXCLUDE_IPV6_PORTBINDING is set to true.
3. Docker version 20.10.4 and ECS_EXCLUDE_IPV6_PORTBINDING is set to false.

Test cases 1-3 have the same responses.

• No IPv6 port binding is found in the nginx docker container.
• The response of AWS CLI describe-tasks command shows only IPv4 port binding in the container.

 "networkBindings": [
    {
        "protocol": "tcp", 
         "bindIP": "0.0.0.0", 
         "containerPort": 80, 
         "hostPort": 49155
    }
],

• The response of {ECS_CONTAINER_METADATA_URI_V4}/task does not contains IPv6 port binding info.

4. Docker version 20.10.7 and ECS_EXCLUDE_IPV6_PORTBINDING is not set.
5. Docker version 20.10.7 and ECS_EXCLUDE_IPV6_PORTBINDING is set to true.

Test cases 4-5 have the same responses.

• No IPv6 port binding in the nginx docker container

        "NetworkSettings": {
            "Bridge": "",
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "80/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "49154"
                    }
                ]
            },
          ...
        }

• The response of AWS CLI describe-tasks command shows only IPv4 port binding in the container

"networkBindings": [
    {
        "protocol": "tcp", 
        "bindIP": "0.0.0.0", 
        "containerPort": 80, 
         "hostPort": 49154
    }
],

• The response of {ECS_CONTAINER_METADATA_URI_V4}/task contains both IPv4 and IPv6 port bindings info.

6. Docker version 20.10.7 and ECS_EXCLUDE_IPV6_PORTBINDING is set to false.

• An IPv6 port binding is found in the nginx docker container

        "NetworkSettings": {
            "Bridge": "",
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "80/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "49155"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "49155"
                    }
                ]
            },
          ...
        }

• The response of AWS CLI describe-tasks command shows both IPv4 and IPv6 port bindings in the container

"networkBindings": [
    {
        "protocol": "tcp", 
        "bindIP": "0.0.0.0", 
        "containerPort": 80, 
         "hostPort": 49155
    }, 
    {
        "protocol": "tcp", 
        "bindIP": "::", 
        "containerPort": 80, 
        "hostPort": 49155
    }
],

• The response of {ECS_CONTAINER_METADATA_URI_V4}/task contains both IPv4 and IPv6 port bindings info.

7. awsvpc and host network mode

• No behavioral change, comparing with agent version 1.55.2, is found while running a task with awsvpc and host mode

New tests cover the changes: no, but existing config unit tests are updated.

Description for the changelog

Enhancement - Introduce a new environment variable ECS_EXCLUDE_IPV6_PORTBINDING, which is true by default. When this filter is enabled, the response of DescribeTasks API call will not show the IPv6 port bindings for default network mode tasks, but it is still included in the Task metadata endpoint. This is a workaround for docker's bug as detailed in #2870.

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[fenxiong]

just wondering - does this filtering change anything for container in host and awsvpc network mode? i'm assuming no, but would be good to do a manual test to verify

[chienhanlin]

just wondering - does this filtering change anything for container in host and awsvpc network mode? i'm assuming no, but would be good to do a manual test to verify

This filter does not change anything for containers in host and awsvpc network mode. Will add the manual test results to the PR, and also add following info as a reference. Thanks!

For Task definition:

• Network Mode : Host
  Your containers will share the container instance network stack. Port mappings can only specify container ports (any existing host port specifications will be removed).

• Network Mode : awsvpc
  Your containers in the task will share an ENI using a common network stack. Port mappings can only specify container ports (any existing host port specifications will be removed).

• Network Mode : None
  Your containers will not have any network access to external routes. Port mappings are not valid with this network mode (any existing port mappings will be removed).

For Amazon ECS IPv6 support
See Amazon ECS now supports Internet Protocol Version 6 (IPv6) in awsvpc networking mode announcement for more details.

[yinyic]

nit - maybe a more appropriate name would be ShouldExcludeIPv6PortBinding? Technically at the moment that this variable is checked it's not excluded yet.

[chienhanlin]

Update the config variable to ShouldExcludeIPv6PortBinding as recommended. Thanks!

[yinyic]

nit - we can probably make it shorter
"Excluded IPv6 port binding: %v"

[chienhanlin]

Update the debug message as recommended. Thanks!

[chienhanlin]

Note: TestHandlerDoesntLeakGoroutines failed in the windows unit tests check, which is not introduced by code changes in this PR.

[vsiddharth]

Note: TestHandlerDoesntLeakGoroutines failed in the windows unit tests check, which is not introduced by code changes in this PR.

That test has been flaky for a while on Windows. Can we update or skip that test for a more consistent signal?

[sharanyad]

is there any reason why ipv6 ports are excluded only in state change calls?
Wouldn't the ipv6 ports show up in task metadata endpoint otherwise?
its better to filter it here to avoid any discrepancies:

amazon-ecs-agent/agent/engine/docker_task_engine.go

Line 494 in 225bc3a

container.SetKnownPortBindings(metadata.PortBindings)

[chienhanlin]

Update README file and the description for the changelog to make the purpose/impact of this PR more clear. Thanks!

[sharanyad]

we may want to indicate this is only for bridge mode tasks

[chienhanlin]

Update the description with the network mode as follows,
"Determines if agent should exclude IPv6 port binding using default network mode. If enabled, IPv6 port binding will be filtered out, and the response of DescribeTasks API call will not show tasks' IPv6 port bindings, but it is still included in Task metadata endpoint."
Thanks!

[sharanyad]

can we also log the container name/task ID if possible, so this is more useful?

[chienhanlin]

Add the container name and the task ARN to the debug log, as

level=debug time=xxx msg="Exclude IPv6 port binding {80 49155 :: 0} for container web in task xxxxx" module=client.go

[mythri-garaga]

Skipped Windows unit tests in favor of #3030

[zen0wu]

Just noticed this behavior today - has this recently regressed?

I'm on Docker 20.10.7 and ecs-agent 1.57.1 and am still noticing IPV6 binding being created, even after setting ECS_EXCLUDE_IPV6_PORTBINDING=true explicitly (and restart the ecs-agent), it still doesn't prevent the issue.

[vekien]

Is this working? I have also added echo ECS_EXCLUDE_IPV6_PORTBINDING=true >> /etc/ecs/ecs.config; but my docker tasks are still binding to ipv6.