Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce a new environment variable ECS_EXCLUDE_IPV6_PORTBINDING #3025

Merged
merged 1 commit into from
Sep 15, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -194,7 +194,8 @@ additional details on each available environment variable.
| `ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE` | `true` | Whether to enable awslogs log driver to authenticate via credentials of task execution IAM role. Needs to be true if you want to use awslogs log driver in a task that has task execution IAM role specified. When using the ecs-init RPM with version equal or later than V1.16.0-1, this env is set to true by default. | `false` | `false` |
| `ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED` | `true` | Whether FSx for Windows File Server volume type is supported on the container instance. This variable is only supported on agent versions 1.47.0 and later. | `false` | `true` |
| `ECS_ENABLE_RUNTIME_STATS` | `true` | Determines if [pprof](https://pkg.go.dev/net/http/pprof) is enabled for the agent. If enabled, the different profiles can be accessed through the agent's introspection port (e.g. `curl http://localhost:51678/debug/pprof/heap > heap.pprof`). In addition, agent's [runtime stats](https://pkg.go.dev/runtime#ReadMemStats) are logged to `/var/log/ecs/runtime-stats.log` file. | `false` | `false` |

| `ECS_EXCLUDE_IPV6_PORTBINDING` | `true` | Determines if agent should exclude IPv6 port binding using default network mode. If enabled, IPv6 port binding will be filtered out, and the response of DescribeTasks API call will not show tasks' IPv6 port bindings, but it is still included in Task metadata endpoint. | `true` | `true` |

### Persistence

When you run the Amazon ECS Container Agent in production, its `datadir` should be persisted between runs of the Docker
Expand Down
20 changes: 13 additions & 7 deletions agent/api/ecsclient/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -413,7 +413,7 @@ func (client *APIECSClient) SubmitTaskStateChange(change api.TaskStateChange) er

containerEvents := make([]*ecs.ContainerStateChange, len(change.Containers))
for i, containerEvent := range change.Containers {
containerEvents[i] = client.buildContainerStateChangePayload(containerEvent)
containerEvents[i] = client.buildContainerStateChangePayload(containerEvent, client.config.ShouldExcludeIPv6PortBinding.Enabled())
}

req.Containers = containerEvents
Expand Down Expand Up @@ -454,7 +454,7 @@ func (client *APIECSClient) buildManagedAgentStateChangePayload(change api.Manag
}
}

func (client *APIECSClient) buildContainerStateChangePayload(change api.ContainerStateChange) *ecs.ContainerStateChange {
func (client *APIECSClient) buildContainerStateChangePayload(change api.ContainerStateChange, shouldExcludeIPv6PortBinding bool) *ecs.ContainerStateChange {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any reason why ipv6 ports are excluded only in state change calls?
Wouldn't the ipv6 ports show up in task metadata endpoint otherwise?
its better to filter it here to avoid any discrepancies:

container.SetKnownPortBindings(metadata.PortBindings)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update README file and the description for the changelog to make the purpose/impact of this PR more clear. Thanks!

statechange := &ecs.ContainerStateChange{
ContainerName: aws.String(change.ContainerName),
}
Expand Down Expand Up @@ -487,27 +487,33 @@ func (client *APIECSClient) buildContainerStateChangePayload(change api.Containe
exitCode := int64(aws.IntValue(change.ExitCode))
statechange.ExitCode = aws.Int64(exitCode)
}
networkBindings := make([]*ecs.NetworkBinding, len(change.PortBindings))
for i, binding := range change.PortBindings {

networkBindings := []*ecs.NetworkBinding{}
for _, binding := range change.PortBindings {
if binding.BindIP == "::" && shouldExcludeIPv6PortBinding {
seelog.Debugf("Exclude IPv6 port binding %v for container %s in task %s", binding, change.ContainerName, change.TaskArn)
continue
}

hostPort := int64(binding.HostPort)
containerPort := int64(binding.ContainerPort)
bindIP := binding.BindIP
protocol := binding.Protocol.String()

networkBindings[i] = &ecs.NetworkBinding{
networkBindings = append(networkBindings, &ecs.NetworkBinding{
BindIP: aws.String(bindIP),
ContainerPort: aws.Int64(containerPort),
HostPort: aws.Int64(hostPort),
Protocol: aws.String(protocol),
}
})
}
statechange.NetworkBindings = networkBindings

return statechange
}

func (client *APIECSClient) SubmitContainerStateChange(change api.ContainerStateChange) error {
pl := client.buildContainerStateChangePayload(change)
pl := client.buildContainerStateChangePayload(change, client.config.ShouldExcludeIPv6PortBinding.Enabled())
if pl == nil {
return nil
}
Expand Down
7 changes: 4 additions & 3 deletions agent/api/ecsclient/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,9 +84,10 @@ func NewMockClient(ctrl *gomock.Controller,

return NewMockClientWithConfig(ctrl, ec2Metadata, additionalAttributes,
&config.Config{
Cluster: configuredCluster,
AWSRegion: "us-east-1",
InstanceAttributes: additionalAttributes,
Cluster: configuredCluster,
AWSRegion: "us-east-1",
InstanceAttributes: additionalAttributes,
ShouldExcludeIPv6PortBinding: config.BooleanDefaultTrue{Value: config.ExplicitlyEnabled},
})
}

Expand Down
3 changes: 3 additions & 0 deletions agent/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -591,6 +591,7 @@ func environmentConfig() (Config, error) {
FSxWindowsFileServerCapable: parseFSxWindowsFileServerCapability(),
External: parseBooleanDefaultFalseConfig("ECS_EXTERNAL"),
EnableRuntimeStats: parseBooleanDefaultFalseConfig("ECS_ENABLE_RUNTIME_STATS"),
ShouldExcludeIPv6PortBinding: parseBooleanDefaultTrueConfig("ECS_EXCLUDE_IPV6_PORTBINDING"),
}, err
}

Expand Down Expand Up @@ -623,6 +624,7 @@ func (cfg *Config) String() string {
"ContainerCreateTimeout: %v, "+
"DependentContainersPullUpfront: %v, "+
"TaskCPUMemLimit: %v, "+
"ShouldExcludeIPv6PortBinding: %v, "+
"%s",
cfg.Cluster,
cfg.AWSRegion,
Expand All @@ -640,6 +642,7 @@ func (cfg *Config) String() string {
cfg.ContainerCreateTimeout,
cfg.DependentContainersPullUpfront,
cfg.TaskCPUMemLimit,
cfg.ShouldExcludeIPv6PortBinding,
cfg.platformString(),
)
}
2 changes: 2 additions & 0 deletions agent/config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ func TestEnvironmentConfig(t *testing.T) {
defer setTestEnv("ECS_CGROUP_CPU_PERIOD", "")
defer setTestEnv("ECS_PULL_DEPENDENT_CONTAINERS_UPFRONT", "true")()
defer setTestEnv("ECS_ENABLE_RUNTIME_STATS", "true")()
defer setTestEnv("ECS_EXCLUDE_IPV6_PORTBINDING", "true")()
additionalLocalRoutesJSON := `["1.2.3.4/22","5.6.7.8/32"]`
setTestEnv("ECS_AWSVPC_ADDITIONAL_LOCAL_ROUTES", additionalLocalRoutesJSON)
setTestEnv("ECS_ENABLE_CONTAINER_METADATA", "true")
Expand Down Expand Up @@ -214,6 +215,7 @@ func TestEnvironmentConfig(t *testing.T) {
assert.Equal(t, []string{"efsAuth"}, conf.VolumePluginCapabilities)
assert.True(t, conf.DependentContainersPullUpfront.Enabled(), "Wrong value for DependentContainersPullUpfront")
assert.True(t, conf.EnableRuntimeStats.Enabled(), "Wrong value for EnableRuntimeStats")
assert.True(t, conf.ShouldExcludeIPv6PortBinding.Enabled(), "Wrong value for ShouldExcludeIPv6PortBinding")
}

func TestTrimWhitespaceWhenCreating(t *testing.T) {
Expand Down
1 change: 1 addition & 0 deletions agent/config/config_unix.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ func DefaultConfig() Config {
FSxWindowsFileServerCapable: false,
RuntimeStatsLogFile: defaultRuntimeStatsLogFile,
EnableRuntimeStats: BooleanDefaultFalse{Value: NotSet},
ShouldExcludeIPv6PortBinding: BooleanDefaultTrue{Value: ExplicitlyEnabled},
}
}

Expand Down
1 change: 1 addition & 0 deletions agent/config/config_unix_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ func TestConfigDefault(t *testing.T) {
assert.False(t, cfg.DependentContainersPullUpfront.Enabled(), "Default DependentContainersPullUpfront set incorrectly")
assert.False(t, cfg.PollMetrics.Enabled(), "ECS_POLL_METRICS default should be false")
assert.False(t, cfg.EnableRuntimeStats.Enabled(), "Default EnableRuntimeStats set incorrectly")
assert.True(t, cfg.ShouldExcludeIPv6PortBinding.Enabled(), "Default ShouldExcludeIPv6PortBinding set incorrectly")
}

// TestConfigFromFile tests the configuration can be read from file
Expand Down
1 change: 1 addition & 0 deletions agent/config/config_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ func DefaultConfig() Config {
CNIPluginsPath: filepath.Join(ecsBinaryDir, defaultCNIPluginDirName),
RuntimeStatsLogFile: filepath.Join(ecsRoot, defaultRuntimeStatsLogFile),
EnableRuntimeStats: BooleanDefaultFalse{Value: NotSet},
ShouldExcludeIPv6PortBinding: BooleanDefaultTrue{Value: ExplicitlyEnabled},
}
}

Expand Down
1 change: 1 addition & 0 deletions agent/config/config_windows_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ func TestConfigDefault(t *testing.T) {
assert.Equal(t, DefaultImagePullTimeout, cfg.ImagePullTimeout, "Default ImagePullTimeout set incorrectly")
assert.False(t, cfg.DependentContainersPullUpfront.Enabled(), "Default DependentContainersPullUpfront set incorrectly")
assert.False(t, cfg.EnableRuntimeStats.Enabled(), "Default EnableRuntimeStats set incorrectly")
assert.True(t, cfg.ShouldExcludeIPv6PortBinding.Enabled(), "Default ShouldExcludeIPv6PortBinding set incorrectly")
}

func TestConfigIAMTaskRolesReserves80(t *testing.T) {
Expand Down
5 changes: 5 additions & 0 deletions agent/config/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -349,4 +349,9 @@ type Config struct {
// EnableRuntimeStats specifies if pprof should be enabled through the agent introspection port. By default, this configuration
// is set to false and can be overridden by means of the ECS_ENABLE_RUNTIME_STATS environment variable.
EnableRuntimeStats BooleanDefaultFalse

// ShouldExcludeIPv6PortBinding specifies whether agent should exclude IPv6 port bindings reported from docker. This configuration
// is set to true by default, and can be overridden by the ECS_EXCLUDE_IPV6_PORTBINDING environment variable. This is a workaround
// for docker's bug as detailed in https://github.com/aws/amazon-ecs-agent/issues/2870.
ShouldExcludeIPv6PortBinding BooleanDefaultTrue
}