Add support for IPv6-only environments to exec agent (aws#4708)

Author: amogh09

agent/app/agent.go

@@ -347,7 +347,7 @@ func (agent *ecsAgent) start() int {
 		return exitcodes.ExitError
 	}
 	agent.initializeResourceFields(credentialsManager)
-	return agent.doStart(containerChangeEventStream, credentialsManager, state, imageManager, client, execcmd.NewManager())
+	return agent.doStart(containerChangeEventStream, credentialsManager, state, imageManager, client, execcmd.NewManager(agent.cfg))
 }
 
 // doStart is the worker invoked by start for starting the ECS Agent. This involves

agent/engine/common_integ_testutil.go

@@ -119,7 +119,7 @@ func setupGMSALinux(cfg *config.Config, state dockerstate.TaskEngineState, t *te
 
 	taskEngine := NewDockerTaskEngine(cfg, dockerClient, credentialsManager,
 		eventstream.NewEventStream("ENGINEINTEGTEST", context.Background()), imageManager, &hostResourceManager, state, metadataManager,
-		resourceFields, execcmd.NewManager(), engineserviceconnect.NewManager(), daemonManagers)
+		resourceFields, execcmd.NewManager(cfg), engineserviceconnect.NewManager(), daemonManagers)
 	taskEngine.MustInit(context.TODO())
 	return taskEngine, func() {
 		taskEngine.Shutdown()
@@ -278,7 +278,7 @@ func SetupIntegTestTaskEngine(cfg *config.Config, state dockerstate.TaskEngineSt
 
 	taskEngine := NewDockerTaskEngine(cfg, dockerClient, credentialsManager,
 		eventstream.NewEventStream("ENGINEINTEGTEST", context.Background()), imageManager, &hostResourceManager, state, metadataManager,
-		nil, execcmd.NewManager(), engineserviceconnect.NewManager(), daemonManagers)
+		nil, execcmd.NewManager(cfg), engineserviceconnect.NewManager(), daemonManagers)
 	taskEngine.MustInit(context.TODO())
 	return taskEngine, func() {
 		taskEngine.Shutdown()

agent/engine/docker_task_engine.go

@@ -2034,8 +2034,7 @@ func (engine *DockerTaskEngine) createContainer(task *apitask.Task, container *a
 	}
 
 	if execcmd.IsExecEnabledContainer(container) {
-		tID := task.GetID()
-		err := engine.execCmdMgr.InitializeContainer(tID, container, hostConfig)
+		err := engine.execCmdMgr.InitializeContainer(task, container, hostConfig)
 		if err != nil {
 			logger.Warn("Error initializing ExecCommandAgent; proceeding to start container without exec feature", logger.Fields{
 				field.TaskID:    task.GetID(),

agent/engine/engine_sudo_linux_integ_test.go

@@ -296,7 +296,7 @@ func TestExecCommandAgent(t *testing.T) {
 
 	testExecCmdHostBinDir := "/managed-agents/execute-command/bin"
 
-	taskEngine, done, _ := setupEngineForExecCommandAgent(t, testExecCmdHostBinDir)
+	taskEngine, done, _, cfg := setupEngineForExecCommandAgent(t, testExecCmdHostBinDir)
 	stateChangeEvents := taskEngine.StateChangeEvents()
 	defer done()
 
@@ -323,7 +323,7 @@ func TestExecCommandAgent(t *testing.T) {
 	cid := containerMap[testTask.Containers[0].Name].DockerID
 
 	// session limit is 2
-	testConfigFileName, _ := execcmd.GetExecAgentConfigFileName(2)
+	testConfigFileName, _ := execcmd.GetExecAgentConfigFileName(2, cfg, testTask)
 	testLogConfigFileName, _ := execcmd.GetExecAgentLogConfigFile()
 	verifyExecCmdAgentExpectedMounts(t, ctx, client, testTaskId, cid, testContainerName, testExecCmdHostBinDir+"/1.0.0.0", testConfigFileName, testLogConfigFileName)
 	pidA := verifyMockExecCommandAgentIsRunning(t, client, cid)
@@ -391,7 +391,7 @@ func TestManagedAgentEvent(t *testing.T) {
 
 			testExecCmdHostBinDir := "/managed-agents/execute-command/bin"
 
-			taskEngine, done, _ := setupEngineForExecCommandAgent(t, testExecCmdHostBinDir)
+			taskEngine, done, _, _ := setupEngineForExecCommandAgent(t, testExecCmdHostBinDir)
 			defer done()
 
 			testTask := createTestExecCommandAgentTask(testTaskId, testContainerName, time.Minute*tc.ManagedAgentLifetime)
@@ -448,7 +448,9 @@ func createTestExecCommandAgentTask(taskId, containerName string, sleepFor time.
 // setupEngineForExecCommandAgent creates a new TaskEngine with a custom execcmd.Manager that will attempt to read the
 // host binaries from the directory passed as parameter (as opposed to the default directory).
 // Additionally, it overrides the engine's monitorExecAgentsInterval to one second.
-func setupEngineForExecCommandAgent(t *testing.T, hostBinDir string) (TaskEngine, func(), credentials.Manager) {
+func setupEngineForExecCommandAgent(
+	t *testing.T, hostBinDir string,
+) (TaskEngine, func(), credentials.Manager, *config.Config) {
 	ctx, cancel := context.WithCancel(context.TODO())
 	defer cancel()
 
@@ -465,7 +467,7 @@ func setupEngineForExecCommandAgent(t *testing.T, hostBinDir string) (TaskEngine
 	imageManager := NewImageManager(cfg, dockerClient, state)
 	imageManager.SetDataClient(data.NewNoopClient())
 	metadataManager := containermetadata.NewManager(dockerClient, cfg)
-	execCmdMgr := execcmd.NewManagerWithBinDir(hostBinDir)
+	execCmdMgr := execcmd.NewManagerWithBinDir(hostBinDir, cfg)
 	hostResources := getTestHostResources()
 	hostResourceManager := NewHostResourceManager(hostResources)
 	daemonManagers := getTestDaemonManagers()
@@ -477,7 +479,7 @@ func setupEngineForExecCommandAgent(t *testing.T, hostBinDir string) (TaskEngine
 	taskEngine.MustInit(context.TODO())
 	return taskEngine, func() {
 		taskEngine.Shutdown()
-	}, credentialsManager
+	}, credentialsManager, cfg
 }
 
 const (

agent/engine/engine_windows_integ_test.go

@@ -576,7 +576,7 @@ func setupGMSA(cfg *config.Config, state dockerstate.TaskEngineState, t *testing
 
 	taskEngine := NewDockerTaskEngine(cfg, dockerClient, credentialsManager,
 		eventstream.NewEventStream("ENGINEINTEGTEST", context.Background()), imageManager, &hostResourceManager, state, metadataManager,
-		resourceFields, execcmd.NewManager(), engineserviceconnect.NewManager(), getTestDaemonManagers())
+		resourceFields, execcmd.NewManager(cfg), engineserviceconnect.NewManager(), getTestDaemonManagers())
 	taskEngine.MustInit(context.TODO())
 	return taskEngine, func() {
 		taskEngine.Shutdown()
@@ -814,7 +814,7 @@ func setupEngineForExecCommandAgent(t *testing.T, hostBinDir string) (TaskEngine
 	imageManager := NewImageManager(cfg, dockerClient, state)
 	imageManager.SetDataClient(data.NewNoopClient())
 	metadataManager := containermetadata.NewManager(dockerClient, cfg)
-	execCmdMgr := execcmd.NewManagerWithBinDir(hostBinDir)
+	execCmdMgr := execcmd.NewManagerWithBinDir(hostBinDir, cfg)
 	hostResources := getTestHostResources()
 	hostResourceManager := NewHostResourceManager(hostResources)
 

agent/engine/execcmd/manager.go

@@ -20,6 +20,7 @@ import (
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
 	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
+	"github.com/aws/amazon-ecs-agent/agent/config"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi"
 
 	"github.com/aws/aws-sdk-go-v2/service/ecs/types"
@@ -66,7 +67,7 @@ func (e StartError) Retry() bool {
 }
 
 type Manager interface {
-	InitializeContainer(taskId string, container *apicontainer.Container, hostConfig *dockercontainer.HostConfig) error
+	InitializeContainer(task *apitask.Task, container *apicontainer.Container, hostConfig *dockercontainer.HostConfig) error
 	StartAgent(ctx context.Context, client dockerapi.DockerClient, task *apitask.Task, container *apicontainer.Container, containerId string) error
 	RestartAgentIfStopped(ctx context.Context, client dockerapi.DockerClient, task *apitask.Task, container *apicontainer.Container, containerId string) (RestartStatus, error)
 }
@@ -77,20 +78,22 @@ type manager struct {
 	retryMinDelay       time.Duration
 	startRetryTimeout   time.Duration
 	inspectRetryTimeout time.Duration
+	agentConfig         *config.Config
 }
 
-func NewManager() *manager {
+func NewManager(cfg *config.Config) *manager {
 	return &manager{
 		hostBinDir:          HostBinDir,
 		retryMaxDelay:       defaultRetryMaxDelay,
 		retryMinDelay:       defaultRetryMinDelay,
 		startRetryTimeout:   defaultStartRetryTimeout,
 		inspectRetryTimeout: defaultInspectRetryTimeout,
+		agentConfig:         cfg,
 	}
 }
 
-func NewManagerWithBinDir(hostBinDir string) *manager {
-	m := NewManager()
+func NewManagerWithBinDir(hostBinDir string, cfg *config.Config) *manager {
+	m := NewManager(cfg)
 	m.hostBinDir = hostBinDir
 	return m
 }

agent/engine/execcmd/manager_init_task.go

@@ -30,6 +30,7 @@ import (
 	dockercontainer "github.com/docker/docker/api/types/container"
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
 	"github.com/pborman/uuid"
 )
 
@@ -50,14 +51,29 @@ var (
 	execAgentConfigTemplate = `{
 	"Mgs": {
 		"Region": "",
-		"Endpoint": "",
+		"Endpoint": "%s",
 		"StopTimeoutMillis": 20000,
 		"SessionWorkersLimit": %d
 	},
 	"Agent": {
 		"Region": "",
 		"OrchestrationRootDir": "",
 		"ContainerMode": true
+	},
+	"Ssm": {
+		"Endpoint": "%s"
+	},
+	"Mds": {
+		"Endpoint": "%s"
+	},
+	"S3": {
+		"Endpoint": "%s"
+	},
+	"Kms": {
+		"Endpoint": "%s"
+	},
+	"CloudWatch": {
+		"Endpoint": "%s"
 	}
 }`
 
@@ -66,7 +82,9 @@ var (
 
 // InitializeContainer adds the necessary bind mounts in order for the ExecCommandAgent to run properly in the container
 // TODO: [ecs-exec] Should we validate the ssm agent binaries & certs are valid and fail here if they're not? (bind mount will succeed even if files don't exist in host)
-func (m *manager) InitializeContainer(taskId string, container *apicontainer.Container, hostConfig *dockercontainer.HostConfig) (rErr error) {
+func (m *manager) InitializeContainer(
+	task *apitask.Task, container *apicontainer.Container, hostConfig *dockercontainer.HostConfig,
+) (rErr error) {
 	defer func() {
 		if rErr != nil {
 			container.UpdateManagedAgentByName(ExecuteCommandAgentName, apicontainer.ManagedAgentState{
@@ -89,7 +107,8 @@ func (m *manager) InitializeContainer(taskId string, container *apicontainer.Con
 		return rErr
 	}
 
-	rErr = addRequiredBindMounts(taskId, cn, latestBinVersionDir, uuid, sessionWorkersLimit, hostConfig)
+	rErr = addRequiredBindMounts(task, cn, latestBinVersionDir, uuid, sessionWorkersLimit,
+		hostConfig, m.agentConfig)
 	if rErr != nil {
 		return rErr
 	}

agent/engine/execcmd/manager_init_task_linux.go

@@ -16,10 +16,15 @@
 package execcmd
 
 import (
+	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
 
+	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
+	"github.com/aws/amazon-ecs-agent/agent/config"
+	"github.com/aws/amazon-ecs-agent/agent/utils/endpoints"
+	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
 	dockercontainer "github.com/docker/docker/api/types/container"
 )
 
@@ -114,25 +119,114 @@ func validConfigExists(configFilePath, expectedHash string) bool {
 
 var GetExecAgentConfigFileName = getAgentConfigFileName
 
-func getAgentConfigFileName(sessionLimit int) (string, error) {
-	config := fmt.Sprintf(execAgentConfigTemplate, sessionLimit)
+// formatSSMAgentConfig creates the SSM agent configuration with the appropriate endpoints
+// based on whether we're in an IPv6-only environment
+func formatSSMAgentConfig(sessionLimit int, cfg *config.Config, task *apitask.Task) (string, error) {
+	var (
+		mgsEndpoint string
+		ssmEndpoint string
+		mdsEndpoint string
+		s3Endpoint  string
+		kmsEndpoint string
+		cwlEndpoint string
+		err         error
+	)
+
+	// SSM Agent needs to use dualstack endpoints for its dependencies
+	// if the network only supports IPv6.
+	useDualStackEndpoints := false
+	if task.IsNetworkModeAWSVPC() {
+		// For awsvpc tasks, the task network is used by the SSM Agent
+		primaryENI := task.GetPrimaryENI()
+		if primaryENI == nil {
+			return "", errors.New("awsvpc mode task does not have a primary ENI")
+		}
+		useDualStackEndpoints = primaryENI.IPv6Only()
+	} else {
+		useDualStackEndpoints = cfg.InstanceIPCompatibility.IsIPv6Only()
+	}
+
+	if useDualStackEndpoints {
+		// Resolve SSM Messages endpoint
+		mgsEndpoint, err = endpoints.ResolveSSMMessagesDualStackEndpoint(cfg.AWSRegion)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve SSM Messages endpoint: %w", err)
+		}
+
+		// Resolve SSM endpoint
+		ssmEndpoint, err = endpoints.ResolveSSMEndpoint(cfg.AWSRegion, true)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve SSM endpoint: %w", err)
+		}
+
+		// Resolve EC2 Messages endpoint
+		mdsEndpoint, err = endpoints.ResolveEC2MessagesDualStackEndpoint(cfg.AWSRegion)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve EC2 Messages endpoint: %w", err)
+		}
+
+		// Resolve S3 endpoint
+		s3Endpoint, err = endpoints.ResolveS3Endpoint(cfg.AWSRegion, true)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve S3 endpoint: %w", err)
+		}
+
+		// Resolve KMS endpoint
+		kmsEndpoint, err = endpoints.ResolveKMSEndpoint(cfg.AWSRegion, true)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve KMS endpoint: %w", err)
+		}
+
+		// Resolve CloudWatch Logs endpoint
+		cwlEndpoint, err = endpoints.ResolveCloudWatchLogsEndpoint(cfg.AWSRegion, true)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve CloudWatch Logs endpoint: %w", err)
+		}
+
+		logger.Info("Using dualstack endpoints for SSM Agent in IPv6-only environment", logger.Fields{
+			"region":      cfg.AWSRegion,
+			"mgsEndpoint": mgsEndpoint,
+			"ssmEndpoint": ssmEndpoint,
+			"mdsEndpoint": mdsEndpoint,
+			"s3Endpoint":  s3Endpoint,
+			"kmsEndpoint": kmsEndpoint,
+			"cwlEndpoint": cwlEndpoint,
+		})
+	}
+
+	return fmt.Sprintf(execAgentConfigTemplate, mgsEndpoint, sessionLimit, ssmEndpoint,
+		mdsEndpoint, s3Endpoint, kmsEndpoint, cwlEndpoint), nil
+}
+
+func getAgentConfigFileName(sessionLimit int, cfg *config.Config, task *apitask.Task) (string, error) {
+	// Format the SSM agent config with appropriate endpoints
+	config, err := formatSSMAgentConfig(sessionLimit, cfg, task)
+	if err != nil {
+		return "", err
+	}
+
+	// Generate a hash of the config to use in the filename
 	hash := getExecAgentConfigHash(config)
 	configFileName := fmt.Sprintf(execAgentConfigFileNameTemplate, hash)
-	// check if config file exists already
+
+	// Check if config file exists already
 	configFilePath := filepath.Join(ECSAgentExecConfigDir, configFileName)
 	if fileExists(configFilePath) && validConfigExists(configFilePath, hash) {
 		return configFileName, nil
 	}
-	// check if config file is a dir; if true, remove it
+
+	// Check if config file is a dir; if true, remove it
 	if isDir(configFilePath) {
 		if err := removeAll(configFilePath); err != nil {
 			return "", err
 		}
 	}
-	// config doesn't exist; create a new one
+
+	// Config doesn't exist; create a new one
 	if err := createNewExecAgentConfigFile(config, configFilePath); err != nil {
 		return "", err
 	}
+
 	return configFileName, nil
 }
 
@@ -142,8 +236,11 @@ func certsExist() bool {
 
 // This function creates any necessary config directories/files and ensures that
 // the ssm-agent binaries, configs, logs, and plugin is bind mounted
-func addRequiredBindMounts(taskId, cn, latestBinVersionDir, uuid string, sessionWorkersLimit int, hostConfig *dockercontainer.HostConfig) error {
-	configFile, rErr := GetExecAgentConfigFileName(sessionWorkersLimit)
+func addRequiredBindMounts(
+	task *apitask.Task, cn, latestBinVersionDir, uuid string, sessionWorkersLimit int,
+	hostConfig *dockercontainer.HostConfig, cfg *config.Config,
+) error {
+	configFile, rErr := GetExecAgentConfigFileName(sessionWorkersLimit, cfg, task)
 	if rErr != nil {
 		rErr = fmt.Errorf("could not generate ExecAgent Config File: %v", rErr)
 		return rErr
@@ -191,7 +288,7 @@ func addRequiredBindMounts(taskId, cn, latestBinVersionDir, uuid string, session
 
 	// Add ssm log bind mount
 	hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(
-		filepath.Join(HostLogDir, taskId, cn),
+		filepath.Join(HostLogDir, task.GetID(), cn),
 		ContainerLogDir))
 	return nil
 }