adds daemon-bridge netns

Author: Jose Villalta

ecs-agent/netlib/platform/api.go

@@ -78,6 +78,10 @@ type API interface {
 		primaryIf *networkinterface.NetworkInterface,
 		scConfig *serviceconnect.ServiceConnectConfig,
 	) error
+
+	// ConfigureDaemonNetNS configures a network namespace for workloads running as daemons.
+	// This is an internal networking mode available in EMI (ECS Managed Instances) only.
+	ConfigureDaemonNetNS(netNS *tasknetworkconfig.NetworkNamespace) error
 }
 
 // Config contains platform-specific data.

ecs-agent/netlib/platform/cniconf_linux.go

@@ -121,6 +121,40 @@ func createBridgePluginConfig(netNSPath string) ecscni.PluginConfig {
 	return bridgeConfig
 }
 
+// createBridgePluginConfig constructs the configuration object for bridge plugin
+func createDaemonBridgePluginConfig(netNSPath string) ecscni.PluginConfig {
+	cniConfig := ecscni.CNIConfig{
+		NetNSPath:      netNSPath,
+		CNISpecVersion: cniSpecVersion,
+		CNIPluginName:  BridgePluginName,
+	}
+
+	_, routeIPNet, _ := net.ParseCIDR(AgentEndpoint)
+	route := &types.Route{
+		Dst: *routeIPNet,
+	}
+
+	ipamConfig := &ecscni.IPAMConfig{
+		CNIConfig: ecscni.CNIConfig{
+			NetNSPath:      netNSPath,
+			CNISpecVersion: cniSpecVersion,
+			CNIPluginName:  IPAMPluginName,
+		},
+		IPV4Subnet: ECSSubNet,
+		IPV4Routes: []*types.Route{route},
+		ID:         netNSPath,
+	}
+
+	// Invoke the bridge plugin and ipam plugin
+	bridgeConfig := &ecscni.BridgeConfig{
+		CNIConfig: cniConfig,
+		Name:      "emi-bridge", // TODO create a const and make this a parameter.
+		IPAM:      *ipamConfig,
+	}
+
+	return bridgeConfig
+}
+
 func createAppMeshPluginConfig(
 	netNSPath string,
 	cfg *appmesh.AppMesh,

ecs-agent/netlib/platform/common.go

@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/aws/amazon-ecs-agent/ecs-agent/netlib/model/ecscni"
+	"github.com/aws/amazon-ecs-agent/ecs-agent/netlib/model/tasknetworkconfig"
 
 	"github.com/containernetworking/cni/pkg/types"
 )
@@ -92,3 +93,9 @@ func (c *common) interfacesMACToName() (map[string]string, error) {
 func (c *common) HandleHostMode() error {
 	return errors.New("invalid platform for host mode")
 }
+
+// ConfigureDaemonNetNS configures a network namespace for workloads running as daemons.
+// This is an internal networking mode available in EMI (ECS Managed Instances) only.
+func (c *common) ConfigureDaemonNetNS(netNS *tasknetworkconfig.NetworkNamespace) error {
+	return errors.New("daemon network namespaces are not supported in this platform")
+}

ecs-agent/netlib/platform/managed_linux.go

@@ -56,10 +56,15 @@ func (m *managedLinux) BuildTaskNetworkConfiguration(
 			return nil, errors.Wrap(err, "failed to translate network configuration")
 		}
 	case types.NetworkModeHost:
-		netNSs, err = m.buildDefaultNetworkNamespace(taskID)
+		netNSs, err = m.buildDefaultNetworkNamespaceConfig(taskID)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to create network namespace with host eni")
 		}
+	case "daemon-bridge":
+		netNSs, err = m.buildHostDaemonNamespaceConfig(taskID)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create daemon host namespace")
+		}
 	default:
 		return nil, errors.New("invalid network mode: " + string(mode))
 	}
@@ -205,7 +210,7 @@ func (m *managedLinux) ConfigureServiceConnect(
 }
 
 // buildDefaultNetworkNamespace return default network namespace of host ENI for host mode.
-func (m *managedLinux) buildDefaultNetworkNamespace(taskID string) ([]*tasknetworkconfig.NetworkNamespace, error) {
+func (m *managedLinux) buildDefaultNetworkNamespaceConfig(taskID string) ([]*tasknetworkconfig.NetworkNamespace, error) {
 	macAddress, err1 := m.client.GetMetadata(MacResource)
 	ec2ID, err2 := m.client.GetMetadata(InstanceIDResource)
 	macToNames, err3 := m.common.interfacesMACToName()
@@ -306,3 +311,147 @@ func (m *managedLinux) buildDefaultNetworkNamespace(taskID string) ([]*tasknetwo
 func (m *managedLinux) HandleHostMode() error {
 	return nil
 }
+
+func (m *managedLinux) buildHostDaemonNamespaceConfig(taskID string) ([]*tasknetworkconfig.NetworkNamespace, error) {
+	macAddress, err1 := m.client.GetMetadata(MacResource)
+	ec2ID, err2 := m.client.GetMetadata(InstanceIDResource)
+	macToNames, err3 := m.common.interfacesMACToName()
+	if err := goErr.Join(err1, err2, err3); err != nil {
+		logger.Error("Error fetching fields for default ENI", logger.Fields{
+			loggerfield.Error: err,
+		})
+		return nil, err
+	}
+
+	hostENI := &ecsacs.ElasticNetworkInterface{
+		AttachmentArn:                aws.String("arn"),
+		Ec2Id:                        aws.String(ec2ID),
+		MacAddress:                   aws.String(macAddress),
+		DomainNameServers:            []*string{},
+		DomainName:                   []*string{},
+		PrivateDnsName:               aws.String(DefaultArg),
+		InterfaceAssociationProtocol: aws.String(DefaultArg),
+		Index:                        aws.Int64(64),
+	}
+
+	ipComp, err := net.DetermineIPCompatibility(m.netlink, macAddress)
+	if err != nil {
+		logger.Error("Failed to determine IP compatibility of host ENI", logger.Fields{
+			loggerfield.Error: err,
+		})
+		return nil, err
+	}
+
+	if !ipComp.IsIPv4Compatible() && !ipComp.IsIPv6Compatible() {
+		return nil, errors.New("Failed to build the default network namespace because the host ENI is neither " +
+			"IPv4 enabled nor IPv6 enabled")
+	}
+
+	if ipComp.IsIPv6Compatible() {
+		privateIpv6, err1 := m.client.GetMetadata(PrivateIPv6Address)
+		ipv6SubNet, err2 := m.client.GetMetadata(fmt.Sprintf(IPv6SubNetCidrBlock, macAddress))
+		if err := goErr.Join(err1, err2); err != nil {
+			logger.Error("Error fetching IPv6 fields for default ENI", logger.Fields{
+				loggerfield.Error: err,
+			})
+			return nil, err
+		}
+
+		hostENI.Ipv6Addresses = []*ecsacs.IPv6AddressAssignment{
+			{
+				Primary: aws.Bool(true),
+				Address: aws.String(privateIpv6),
+			},
+		}
+		hostENI.SubnetGatewayIpv6Address = aws.String(ipv6SubNet)
+	}
+
+	if ipComp.IsIPv4Compatible() {
+		privateIpv4, err1 := m.client.GetMetadata(PrivateIPv4Address)
+		ipv4SubNet, err2 := m.client.GetMetadata(fmt.Sprintf(IPv4SubNetCidrBlock, macAddress))
+		if err := goErr.Join(err1, err2); err != nil {
+			logger.Error("Error fetching IPv4 fields for default ENI", logger.Fields{
+				loggerfield.Error: err,
+			})
+			return nil, err
+		}
+
+		hostENI.Ipv4Addresses = []*ecsacs.IPv4AddressAssignment{
+			{
+				Primary:        aws.Bool(true),
+				PrivateAddress: aws.String(privateIpv4),
+			},
+		}
+		hostENI.SubnetGatewayIpv4Address = aws.String(ipv4SubNet)
+	}
+
+	netNSName := "host-daemon"
+	netNSPath := m.common.GetNetNSPath(netNSName)
+	netInt, err := networkinterface.New(hostENI, DefaultArg, nil, macToNames)
+	if err != nil {
+		logger.Error("Failed to create the network interface", logger.Fields{
+			loggerfield.Error: err,
+		})
+		return nil, err
+	}
+
+	netInt.Default = true
+	netInt.DesiredStatus = status.NetworkReady
+	netInt.KnownStatus = status.NetworkReady
+	daemonNamespace, err := tasknetworkconfig.NewNetworkNamespace(netNSName, netNSPath, 0, nil, netInt)
+	if err != nil {
+		logger.Error("Error building default network namespace for host mode", logger.Fields{
+			loggerfield.Error: err,
+		})
+		return nil, err
+	}
+	daemonNamespace.KnownState = status.NetworkReady
+	daemonNamespace.DesiredState = status.NetworkReady
+	return []*tasknetworkconfig.NetworkNamespace{daemonNamespace}, nil
+}
+
+func (m *managedLinux) configureDaemonNetNS(ctx context.Context, taskID string, netNS *tasknetworkconfig.NetworkNamespace) error {
+	var err error
+	if netNS.DesiredState == status.NetworkDeleted {
+		return errors.New("invalid transition state encountered: " + netNS.DesiredState.String())
+	}
+
+	// Create the network namespace and setup DNS configuration within the netns.
+	// This has to happen before any CNI plugin is executed.
+	if netNS.KnownState == status.NetworkNone &&
+		netNS.DesiredState == status.NetworkReadyPull {
+
+		logger.Debug("Creating netns: " + netNS.Path)
+		// Create network namespace on the host.
+		err = m.CreateNetNS(netNS.Path)
+		if err != nil {
+			return err
+		}
+
+		logger.Debug("Creating DNS config files")
+
+		// Create necessary DNS config files for the netns.
+		err = m.CreateDNSConfig(taskID, netNS)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Create MI-Bridge
+	var cniNetConf []ecscni.PluginConfig
+	cniNetConf = append(cniNetConf, createDaemonBridgePluginConfig(netNS.Path))
+	add := true
+
+	_, err = m.common.executeCNIPlugin(ctx, add, cniNetConf...)
+	if err != nil {
+		err = errors.Wrap(err, "failed to setup deamon network namespace bridge")
+	}
+
+	return err
+}
+
+// ConfigureDaemonNetNS will create a network namespace using the host ENI and host dns configuration.
+// It will contain a loopback interface and a bridge to the internal ECS subnet.
+func (m *managedLinux) ConfigureDaemonNetNS(netNS *tasknetworkconfig.NetworkNamespace) error {
+	return m.configureDaemonNetNS(context.Background(), netNS.Path, netNS)
+}

ecs-agent/netlib/platform/managed_linux_test.go

@@ -131,7 +131,7 @@ func testManagedLinuxBranchENIConfiguration(t *testing.T) {
 	require.NoError(t, err)
 }
 
-func TestBuildDefaultNetworkNamespace(t *testing.T) {
+func TestBuildDefaultNetworkNamespaceConfig(t *testing.T) {
 	tests := []struct {
 		name       string
 		taskID     string
@@ -278,7 +278,7 @@ func TestBuildDefaultNetworkNamespace(t *testing.T) {
 				common: *commonPlatform,
 			}
 
-			namespaces, err := ml.buildDefaultNetworkNamespace(tt.taskID)
+			namespaces, err := ml.buildDefaultNetworkNamespaceConfig(tt.taskID)
 
 			if tt.expectedError != nil {
 				assert.Error(t, err)