Enable ECS EC2 task networking for Windows tasks #2915
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
angelcar
previously approved these changes
Jun 23, 2021
fenxiong
previously approved these changes
Jun 23, 2021
rawahars
force-pushed
the
feature/awsvpc-windows
branch
2 times, most recently
from
4c22a2b
to
d8c4d3f
Compare
rawahars
force-pushed
the
feature/awsvpc-windows
branch
from
d8c4d3f
to
efba353
Compare
…instance (aws#2498) * Changes to check if the pause image has been loaded on agent startup. We will cache pause image on ECS-Optimized Windows AMI. On agent startup, we check if the pause image is already loaded. The following changes are made as part of this commit: 1. Moved common functions from pause_linux.go to load.go 2. Moved the common code from IsLoaded function to a function in load.go 3. Unit tests for the same were moved from Linux specific files to common files
…ring. Changes include - 1. A wrapper for Golang net package 2. A wrapper over Windows API for interface monitoring 3. Network Utils added to retrieve interface information 4. A watcher for Windows which can handle newly added interfaces as well as periodic reconciliation of ENI states. Note : Few Windows and Linux common functions have been moved from Linux specific files to common files. The changes made are targeted for Windows platform only and do not impact the existing Linux functionality.
1. Build file changes to fix cross-platform travis builds and removing CGO import 2. Error handling for cases when Windows API calls fail explicitly 3. Changed UdevWatcher struct to ENIWatcher which is more generic 4. Changes to package names 5. Formatting changes
1. Refactored code to include aws#2527 in the new design 2. Addition of fields in ENIWatcher to ensure successful cross-pltform builds (darwin) 3. Removed the CGO import from iphelper_windows.go which was missed in the conflict resolution
Major changes made as part of this commit - 1. Integrated various individual components such as ENI Watcher and CNI plugins 2. Moved common code from platform specific file and vice versa 3. Created new plugin configuration and invokation logic for Windows 4. Integrated additional flows required for awsvpc mode
…ting DNS server address in Windows CNI plugin config
…aryIPv4VPCCIDRResourceFormat
The link name is a required parameter for the CNI plugin.
Earlier, we had planned on using vpc-shared-eni CNI plugin for task networking setup. However, based on the recent discussions, vpc-eni plugin would be used for the same.
Also, moved Linux specific constants out from common files.
On Windows, task ENI's link name is required for launching the tasks in awsvpc network mode. We update this dependency before the task is launched.
On Windows, if the CNI plugin is invoked too soon then HNS might not be able to find the network interface to bind with the vSwitch. In such a case, the plugin invocation might fail. Therefore, we will retry the namespace setup with a backoff.
…concurrent calls.
We need to perform some additional tasks to ensure that the task can access credentials endpoint. Additionally, if the IMDS has to be blocked for the task, then we create the appropriate Windows firewall rules.
… a separate interface
… routes and IMDS route in the task namespace. (aws#2876) * Add IMDS route to the task namespace if task is allowed to have IMDS access.c * Add support for adding additional local routes in awsvpc network mode on Windows. * Removed the workflow for getting Primary ipv4 address of the vpc. This is not required as we can use the dns settings of the primary instance ENI. * Added gSMA support while using awsvpc network mode. We use the instance ENIs DNS settings since both the ENIs would be in the same VPC and would be additionally beneficial during domain join. * PR review changes: Reverted netwrapper to platform agnostic package * Changes to json format for vpc-eni plugin * Bug fix to rectify the scenario when pause container sends nil network stats. Initially, without any network, pause container returns nil network stats. When container stats are collected with pause namespace in place, lastStats.NetworkStats is nil which causes agent to crash and restart. * Minor changes: Comment changes, logfile path consolidation and variable name change
…aws#2893) * Added CNI plugin version upgrade code to common file * Build vpc-eni cni plugin for Windows * Updated the git submodule for vpc-cni plugins * Disabled verbose option for Windows unit tests * Updated git submodule vpc-cni-plugins to latest release * Updated values for max retry during network setup
Instead of creating Windows Firewall rules, create a loopback route for IMDS inside the task namespace.
rawahars
force-pushed
the
feature/awsvpc-windows
branch
from
efba353
to
3495999
Compare
angelcar
approved these changes
Jun 29, 2021
fenxiong
approved these changes
Jun 29, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
These changes are for enabling ECS EC2 task networking for Windows tasks.
Implementation details
These changes are part of feature/awsvpc-windows branch
The same were implemented and reviewed in their respective CRs
Testing
A custom binary was tested with the changes.
Description for the changelog
Enabling ECS EC2 task networking for Windows tasks
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.