IPv6 default route for IPv6-only awsvpc tasks #4603

Merged
merged 2 commits into from
Apr 30, 2025

Conversation

amogh09
Contributor

@amogh09 amogh09 commented Apr 29, 2025

Summary

This change makes Agent create an IPv6 default route in task network namespace of awsvpc tasks whose task ENIs are IPv6-only. The default route is via the task subnet's gateway address which will be passed to Agent by ECS backend. Changes to update ECS backend model to include IPv6 subnet gateway address are not a part of this change and will be made separately in the near future.

This change is applicable only to IPv6-only task ENIs. Dual stack task ENIs continue to work as before (without an explicitly created default IPv6 route).

The default routes are created by vpc-eni (for standard awsvpc mode) and vpc-branch-eni (for awsvpc mode with ENI trunking enabled) CNI plugins. The plugins themselves already support creating default IPv6 routes, so we just need Agent to pass the IPv6 subnet gateway address to the plugins.

Implementation details

  1. Add SubnetGatewayIPV6Address field to NetworkInterface type in ecs-agent module. Also add a GetSubnetGatewayIPv6Address method to get it. This struct is Agent's representation of ENIs.
  2. Update CNI configs generated for vpc-eni and vpc-branch-eni plugins so that they include IPv6 subnet gateway address for IPv6-only task ENIs.

Testing

New tests cover the changes: yes

Made temporary changes to the code so that task ENIs as seen by task engine only have IPv6 addresses (they are already passed by ECS backend) and an IPv6 subnet gateway address. Ran an awsvpc task in dual-stack subnet and verified that the task's network has an IPv6 default route via the subnet gateway and no IPv4 default route.

ipv6dev ❱ docker exec -it a2b914a4f4f1 bash
bash-5.2# ip -6 route show default
default via 2600:1f14:323a:e001::1 dev eth0 metric 1024 pref medium
default via fe80::5f:3cff:fe81:2ef dev eth0 proto ra metric 1024 expires 1799sec hoplimit 255 pref medium
bash-5.2# ip route show default
bash-5.2#

There are two IPv6 default routes because a default route is automatically configured for IPv6 task ENIs by EC2. However, ECS will be adding an explicit route that will be via the default subnet gateway address and will take priority (as it has no metric).

Did the same testing on an instance enabled for ENI trunking also. Observed the same results.

Description for the changelog

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions?

Does this PR include the addition of new environment variables in the README?

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@amogh09 amogh09 requested a review from a team as a code owner April 29, 2025 20:27
@amogh09 amogh09 changed the title Create default route via IPv6 subnet gateway address for IPv6-only task ENIs IPv6 default route for awsvpc tasks Apr 29, 2025
@amogh09 amogh09 changed the title IPv6 default route for awsvpc tasks IPv6 default route for IPv6-only awsvpc tasks Apr 29, 2025
@amogh09 amogh09 force-pushed the ipv6-awsvpc-no-trunking branch from 7434788 to ba1a2a8 April 29, 2025 23:57
if eni.IPv6Only() {
    // Populate IPv6 Subnet Gateway address only for IPv6-only case as historically it hasn't
    // been populated for dual-stack case.
    if eni.GetSubnetGatewayIPv6Address() == "" {

Would it be an error if the IPv4 subnet gateway address is populated here and if so should we report an error?

Contributor

@harishxr harishxr Apr 30, 2025


plus 1 to this comment, I don't see any validation being done for this field not to get an IPv4 address

Contributor Author

@amogh09 amogh09 Apr 30, 2025


Would it be an error if the IPv4 subnet gateway address is populated here and if so should we report an error?

Technically yes. The consequence will be that the task network will have an IPv4 default route and no IPv6 default route causing all IPv6 outgoing traffic to not work. However, task payloads are sent to Agent by ECS Backend which is a trusted source, so Agent does minimal validation of task payloads.

Parsing ACS payload for this field is a part of this other PR. That has some validation (not specifically the IP version though). We can discuss the validations there.
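As an added example (not code from amazon-ecs-agent or the CNI plugins), here is a simplified Go stand-in for the two pieces this PR describes, the NetworkInterface field SubnetGatewayIPV6Address with its GetSubnetGatewayIPv6Address accessor, and the step that puts the gateway into the config handed to the vpc-eni / vpc-branch-eni plugins, together with the IP-version check the review thread asks about. For an IPv6-only ENI the helper refuses a gateway value that is empty, unparseable, IPv4, or IPv4-mapped, so a bad payload is surfaced as an error rather than silently producing a task namespace with an IPv4 default route and no IPv6 one. The NetworkInterface layout, the CNIGatewayConfig struct and its GatewayIPAddresses field, the BuildGatewayConfig function and the sample addresses are all assumptions constructed for this example; the plugins' real config schema is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// NetworkInterface is a hypothetical, simplified stand-in for Agent's ENI
// representation. Only the fields this example needs are modelled.
type NetworkInterface struct {
	IPv4Addresses            []string
	IPv6Addresses            []string
	SubnetGatewayIPv4Address string
	SubnetGatewayIPV6Address string // the field this PR adds (name as stated in the PR)
}

// IPv6Only reports whether the ENI carries IPv6 addresses and no IPv4 addresses.
func (eni *NetworkInterface) IPv6Only() bool {
	return len(eni.IPv4Addresses) == 0 && len(eni.IPv6Addresses) > 0
}

// GetSubnetGatewayIPv6Address is the accessor described in the PR.
func (eni *NetworkInterface) GetSubnetGatewayIPv6Address() string {
	return eni.SubnetGatewayIPV6Address
}

// CNIGatewayConfig is a hypothetical stand-in for the gateway portion of the
// config Agent passes to the vpc-eni / vpc-branch-eni plugins (assumed shape).
type CNIGatewayConfig struct {
	GatewayIPAddresses []string
}

var (
	ErrMissingGateway = errors.New("ipv6-only ENI has no subnet gateway address")
	ErrGatewayNotIPv6 = errors.New("subnet gateway for ipv6-only ENI is not an IPv6 address")
)

// BuildGatewayConfig produces the gateway list for the plugin config. For
// IPv6-only ENIs it only accepts a plain IPv6 address: an IPv4 value here
// would give the task an IPv4 default route and no IPv6 default route.
func BuildGatewayConfig(eni *NetworkInterface) (CNIGatewayConfig, error) {
	if !eni.IPv6Only() {
		// Dual-stack ENIs keep the historical behaviour: only the IPv4
		// gateway is passed and no explicit IPv6 default route is created.
		return CNIGatewayConfig{GatewayIPAddresses: []string{eni.SubnetGatewayIPv4Address}}, nil
	}
	gw := eni.GetSubnetGatewayIPv6Address()
	if gw == "" {
		return CNIGatewayConfig{}, ErrMissingGateway
	}
	addr, err := netip.ParseAddr(gw)
	if err != nil {
		return CNIGatewayConfig{}, fmt.Errorf("parsing subnet gateway %q: %w", gw, ErrGatewayNotIPv6)
	}
	// Is4In6 catches "::ffff:a.b.c.d", which parses as IPv6 but denotes an IPv4 address.
	if !addr.Is6() || addr.Is4In6() {
		return CNIGatewayConfig{}, fmt.Errorf("subnet gateway %q: %w", gw, ErrGatewayNotIPv6)
	}
	return CNIGatewayConfig{GatewayIPAddresses: []string{addr.String()}}, nil
}

func main() {
	// Constructed sample ENIs; the addresses are illustrative only.
	good := &NetworkInterface{
		IPv6Addresses:            []string{"2600:1f14:323a:e001::10"},
		SubnetGatewayIPV6Address: "2600:1f14:323a:e001::1",
	}
	bad := &NetworkInterface{
		IPv6Addresses:            []string{"2600:1f14:323a:e001::10"},
		SubnetGatewayIPV6Address: "10.0.0.1", // IPv4 value in the IPv6 gateway field
	}
	for _, eni := range []*NetworkInterface{good, bad} {
		cfg, err := BuildGatewayConfig(eni)
		fmt.Printf("gateway=%q -> gateways=%v err=%v\n",
			eni.SubnetGatewayIPV6Address, cfg.GatewayIPAddresses, err)
	}
}
```

The check is deliberately placed where the gateway enters the plugin config rather than at payload parsing, so it holds regardless of how the field reached the ENI object; with a trusted backend it should never fire, which is exactly why an unexpected failure here is worth logging as an error rather than tolerated.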

harishxr
harishxr previously approved these changes Apr 30, 2025
@amogh09 amogh09 enabled auto-merge (squash) April 30, 2025 19:35
@amogh09 amogh09 merged commit e634a45 into aws:dev Apr 30, 2025
40 checks passed
timj-hh pushed a commit to timj-hh/amazon-ecs-agent that referenced this pull request Jul 19, 2025
4 participants