Require ip6tables for fault injection capability on IPv6-only instances #4675

Merged: 2 commits, Jun 10, 2025

@amogh09 (Contributor) commented Jun 5, 2025

Summary

This change makes ip6tables a required dependency for fault injection capability on IPv6-only instances. While the Agent already uses ip6tables to apply network-blackhole-port fault to IPv6 traffic (as implemented in PR #4629), this requirement is currently only enforced for IPv6-only tasks, remaining best-effort for other tasks.

By making this change, the Agent will detect missing ip6tables dependency during instance registration for IPv6-only instances, preventing failures during fault injection. While we plan to consider enforcing IPv6 fault injection across all instance types in the future, this requires careful backwards-compatibility considerations. Since IPv6-only support is an upcoming feature, we can safely enforce this requirement for IPv6-only instances now without breaking existing functionality.

Testing

Temporarily renamed ip6tables on an IPv6-only and a dual-stack instance and ran Agent.

IPv6-only instance -

[ec2-user@ipv6only ~]$ which ip6tables
/usr/bin/which: no ip6tables in (/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
[ec2-user@ipv6only ~]$ grep -i fault /var/log/ecs/ecs-agent.log
level=warn time=2025-06-05T22:14:09Z msg="Failed to find network tool ip6tables that is needed for fault-injection feature: exec: \"ip6tables\": executable file not found in $PATH" module=agent_capability_unix.go
level=warn time=2025-06-05T22:14:09Z msg="Fault injection capability not enabled: Required network tools are missing" module=agent_capability.go
level=debug time=2025-06-05T22:14:09Z msg="Successfully set up Fault TMDS handlers" module=task_server_setup.go
[ec2-user@ipv6only ~]$ grep -i 'starting amazon ecs' /var/log/ecs/ecs-agent.log
level=info time=2025-06-05T22:14:08Z msg="Starting Amazon ECS Agent" version="1.94.0" commit="07357f54"

Dual-stack instance -

ip-10-0-0-23 ❱ which ip6tables
ip6tables not found
ip-10-0-0-23 ❱ grep -i fault /var/log/ecs/ecs-agent.log
level=debug time=2025-06-05T22:12:34Z msg="Fault injection capability is enabled." module=agent_capability.go
level=debug time=2025-06-05T22:12:35Z msg="Successfully set up Fault TMDS handlers" module=task_server_setup.go
ip-10-0-0-23 ❱ grep -i 'starting amazon ecs' /var/log/ecs/ecs-agent.log
level=info time=2025-06-05T22:12:34Z msg="Starting Amazon ECS Agent" version="1.94.0" commit="07357f54"

New tests cover the changes: yes

Description for the changelog

Enhancement: require ip6tables for fault injection capability on IPv6-only instances

Additional Information

Does this PR include breaking model changes? If so, have you added transformation functions?

no

Does this PR include the addition of new environment variables in the README?

no

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@amogh09 amogh09 changed the base branch from master to dev June 5, 2025 21:51
@amogh09 amogh09 marked this pull request as ready for review June 5, 2025 22:04
@amogh09 amogh09 requested a review from a team as a code owner June 5, 2025 22:04
danehlim previously approved these changes Jun 5, 2025
@amogh09 amogh09 enabled auto-merge (squash) June 10, 2025 17:17
@amogh09 amogh09 merged commit 5dfeba5 into aws:dev Jun 10, 2025
40 checks passed
@prateekchaudhry prateekchaudhry mentioned this pull request Jul 3, 2025
timj-hh pushed a commit to timj-hh/amazon-ecs-agent that referenced this pull request Jul 19, 2025
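
The gating rule described in the PR summary, as an added Go example that is not the Agent's own code: a missing ip6tables disables the capability only on IPv6-only instances and is tolerated elsewhere. The names `Stack`, `Lookup`, `CheckFaultTools` and `FakePath`, and the caller-supplied `base` tool list, are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)

// Stack is a hypothetical model of the IP families an instance has.
type Stack struct{ IPv4, IPv6 bool }

// IPv6Only reports whether the instance has no IPv4 connectivity.
func (s Stack) IPv6Only() bool { return s.IPv6 && !s.IPv4 }

// Lookup has the signature of exec.LookPath so a fake $PATH can be injected.
type Lookup func(tool string) (string, error)

// CheckFaultTools returns the missing tools that must disable the capability
// (blocking) and the missing tools that are only best-effort (tolerated).
// base is the caller's list of always-required tools (assumed, not from the page).
func CheckFaultTools(s Stack, base []string, look Lookup) (blocking, tolerated []string) {
	for _, t := range base {
		if _, err := look(t); err != nil {
			blocking = append(blocking, t)
		}
	}
	if _, err := look("ip6tables"); err != nil {
		if s.IPv6Only() {
			blocking = append(blocking, "ip6tables") // hard requirement
		} else {
			tolerated = append(tolerated, "ip6tables") // stays best-effort
		}
	}
	return blocking, tolerated
}

// FakePath builds a Lookup that only "finds" the named tools (constructed input).
func FakePath(present ...string) Lookup {
	return func(tool string) (string, error) {
		for _, p := range present {
			if p == tool {
				return "/usr/sbin/" + tool, nil
			}
		}
		return "", errors.New(tool + ": executable file not found in $PATH")
	}
}

func main() {
	blocking, tolerated := CheckFaultTools(Stack{IPv6: true}, nil, exec.LookPath)
	fmt.Printf("treated as IPv6-only: blocking=%v tolerated=%v\n", blocking, tolerated)
}
```

The two cases in the Testing section map to `Stack{IPv6: true}` and `Stack{IPv4: true, IPv6: true}` with ip6tables absent from the fake path.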