Require ip6tables for fault injection capabilty on IPv6-only instances (aws#4675)

Author: amogh09

agent/app/agent_capability.go

@@ -551,7 +551,7 @@ func (agent *ecsAgent) appendFaultInjectionCapabilities(capabilities []types.Att
 		return capabilities
 	}
 
-	if isFaultInjectionToolingAvailable() {
+	if isFaultInjectionToolingAvailable(agent.cfg) {
 		capabilities = appendNameOnlyAttribute(capabilities, attributePrefix+capabilityFaultInjection)
 		seelog.Debug("Fault injection capability is enabled.")
 	} else {

agent/app/agent_capability_test.go

@@ -1564,7 +1564,7 @@ func TestAppendFaultInjectionCapabilities(t *testing.T) {
 	defer func() { isFaultInjectionToolingAvailable = originalIsFaultInjectionToolingAvailable }()
 	t.Run("Fault Injection Capability Available", func(t *testing.T) {
 		// Test case where required tooling is available
-		isFaultInjectionToolingAvailable = func() bool { return true }
+		isFaultInjectionToolingAvailable = func(cfg *config.Config) bool { return true }
 		capabilities := []types.Attribute{}
 		agent := &ecsAgent{
 			cfg: &config.Config{},
@@ -1576,7 +1576,7 @@ func TestAppendFaultInjectionCapabilities(t *testing.T) {
 	})
 	t.Run("Fault Injection Capability Not Available", func(t *testing.T) {
 		// Test case where required tooling is not available
-		isFaultInjectionToolingAvailable = func() bool { return false }
+		isFaultInjectionToolingAvailable = func(cfg *config.Config) bool { return false }
 		capabilities := []types.Attribute{}
 		agent := &ecsAgent{
 			cfg: &config.Config{},
@@ -1588,7 +1588,7 @@ func TestAppendFaultInjectionCapabilities(t *testing.T) {
 
 	t.Run("Fault Injection Capability Not Available for EXTERNAL Launch Type", func(t *testing.T) {
 		// Test case where required tooling is available but EXTERNAL Launch Type
-		isFaultInjectionToolingAvailable = func() bool { return true }
+		isFaultInjectionToolingAvailable = func(cfg *config.Config) bool { return true }
 		capabilities := []types.Attribute{}
 		agent := &ecsAgent{
 			cfg: &config.Config{

agent/app/agent_capability_unix.go

@@ -258,8 +258,13 @@ var networkConfigClient = netconfig.NewNetworkConfigClient()
 
 // checkFaultInjectionTooling checks for the required network packages like iptables, tc
 // to be available on the host before ecs.capability.fault-injection can be advertised
-func checkFaultInjectionTooling() bool {
+func checkFaultInjectionTooling(cfg *config.Config) bool {
 	tools := []string{"iptables", "tc", "nsenter"}
+	if cfg.InstanceIPCompatibility.IsIPv6Only() {
+		// ip6tables is a required dependency on IPv6-only instances.
+		// TODO: Consider making ip6tables a required dependency for all instances (need to consider backwards compatibility)
+		tools = append(tools, "ip6tables")
+	}
 	for _, tool := range tools {
 		if _, err := lookPathFunc(tool); err != nil {
 			seelog.Warnf(

agent/app/agent_capability_unix_test.go

@@ -1041,7 +1041,7 @@ func TestCheckFaultInjectionTooling(t *testing.T) {
 		)
 		osExecWrapper = mockExec
 		assert.True(t,
-			checkFaultInjectionTooling(),
+			checkFaultInjectionTooling(&config.Config{}),
 			"Expected checkFaultInjectionTooling to return true when all tools are available")
 	})
 
@@ -1059,7 +1059,7 @@ func TestCheckFaultInjectionTooling(t *testing.T) {
 		)
 		osExecWrapper = mockExec
 		assert.False(t,
-			checkFaultInjectionTooling(),
+			checkFaultInjectionTooling(&config.Config{}),
 			"Expected checkFaultInjectionTooling to return false when kernel modules are not available")
 	})
 
@@ -1083,7 +1083,7 @@ func TestCheckFaultInjectionTooling(t *testing.T) {
 		)
 		osExecWrapper = mockExec
 		assert.False(t,
-			checkFaultInjectionTooling(),
+			checkFaultInjectionTooling(&config.Config{}),
 			"Expected checkFaultInjectionTooling to return false when unable to find default host interface name")
 	})
 
@@ -1112,7 +1112,7 @@ func TestCheckFaultInjectionTooling(t *testing.T) {
 		)
 		osExecWrapper = mockExec
 		assert.False(t,
-			checkFaultInjectionTooling(),
+			checkFaultInjectionTooling(&config.Config{}),
 			"Expected checkFaultInjectionTooling to return false when required tc show command failed")
 	})
 
@@ -1126,10 +1126,24 @@ func TestCheckFaultInjectionTooling(t *testing.T) {
 				return "/usr/bin/" + file, nil
 			}
 			assert.False(t,
-				checkFaultInjectionTooling(),
+				checkFaultInjectionTooling(&config.Config{}),
 				"Expected checkFaultInjectionTooling to return false when a tool is missing")
 		})
 	}
+
+	t.Run("missing ip6tables on IPv6-only instance", func(t *testing.T) {
+		lookPathFunc = func(file string) (string, error) {
+			if file == "ip6tables" {
+				return "", exec.ErrNotFound
+			}
+			return "/usr/bin/" + file, nil
+		}
+		assert.False(t,
+			checkFaultInjectionTooling(&config.Config{
+				InstanceIPCompatibility: ipcompatibility.NewIPv6OnlyCompatibility(),
+			}),
+			"Expected checkFaultInjectionTooling to return false when ip6tables is missing on IPv6-only instance")
+	})
 }
 
 func convertToInterfaceList(strings []string) []interface{} {

agent/app/agent_capability_unspecified.go

@@ -151,6 +151,6 @@ var isFaultInjectionToolingAvailable = checkFaultInjectionTooling
 
 // checkFaultInjectionTooling checks for the required network packages like iptables, tc
 // to be available on the host before ecs.capability.fault-injection can be advertised
-func checkFaultInjectionTooling() bool {
+func checkFaultInjectionTooling(_ *config.Config) bool {
 	return false
 }

agent/app/agent_capability_windows.go

@@ -149,7 +149,7 @@ var isFaultInjectionToolingAvailable = checkFaultInjectionTooling
 
 // checkFaultInjectionTooling checks for the required network packages like iptables, tc
 // to be available on the host before ecs.capability.fault-injection can be advertised
-func checkFaultInjectionTooling() bool {
+func checkFaultInjectionTooling(_ *config.Config) bool {
 	seelog.Warnf("Fault injection tooling is not supported on windows")
 	return false
 }