Advertise Domainless gMSA capability on Windows

Author: arun-annamalai

agent/app/agent_capability.go

@@ -66,6 +66,7 @@ const (
 	capabilityFirelensConfigS3                             = "firelens.options.config.s3"
 	capabilityFullTaskSync                                 = "full-sync"
 	capabilityGMSA                                         = "gmsa"
+	capabilityGMSADomainless                               = "gmsa-domainless"
 	capabilityEFS                                          = "efs"
 	capabilityEFSAuth                                      = "efsAuth"
 	capabilityEnvFilesS3                                   = "env-files.s3"
@@ -271,6 +272,9 @@ func (agent *ecsAgent) capabilities() ([]*ecs.Attribute, error) {
 	// support GMSA capabilities
 	capabilities = agent.appendGMSACapabilities(capabilities)
 
+	// support GMSA domainless capabilities
+	capabilities = agent.appendGMSADomainlessCapabilities(capabilities)
+
 	// support efs auth on ecs capabilities
 	for _, cap := range agent.cfg.VolumePluginCapabilities {
 		capabilities = agent.appendEFSVolumePluginCapabilities(capabilities, cap)
@@ -319,6 +323,14 @@ func (agent *ecsAgent) appendGMSACapabilities(capabilities []*ecs.Attribute) []*
 	return capabilities
 }
 
+func (agent *ecsAgent) appendGMSADomainlessCapabilities(capabilities []*ecs.Attribute) []*ecs.Attribute {
+	if agent.cfg.GMSADomainlessCapable.Enabled() {
+		return appendNameOnlyAttribute(capabilities, attributePrefix+capabilityGMSADomainless)
+	}
+
+	return capabilities
+}
+
 func (agent *ecsAgent) appendLoggingDriverCapabilities(capabilities []*ecs.Attribute) []*ecs.Attribute {
 	knownVersions := make(map[dockerclient.DockerVersion]struct{})
 	// Determine known API versions. Known versions are used exclusively for logging-driver enablement, since none of

agent/app/agent_capability_test.go

@@ -1433,3 +1433,47 @@ func TestAppendGMSACapabilities(t *testing.T) {
 		assert.Equal(t, aws.StringValue(expected.Value), aws.StringValue(capabilities[i].Value))
 	}
 }
+
+func TestAppendGMSADomainlessCapabilities(t *testing.T) {
+	var inputCapabilities []*ecs.Attribute
+	var expectedCapabilities []*ecs.Attribute
+
+	expectedCapabilities = append(expectedCapabilities,
+		[]*ecs.Attribute{
+			{
+				Name: aws.String(attributePrefix + capabilityGMSADomainless),
+			},
+		}...)
+
+	agent := &ecsAgent{
+		cfg: &config.Config{
+			GMSADomainlessCapable: config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled},
+		},
+	}
+
+	capabilities := agent.appendGMSADomainlessCapabilities(inputCapabilities)
+
+	assert.Equal(t, len(expectedCapabilities), len(capabilities))
+	for i, expected := range expectedCapabilities {
+		assert.Equal(t, aws.StringValue(expected.Name), aws.StringValue(capabilities[i].Name))
+		assert.Equal(t, aws.StringValue(expected.Value), aws.StringValue(capabilities[i].Value))
+	}
+}
+
+func TestAppendGMSADomainlessCapabilitiesFalse(t *testing.T) {
+	var inputCapabilities []*ecs.Attribute
+	var expectedCapabilities []*ecs.Attribute
+
+	expectedCapabilities = append(expectedCapabilities,
+		[]*ecs.Attribute{}...)
+
+	agent := &ecsAgent{
+		cfg: &config.Config{
+			GMSADomainlessCapable: config.BooleanDefaultFalse{Value: config.ExplicitlyDisabled},
+		},
+	}
+
+	capabilities := agent.appendGMSADomainlessCapabilities(inputCapabilities)
+
+	assert.Equal(t, len(expectedCapabilities), len(capabilities))
+}

agent/config/config.go

@@ -587,6 +587,7 @@ func environmentConfig() (Config, error) {
 		CgroupCPUPeriod:                     parseCgroupCPUPeriod(),
 		SpotInstanceDrainingEnabled:         parseBooleanDefaultFalseConfig("ECS_ENABLE_SPOT_INSTANCE_DRAINING"),
 		GMSACapable:                         parseGMSACapability(),
+		GMSADomainlessCapable:               parseGMSADomainlessCapability(),
 		VolumePluginCapabilities:            parseVolumePluginCapabilities(),
 		FSxWindowsFileServerCapable:         parseFSxWindowsFileServerCapability(),
 		External:                            parseBooleanDefaultFalseConfig("ECS_EXTERNAL"),

agent/config/config_unix.go

@@ -102,6 +102,7 @@ func DefaultConfig() Config {
 		NvidiaRuntime:                       DefaultNvidiaRuntime,
 		CgroupCPUPeriod:                     defaultCgroupCPUPeriod,
 		GMSACapable:                         parseGMSACapability(),
+		GMSADomainlessCapable:               parseGMSADomainlessCapability(),
 		FSxWindowsFileServerCapable:         BooleanDefaultFalse{Value: ExplicitlyDisabled},
 		RuntimeStatsLogFile:                 defaultRuntimeStatsLogFile,
 		EnableRuntimeStats:                  BooleanDefaultFalse{Value: NotSet},

agent/config/config_windows.go

@@ -144,6 +144,7 @@ func DefaultConfig() Config {
 		PollMetrics:                         BooleanDefaultFalse{Value: NotSet},
 		PollingMetricsWaitDuration:          DefaultPollingMetricsWaitDuration,
 		GMSACapable:                         BooleanDefaultFalse{Value: ExplicitlyDisabled},
+		GMSADomainlessCapable:               BooleanDefaultFalse{Value: ExplicitlyDisabled},
 		FSxWindowsFileServerCapable:         BooleanDefaultFalse{Value: ExplicitlyDisabled},
 		PauseContainerImageName:             DefaultPauseContainerImageName,
 		PauseContainerTag:                   DefaultPauseContainerTag,

agent/config/parse_linux.go

@@ -72,6 +72,10 @@ func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
 	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
+func parseGMSADomainlessCapability() BooleanDefaultFalse {
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
+}
+
 var IsWindows2016 = func() (bool, error) {
 	return false, errors.New("unsupported platform")
 }

agent/config/parse_unsupported.go

@@ -29,6 +29,10 @@ func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
 	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
+func parseGMSADomainlessCapability() BooleanDefaultFalse {
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
+}
+
 var IsWindows2016 = func() (bool, error) {
 	return false, errors.New("unsupported platform")
 }

agent/config/parse_windows.go

@@ -23,6 +23,8 @@ import (
 	"syscall"
 	"unsafe"
 
+	"golang.org/x/sys/windows/registry"
+
 	"github.com/aws/amazon-ecs-agent/agent/utils"
 	"github.com/cihub/seelog"
 )
@@ -32,6 +34,11 @@ const (
 	// to skip the windows server version check. This is useful for testing and
 	// should not be set for any non-test use-case.
 	envSkipWindowsServerVersionCheck = "ZZZ_SKIP_WINDOWS_SERVER_VERSION_CHECK_NOT_SUPPORTED_IN_PRODUCTION"
+	gmsaPluginGUID                   = "{859E1386-BDB4-49E8-85C7-3070B13920E1}"
+)
+
+var (
+	fnQueryDomainlessGmsaPluginSubKeys = queryDomainlessGmsaPluginSubKeys
 )
 
 // parseGMSACapability is used to determine if gMSA support can be enabled
@@ -40,6 +47,26 @@ func parseGMSACapability() BooleanDefaultFalse {
 	return checkDomainJoinWithEnvOverride(envStatus)
 }
 
+// parseGMSADomainlessCapability is used to determine if gMSA domainless support can be enabled
+func parseGMSADomainlessCapability() BooleanDefaultFalse {
+	envStatus := utils.ParseBool(os.Getenv("ECS_GMSA_SUPPORTED"), false)
+	if envStatus {
+		// gmsaDomainless is not supported on Windows 2016
+		isWindows2016, err := IsWindows2016()
+		if err != nil || isWindows2016 {
+			return BooleanDefaultFalse{Value: ExplicitlyDisabled}
+		}
+
+		// gmsaDomainless is not supported if the plugin is not installed on the instance
+		installed, err := isDomainlessGmsaPluginInstalled()
+		if err != nil || !installed {
+			return BooleanDefaultFalse{Value: ExplicitlyDisabled}
+		}
+		return BooleanDefaultFalse{Value: ExplicitlyEnabled}
+	}
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
+}
+
 // parseFSxWindowsFileServerCapability is used to determine if fsxWindowsFileServer support can be enabled
 func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
 	// fsxwindowsfileserver is not supported on Windows 2016 and non-domain-joined container instances
@@ -114,3 +141,42 @@ var IsWindows2016 = func() (bool, error) {
 
 	return isWS2016, nil
 }
+
+var queryDomainlessGmsaPluginSubKeys = func() ([]string, error) {
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\CurrentControlSet\Control\CCG\COMClasses\`, registry.READ)
+	if err != nil {
+		seelog.Errorf("Failed to open registry key SYSTEM\\CurrentControlSet\\Control\\CCG\\COMClasses with error: %v", err)
+		return nil, err
+	}
+	defer k.Close()
+	stat, err := k.Stat()
+	if err != nil {
+		seelog.Errorf("Failed to stat registry key SYSTEM\\CurrentControlSet\\Control\\CCG\\COMClasses with error: %v", err)
+		return nil, err
+	}
+	subKeys, err := k.ReadSubKeyNames(int(stat.SubKeyCount))
+	if err != nil {
+		seelog.Errorf("Failed to read subkeys of SYSTEM\\CurrentControlSet\\Control\\CCG\\COMClasses with error: %v", err)
+		return nil, err
+	}
+
+	seelog.Debugf("gMSA Subkeys are %+v", subKeys)
+	return subKeys, nil
+}
+
+// This function queries all gmsa plugin subkeys to check whether the Amazon ECS Plugin GUID is present.
+func isDomainlessGmsaPluginInstalled() (bool, error) {
+	subKeys, err := fnQueryDomainlessGmsaPluginSubKeys()
+	if err != nil {
+		seelog.Errorf("Failed to query gmsa plugin subkeys")
+		return false, err
+	}
+
+	for _, subKey := range subKeys {
+		if subKey == gmsaPluginGUID {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

agent/config/parse_windows_test.go

@@ -51,3 +51,63 @@ func TestParseFSxWindowsFileServerCapability(t *testing.T) {
 
 	assert.False(t, parseFSxWindowsFileServerCapability().Enabled())
 }
+
+func TestParseDomainlessgMSACapabilityFalseOnW2016(t *testing.T) {
+	IsWindows2016 = func() (bool, error) {
+		return true, nil
+	}
+
+	os.Setenv("ECS_GMSA_SUPPORTED", "True")
+	defer os.Unsetenv("ECS_GMSA_SUPPORTED")
+
+	fnQueryDomainlessGmsaPluginSubKeys = func() ([]string, error) {
+		return []string{}, nil
+	}
+
+	assert.False(t, parseGMSADomainlessCapability().Enabled())
+}
+
+func TestParseDomainlessgMSACapabilityFalsePluginNoEnv(t *testing.T) {
+	IsWindows2016 = func() (bool, error) {
+		return false, nil
+	}
+
+	os.Setenv("ECS_GMSA_SUPPORTED", "False")
+	defer os.Unsetenv("ECS_GMSA_SUPPORTED")
+
+	fnQueryDomainlessGmsaPluginSubKeys = func() ([]string, error) {
+		return []string{"{859E1386-BDB4-49E8-85C7-3070B13920E1}"}, nil
+	}
+
+	assert.False(t, parseGMSADomainlessCapability().Enabled())
+}
+
+func TestParseDomainlessgMSACapabilityFalseNoPlugin(t *testing.T) {
+	IsWindows2016 = func() (bool, error) {
+		return false, nil
+	}
+
+	os.Setenv("ECS_GMSA_SUPPORTED", "True")
+	defer os.Unsetenv("ECS_GMSA_SUPPORTED")
+
+	fnQueryDomainlessGmsaPluginSubKeys = func() ([]string, error) {
+		return []string{}, nil
+	}
+
+	assert.False(t, parseGMSADomainlessCapability().Enabled())
+}
+
+func TestParseDomainlessgMSACapabilityTrue(t *testing.T) {
+	IsWindows2016 = func() (bool, error) {
+		return false, nil
+	}
+
+	os.Setenv("ECS_GMSA_SUPPORTED", "True")
+	defer os.Unsetenv("ECS_GMSA_SUPPORTED")
+
+	fnQueryDomainlessGmsaPluginSubKeys = func() ([]string, error) {
+		return []string{"{859E1386-BDB4-49E8-85C7-3070B13920E1}"}, nil
+	}
+
+	assert.True(t, parseGMSADomainlessCapability().Enabled())
+}

agent/config/types.go

@@ -331,6 +331,10 @@ type Config struct {
 	// It should be enabled by default only if the container instance is part of a valid active directory domain.
 	GMSACapable BooleanDefaultFalse
 
+	// GMSADomainlessCapable is the config option to indicate if gMSA domainless is supported.
+	// It should be enabled by if the container instance has a plugin to support active directory authentication.
+	GMSADomainlessCapable BooleanDefaultFalse
+
 	// VolumePluginCapabilities specifies the capabilities of the ecs volume plugin.
 	VolumePluginCapabilities []string