Upudate dockerPortMap() in task.go with dynamic host port range support part 2

chienhanlin · chienhanlin · commit 9855c1b981d6 · 2023-02-21T09:28:14.000Z
diff --git a/agent/api/task/task.go b/agent/api/task/task.go
@@ -2340,10 +2340,53 @@ func (task *Task) dockerLinks(container *apicontainer.Container, dockerContainer
 var getHostPortRange = utils.GetHostPortRange
 var getHostPort = utils.GetHostPort
 
+// In buildPortMapWithSCIngressConfig, the dockerPortMap and the containerPortSet will be constructed
+// for ingress listeners under two service connect bridge mode cases:
+// (1) non-default bridge mode service connect experience: customers specify host ports for listeners in the ingress config.
+// (2) default bridge mode service connect experience: customers do not specify host ports for listeners in the ingress config.
+// Instead, ECS Agent finds host ports within the given dynamic host port range.
+// An error will be returned for case (2) if ECS Agent cannot find an available host port within range.
+func (task *Task) buildPortMapWithSCIngressConfig(dynamicHostPortRange string) (nat.PortMap, map[int]struct{}, error) {
+	var err error
+	ingressDockerPortMap := nat.PortMap{}
+	ingressContainerPortSet := make(map[int]struct{})
+	protocolStr := "tcp"
+	for _, ic := range task.ServiceConnectConfig.IngressConfig {
+		listenerPortInt := int(ic.ListenerPort)
+		dockerPort := nat.Port(strconv.Itoa(listenerPortInt) + "/" + protocolStr)
+		hostPortStr := ""
+		if ic.HostPort != nil {
+			// For non-default bridge mode service connect experience, a host port is specified by customers
+			hostPortStr = strconv.Itoa(int(*ic.HostPort))
+		} else {
+			// For default bridge mode service connect experience, customers do not specify a host port
+			// thus the host port will be assigned by ECS Agent.
+			// ECS Agent will find an available host port within the given dynamic host port range,
+			// or return an error if no host port is available within the range.
+			hostPortStr, err = getHostPort(protocolStr, dynamicHostPortRange)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+
+		ingressDockerPortMap[dockerPort] = append(ingressDockerPortMap[dockerPort], nat.PortBinding{HostPort: hostPortStr})
+		// Append non-range, singular container port to the ingressContainerPortSet
+		ingressContainerPortSet[listenerPortInt] = struct{}{}
+	}
+	return ingressDockerPortMap, ingressContainerPortSet, err
+}
+
 // dockerPortMap creates a port binding map for
 // (1) Ingress listeners for the service connect AppNet container in the service connect enabled bridge network mode task.
 // (2) Port mapping definied by customers in the task definition.
 //
+// For service connect bridge mode task, we will create port bindings for customers' application containers
+// and service connect AppNet container, and let them to be published by the associated pause containers.
+// (a) For default bridge service connect experience, ECS Agent will assign a host port within the
+// default/user-specified dynamic host port range for the ingress listener. If no available host port can be
+// found by ECS Agent, an error will be returned.
+// (b) For non-default bridge service connect experience, ECS Agent will use the user-defined host port for the ingress listener.
+//
 // For non-service connect bridge network mode task, ECS Agent will assign a host port or a host port range
 // within the default/user-specified dynamic host port range. If no available host port or host port range can be
 // found by ECS Agent, an error will be returned.
@@ -2354,43 +2397,49 @@ var getHostPort = utils.GetHostPort
 func (task *Task) dockerPortMap(container *apicontainer.Container, dynamicHostPortRange string) (nat.PortMap, error) {
 	hostPortStr := ""
 	dockerPortMap := nat.PortMap{}
-	scContainer := task.GetServiceConnectContainer()
 	containerToCheck := container
 	containerPortSet := make(map[int]struct{})
 	containerPortRangeMap := make(map[string]string)
+
+	// For service connect bridge network mode task, we will create port bindings for task containers,
+	// including both application containers and service connect AppNet container, and let them to be published
+	// by the associated pause containers.
 	if task.IsServiceConnectEnabled() && task.IsNetworkModeBridge() {
 		if container.Type == apicontainer.ContainerCNIPause {
-			// we will create bindings for task containers (including both customer containers and SC Appnet container)
-			// and let them be published by the associated pause container.
-			// Note - for SC bridge mode we do not allow customer to specify a host port for their containers. Additionally,
-			// When an ephemeral host port is assigned, Appnet will NOT proxy traffic to that port
+			// Find the task container associated with this particular pause container
 			taskContainer, err := task.getBridgeModeTaskContainerForPauseContainer(container)
 			if err != nil {
 				return nil, err
 			}
+
+			scContainer := task.GetServiceConnectContainer()
 			if taskContainer == scContainer {
-				// create bindings for all ingress listener ports
-				// no need to create binding for egress listener port as it won't be access from host level or from outside
-				for _, ic := range task.ServiceConnectConfig.IngressConfig {
-					listenerPortInt := int(ic.ListenerPort)
-					dockerPort := nat.Port(strconv.Itoa(listenerPortInt)) + "/tcp"
-					hostPort := 0           // default bridge-mode SC experience - host port will be an ephemeral port assigned by docker
-					if ic.HostPort != nil { // non-default bridge-mode SC experience - host port specified by customer
-						hostPort = int(*ic.HostPort)
-					}
-					dockerPortMap[dockerPort] = append(dockerPortMap[dockerPort], nat.PortBinding{HostPort: strconv.Itoa(hostPort)})
-					// append non-range, singular container port to the containerPortSet
-					containerPortSet[listenerPortInt] = struct{}{}
-					// set taskContainer.ContainerPortSet to be used during network binding creation
-					taskContainer.SetContainerPortSet(containerPortSet)
+				// If the associated task container is the service connect AppNet container,
+				// create port binding(s) for ingress listener ports based on its ingress config.
+				// Note that, there is no need to do this for egress listener port as it won't be accessed
+				// from host level or from outside.
+				dockerPortMap, containerPortSet, err := task.buildPortMapWithSCIngressConfig(dynamicHostPortRange)
+				if err != nil {
+					logger.Error("Failed to build a port map with service connect ingress config", logger.Fields{
+						field.TaskID:           task.GetID(),
+						field.Container:        taskContainer.Name,
+						"dynamicHostPortRange": dynamicHostPortRange,
+						field.Error:            err,
+					})
+					return nil, err
 				}
+				// Set taskContainer.ContainerPortSet to be used during network binding creation
+				taskContainer.SetContainerPortSet(containerPortSet)
 				return dockerPortMap, nil
 			}
 			containerToCheck = taskContainer
 		} else {
-			// If container is neither SC container nor pause container, it's a regular task container. Its port bindings(s)
-			// are published by the associated pause container, and we leave the map empty here (docker would actually complain
-			// otherwise).
+			// If the container is neither service connect AppNet container nor pause container, and it is a regular task container.
+			// Its port bindings(s) are published by the associated pause container, and we will leave the map empty here
+			// (docker would actually complain otherwise).
+			//
+			// Note - for service connect bridge mode, we do not allow customers to specify a host port for their application containers.
+			// Additionally, AppNet will NOT proxy traffic to that port when an ephemeral host port is assigned.
 			return dockerPortMap, nil
 		}
 	}
@@ -2478,6 +2527,12 @@ func (task *Task) dockerPortMap(container *apicontainer.Container, dynamicHostPo
 	// Set Container.ContainerPortSet and Container.ContainerPortRangeMap to be used during network binding creation
 	containerToCheck.SetContainerPortSet(containerPortSet)
 	containerToCheck.SetContainerPortRangeMap(containerPortRangeMap)
+	logger.Debug("containerToCheck is", logger.Fields{
+		field.Container:         containerToCheck.Name,
+		"dockerPortMap":         dockerPortMap,
+		"containerPortSet":      containerPortSet,
+		"containerPortRangeMap": containerPortRangeMap,
+	})
 	return dockerPortMap, nil
 }
 
diff --git a/agent/api/task/task_test.go b/agent/api/task/task_test.go
@@ -424,6 +424,14 @@ var (
 	defaultSCProtocol                      = "/tcp"
 )
 
+func getDefaultDynamicHostPortRange() (start int, end int) {
+	startHostPortRange, endHostPortRange, err := utils.GetDynamicHostPortRange()
+	if err != nil {
+		return utils.DefaultPortRangeStart, utils.DefaultPortRangeEnd
+	}
+	return startHostPortRange, endHostPortRange
+}
+
 func getTestTaskServiceConnectBridgeMode() *Task {
 	testTask := &Task{
 		NetworkMode: BridgeNetworkMode,
@@ -479,61 +487,110 @@ func convertSCPort(port uint16) nat.Port {
 }
 
 // TestDockerHostConfigSCBridgeMode verifies port bindings and network mode overrides for each
-// container in an SC-enabled bridge mode task. The test task is consisted of the SC container, a regular container,
+// container in an SC-enabled bridge mode task with default/user-specified dynamic host port range.
+// The test task is consisted of the SC container, a regular container,
 // and two pause containers associated with each.
 func TestDockerHostConfigSCBridgeMode(t *testing.T) {
 	testTask := getTestTaskServiceConnectBridgeMode()
-	// task container and SC container should both get empty port binding map and "container" network mode
-	actualConfig, err := testTask.DockerHostConfig(testTask.Containers[0], dockerMap(testTask), defaultDockerClientAPIVersion,
-		&config.Config{})
-	assert.Nil(t, err)
-	assert.NotNil(t, actualConfig)
-	assert.Equal(t, dockercontainer.NetworkMode(fmt.Sprintf("%s-%s", // e.g. "container:dockerid-~internal~ecs~pause-C1"
-		dockerMappingContainerPrefix+dockerIDPrefix+NetworkPauseContainerName, "C1")), actualConfig.NetworkMode)
-	assert.Empty(t, actualConfig.PortBindings, "Task container port binding should be empty")
-
-	actualConfig, err = testTask.DockerHostConfig(testTask.Containers[2], dockerMap(testTask), defaultDockerClientAPIVersion,
-		&config.Config{})
-	assert.Nil(t, err)
-	assert.NotNil(t, actualConfig)
-	assert.Equal(t, dockercontainer.NetworkMode(fmt.Sprintf("%s-%s", // e.g. "container:dockerid-~internal~ecs~pause-C1"
-		dockerMappingContainerPrefix+dockerIDPrefix+NetworkPauseContainerName, serviceConnectContainerTestName)), actualConfig.NetworkMode)
-	assert.Empty(t, actualConfig.PortBindings, "SC container port binding should be empty")
+	testCases := []struct {
+		testStartHostPort int
+		testEndHostPort   int
+		testName          string
+		testError         bool
+	}{
+		{
+			testStartHostPort: 0,
+			testEndHostPort:   0,
+			testName:          "with default dynamic host port range",
+		},
+		{
+			testStartHostPort: 50000,
+			testEndHostPort:   60000,
+			testName:          "with user-specified dynamic host port range",
+		},
+		{
+			testStartHostPort: 1,
+			testEndHostPort:   2,
+			testName:          "with user-specified dynamic host port range but no available host port",
+			testError:         true,
+		},
+	}
 
-	// task pause container should get port binding map of the task container
-	actualConfig, err = testTask.DockerHostConfig(testTask.Containers[1], dockerMap(testTask), defaultDockerClientAPIVersion,
-		&config.Config{})
-	assert.Nil(t, err)
-	assert.NotNil(t, actualConfig)
-	assert.Equal(t, dockercontainer.NetworkMode(BridgeNetworkMode), actualConfig.NetworkMode)
-	bindings, ok := actualConfig.PortBindings[convertSCPort(SCTaskContainerPort1)]
-	assert.True(t, ok, "Could not get port bindings")
-	assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
-	assert.Equal(t, "0", bindings[0].HostPort, "Wrong hostport")
-	bindings, ok = actualConfig.PortBindings[convertSCPort(SCTaskContainerPort2)]
-	assert.True(t, ok, "Could not get port bindings")
-	assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
-	assert.Equal(t, "0", bindings[0].HostPort, "Wrong hostport")
-
-	// SC pause container should get port binding map of all ingress listeners
-	actualConfig, err = testTask.DockerHostConfig(testTask.Containers[3], dockerMap(testTask), defaultDockerClientAPIVersion,
-		&config.Config{})
-	assert.Nil(t, err)
-	assert.NotNil(t, actualConfig)
-	assert.Equal(t, dockercontainer.NetworkMode(BridgeNetworkMode), actualConfig.NetworkMode)
-	// SC - ingress listener 1 - default experience
-	bindings, ok = actualConfig.PortBindings[convertSCPort(SCIngressListener1ContainerPort)]
-	assert.True(t, ok, "Could not get port bindings")
-	assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
-	assert.Equal(t, "0", bindings[0].HostPort, "Wrong hostport")
-	// SC - ingress listener 2 - non-default host port
-	bindings, ok = actualConfig.PortBindings[convertSCPort(SCIngressListener2ContainerPort)]
-	assert.True(t, ok, "Could not get port bindings")
-	assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
-	assert.Equal(t, strconv.Itoa(int(SCIngressListener2HostPort)), bindings[0].HostPort, "Wrong hostport")
-	// SC - egress listener - should not have port binding
-	bindings, ok = actualConfig.PortBindings[convertSCPort(SCEgressListenerContainerPort)]
-	assert.False(t, ok, "egress listener has port binding but it shouldn't")
+	for _, tc := range testCases {
+		t.Run(tc.testName, func(t *testing.T) {
+			// need to reset the tracker to avoid getting data from previous test cases
+			utils.ResetTracker()
+			if tc.testStartHostPort == 0 && tc.testEndHostPort == 0 {
+				tc.testStartHostPort, tc.testEndHostPort = getDefaultDynamicHostPortRange()
+			}
+			testDynamicHostPortRange := fmt.Sprintf("%d-%d", tc.testStartHostPort, tc.testEndHostPort)
+			testConfig := &config.Config{DynamicHostPortRange: testDynamicHostPortRange}
+
+			// task container and SC container should both get empty port binding map and "container" network mode
+
+			// the task container
+			actualConfig, err := testTask.DockerHostConfig(testTask.Containers[0], dockerMap(testTask), defaultDockerClientAPIVersion, testConfig)
+			assert.Nil(t, err)
+			assert.NotNil(t, actualConfig)
+			assert.Equal(t, dockercontainer.NetworkMode(fmt.Sprintf("%s-%s", // e.g. "container:dockerid-~internal~ecs~pause-C1"
+				dockerMappingContainerPrefix+dockerIDPrefix+NetworkPauseContainerName, "C1")), actualConfig.NetworkMode)
+			assert.Empty(t, actualConfig.PortBindings, "Task container port binding should be empty")
+
+			// the service connect container
+			actualConfig, err = testTask.DockerHostConfig(testTask.Containers[2], dockerMap(testTask), defaultDockerClientAPIVersion, testConfig)
+			assert.Nil(t, err)
+			assert.NotNil(t, actualConfig)
+			assert.Equal(t, dockercontainer.NetworkMode(fmt.Sprintf("%s-%s", // e.g. "container:dockerid-~internal~ecs~pause-C1"
+				dockerMappingContainerPrefix+dockerIDPrefix+NetworkPauseContainerName, serviceConnectContainerTestName)), actualConfig.NetworkMode)
+			assert.Empty(t, actualConfig.PortBindings, "SC container port binding should be empty")
+
+			// task pause container should get port binding map of the task container
+			actualConfig, err = testTask.DockerHostConfig(testTask.Containers[1], dockerMap(testTask), defaultDockerClientAPIVersion, testConfig)
+			if !tc.testError {
+				assert.Nil(t, err)
+				assert.NotNil(t, actualConfig)
+				assert.Equal(t, dockercontainer.NetworkMode(BridgeNetworkMode), actualConfig.NetworkMode)
+				bindings, ok := actualConfig.PortBindings[convertSCPort(SCTaskContainerPort1)]
+				assert.True(t, ok, "Could not get port bindings")
+				assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
+				hostPort, _ := strconv.Atoi(bindings[0].HostPort)
+				result := utils.PortIsInRange(hostPort, tc.testStartHostPort, tc.testEndHostPort)
+				assert.True(t, result, "hostport is not in the dynamic host port range")
+
+				bindings, ok = actualConfig.PortBindings[convertSCPort(SCTaskContainerPort2)]
+				assert.True(t, ok, "Could not get port bindings")
+				assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
+				hostPort, _ = strconv.Atoi(bindings[0].HostPort)
+				result = utils.PortIsInRange(hostPort, tc.testStartHostPort, tc.testEndHostPort)
+				assert.True(t, result, "hostport is not in the dynamic host port range")
+
+				// SC pause container should get port binding map of all ingress listeners
+				actualConfig, err = testTask.DockerHostConfig(testTask.Containers[3], dockerMap(testTask), defaultDockerClientAPIVersion, testConfig)
+				assert.Nil(t, err)
+				assert.NotNil(t, actualConfig)
+				assert.Equal(t, dockercontainer.NetworkMode(BridgeNetworkMode), actualConfig.NetworkMode)
+
+				// SC - ingress listener 1 - default experience
+				bindings, ok = actualConfig.PortBindings[convertSCPort(SCIngressListener1ContainerPort)]
+				assert.True(t, ok, "Could not get port bindings")
+				hostPort, _ = strconv.Atoi(bindings[0].HostPort)
+				result = utils.PortIsInRange(hostPort, tc.testStartHostPort, tc.testEndHostPort)
+				assert.True(t, result, "hostport is not in the dynamic host port range")
+
+				// SC - ingress listener 2 - non-default host port
+				bindings, ok = actualConfig.PortBindings[convertSCPort(SCIngressListener2ContainerPort)]
+				assert.True(t, ok, "Could not get port bindings")
+				assert.Equal(t, 1, len(bindings), "Wrong number of bindings")
+				assert.Equal(t, strconv.Itoa(int(SCIngressListener2HostPort)), bindings[0].HostPort, "Wrong hostport")
+
+				// SC - egress listener - should not have port binding
+				bindings, ok = actualConfig.PortBindings[convertSCPort(SCEgressListenerContainerPort)]
+				assert.False(t, ok, "egress listener has port binding but it shouldn't")
+			} else {
+				assert.NotNil(t, err)
+			}
+		})
+	}
 }
 
 // TestDockerHostConfigSCBridgeMode_getPortBindingFailure verifies that when we can't find the task
diff --git a/agent/utils/ephemeral_ports.go b/agent/utils/ephemeral_ports.go
@@ -96,6 +96,11 @@ func (pt *safePortTracker) GetLastAssignedHostPort() int {
 
 var tracker safePortTracker
 
+// ResetTracker resets the last assigned host port to 0.
+func ResetTracker() {
+	tracker.SetLastAssignedHostPort(0)
+}
+
 // GetHostPortRange gets N contiguous host ports from the ephemeral host port range defined on the host.
 // dynamicHostPortRange can be set by customers using ECS Agent environment variable ECS_DYNAMIC_HOST_PORT_RANGE;
 // otherwise, ECS Agent will use the default value returned from GetDynamicHostPortRange() in the utils package.
diff --git a/agent/utils/ephemeral_ports_test.go b/agent/utils/ephemeral_ports_test.go
@@ -144,7 +144,7 @@ func TestGetHostPortRange(t *testing.T) {
 					assert.Equal(t, tc.expectedLastAssignedPort[i], actualLastAssignedHostPort)
 				} else {
 					// need to reset the tracker to avoid getting data from previous test cases
-					tracker.SetLastAssignedHostPort(0)
+					ResetTracker()
 
 					hostPortRange, err := GetHostPortRange(tc.numberOfPorts, tc.protocol, tc.testDynamicHostPortRange)
 					assert.Equal(t, tc.expectedError, err)
@@ -196,7 +196,8 @@ func TestGetHostPort(t *testing.T) {
 
 	for _, tc := range testCases {
 		if tc.resetLastAssignedHostPort {
-			tracker.SetLastAssignedHostPort(0)
+			// need to reset the tracker to avoid getting data from previous test cases
+			ResetTracker()
 		}
 
 		t.Run(tc.testName, func(t *testing.T) {
@@ -275,6 +276,14 @@ func TestVerifyPortsWithinRange(t *testing.T) {
 	}
 }
 
+func TestResetTracker(t *testing.T) {
+	tracker.SetLastAssignedHostPort(100)
+	ResetTracker()
+	expectedResetVal := 0
+	actualResult := tracker.GetLastAssignedHostPort()
+	assert.Equal(t, expectedResetVal, actualResult)
+}
+
 func getPortRangeLength(portRange string) (int, error) {
 	startPort, endPort, err := nat.ParsePortRangeToInt(portRange)
 	if err != nil {
