fix gmsa,fsx capability bug

aws · Jan 23, 2023 · d429efb · d429efb
1 parent 17daadd
commit d429efb
Show file tree

Hide file tree

Showing 15 changed files with 74 additions and 41 deletions.
diff --git a/agent/app/agent_capability.go b/agent/app/agent_capability.go
@@ -312,7 +312,7 @@ func (agent *ecsAgent) appendDockerDependentCapabilities(capabilities []*ecs.Att
 }
 
 func (agent *ecsAgent) appendGMSACapabilities(capabilities []*ecs.Attribute) []*ecs.Attribute {
-	if agent.cfg.GMSACapable {
+	if agent.cfg.GMSACapable.Enabled() {
 		return appendNameOnlyAttribute(capabilities, attributePrefix+capabilityGMSA)
 	}
 

diff --git a/agent/app/agent_capability_test.go b/agent/app/agent_capability_test.go
@@ -1432,7 +1432,7 @@ func TestAppendGMSACapabilities(t *testing.T) {
 
 	agent := &ecsAgent{
 		cfg: &config.Config{
-			GMSACapable: true,
+			GMSACapable: config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled},
 		},
 	}
 

diff --git a/agent/app/agent_capability_windows.go b/agent/app/agent_capability_windows.go
@@ -109,7 +109,7 @@ func (agent *ecsAgent) appendIPv6Capability(capabilities []*ecs.Attribute) []*ec
 }
 
 func (agent *ecsAgent) appendFSxWindowsFileServerCapabilities(capabilities []*ecs.Attribute) []*ecs.Attribute {
-	if agent.cfg.FSxWindowsFileServerCapable {
+	if agent.cfg.FSxWindowsFileServerCapable.Enabled() {
 		return appendNameOnlyAttribute(capabilities, attributePrefix+capabilityFSxWindowsFileServer)
 	}
 

diff --git a/agent/app/agent_capability_windows_test.go b/agent/app/agent_capability_windows_test.go
@@ -236,7 +236,7 @@ func TestAppendGMSACapabilitiesFalse(t *testing.T) {
 
 	agent := &ecsAgent{
 		cfg: &config.Config{
-			GMSACapable: false,
+			GMSACapable: config.BooleanDefaultFalse{Value: config.ExplicitlyDisabled},
 		},
 	}
 
@@ -258,7 +258,7 @@ func TestAppendFSxWindowsFileServerCapabilities(t *testing.T) {
 
 	agent := &ecsAgent{
 		cfg: &config.Config{
-			FSxWindowsFileServerCapable: true,
+			FSxWindowsFileServerCapable: config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled},
 		},
 	}
 
@@ -280,7 +280,7 @@ func TestAppendFSxWindowsFileServerCapabilitiesFalse(t *testing.T) {
 
 	agent := &ecsAgent{
 		cfg: &config.Config{
-			FSxWindowsFileServerCapable: false,
+			FSxWindowsFileServerCapable: config.BooleanDefaultFalse{Value: config.ExplicitlyDisabled},
 		},
 	}
 

diff --git a/agent/config/config_unix.go b/agent/config/config_unix.go
@@ -101,7 +101,7 @@ func DefaultConfig() Config {
 		NvidiaRuntime:                       DefaultNvidiaRuntime,
 		CgroupCPUPeriod:                     defaultCgroupCPUPeriod,
 		GMSACapable:                         parseGMSACapability(),
-		FSxWindowsFileServerCapable:         false,
+		FSxWindowsFileServerCapable:         BooleanDefaultFalse{Value: ExplicitlyDisabled},
 		RuntimeStatsLogFile:                 defaultRuntimeStatsLogFile,
 		EnableRuntimeStats:                  BooleanDefaultFalse{Value: NotSet},
 		ShouldExcludeIPv6PortBinding:        BooleanDefaultTrue{Value: ExplicitlyEnabled},

diff --git a/agent/config/config_windows.go b/agent/config/config_windows.go
@@ -142,8 +142,8 @@ func DefaultConfig() Config {
 		SharedVolumeMatchFullConfig:         BooleanDefaultFalse{Value: ExplicitlyDisabled}, //only requiring shared volumes to match on name, which is default docker behavior
 		PollMetrics:                         BooleanDefaultFalse{Value: NotSet},
 		PollingMetricsWaitDuration:          DefaultPollingMetricsWaitDuration,
-		GMSACapable:                         true,
-		FSxWindowsFileServerCapable:         true,
+		GMSACapable:                         BooleanDefaultFalse{Value: ExplicitlyDisabled},
+		FSxWindowsFileServerCapable:         BooleanDefaultFalse{Value: ExplicitlyDisabled},
 		PauseContainerImageName:             DefaultPauseContainerImageName,
 		PauseContainerTag:                   DefaultPauseContainerTag,
 		CNIPluginsPath:                      filepath.Join(ecsBinaryDir, defaultCNIPluginDirName),

diff --git a/agent/config/parse_linux.go b/agent/config/parse_linux.go
@@ -25,14 +25,14 @@ import (
 	"github.com/cihub/seelog"
 )
 
-func parseGMSACapability() bool {
+func parseGMSACapability() BooleanDefaultFalse {
 	envStatus := utils.ParseBool(os.Getenv("ECS_GMSA_SUPPORTED"), true)
 	if envStatus {
 		// Check if domain join check override is present
 		skipDomainJoinCheck := utils.ParseBool(os.Getenv(envSkipDomainJoinCheck), false)
 		if skipDomainJoinCheck {
 			seelog.Infof("Skipping domain join validation based on environment override")
-			return true
+			return BooleanDefaultFalse{Value: ExplicitlyEnabled}
 		}
 
 		// check if the credentials fetcher socket is created and exists
@@ -42,15 +42,15 @@ func parseGMSACapability() bool {
 			if err != nil {
 				if os.IsNotExist(err) {
 					seelog.Errorf("CREDENTIALS_FETCHER_HOST_DIR not found, err: %v", err)
-					return false
+					return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 				}
 			}
 
 			//skip domain join check if the domainless gMSA is supported by setting the env variable
 			domainlessGMSAUser := os.Getenv("CREDENTIALS_FETCHER_SECRET_NAME_FOR_DOMAINLESS_GMSA")
 			if domainlessGMSAUser != "" && len(domainlessGMSAUser) > 0 {
 				seelog.Info("domainless gMSA support is enabled")
-				return true
+				return BooleanDefaultFalse{Value: ExplicitlyEnabled}
 			}
 
 			// returns true if the container instance is domain joined
@@ -59,16 +59,17 @@ func parseGMSACapability() bool {
 
 			if !isDomainJoined {
 				seelog.Error("gMSA on linux requires domain joined instance. Did not find expected env var ECS_DOMAIN_JOINED_LINUX_INSTANCE=true")
+				return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 			}
-			return isDomainJoined
+			return BooleanDefaultFalse{Value: ExplicitlyEnabled}
 		}
 	}
 	seelog.Debug("env variables to support gMSA are not set")
-	return false
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
-func parseFSxWindowsFileServerCapability() bool {
-	return false
+func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
 var IsWindows2016 = func() (bool, error) {

diff --git a/agent/config/parse_linux_test.go b/agent/config/parse_linux_test.go
@@ -27,25 +27,25 @@ func TestParseGMSACapabilitySupported(t *testing.T) {
 	t.Setenv("ECS_DOMAIN_JOINED_LINUX_INSTANCE", "True")
 	t.Setenv("CREDENTIALS_FETCHER_HOST_DIR", "/var/run")
 
-	assert.True(t, parseGMSACapability())
+	assert.True(t, parseGMSACapability().Enabled())
 }
 
 func TestParseGMSACapabilityNonDomainJoined(t *testing.T) {
 	t.Setenv("ECS_GMSA_SUPPORTED", "True")
 	t.Setenv("ECS_DOMAIN_JOINED_LINUX_INSTANCE", "False")
 
-	assert.False(t, parseGMSACapability())
+	assert.False(t, parseGMSACapability().Enabled())
 }
 
 func TestParseGMSACapabilityUnsupported(t *testing.T) {
 	t.Setenv("ECS_GMSA_SUPPORTED", "False")
 
-	assert.False(t, parseGMSACapability())
+	assert.False(t, parseGMSACapability().Enabled())
 }
 
 func TestSkipDomainJoinCheckParseGMSACapability(t *testing.T) {
 	t.Setenv("ECS_GMSA_SUPPORTED", "True")
 	t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
 
-	assert.True(t, parseGMSACapability())
+	assert.True(t, parseGMSACapability().Enabled())
 }
diff --git a/agent/config/parse_unsupported.go b/agent/config/parse_unsupported.go
@@ -21,12 +21,12 @@ import (
 	"strings"
 )
 
-func parseGMSACapability() bool {
-	return false
+func parseGMSACapability() BooleanDefaultFalse {
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
-func parseFSxWindowsFileServerCapability() bool {
-	return false
+func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
 var IsWindows2016 = func() (bool, error) {

diff --git a/agent/config/parse_unsupported_test.go b/agent/config/parse_unsupported_test.go
@@ -0,0 +1,31 @@
+//go:build !linux && !windows
+// +build !linux,!windows
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	httpaws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseGMSACapabilitySupported(t *testing.T) {
+	assert.False(t, parseGMSACapability().Enabled())
+}
+
+func TestParseFSxWindowsFileServerCapability(t *testing.T) {
+	assert.False(t, parseGMSACapability().Enabled())
+}
diff --git a/agent/config/parse_windows.go b/agent/config/parse_windows.go
@@ -35,41 +35,42 @@ const (
 )
 
 // parseGMSACapability is used to determine if gMSA support can be enabled
-func parseGMSACapability() bool {
+func parseGMSACapability() BooleanDefaultFalse {
 	envStatus := utils.ParseBool(os.Getenv("ECS_GMSA_SUPPORTED"), true)
 	return checkDomainJoinWithEnvOverride(envStatus)
 }
 
 // parseFSxWindowsFileServerCapability is used to determine if fsxWindowsFileServer support can be enabled
-func parseFSxWindowsFileServerCapability() bool {
+func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
 	// fsxwindowsfileserver is not supported on Windows 2016 and non-domain-joined container instances
 	status, err := IsWindows2016()
 	if err != nil || status == true {
-		return false
+		return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 	}
 
 	envStatus := utils.ParseBool(os.Getenv("ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED"), true)
 	return checkDomainJoinWithEnvOverride(envStatus)
 }
 
-func checkDomainJoinWithEnvOverride(envStatus bool) bool {
+func checkDomainJoinWithEnvOverride(envStatus bool) BooleanDefaultFalse {
 	if envStatus {
 		// Check if domain join check override is present
 		skipDomainJoinCheck := utils.ParseBool(os.Getenv(envSkipDomainJoinCheck), false)
 		if skipDomainJoinCheck {
 			seelog.Debug("Skipping domain join validation based on environment override")
-			return true
+			return BooleanDefaultFalse{Value: ExplicitlyEnabled}
 		}
 		// check if container instance is domain joined.
 		// If container instance is not domain joined, explicitly disable feature configuration.
 		status, err := isDomainJoined()
-		if err == nil && status == true {
-			return true
+		if err != nil {
+			seelog.Errorf("Unable to determine valid domain join with err: %v", err)
+		}
+		if status == true {
+			return BooleanDefaultFalse{Value: ExplicitlyEnabled}
 		}
-		seelog.Errorf("Unable to determine valid domain join: %v", err)
 	}
-
-	return false
+	return BooleanDefaultFalse{Value: ExplicitlyDisabled}
 }
 
 // isDomainJoined is used to validate if container instance is part of a valid active directory.

diff --git a/agent/config/parse_windows_test.go b/agent/config/parse_windows_test.go
@@ -27,7 +27,7 @@ func TestParseGMSACapability(t *testing.T) {
 	os.Setenv("ECS_GMSA_SUPPORTED", "False")
 	defer os.Unsetenv("ECS_GMSA_SUPPORTED")
 
-	assert.False(t, parseGMSACapability())
+	assert.False(t, parseGMSACapability().Enabled())
 }
 
 func TestParseBooleanEnvVar(t *testing.T) {
@@ -49,5 +49,5 @@ func TestParseFSxWindowsFileServerCapability(t *testing.T) {
 	os.Setenv("ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED", "False")
 	defer os.Unsetenv("ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED")
 
-	assert.False(t, parseFSxWindowsFileServerCapability())
+	assert.False(t, parseFSxWindowsFileServerCapability().Enabled())
 }
diff --git a/agent/config/types.go b/agent/config/types.go
@@ -329,14 +329,14 @@ type Config struct {
 
 	// GMSACapable is the config option to indicate if gMSA is supported.
 	// It should be enabled by default only if the container instance is part of a valid active directory domain.
-	GMSACapable bool
+	GMSACapable BooleanDefaultFalse
 
 	// VolumePluginCapabilities specifies the capabilities of the ecs volume plugin.
 	VolumePluginCapabilities []string
 
 	// FSxWindowsFileServerCapable is the config option to indicate if fsxWindowsFileServer is supported.
 	// It should be enabled by default only if the container instance is part of a valid active directory domain.
-	FSxWindowsFileServerCapable bool
+	FSxWindowsFileServerCapable BooleanDefaultFalse
 
 	// External specifies whether agent is running on external compute capacity (i.e. outside of aws).
 	External BooleanDefaultFalse

diff --git a/agent/engine/engine_sudo_linux_integ_test.go b/agent/engine/engine_sudo_linux_integ_test.go
@@ -767,7 +767,7 @@ func TestGMSATaskFile(t *testing.T) {
 	cfg := defaultTestConfigIntegTest()
 	cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
 	cfg.TaskCleanupWaitDuration = 3 * time.Second
-	cfg.GMSACapable = true
+	cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
 	cfg.AWSRegion = "us-west-2"
 
 	taskEngine, done, _ := setupGMSALinux(cfg, nil, t)

diff --git a/agent/engine/engine_windows_integ_test.go b/agent/engine/engine_windows_integ_test.go
@@ -455,7 +455,7 @@ func defaultTestConfigIntegTestGMSA() *config.Config {
 	cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
 	cfg.ImagePullBehavior = config.ImagePullPreferCachedBehavior
 
-	cfg.GMSACapable = true
+	cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
 	cfg.AWSRegion = "us-west-2"
 
 	return cfg