
Prevent network-blackhole-port from affecting TMDS access #4403

Merged (3 commits) on Oct 22, 2024

Conversation

amogh09 (Contributor) commented Oct 21, 2024

Summary

Network blackhole port fault with {"Port": 80, "Protocol": "tcp", "TrafficType": "egress"} configuration currently breaks the task's access to TMDS since the fault affects all TCP destinations on port 80, which includes TMDS for the task. This is undesirable as TMDS access is needed to interact with Fault Injection APIs.

This PR prevents this issue by adding an additional rule to the fault's iptables chain that accepts all TCP traffic destined for TMDS.

Implementation details

The fault injection handler now appends an additional rule to accept TMDS traffic using the command below.

iptables -A <chain-name> -p tcp -d 169.254.170.2 --dport 80 -j ACCEPT

The fault chain looks like below after the fault has been injected.

Chain egress-tcp-80 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            169.254.170.2        tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Testing

Ran a host-mode task and an awsvpc-mode task, then ran the following commands from the task container. The second command below does not work without the changes in this PR.

# Inject network-blackhole-port fault that blocks all TCP traffic destined to port 80
bash-5.2# curl -XPOST --data '{"Port": 80, "Protocol": "tcp", "TrafficType": "ingress"}' ${ECS_AGENT_URI}/fault/v1/network-blackhole-port/start
{"Status":"running"}bash-5.2#

# Now verify that TMDS is still reachable 
bash-5.2# curl -XPOST --data '{"Port": 80, "Protocol": "tcp", "TrafficType": "ingress"}' ${ECS_AGENT_URI}/fault/v1/network-blackhole-port/status
{"Status":"running"}bash-5.2#

New tests cover the changes: yes

Description for the changelog

bugfix: Prevent TMDS access from being impacted by network-blackhole-port fault.

Additional Information

Does this PR include breaking model changes? If so, have you added transformation functions?

Does this PR include the addition of new environment variables in the README?

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
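The ordering that makes this fix work, as an added example that is not part of the PR or of the agent's code base: a small Go model of the fault chain that applies iptables first-match semantics, renders the append command quoted in the PR, and shows that TCP traffic to 169.254.170.2 survives only when the ACCEPT rule precedes the DROP. The Rule type, the function names, and the 198.51.100.7 destination are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
)

// Rule models one rule of the fault chain (constructed for this example, not the agent's own type).
type Rule struct {
	Proto   string
	DstIP   string // "0.0.0.0/0" matches any destination
	DstPort int
	Target  string
}

const tmdsIP = "169.254.170.2" // TMDS address from the PR
// BlackholeChain builds the chain from the PR: TMDS ACCEPT first, then the DROP for the port.
func BlackholeChain(port int) []Rule {
	return []Rule{
		{Proto: "tcp", DstIP: tmdsIP, DstPort: port, Target: "ACCEPT"},
		{Proto: "tcp", DstIP: "0.0.0.0/0", DstPort: port, Target: "DROP"},
	}
}

// IptablesArgs renders a rule as the "iptables -A" command shown in the PR.
func IptablesArgs(chain string, r Rule) []string {
	args := []string{"iptables", "-A", chain, "-p", r.Proto}
	if r.DstIP != "0.0.0.0/0" {
		args = append(args, "-d", r.DstIP)
	}
	return append(args, "--dport", strconv.Itoa(r.DstPort), "-j", r.Target)
}

// Verdict applies first-match semantics; a packet matching no rule falls through ("RETURN").
func Verdict(chain []Rule, proto, dstIP string, dstPort int) string {
	for _, r := range chain {
		if r.Proto == proto && r.DstPort == dstPort &&
			(r.DstIP == "0.0.0.0/0" || r.DstIP == dstIP) {
			return r.Target
		}
	}
	return "RETURN"
}

func main() {
	chain := BlackholeChain(80)
	fmt.Println("TMDS:", Verdict(chain, "tcp", tmdsIP, 80))                 // ACCEPT
	fmt.Println("other host:", Verdict(chain, "tcp", "198.51.100.7", 80))   // DROP
	fmt.Println("TMDS, rules reversed:", Verdict([]Rule{chain[1], chain[0]}, "tcp", tmdsIP, 80)) // DROP
}
```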

@amogh09 amogh09 changed the base branch from master to dev October 21, 2024 21:36
@amogh09 amogh09 changed the title Bhp protect tmds Prevent network-blackhole-port from affecting TMDS access Oct 21, 2024
@amogh09 amogh09 marked this pull request as ready for review October 21, 2024 21:55
@amogh09 amogh09 requested a review from a team as a code owner October 21, 2024 21:55
@xxx0624 xxx0624 merged commit 79f17a5 into aws:dev Oct 22, 2024
40 checks passed
amogh09 added a commit to amogh09/amazon-ecs-agent that referenced this pull request Oct 23, 2024
* Protect TMDS IP from being affected by network-blackhole-port fault

* Fix test

---------

Co-authored-by: xingzhen <[email protected]>
@mye956 mye956 mentioned this pull request Oct 30, 2024