aws-ecs-1: constrain ephemeral port range #1051
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ECS documents a smaller ephemeral port range than is default on Bottlerocket. Constraining our range to the documented ECS range should avoid surprising customers who expect ECS's documented range and have configured their security groups accordingly.
bcressey
approved these changes
Aug 19, 2020
webern
approved these changes
Aug 19, 2020
jahkeup
approved these changes
Aug 19, 2020
jahkeup
reviewed
Aug 19, 2020
|
|
||
| # Constrain ephemeral ports to the range documented for ECS | ||
| # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html | ||
| net.ipv4.ip_local_port_range = 32768 60999 |
There was a problem hiding this comment.
Didn't see 60999 referenced in the linked docs, is 60999 a value that was chosen over65535?
There was a problem hiding this comment.
I copied this without noticing it was different from the ECS documentation, but 60999 is the upper bound I see on Amazon Linux, Debian, and Ubuntu. I can add that to the comments if you want.
There was a problem hiding this comment.
I think we should keep this aligned with documented and current usages of the constrained port range: so yes, I'd prefer to see this as 65535.
An example: the current port range used by the CDK is 32768-65535 (though this range might be opened up in the near future).
There was a problem hiding this comment.
- Discussed offline with @samuelkarp : common distributions are using the kernel's default of
60999 - digging into the kernel history on
60999(and the move to61000) show no concerns surrounding65535nor60999(other than for port assignment efficacy) - I'm on board with leaving this at
60999👍
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
#815
Description of changes:
ECS documents a smaller ephemeral port range than is default on Bottlerocket. Constraining our range to the documented ECS range should avoid surprising customers who expect ECS's documented range and have configured their security groups accordingly.
Testing done:
docker runlocally and saw the correct ephemeral port range being used."portMappings": [{"containerPort": 80}]and saw the correct ephemeral port range being used.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.