ecs: add iptables rules for ECS introspection server #2267
Conversation
iptables rules for ecs introspection server and some comments
iptables rules for ECS introspection server
Can you elaborate on the testing you've done to specifically test these changes? I'm not too familiar with the ECS agent introspection API. Looking at the issue, can you try verifying you can access the introspection API endpoint in a running ECS task?
packages/ecs-agent/ecs.service
Outdated
ExecStartPre=/sbin/iptables -t filter -I INPUT --dst 127.0.0.0/8 ! \ | ||
--src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP | ||
ExecStart=/usr/bin/amazon-ecs-agent | ||
# Grant access to metadata server |
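Review bot: the `ExecStartPre` line inserts with a bare `-I INPUT`, which is not idempotent: `ExecStartPre` runs on every start, and the unit restarts on its own (`RestartSec=1s` is in the surrounding context), so if the matching `ExecStopPost` deletion ever fails or the rule is removed out of band, the next start stacks a duplicate copy at the top of INPUT. Guarding it as `/sbin/iptables -t filter -C INPUT ... || /sbin/iptables -t filter -I INPUT ...` keeps repeated starts harmless. It would also help to say in the comment that the `! --ctstate RELATED,ESTABLISHED,DNAT` exception is what lets the DNAT'd introspection traffic (bridge address port 51678 redirected to 127.0.0.1) pass this DROP, since that exception is the rule's only connection to the purpose of the PR.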
These ExecStopPost directives are deleting the iptables rules, right? Would this be more accurate?:
# Grant access to metadata server | |
# Remove access to IMDS from ECS tasks |
Same for the new comments below
packages/ecs-agent/ecs.service
Outdated
@@ -13,17 +13,29 @@ RestartSec=1s | |||
EnvironmentFile=-/etc/ecs/ecs.config | |||
EnvironmentFile=/etc/network/proxy.env | |||
Environment=ECS_CHECKPOINT=true | |||
# Grant access to metadata server |
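Review bot: the comment `# Grant access to metadata server` that closes this hunk is ambiguous now that the unit deals with two endpoints (IMDS and the ECS introspection server on port 51678, per the PR description); state which destination the rule that follows covers and that a matching `ExecStopPost` undoes it, e.g. `# Grant ECS tasks access to IMDS (removed again by the ExecStopPost below)`, so the insert/delete pairs can be checked against each other when the file is edited later.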
"metadata server" is somewhat ambiguous. It also might be good to specify what we're granting access to. Would this be accurate?
# Grant access to metadata server | |
# Grant ECS tasks access to IMDS |
Discussed with @arnaldo2792 and I agree - clarifying the "metadata server" is a good idea. :)
@etungsten Sure, I'll add further details in the PR description, but essentially:
Force push b06ebf6 to 45f8494: respond to PR suggestions (fix comment clarity)
Force push 45f8494 to 697d227: replace IMDS with proper name
iptables rules for ECS introspection server
Force push 697d227 to cf61982: fix commit message
The code change looks fine to me as long as the Datadog agent is working on the ECS variant now. Can you fix the commit subject to align to conventions?
@bcressey: @arnaldo2792 and I just finished testing the Datadog agent. We confirmed that docker labels get translated to Datadog tags using the following environment variable in the Datadog agent Task configuration:
{
  "name": "DD_DOCKER_LABELS_AS_TAGS",
  "value": "'{\"com.amazonaws.ecs.task-definition-family\": \"task_name_test\", \"com.amazonaws.ecs.task-definition-version\": \"task_version_test\"}'"
}
The tags appeared for a Task scoped to a Bottlerocket host containing my changes, and did not appear for a Task scoped to a Bottlerocket host without my changes.
iptables rules for ECS introspection server
Enables ECS Tasks to query the ECS Introspection Server.
Force push cf61982 to 0075507: fix commit message to align to convention
Issue number:
Closes #2195
Description of changes:
Adds iptables rules that forward traffic destined for the ECS Introspection port on the Docker Bridge interface address to the ECS Introspection port on the localhost interface (where the ECS Introspection Server is listening).
Testing done:
- aws-ecs-1 variant in an ECS cluster, which consisted of:
  - curl the API endpoint (172.17.0.1:51678) over HTTP from within that fedora container (ECS Task)
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
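The rule pair this PR describes, a DNAT from the docker bridge address to the introspection port on localhost plus the INPUT filter from the ExecStartPre hunk above (drop non-loopback traffic to 127/8 unless it belongs to an existing flow or was DNAT'd), written as an added example hook script. This is not code from the Bottlerocket PR or from ecs.service. It assumes the bridge address 172.17.0.1 and port 51678 from the testing notes, the hypothetical script path `/usr/local/bin/ecs-introspection-rules.sh`, and the invented `ensure_rule`/`remove_rule` helpers; the iptables binary comes from an `IPTABLES` variable so the hook can be exercised with a stub. The `-C` check before `-I` is what makes repeated starts idempotent, which a bare `-I` on every ExecStartPre is not.

```shell
#!/bin/sh
# Added example (not from the Bottlerocket PR or ecs.service): idempotent
# install/remove of the two iptables rules the PR describes, shaped as a
# systemd ExecStartPre/ExecStopPost hook. Assumed values: docker bridge
# address 172.17.0.1 and introspection port 51678 (from the PR's test notes);
# IPTABLES is overridable so the hook can be exercised with a stub.
IPTABLES="${IPTABLES:-/sbin/iptables}"
BRIDGE_ADDR="${BRIDGE_ADDR:-172.17.0.1}"
INTROSPECT_PORT="${INTROSPECT_PORT:-51678}"

# Insert a rule only if it is not already present: -C (check) returns 0 when
# an identical rule exists, so repeated starts do not stack duplicates at the
# top of the chain the way a bare "-I" on every ExecStartPre would.
# Args: table chain match-and-target...
ensure_rule() {
  table=$1; chain=$2; shift 2
  if $IPTABLES -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  $IPTABLES -t "$table" -I "$chain" "$@"
}

# Delete every copy of a rule (loop: earlier non-idempotent starts may have
# left duplicates, and -D removes only one occurrence per call).
remove_rule() {
  table=$1; chain=$2; shift 2
  while $IPTABLES -t "$table" -C "$chain" "$@" 2>/dev/null; do
    $IPTABLES -t "$table" -D "$chain" "$@" || return 1
  done
}

# Rule 1: redirect task traffic aimed at <bridge>:51678 to the introspection
# server listening on 127.0.0.1:51678.  $1 selects ensure_rule or remove_rule.
introspection_dnat() {
  "$1" nat PREROUTING -p tcp -d "$BRIDGE_ADDR" --dport "$INTROSPECT_PORT" \
       -j DNAT --to-destination "127.0.0.1:$INTROSPECT_PORT"
}

# Rule 2 (the PR's INPUT filter): drop packets for 127/8 that did not come
# from loopback unless they belong to an existing flow or were DNAT'd; that
# exception is what lets rule 1's redirected traffic through.
loopback_filter() {
  "$1" filter INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 \
       -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
}

start_hook() { introspection_dnat ensure_rule && loopback_filter ensure_rule; }
# Remove both even if one removal fails, so a partial state is not left behind.
stop_hook()  { introspection_dnat remove_rule; loopback_filter remove_rule; }

# Hypothetical unit wiring (path is an assumption, not from the PR):
#   ExecStartPre=/usr/local/bin/ecs-introspection-rules.sh start
#   ExecStopPost=/usr/local/bin/ecs-introspection-rules.sh stop
case "${1:-}" in
  start) start_hook ;;
  stop)  stop_hook ;;
esac
```

One kernel-side caveat the PR text does not mention: a packet that arrived on docker0 and was DNAT'd to 127.0.0.1 is only delivered locally when `net.ipv4.conf.docker0.route_localnet=1`; otherwise the kernel discards it as a martian before the INPUT rule is consulted, so the filter rule above never sees it.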