Merge branch 'aws:master' into master

.github/dependabot.yml

@@ -24,3 +24,10 @@ updates:
     # the bot stuck at trying to upgrade it; (2) sdk change has higher risk of breaking the agent so probably safer to
     # upgrade manually.
     - dependency-name: "github.com/aws/aws-sdk-go"
+- package-ecosystem: "github-actions"
+  directory: ".github/workflows"
+  schedule:
+    interval: weekly
+    time: "00:00"
+  open-pull-requests-limit: 1
+  target-branch: "dev"

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+# 1.89.2
+* Enhancement - Refactors Branch ENI configuration to support all platform types [#4436](https://github.com/aws/amazon-ecs-agent/pull/4436)
+* Enhancement - Update agent version of https://github.com/containerd/cgroups from v3.0.2 to v3.0.4 [#4350](https://github.com/aws/amazon-ecs-agent/pull/4350)
+* Enhancement - Implement credentials chain for aws-sdk-go-v2 [#4424](https://github.com/aws/amazon-ecs-agent/pull/4424)
+* Enhancement - Update amazon-ecs-cni-plugins to 2024.09.0 [#4442](https://github.com/aws/amazon-ecs-agent/pull/4442)
+* Enhancement - Remove typos from annotations in ecs-init/docker/docker.go [#4426](https://github.com/aws/amazon-ecs-agent/pull/4426)
+* Enhancement - Add check if tc is compatible before advertising fault injection capability [#4434](https://github.com/aws/amazon-ecs-agent/pull/4434)
+* Enhancement - Add /etc/pki directory to appnet agent's bind mounts for service connect [#4437](https://github.com/aws/amazon-ecs-agent/pull/4437)
+
 # 1.89.1
 * Changes included from discarded v1.89.0 release
 

VERSION

@@ -1 +1 @@
-1.89.1
+1.89.2

agent/api/container/container.go

@@ -34,6 +34,7 @@ import (
 	"github.com/cihub/seelog"
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/registry"
 )
 
 const (
@@ -977,7 +978,7 @@ func (c *Container) ShouldPullWithASMAuth() bool {
 // SetASMDockerAuthConfig add the docker auth config data to the
 // RegistryAuthentication struct held by the container, this is then passed down
 // to the docker client to pull the image
-func (c *Container) SetASMDockerAuthConfig(dac types.AuthConfig) {
+func (c *Container) SetASMDockerAuthConfig(dac registry.AuthConfig) {
 	c.RegistryAuthentication.ASMAuthData.SetDockerAuthConfig(dac)
 }
 

agent/api/container/registryauth.go

@@ -18,7 +18,7 @@ import (
 
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
 )
 
 // RegistryAuthenticationData is the authentication data sent by the ECS backend.  Currently, the only supported
@@ -36,7 +36,7 @@ type ECRAuthData struct {
 	RegistryID       string `json:"registryId"`
 	UseExecutionRole bool   `json:"useExecutionRole"`
 	pullCredentials  credentials.IAMRoleCredentials
-	dockerAuthConfig types.AuthConfig
+	dockerAuthConfig registry.AuthConfig
 	lock             sync.RWMutex
 }
 
@@ -50,7 +50,7 @@ type ASMAuthData struct {
 	Region string `json:"region"`
 	// dockerAuthConfig gets populated during the ASM resource creation
 	// by the task engine
-	dockerAuthConfig types.AuthConfig
+	dockerAuthConfig registry.AuthConfig
 	lock             sync.RWMutex
 }
 
@@ -71,7 +71,7 @@ func (auth *ECRAuthData) SetPullCredentials(creds credentials.IAMRoleCredentials
 }
 
 // GetDockerAuthConfig returns the pull credentials in the auth
-func (auth *ECRAuthData) GetDockerAuthConfig() types.AuthConfig {
+func (auth *ECRAuthData) GetDockerAuthConfig() registry.AuthConfig {
 	auth.lock.RLock()
 	defer auth.lock.RUnlock()
 
@@ -80,15 +80,15 @@ func (auth *ECRAuthData) GetDockerAuthConfig() types.AuthConfig {
 
 // SetDockerAuthConfig sets the credentials to pull from ECR in the
 // ecr auth data
-func (auth *ECRAuthData) SetDockerAuthConfig(dac types.AuthConfig) {
+func (auth *ECRAuthData) SetDockerAuthConfig(dac registry.AuthConfig) {
 	auth.lock.Lock()
 	defer auth.lock.Unlock()
 
 	auth.dockerAuthConfig = dac
 }
 
 // GetDockerAuthConfig returns the pull credentials in the auth
-func (auth *ASMAuthData) GetDockerAuthConfig() types.AuthConfig {
+func (auth *ASMAuthData) GetDockerAuthConfig() registry.AuthConfig {
 	auth.lock.RLock()
 	defer auth.lock.RUnlock()
 
@@ -97,7 +97,7 @@ func (auth *ASMAuthData) GetDockerAuthConfig() types.AuthConfig {
 
 // SetDockerAuthConfig sets the credentials to pull from ECR in the
 // auth
-func (auth *ASMAuthData) SetDockerAuthConfig(dac types.AuthConfig) {
+func (auth *ASMAuthData) SetDockerAuthConfig(dac registry.AuthConfig) {
 	auth.lock.Lock()
 	defer auth.lock.Unlock()
 

agent/app/agent.go

@@ -59,6 +59,7 @@ import (
 	apierrors "github.com/aws/amazon-ecs-agent/ecs-agent/api/errors"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials/instancecreds"
+	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials/providers"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/doctor"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/ec2"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/eventstream"
@@ -68,6 +69,7 @@ import (
 	"github.com/aws/amazon-ecs-agent/ecs-agent/tcs/model/ecstcs"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/utils/retry"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/wsclient"
+	awsv2 "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	aws_credentials "github.com/aws/aws-sdk-go/aws/credentials"
@@ -146,6 +148,7 @@ type ecsAgent struct {
 	dockerClient                dockerapi.DockerClient
 	containerInstanceARN        string
 	credentialProvider          *aws_credentials.Credentials
+	credentialsCache            *awsv2.CredentialsCache
 	stateManagerFactory         factory.StateManager
 	saveableOptionFactory       factory.SaveableOption
 	pauseLoader                 loader.Loader
@@ -231,6 +234,11 @@ func newAgent(blackholeEC2Metadata bool, acceptInsecureCert *bool) (agent, error
 		metadataManager = containermetadata.NewManager(dockerClient, cfg)
 	}
 
+	credentialsCache := providers.NewInstanceCredentialsCache(
+		cfg.External.Enabled(),
+		providers.NewRotatingSharedCredentialsProviderV2(),
+		nil,
+	)
 	initialSeqNumber := int64(-1)
 	return &ecsAgent{
 		ctx:               ctx,
@@ -244,6 +252,7 @@ func newAgent(blackholeEC2Metadata bool, acceptInsecureCert *bool) (agent, error
 		// to mimic roughly the way it's instantiated by the SDK for a default
 		// session.
 		credentialProvider:          instancecreds.GetCredentials(cfg.External.Enabled()),
+		credentialsCache:            credentialsCache,
 		stateManagerFactory:         factory.NewStateManager(),
 		saveableOptionFactory:       factory.NewSaveableOption(),
 		pauseLoader:                 pause.New(),
@@ -781,7 +790,7 @@ func (agent *ecsAgent) registerContainerInstance(
 	client ecs.ECSClient,
 	additionalAttributes []*ecsmodel.Attribute) error {
 	// Preflight request to make sure they're good
-	if preflightCreds, err := agent.credentialProvider.Get(); err != nil || preflightCreds.AccessKeyID == "" {
+	if preflightCreds, err := agent.credentialsCache.Retrieve(context.TODO()); err != nil || !preflightCreds.HasKeys() {
 		seelog.Errorf("Error getting valid credentials: %s", err)
 	}
 

agent/app/agent_capability.go

@@ -553,6 +553,7 @@ func (agent *ecsAgent) appendFaultInjectionCapabilities(capabilities []*ecs.Attr
 
 	if isFaultInjectionToolingAvailable() {
 		capabilities = appendNameOnlyAttribute(capabilities, attributePrefix+capabilityFaultInjection)
+		seelog.Debug("Fault injection capability is enabled.")
 	} else {
 		seelog.Warn("Fault injection capability not enabled: Required network tools are missing")
 	}

agent/app/agent_capability_unix.go

@@ -18,6 +18,7 @@ package app
 
 import (
 	"context"
+	"fmt"
 	"os/exec"
 	"path/filepath"
 	"strings"
@@ -30,6 +31,7 @@ import (
 	"github.com/aws/amazon-ecs-agent/agent/taskresource/volume"
 	"github.com/aws/amazon-ecs-agent/agent/utils"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/api/ecs/model/ecs"
+	"github.com/aws/amazon-ecs-agent/ecs-agent/tmds/utils/netconfig"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/utils/execwrapper"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/cihub/seelog"
@@ -45,6 +47,7 @@ const (
 	modInfoCmd                  = "modinfo"
 	faultInjectionKernelModules = "sch_netem"
 	ctxTimeoutDuration          = 60 * time.Second
+	tcShowCmdString             = "tc -j q show dev %s parent 1:1"
 )
 
 var (
@@ -250,6 +253,7 @@ var isFaultInjectionToolingAvailable = checkFaultInjectionTooling
 // wrapper around exec.LookPath
 var lookPathFunc = exec.LookPath
 var osExecWrapper = execwrapper.NewExec()
+var networkConfigClient = netconfig.NewNetworkConfigClient()
 
 // checkFaultInjectionTooling checks for the required network packages like iptables, tc
 // to be available on the host before ecs.capability.fault-injection can be advertised
@@ -263,7 +267,7 @@ func checkFaultInjectionTooling() bool {
 			return false
 		}
 	}
-	return checkFaultInjectionModules()
+	return checkFaultInjectionModules() && checkTCShowTooling()
 }
 
 // checkFaultInjectionModules checks for the required kernel modules such as sch_netem to be installed
@@ -278,3 +282,21 @@ func checkFaultInjectionModules() bool {
 	}
 	return true
 }
+
+func checkTCShowTooling() bool {
+	ctxWithTimeout, cancel := context.WithTimeout(context.Background(), ctxTimeoutDuration)
+	defer cancel()
+	hostDeviceName, netErr := netconfig.DefaultNetInterfaceName(networkConfigClient.NetlinkClient)
+	if netErr != nil {
+		seelog.Warnf("Failed to obtain the network interface device name on the host: %v", netErr)
+		return false
+	}
+	tcShowCmd := fmt.Sprintf(tcShowCmdString, hostDeviceName)
+	cmdList := strings.Split(tcShowCmd, " ")
+	_, err := osExecWrapper.CommandContext(ctxWithTimeout, cmdList[0], cmdList[1:]...).CombinedOutput()
+	if err != nil {
+		seelog.Warnf("Failed to call %s which is needed for fault-injection feature: %v", tcShowCmd, err)
+		return false
+	}
+	return true
+}