aws · TheanLim · Apr 21, 2025 · Apr 21, 2025 · Apr 21, 2025
@@ -20,6 +20,7 @@ import (
 	"github.com/pkg/errors"
 
 	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/engine"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/acs/model/ecsacs"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
@@ -32,13 +33,15 @@ var (
 
 // credentialsMetadataSetter struct implements CredentialsMetadataSetter interface defined in ecs-agent module.
 type credentialsMetadataSetter struct {
-	taskEngine engine.TaskEngine
+	taskEngine      engine.TaskEngine
+	ipCompatibility ipcompatibility.IPCompatibility
 }
 
 // NewCredentialsMetadataSetter creates a new credentialsMetadataSetter.
-func NewCredentialsMetadataSetter(taskEngine engine.TaskEngine) *credentialsMetadataSetter {
+func NewCredentialsMetadataSetter(taskEngine engine.TaskEngine, ipCompatibility ipcompatibility.IPCompatibility) *credentialsMetadataSetter {
 	return &credentialsMetadataSetter{
-		taskEngine: taskEngine,
+		taskEngine:      taskEngine,
+		ipCompatibility: ipCompatibility,
 	}
 }
 
@@ -62,7 +65,7 @@ func (cmSetter *credentialsMetadataSetter) SetExecRoleCredentialsMetadata(
 
 	// Refresh domainless gMSA plugin credentials if needed.
 	err = checkAndSetDomainlessGMSATaskExecutionRoleCredentialsImpl(credentials.IAMRoleCredentialsFromACS(
-		message.RoleCredentials, aws.ToString(message.RoleType)), task)
+		message.RoleCredentials, aws.ToString(message.RoleType)), task, cmSetter.ipCompatibility)
 	if err != nil {
 		return errors.Wrap(err, fmt.Sprintf("unable to set %s for task with ARN %s",
 			"DomainlessGMSATaskExecutionRoleCredentials", aws.ToString(message.TaskArn)))

@@ -19,20 +19,21 @@ package session
 import (
 	"github.com/aws/amazon-ecs-agent/agent/api/task"
 	asmfactory "github.com/aws/amazon-ecs-agent/agent/asm/factory"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	s3factory "github.com/aws/amazon-ecs-agent/agent/s3/factory"
 	ssmfactory "github.com/aws/amazon-ecs-agent/agent/ssm/factory"
 	"github.com/aws/amazon-ecs-agent/agent/taskresource/credentialspec"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
 )
 
-func checkAndSetDomainlessGMSATaskExecutionRoleCredentials(iamRoleCredentials credentials.IAMRoleCredentials, task *task.Task) error {
+func checkAndSetDomainlessGMSATaskExecutionRoleCredentials(iamRoleCredentials credentials.IAMRoleCredentials, task *task.Task, ipCompatibility ipcompatibility.IPCompatibility) error {
 	// exit early if the task does not need domainless gMSA
 	if !task.RequiresDomainlessCredentialSpecResource() {
 		return nil
 	}
 	credspecContainerMapping := task.GetAllCredentialSpecRequirements()
 	credentialspecResource, err := credentialspec.NewCredentialSpecResource(task.Arn, "", task.ExecutionCredentialsID,
-		nil, ssmfactory.NewSSMClientCreator(), s3factory.NewS3ClientCreator(), asmfactory.NewClientCreator(), credspecContainerMapping)
+		nil, ssmfactory.NewSSMClientCreator(), s3factory.NewS3ClientCreator(), asmfactory.NewClientCreator(), credspecContainerMapping, ipCompatibility)
 	if err != nil {
 		return err
 	}

@@ -21,6 +21,7 @@ import (
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
 	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	mock_engine "github.com/aws/amazon-ecs-agent/agent/engine/mocks"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/acs/model/ecsacs"
 	acssession "github.com/aws/amazon-ecs-agent/ecs-agent/acs/session"
@@ -75,6 +76,8 @@ var testRefreshCredentialsMessage = &ecsacs.IAMRoleCredentialsMessage{
 	},
 }
 
+var testIPCompatibility = ipcompatibility.NewIPCompatibility(true, true)
+
 // TestInvalidCredentialsMessageNotAcked tests that invalid credential message
 // is not ACKed.
 func TestInvalidCredentialsMessageNotAcked(t *testing.T) {
@@ -87,7 +90,7 @@ func TestInvalidCredentialsMessageNotAcked(t *testing.T) {
 		return nil
 	}
 	testRefreshCredentialsResponder := acssession.NewRefreshCredentialsResponder(credentials.NewManager(),
-		NewCredentialsMetadataSetter(nil),
+		NewCredentialsMetadataSetter(nil, testIPCompatibility),
 		metrics.NewNopEntryFactory(),
 		testResponseSender)
 
@@ -114,7 +117,7 @@ func TestCredentialsMessageNotAckedWhenTaskNotFound(t *testing.T) {
 		return nil
 	}
 	testRefreshCredentialsResponder := acssession.NewRefreshCredentialsResponder(credentials.NewManager(),
-		NewCredentialsMetadataSetter(mockTaskEngine),
+		NewCredentialsMetadataSetter(mockTaskEngine, testIPCompatibility),
 		metrics.NewNopEntryFactory(),
 		testResponseSender)
 
@@ -158,15 +161,15 @@ func TestHandleRefreshMessageAckedWhenCredentialsUpdated(t *testing.T) {
 				return nil
 			}
 			testRefreshCredentialsResponder := acssession.NewRefreshCredentialsResponder(credentialsManager,
-				NewCredentialsMetadataSetter(mockTaskEngine),
+				NewCredentialsMetadataSetter(mockTaskEngine, testIPCompatibility),
 				metrics.NewNopEntryFactory(),
 				testResponseSender)
 
 			handleCredentialsMessage :=
 				testRefreshCredentialsResponder.HandlerFunc().(func(*ecsacs.IAMRoleCredentialsMessage))
 
 			checkAndSetDomainlessGMSATaskExecutionRoleCredentialsImpl = func(
-				iamRoleCredentials credentials.IAMRoleCredentials, task *apitask.Task) error {
+				iamRoleCredentials credentials.IAMRoleCredentials, task *apitask.Task, ipCompatibility ipcompatibility.IPCompatibility) error {
 				if tc.taskArn != task.Arn {
 					return errors.New(fmt.Sprintf("Expected taskArnInput to be %s, instead got %s", tc.taskArn,
 						task.Arn))
@@ -232,15 +235,15 @@ func TestCredentialsMessageNotAckedWhenDomainlessGMSACredentialsError(t *testing
 				return nil
 			}
 			testRefreshCredentialsResponder := acssession.NewRefreshCredentialsResponder(credentialsManager,
-				NewCredentialsMetadataSetter(mockTaskEngine),
+				NewCredentialsMetadataSetter(mockTaskEngine, testIPCompatibility),
 				metrics.NewNopEntryFactory(),
 				testResponseSender)
 
 			handleCredentialsMessage :=
 				testRefreshCredentialsResponder.HandlerFunc().(func(*ecsacs.IAMRoleCredentialsMessage))
 
 			checkAndSetDomainlessGMSATaskExecutionRoleCredentialsImpl = func(
-				iamRoleCredentials credentials.IAMRoleCredentials, task *apitask.Task) error {
+				iamRoleCredentials credentials.IAMRoleCredentials, task *apitask.Task, ipCompatibility ipcompatibility.IPCompatibility) error {
 				if tc.taskArn != task.Arn {
 					return errors.New(fmt.Sprintf("Expected taskArnInput to be %s, instead got %s", tc.taskArn, task.Arn))
 				}

@@ -18,13 +18,15 @@ package session
 
 import (
 	"github.com/aws/amazon-ecs-agent/agent/api/task"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/taskresource/credentialspec"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
 )
 
 // setDomainlessGMSATaskExecutionRoleCredentials sets the taskExecutionRoleCredentials to a Windows Registry Key so that
 // the domainless gMSA plugin can use these credentials to retrieve the customer Active Directory credential
-func checkAndSetDomainlessGMSATaskExecutionRoleCredentials(iamRoleCredentials credentials.IAMRoleCredentials, task *task.Task) error {
+// ipCompatibility is noop - kept it to keep consistent method signature across platforms
+func checkAndSetDomainlessGMSATaskExecutionRoleCredentials(iamRoleCredentials credentials.IAMRoleCredentials, task *task.Task, ipCompatibility ipcompatibility.IPCompatibility) error {
 	// exit early if the task does not need domainless gMSA
 	if !task.RequiresDomainlessCredentialSpecResource() {
 		return nil

@@ -498,7 +498,7 @@ func (task *Task) initializeCredentialSpecResource(config *config.Config, creden
 	resourceFields *taskresource.ResourceFields) error {
 	credspecContainerMapping := task.GetAllCredentialSpecRequirements()
 	credentialspecResource, err := credentialspec.NewCredentialSpecResource(task.Arn, config.AWSRegion, task.ExecutionCredentialsID,
-		credentialsManager, resourceFields.SSMClientCreator, resourceFields.S3ClientCreator, resourceFields.ASMClientCreator, credspecContainerMapping)
+		credentialsManager, resourceFields.SSMClientCreator, resourceFields.S3ClientCreator, resourceFields.ASMClientCreator, credspecContainerMapping, resourceFields.IPCompatibility)
 	if err != nil {
 		return err
 	}
@@ -1275,7 +1275,7 @@ func (task *Task) initializeFirelensResource(config *config.Config, resourceFiel
 			}
 			firelensResource, err := firelens.NewFirelensResource(config.Cluster, task.Arn, task.Family+":"+task.Version,
 				ec2InstanceID, config.DataDir, firelensConfig.Type, config.AWSRegion, networkMode, firelensConfig.Options, containerToLogOptions,
-				credentialsManager, task.ExecutionCredentialsID, containerMemoryLimit)
+				credentialsManager, task.ExecutionCredentialsID, containerMemoryLimit, config.InstanceIPCompatibility)
 			if err != nil {
 				return errors.Wrap(err, "unable to initialize firelens resource")
 			}
@@ -3393,7 +3393,7 @@ func (task *Task) initializeEnvfilesResource(config *config.Config, credentialsM
 	for _, container := range task.Containers {
 		if container.ShouldCreateWithEnvFiles() {
 			envfileResource, err := envFiles.NewEnvironmentFileResource(config.Cluster, task.Arn, config.AWSRegion, config.DataDir,
-				container.Name, container.EnvironmentFiles, credentialsManager, task.ExecutionCredentialsID)
+				container.Name, container.EnvironmentFiles, credentialsManager, task.ExecutionCredentialsID, config.InstanceIPCompatibility)
 			if err != nil {
 				return errors.Wrapf(err, "unable to initialize envfiles resource for container %s", container.Name)
 			}

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/aws/amazon-ecs-agent/agent/api/serviceconnect"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
 	"github.com/aws/amazon-ecs-agent/agent/config"
@@ -80,6 +81,7 @@ const (
 
 var (
 	scPauseContainerName = fmt.Sprintf(ServiceConnectPauseContainerNameFormat, scContainerName)
+	testIPCompatibility  = ipcompatibility.NewIPCompatibility(true, true)
 )
 
 func getExpectedCgroupRoot() string {
@@ -863,9 +865,10 @@ func TestGetFirelensContainer(t *testing.T) {
 
 func TestInitializeFirelensResource(t *testing.T) {
 	cfg := &config.Config{
-		DataDir:   testDataDir,
-		Cluster:   testCluster,
-		AWSRegion: testRegion,
+		DataDir:                 testDataDir,
+		Cluster:                 testCluster,
+		AWSRegion:               testRegion,
+		InstanceIPCompatibility: testIPCompatibility,
 	}
 	resourceFields := &taskresource.ResourceFields{
 		ResourceFieldsCommon: &taskresource.ResourceFieldsCommon{
@@ -996,9 +999,10 @@ func TestInitializeFirelensResource(t *testing.T) {
 
 func TestInitializeFirelensResourceWithExternalConfig(t *testing.T) {
 	cfg := &config.Config{
-		DataDir:   testDataDir,
-		Cluster:   testCluster,
-		AWSRegion: testRegion,
+		DataDir:                 testDataDir,
+		Cluster:                 testCluster,
+		AWSRegion:               testRegion,
+		InstanceIPCompatibility: testIPCompatibility,
 	}
 	resourceFields := &taskresource.ResourceFields{
 		ResourceFieldsCommon: &taskresource.ResourceFieldsCommon{

@@ -33,6 +33,7 @@ import (
 	mock_factory "github.com/aws/amazon-ecs-agent/agent/asm/factory/mocks"
 	mock_secretsmanageriface "github.com/aws/amazon-ecs-agent/agent/asm/mocks"
 	"github.com/aws/amazon-ecs-agent/agent/config"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi"
 	mock_dockerapi "github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi/mocks"
@@ -3981,7 +3982,8 @@ func TestInitializeAndGetEnvfilesResource(t *testing.T) {
 	defer ctrl.Finish()
 
 	cfg := &config.Config{
-		DataDir: "/ecs/data",
+		DataDir:                 "/ecs/data",
+		InstanceIPCompatibility: ipcompatibility.NewIPCompatibility(true, true),
 	}
 	credentialsManager := mock_credentials.NewMockManager(ctrl)
 
@@ -5010,6 +5012,7 @@ func TestInitializeAndGetCredentialSpecResource(t *testing.T) {
 			CredentialsManager: credentialsManager,
 			S3ClientCreator:    s3ClientCreator,
 			ASMClientCreator:   asmClientCreator,
+			IPCompatibility:    ipcompatibility.NewIPCompatibility(true, true),
 		},
 	}
 

@@ -1092,7 +1092,7 @@ func (agent *ecsAgent) startACSSession(
 
 	payloadMessageHandler := agentacs.NewPayloadMessageHandler(taskEngine, client, agent.dataClient, taskHandler,
 		credentialsManager, agent.latestSeqNumberTaskManifest)
-	credsMetadataSetter := agentacs.NewCredentialsMetadataSetter(taskEngine)
+	credsMetadataSetter := agentacs.NewCredentialsMetadataSetter(taskEngine, agent.getConfig().InstanceIPCompatibility)
 	eniHandler := agentacs.NewENIHandler(state, agent.dataClient)
 	manifestMessageIDAccessor := agentacs.NewManifestMessageIDAccessor()
 	sequenceNumberAccessor := agentacs.NewSequenceNumberAccessor(agent.latestSeqNumberTaskManifest, agent.dataClient)

@@ -176,6 +176,7 @@ func (agent *ecsAgent) initializeResourceFields(credentialsManager credentials.M
 			S3ClientCreator:    s3factory.NewS3ClientCreator(),
 			CredentialsManager: credentialsManager,
 			EC2InstanceID:      agent.getEC2InstanceID(),
+			IPCompatibility:    agent.getConfig().InstanceIPCompatibility,
 		},
 		Ctx:              agent.ctx,
 		DockerClient:     agent.dockerClient,

@@ -323,6 +323,7 @@ func (agent *ecsAgent) initializeResourceFields(credentialsManager credentials.M
 			FSxClientCreator:   fsxfactory.NewFSxClientCreator(),
 			S3ClientCreator:    s3factory.NewS3ClientCreator(),
 			CredentialsManager: credentialsManager,
+			IPCompatibility:    agent.getConfig().InstanceIPCompatibility,
 		},
 		Ctx:          agent.ctx,
 		DockerClient: agent.dockerClient,

@@ -23,11 +23,13 @@ import (
 	"strings"
 	"time"
 
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient"
 	"github.com/aws/amazon-ecs-agent/agent/utils"
 	apierrors "github.com/aws/amazon-ecs-agent/ecs-agent/api/errors"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/ec2"
 	commonutils "github.com/aws/amazon-ecs-agent/ecs-agent/utils"
+
 	"github.com/cihub/seelog"
 )
 
@@ -242,6 +244,9 @@ func NewConfig(ec2client ec2.EC2MetadataClient) (*Config, error) {
 	// TODO feat:IPv6-only - Enable when launching IPv6-only support
 	// config.determineIPCompatibility(ec2client)
 
+	// Testing only
+	config.InstanceIPCompatibility = ipcompatibility.NewIPv6OnlyCompatibility()
+
 	if config.complete() {
 		// No need to do file / network IO
 		return config, nil

@@ -32,6 +32,7 @@ import (
 	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
 	mock_asm_factory "github.com/aws/amazon-ecs-agent/agent/asm/factory/mocks"
 	"github.com/aws/amazon-ecs-agent/agent/config"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/data"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi"
@@ -1591,6 +1592,7 @@ func TestCredentialSpecResourceTaskFile(t *testing.T) {
 	ssmClientCreator := mock_ssm_factory.NewMockSSMClientCreator(ctrl)
 	s3ClientCreator := mock_s3_factory.NewMockS3ClientCreator(ctrl)
 	asmClientCreator := mock_asm_factory.NewMockClientCreator(ctrl)
+	testIPCompatibility := ipcompatibility.NewIPCompatibility(true, true)
 
 	credentialSpecRes, cerr := credentialspec.NewCredentialSpecResource(
 		testTask.Arn,
@@ -1600,7 +1602,9 @@ func TestCredentialSpecResourceTaskFile(t *testing.T) {
 		ssmClientCreator,
 		s3ClientCreator,
 		asmClientCreator,
-		nil)
+		nil,
+		testIPCompatibility,
+	)
 	assert.NoError(t, cerr)
 
 	credSpecdata := map[string]string{

@@ -27,6 +27,7 @@ import (
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
 	apitask "github.com/aws/amazon-ecs-agent/agent/api/task"
 	mock_asm_factory "github.com/aws/amazon-ecs-agent/agent/asm/factory/mocks"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient"
 	"github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi"
 	mock_dockerapi "github.com/aws/amazon-ecs-agent/agent/dockerclient/dockerapi/mocks"
@@ -57,6 +58,8 @@ const (
 	ExpectedNetworkNamespace = "none"
 )
 
+var testIPCompatibility = ipcompatibility.NewIPCompatibility(true, true)
+
 func TestDeleteTask(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -148,7 +151,9 @@ func TestCredentialSpecResourceTaskFile(t *testing.T) {
 		ssmClientCreator,
 		s3ClientCreator,
 		asmClientCreator,
-		nil)
+		nil,
+		testIPCompatibility,
+	)
 	assert.NoError(t, cerr)
 
 	credSpecdata := map[string]string{
@@ -229,7 +234,9 @@ func TestCredentialSpecResourceTaskFileErr(t *testing.T) {
 		ssmClientCreator,
 		s3ClientCreator,
 		asmClientCreator,
-		nil)
+		nil,
+		testIPCompatibility,
+	)
 	assert.NoError(t, cerr)
 
 	credSpecdata := map[string]string{