Skip to content

Check if ipv6 has been disabled on the host #4744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mye956 merged 1 commit into from
Aug 6, 2025
Merged

Check if ipv6 has been disabled on the host #4744

mye956 merged 1 commit into from
Aug 6, 2025

Conversation

@mye956
Copy link
Contributor

@mye956 mye956 commented Aug 5, 2025
edited
Loading

Summary

This PR will check whether /proc/sys/net/ipv6 exists within the host before running any ip6tables commands.

Implementation details

  • Running os.Stat on /proc/sys/net/ipv6 to check if it exists.

Testing

Added new unit test cases

Manual testing:

[ec2-user@ip-172-31-24-50 ~]$ systemctl status ecs
● ecs.service - Amazon Elastic Container Service - container agent
   Loaded: loaded (/usr/lib/systemd/system/ecs.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2025-08-05 23:50:55 UTC; 25s ago
     Docs: https://aws.amazon.com/documentation/ecs/
  Process: 19675 ExecStartPre=/usr/libexec/amazon-ecs-init pre-start (code=exited, status=0/SUCCESS)
  Process: 19648 ExecStartPre=/bin/bash -c if [ $(/usr/bin/systemctl is-active docker) != "active" ]; then exit 1; fi (code=exited, status=0/SUCCESS)
 Main PID: 19702 (amazon-ecs-init)
    Tasks: 7
   Memory: 4.2M
   CGroup: /system.slice/ecs.service
           └─19702 /usr/libexec/amazon-ecs-init start

Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19675]: level=info time=2025-08-05T23:50:55Z msg="pre-start: checking ecs agent container image loaded presence"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19675]: level=info time=2025-08-05T23:50:55Z msg="pre-start: ecs agent container image loaded presence: true"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19675]: level=info time=2025-08-05T23:50:55Z msg="pre-start: reloading agent"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal systemd[1]: Started Amazon Elastic Container Service - container agent.
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="Successfully created docker client with API version 1.25"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="start"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="Container name: /ecs-agent"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="Removing existing agent container ID: fdc03aca12c9fa80fc9d2f2d40232d790c6bc9b7181cfddf9ca38bb4de65030f"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="Starting Amazon Elastic Container Service Agent"
Aug 05 23:50:55 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[19702]: level=info time=2025-08-05T23:50:55Z msg="Operating system family is: amzn_2"
[ec2-user@ip-172-31-24-50 ~]$ ls /proc/sys/net/ipv6
ls: cannot access /proc/sys/net/ipv6: No such file or directory
[ec2-user@ip-172-31-24-50 ~]$ docker ps
CONTAINER ID   IMAGE                            COMMAND    CREATED          STATUS                    PORTS     NAMES
026360a785c2   amazon/amazon-ecs-agent:latest   "/agent"   38 seconds ago   Up 35 seconds (healthy)             ecs-agent

With IPv6 enabled

[ec2-user@ip-172-31-24-50 ~]$ systemctl status ecs
● ecs.service - Amazon Elastic Container Service - container agent
   Loaded: loaded (/usr/lib/systemd/system/ecs.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2025-08-05 23:53:17 UTC; 16s ago
     Docs: https://aws.amazon.com/documentation/ecs/
  Process: 2804 ExecStartPre=/usr/libexec/amazon-ecs-init pre-start (code=exited, status=0/SUCCESS)
  Process: 2782 ExecStartPre=/bin/bash -c if [ $(/usr/bin/systemctl is-active docker) != "active" ]; then exit 1; fi (code=exited, status=0/SUCCESS)
 Main PID: 2840 (amazon-ecs-init)
    Tasks: 7
   Memory: 17.8M
   CGroup: /system.slice/ecs.service
           └─2840 /usr/libexec/amazon-ecs-init start

Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2804]: level=info time=2025-08-05T23:53:17Z msg="Successfully blocked IPv6 off-host access for introspection server with ip6tables."
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2804]: level=info time=2025-08-05T23:53:17Z msg="pre-start: checking ecs agent container image loaded presence"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2804]: level=info time=2025-08-05T23:53:17Z msg="pre-start: ecs agent container image loaded presence: true"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal systemd[1]: Started Amazon Elastic Container Service - container agent.
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="Successfully created docker client with API version 1.25"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="start"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="Container name: /ecs-agent"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="Removing existing agent container ID: 026360a785c27afca97e03fad8bfe6b0fab42537918ebf2f5664db0bf0ca7481"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="Starting Amazon Elastic Container Service Agent"
Aug 05 23:53:17 ip-172-31-24-50.us-west-2.compute.internal amazon-ecs-init[2840]: level=info time=2025-08-05T23:53:17Z msg="Operating system family is: amzn_2"
[ec2-user@ip-172-31-24-50 ~]$ ls /proc/sys/net/ipv6
anycast_src_echo_reply  bindv6only                 calipso_cache_enable  flowlabel_consistency  flowlabel_state_ranges  icmp         idgen_retries        ip6frag_low_thresh       ip6frag_time      mld_max_msf  neigh  xfrm6_gc_thresh
auto_flowlabels         calipso_cache_bucket_size  conf                  flowlabel_reflect      fwmark_reflect          idgen_delay  ip6frag_high_thresh  ip6frag_secret_interval  ip_nonlocal_bind  mld_qrv      route
[ec2-user@ip-172-31-24-50 ~]$

Ubuntu (checking if path exists)

ubuntu@ip-172-31-24-43:~$ ls /proc/sys/net/ipv6
anycast_src_echo_reply  bindv6only                 calipso_cache_enable  fib_multipath_hash_fields  fib_notify_on_flag_change  flowlabel_reflect       fwmark_reflect  idgen_delay    ioam6_id       ip6frag_high_thresh  ip6frag_secret_interval  ip_nonlocal_bind     max_dst_opts_number  max_hbh_opts_number  mld_qrv  route           xfrm6_gc_thresh
auto_flowlabels         calipso_cache_bucket_size  conf                  fib_multipath_hash_policy  flowlabel_consistency      flowlabel_state_ranges  icmp            idgen_retries  ioam6_id_wide  ip6frag_low_thresh   ip6frag_time             max_dst_opts_length  max_hbh_length       mld_max_msf          neigh    seg6_flowlabel

New tests cover the changes: yes

Description for the changelog

enhancement - Check if IPv6 kernel config file exists before using ip6tables

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions?

Does this PR include the addition of new environment variables in the README?

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mye956 mye956 requested a review from a team as a code owner August 5, 2025 21:56
@mye956 mye956 force-pushed the detect-ipv6-disabled branch 3 times, most recently from 97dfc28 to 299a1dc Compare August 5, 2025 23:44
@mye956 mye956 changed the title WIP Check if ipv6 has been disabled on the host Aug 5, 2025
amogh09
amogh09 previously approved these changes Aug 5, 2025
View reviewed changes
singholt
singholt previously approved these changes Aug 6, 2025
View reviewed changes
danehlim
danehlim previously approved these changes Aug 6, 2025
View reviewed changes
prateekchaudhry
prateekchaudhry reviewed Aug 6, 2025
View reviewed changes
@mye956 mye956 dismissed stale reviews from danehlim, singholt, and amogh09 via 7d7fed2 August 6, 2025 00:10
@mye956 mye956 force-pushed the detect-ipv6-disabled branch from 299a1dc to 7d7fed2 Compare August 6, 2025 00:10
@mye956 mye956 added the bot/test label Aug 6, 2025
@mye956 mye956 added the bot/test label Aug 6, 2025
@mye956 mye956 enabled auto-merge (rebase) August 6, 2025 17:20
@mye956 mye956 merged commit d97d513 into aws:dev Aug 6, 2025
40 checks passed
@harishxr harishxr mentioned this pull request Aug 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prateekchaudhry prateekchaudhry prateekchaudhry approved these changes

@amogh09 amogh09 amogh09 approved these changes

@danehlim danehlim danehlim approved these changes

@singholt singholt singholt left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mye956 @prateekchaudhry @amogh09 @singholt @danehlim @amazon-ecs-bot