Skip to content

Commit

Permalink
Fix a issue that agent does not clean task execution credentials from…
Browse files Browse the repository at this point in the history
… credential manager
  • Loading branch information
Realmonia committed Aug 20, 2021
1 parent 4449712 commit d00e36a
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 1 deletion.
9 changes: 8 additions & 1 deletion agent/engine/task_manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -350,7 +350,7 @@ func (mtask *managedTask) steadyState() bool {
}
}

// cleanupCredentials removes credentials for a stopped task
// cleanupCredentials removes credentials for a stopped task (execution credentials are removed in cleanupTask)
func (mtask *managedTask) cleanupCredentials() {
taskCredentialsID := mtask.GetCredentialsID()
if taskCredentialsID != "" {
Expand Down Expand Up @@ -1424,6 +1424,7 @@ func (mtask *managedTask) time() ttime.Time {
}

func (mtask *managedTask) cleanupTask(taskStoppedDuration time.Duration) {
taskExecutionCredentialsID := mtask.GetExecutionCredentialsID()
cleanupTimeDuration := mtask.GetKnownStatusTime().Add(taskStoppedDuration).Sub(ttime.Now())
cleanupTime := make(<-chan time.Time)
if cleanupTimeDuration < 0 {
Expand Down Expand Up @@ -1453,6 +1454,12 @@ func (mtask *managedTask) cleanupTask(taskStoppedDuration time.Duration) {
return
}

// Remove TaskExecutionCredentials from credentialsManager
if taskExecutionCredentialsID != "" {
logger.Info("Cleaning up task's execution credentials")
mtask.credentialsManager.RemoveCredentials(taskExecutionCredentialsID)
}

logger.Info("Cleaning up task's containers and data", logger.Fields{
field.TaskARN: mtask.Arn,
})
Expand Down
70 changes: 70 additions & 0 deletions agent/engine/task_manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ import (
"github.com/aws/amazon-ecs-agent/agent/engine/dependencygraph"
mock_dockerstate "github.com/aws/amazon-ecs-agent/agent/engine/dockerstate/mocks"
mock_engine "github.com/aws/amazon-ecs-agent/agent/engine/mocks"
mock_credentials "github.com/aws/amazon-ecs-agent/agent/credentials/mocks"
"github.com/aws/amazon-ecs-agent/agent/engine/testdata"
"github.com/aws/amazon-ecs-agent/agent/eventstream"
"github.com/aws/amazon-ecs-agent/agent/sighandlers/exitcodes"
Expand Down Expand Up @@ -1335,6 +1336,75 @@ func TestTaskWaitForExecutionCredentials(t *testing.T) {
}
}

func TestCleanupTaskWithExecutionCredentials(t *testing.T) {
cfg := getTestConfig()
ctrl := gomock.NewController(t)
mockTime := mock_ttime.NewMockTime(ctrl)
mockState := mock_dockerstate.NewMockTaskEngineState(ctrl)
mockClient := mock_dockerapi.NewMockDockerClient(ctrl)
mockImageManager := mock_engine.NewMockImageManager(ctrl)
mockCredentialsManager := mock_credentials.NewMockManager(ctrl)
mockResource := mock_taskresource.NewMockTaskResource(ctrl)
defer ctrl.Finish()

ctx, cancel := context.WithCancel(context.TODO())
defer cancel()

taskEngine := &DockerTaskEngine{
ctx: ctx,
cfg: &cfg,
dataClient: data.NewNoopClient(),
state: mockState,
client: mockClient,
imageManager: mockImageManager,
credentialsManager: mockCredentialsManager,
}
mTask := &managedTask{
ctx: ctx,
cancel: cancel,
Task: testdata.LoadTask("sleep5"),
credentialsManager: mockCredentialsManager,
_time: mockTime,
engine: taskEngine,
acsMessages: make(chan acsTransition),
dockerMessages: make(chan dockerContainerChange),
resourceStateChangeEvent: make(chan resourceStateChange),
cfg: taskEngine.cfg,
}

mTask.Task.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
mTask.Task.SetExecutionRoleCredentialsID("executionRoleCredentialsId")
mTask.AddResource("mockResource", mockResource)
mTask.SetKnownStatus(apitaskstatus.TaskStopped)
mTask.SetSentStatus(apitaskstatus.TaskStopped)
container := mTask.Containers[0]
dockerContainer := &apicontainer.DockerContainer{
DockerName: "dockerContainer",
}

// Expectations for triggering cleanup
now := mTask.GetKnownStatusTime()
taskStoppedDuration := 1 * time.Minute
mockTime.EXPECT().Now().Return(now).AnyTimes()
cleanupTimeTrigger := make(chan time.Time)
mockTime.EXPECT().After(gomock.Any()).Return(cleanupTimeTrigger)
go func() {
cleanupTimeTrigger <- now
}()

// Expectations to verify the execution credentials get removed
mockCredentialsManager.EXPECT().RemoveCredentials("executionRoleCredentialsId")

// Expectations to verify that the task gets removed
mockState.EXPECT().ContainerMapByArn(mTask.Arn).Return(map[string]*apicontainer.DockerContainer{container.Name: dockerContainer}, true)
mockClient.EXPECT().RemoveContainer(gomock.Any(), dockerContainer.DockerName, gomock.Any()).Return(nil)
mockImageManager.EXPECT().RemoveContainerReferenceFromImageState(container).Return(nil)
mockState.EXPECT().RemoveTask(mTask.Task)
mockResource.EXPECT().Cleanup()
mockResource.EXPECT().GetName()
mTask.cleanupTask(taskStoppedDuration)
}

func TestCleanupTaskWithInvalidInterval(t *testing.T) {
ctrl := gomock.NewController(t)
mockTime := mock_ttime.NewMockTime(ctrl)
Expand Down

0 comments on commit d00e36a

Please sign in to comment.