feat(netlib): Add static link-local IP assignment to daemon namespaces

Assign predictable link-local IP addresses to managed daemon network
namespaces. Daemon namespaces now receive 169.254.172.2/22 for IPv4
and fd00:ec2::172:2/112 for IPv6, enabling reliable communication
between the host and daemons running inside the namespace.

Changes:
- Add DaemonNamespaceIPv4 and DaemonNamespaceIPv6 constants
- Update createDaemonBridgePluginConfig to set static IPs in IPAM config
- Update unit tests for IPv4-only, IPv6-only, and dual-stack cases
- Add e2e connectivity tests for IPv4 and IPv6

Author: Jose Villalta

ecs-agent/netlib/platform/cniconf.go

@@ -21,9 +21,12 @@ const (
 	ECSSubNet     = "169.254.172.0/22"
 	AgentEndpoint = "169.254.170.2/32"
 
-	// Daemon-bridge networking constants
+	// Daemon-bridge networking constants.
 	DaemonBridgeGatewayIP   = "169.254.172.1"
 	DefaultRouteDestination = "0.0.0.0/0"
+	// DaemonNamespaceIPv4 is the static IPv4 address assigned to daemon namespace interfaces.
+	// The address includes the /22 prefix length to match the ECS subnet.
+	DaemonNamespaceIPv4 = "169.254.172.2/22"
 
 	// IPv6 daemon-bridge networking constants
 	// Using fd00:ec2::172:0/112 as a unique local address (ULA) subnet for ECS internal communication.
@@ -33,6 +36,9 @@ const (
 	ECSSubNetIPv6               = "fd00:ec2::172:0/112"
 	DaemonBridgeGatewayIPv6     = "fd00:ec2::172:1"
 	DefaultRouteDestinationIPv6 = "::/0"
+	// DaemonNamespaceIPv6 is the static IPv6 address assigned to daemon namespace interfaces.
+	// The address includes the /112 prefix length to match the ECS IPv6 subnet.
+	DaemonNamespaceIPv6 = "fd00:ec2::172:2/112"
 
 	CNIPluginLogFileEnv    = "ECS_CNI_LOG_FILE"
 	VPCCNIPluginLogFileEnv = "VPC_CNI_LOG_FILE"

ecs-agent/netlib/platform/cniconf_linux.go

@@ -179,15 +179,17 @@ func createDaemonBridgePluginConfig(netNSPath string, ipComp ipcompatibility.IPC
 			CNISpecVersion: cniSpecVersion,
 			CNIPluginName:  IPAMPluginName,
 		},
-		IPV4Subnet: ECSSubNet,
-		IPV4Routes: ipv4Routes,
-		IPV6Routes: ipv6Routes,
-		ID:         netNSPath,
+		IPV4Subnet:  ECSSubNet,
+		IPV4Address: DaemonNamespaceIPv4,
+		IPV4Routes:  ipv4Routes,
+		IPV6Routes:  ipv6Routes,
+		ID:          netNSPath,
 	}
 
-	// Add IPv6 subnet and gateway if IPv6 compatible
+	// Add IPv6 subnet, gateway, and static address if IPv6 compatible.
 	if ipComp.IsIPv6Compatible() {
 		ipamConfig.IPV6Subnet = ECSSubNetIPv6
+		ipamConfig.IPV6Address = DaemonNamespaceIPv6
 		ipamConfig.IPV6Gateway = DaemonBridgeGatewayIPv6
 	}
 

ecs-agent/netlib/platform/cniconf_linux_test.go

@@ -359,15 +359,21 @@ func getTestV2NInterface() *networkinterface.NetworkInterface {
 	}
 }
 
+// TestCreateDaemonBridgePluginConfig verifies that createDaemonBridgePluginConfig produces
+// correct CNI configurations for different IP compatibility modes, including static IP
+// address assignment for daemon namespaces.
+// **Validates: Requirements 2.1, 2.2, 3.1, 3.2, 4.1**
 func TestCreateDaemonBridgePluginConfig(t *testing.T) {
-	// Common CNI config for all test cases
+	t.Parallel()
+
+	// Common CNI config for all test cases.
 	cniConfig := ecscni.CNIConfig{
 		NetNSPath:      netNSPath,
 		CNISpecVersion: cniSpecVersion,
 		CNIPluginName:  BridgePluginName,
 	}
 
-	// Common routes
+	// Common routes.
 	_, agentRouteIPNet, _ := net.ParseCIDR(AgentEndpoint)
 	agentRoute := &types.Route{
 		Dst: *agentRouteIPNet,
@@ -387,15 +393,15 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 		GW:  bridgeGWv6,
 	}
 
-	for _, tc := range []struct {
+	tests := []struct {
 		name           string
 		ipComp         ipcompatibility.IPCompatibility
 		expectedConfig *ecscni.BridgeConfig
 		expectError    bool
 		errorContains  string
 	}{
 		{
-			name:   "IPv4-only configuration",
+			name:   "IPv4-only configuration includes static IPv4 address",
 			ipComp: ipcompatibility.NewIPv4OnlyCompatibility(),
 			expectedConfig: &ecscni.BridgeConfig{
 				CNIConfig: cniConfig,
@@ -406,15 +412,16 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 						CNISpecVersion: cniSpecVersion,
 						CNIPluginName:  IPAMPluginName,
 					},
-					IPV4Subnet: ECSSubNet,
-					IPV4Routes: []*types.Route{agentRoute, defaultRouteIPv4},
-					ID:         netNSPath,
+					IPV4Subnet:  ECSSubNet,
+					IPV4Address: DaemonNamespaceIPv4,
+					IPV4Routes:  []*types.Route{agentRoute, defaultRouteIPv4},
+					ID:          netNSPath,
 				},
 			},
 			expectError: false,
 		},
 		{
-			name:   "IPv6-only configuration",
+			name:   "IPv6-only configuration includes static IPv6 address",
 			ipComp: ipcompatibility.NewIPv6OnlyCompatibility(),
 			expectedConfig: &ecscni.BridgeConfig{
 				CNIConfig: cniConfig,
@@ -426,8 +433,10 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 						CNIPluginName:  IPAMPluginName,
 					},
 					IPV4Subnet:  ECSSubNet,
-					IPV4Routes:  []*types.Route{agentRoute}, // ECS agent endpoint always included
+					IPV4Address: DaemonNamespaceIPv4,        // IPv4 address is always set for IPAM.
+					IPV4Routes:  []*types.Route{agentRoute}, // ECS agent endpoint always included.
 					IPV6Subnet:  ECSSubNetIPv6,
+					IPV6Address: DaemonNamespaceIPv6,
 					IPV6Gateway: DaemonBridgeGatewayIPv6,
 					IPV6Routes:  []*types.Route{defaultRouteIPv6},
 					ID:          netNSPath,
@@ -436,7 +445,7 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name:   "Dual-stack configuration",
+			name:   "Dual-stack configuration includes both static IPv4 and IPv6 addresses",
 			ipComp: ipcompatibility.NewDualStackCompatibility(),
 			expectedConfig: &ecscni.BridgeConfig{
 				CNIConfig: cniConfig,
@@ -448,8 +457,10 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 						CNIPluginName:  IPAMPluginName,
 					},
 					IPV4Subnet:  ECSSubNet,
+					IPV4Address: DaemonNamespaceIPv4,
 					IPV4Routes:  []*types.Route{agentRoute, defaultRouteIPv4},
 					IPV6Subnet:  ECSSubNetIPv6,
+					IPV6Address: DaemonNamespaceIPv6,
 					IPV6Gateway: DaemonBridgeGatewayIPv6,
 					IPV6Routes:  []*types.Route{defaultRouteIPv6},
 					ID:          netNSPath,
@@ -463,19 +474,22 @@ func TestCreateDaemonBridgePluginConfig(t *testing.T) {
 			expectError:   true,
 			errorContains: "host is neither IPv4 nor IPv6 compatible",
 		},
-	} {
-		tc := tc
+	}
 
-		t.Run(tc.name, func(t *testing.T) {
-			actualConfig, err := createDaemonBridgePluginConfig(netNSPath, tc.ipComp)
+	for _, tt := range tests {
+		tt := tt // Capture range variable for parallel execution.
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			actualConfig, err := createDaemonBridgePluginConfig(netNSPath, tt.ipComp)
 
-			if tc.expectError {
+			if tt.expectError {
 				require.Error(t, err)
-				require.Contains(t, err.Error(), tc.errorContains)
+				require.Contains(t, err.Error(), tt.errorContains)
 				require.Nil(t, actualConfig)
 			} else {
 				require.NoError(t, err)
-				expected, err := json.Marshal(tc.expectedConfig)
+				expected, err := json.Marshal(tt.expectedConfig)
 				require.NoError(t, err)
 				actual, err := json.Marshal(actualConfig)
 				require.NoError(t, err)