Skip docker bridge iptables rules for introspection blocking when no bridge found (#4785)

Author: amogh09

ecs-init/docker/docker.go

@@ -16,7 +16,7 @@ package docker
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
+	"errors"
 	"io"
 	"os"
 	"os/exec"
@@ -165,6 +165,9 @@ var (
 	execCommand                   = exec.Command
 	execLookPath                  = exec.LookPath
 	checkNvidiaGPUDevicesPresence = nvidiaGPUDevicesPresent
+	// ErrNoBridgeNetwork indicates no docker bridge network interface was found
+	ErrNoBridgeNetwork = errors.New(
+		"unable to find any virtual docker bridge network interfaces on the host")
 )
 
 // client enables business logic for running the Agent inside Docker
@@ -694,5 +697,5 @@ func (c *client) FindDefaultBridgeNetworkInterfaceName() (string, error) {
 			}
 		}
 	}
-	return "", fmt.Errorf("unable to find any virtual docker bridge network interfaces on the host")
+	return "", ErrNoBridgeNetwork
 }

ecs-init/engine/engine.go

@@ -100,13 +100,18 @@ func New() (*Engine, error) {
 	if err != nil {
 		return nil, err
 	}
-	docker, err := getDockerClient()
+	dockerClient, err := getDockerClient()
 	if err != nil {
 		return nil, err
 	}
-	dockerBridgeNetworkName, err := docker.FindDefaultBridgeNetworkInterfaceName()
+	dockerBridgeNetworkName, err := dockerClient.FindDefaultBridgeNetworkInterfaceName()
 	if err != nil {
-		return nil, err
+		if errors.Is(err, docker.ErrNoBridgeNetwork) {
+			log.Info("No docker bridge network found, skipping bridge-specific iptables rules")
+			dockerBridgeNetworkName = ""
+		} else {
+			return nil, err
+		}
 	}
 	credentialsProxyRoute, err := iptables.NewNetfilterRoute(cmdExec, netlinkwrapper.New(), dockerBridgeNetworkName)
 	if err != nil {

ecs-init/exec/iptables/iptables.go

@@ -118,10 +118,15 @@ func (route *NetfilterRoute) Create() error {
 
 		// Allow docker's virtual bridge interface to access the introspection server. Inserting it after applying
 		// the rule to drop all connections other than loopback interface will push it on top of priority.
-		err = route.modifyNetfilterEntry(iptablesTableFilter, iptablesInsert, allowIntrospectionForDockerIptablesInputChainArgs, true)
-		if err != nil {
-			log.Errorf("Error adding input chain entry to allow %s access to introspection server: %w", err)
-			return err
+		if defaultDockerBridgeNetworkName != "" {
+			err = route.modifyNetfilterEntry(iptablesTableFilter, iptablesInsert,
+				allowIntrospectionForDockerIptablesInputChainArgs, true)
+			if err != nil {
+				log.Errorf(
+					"Error adding input chain entry to allow %s access to introspection server: %w",
+					err)
+				return err
+			}
 		}
 	}
 
@@ -150,9 +155,13 @@ func (route *NetfilterRoute) Remove() error {
 		introspectionInputError = fmt.Errorf("error removing input chain entry: %v", introspectionInputError)
 	}
 
-	dockerIntrospectionInputError = route.modifyNetfilterEntry(iptablesTableFilter, iptablesDelete, allowIntrospectionForDockerIptablesInputChainArgs, true)
-	if dockerIntrospectionInputError != nil {
-		dockerIntrospectionInputError = fmt.Errorf("error removing input chain entry: %v", dockerIntrospectionInputError)
+	if defaultDockerBridgeNetworkName != "" {
+		dockerIntrospectionInputError = route.modifyNetfilterEntry(iptablesTableFilter,
+			iptablesDelete, allowIntrospectionForDockerIptablesInputChainArgs, true)
+		if dockerIntrospectionInputError != nil {
+			dockerIntrospectionInputError = fmt.Errorf(
+				"error removing input chain entry: %v", dockerIntrospectionInputError)
+		}
 	}
 
 	outputErr := route.modifyNetfilterEntry(iptablesTableNat, iptablesDelete, getOutputChainArgs, false)