USACE / instrumentation

Instrumentation project issue tracking and project planning
MIT License

Fargate Platform Version 1.3.0 --> 1.4.0 : Shared /git volume not visible from primary-container instrumentation-dcs #88

Closed brettpalmberg closed 3 years ago

brettpalmberg commented 3 years ago

Summary

Issue Resolved.

Debugging, trial-and-error, and a slight refactor of the container definition resolved an issue related to a volume shared between sidecar-container and primary-container.

This is related to a known change between Fargate Platform 1.3.0 and 1.4.0 that affects shared ephemeral volumes. See https://github.com/aws/containers-roadmap/issues/863.

Setup

Two containers in a single task definition share a volume called git. The volume is mounted at /git in both containers.

The first container, which we will call sidecar-container is responsible for a git clone into the /git directory. The /git mount point is not owned by root and the container runs with a non-root user.

The second container, which we will call primary-container makes use of the files available in /git (resulting from the git clone by sidecar-container). The /git mount point is not owned by root and the container runs with a non-root user.

The UID of the non-root user running inside sidecar-container and primary-container is the same.

Symptom

Upon upgrading Fargate Platform 1.3.0 --> Fargate Platform 1.4.0, files in /git are visible from sidecar-container. Files in /git are not visible from primary-container.

Solution

The solution in our case was to:

  1. Stop using volumesFrom in primary-container and add the git volume to mountPoints instead. Interestingly, this was different from, seemingly the opposite of, the solution using volumesFrom described at https://github.com/aws/containers-roadmap/issues/863.
container_definitions = [
    {
      "name": "sidecar-container",
      "mountPoints": [{"readOnly": false, "containerPath": "/git", "sourceVolume": "git"}],
      "volumesFrom": [],
      ...
    },
    {
      "name": "primary-container"
-     "volumesFrom": [{"sourceContainer": "sidecar-container", "readOnly": true}],
+    "volumesFrom": [],
-     "mountPoints":[],
+    "mountPoints": [{"readOnly": true, "containerPath": "/git", "sourceVolume": "git"}],
      "dependsOn": [{"containerName": "sidecar-container", "condition": "COMPLETE"}],
      ...
    },
]
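Review bot: the context line `"name": "primary-container"` is missing a trailing comma before the `"volumesFrom"` entry that follows it, so the primary-container block as shown is not valid HCL/JSON; add the comma. Since `dependsOn` waits for `sidecar-container` to reach `COMPLETE`, the sidecar is expected to exit, and its definition (elided here by `...`) must carry `"essential": false`, otherwise an essential container stopping ends the task before primary-container runs. Mounting the volume with `"readOnly": true` in primary-container is the right call: the consumer gets the clone without being able to modify it.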
  2. Ensure the Dockerfiles for both primary-container and sidecar-container each include the following directive:
VOLUME [ "/git" ]
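As an added example (not code from the USACE instrumentation project), the following Python lint checks a rendered ECS task definition for the sidecar pattern described in the issue: the producer and consumer both reference the same named volume through mountPoints rather than volumesFrom, the consumer mounts it read-only, the consumer waits for the producer to COMPLETE, and the producer is non-essential so that its exit does not stop the task. The container and volume names are the ones from the issue; the task family name, the `essential` settings, the sample task definitions and all helper names are assumptions constructed for this example.

```python
"""Lint an ECS task definition for the shared-ephemeral-volume sidecar pattern.

Added example, not the instrumentation project's own code. The sample task
definitions below are constructed to mirror the before/after wiring shown in
the issue; the family name and essential flags are assumed.
"""
from typing import Optional


def _container(task_def: dict, name: str) -> Optional[dict]:
    """Return the container definition with the given name, or None."""
    for c in task_def.get("containerDefinitions", []):
        if c.get("name") == name:
            return c
    return None


def _mount_for(container: dict, volume: str) -> Optional[dict]:
    """Return the mountPoints entry whose sourceVolume is `volume`, or None."""
    for mp in container.get("mountPoints") or []:
        if mp.get("sourceVolume") == volume:
            return mp
    return None


def check_shared_volume(task_def: dict, volume: str, producer: str, consumer: str) -> list:
    """Return a list of findings; an empty list means the pattern is wired correctly.

    Checks: the volume is declared on the task; the producer mounts it writable
    via mountPoints; the consumer mounts the same sourceVolume via mountPoints
    (not volumesFrom, which is what stopped working for primary-container on
    Fargate platform 1.4.0) and read-only; the consumer depends on the producer
    reaching COMPLETE (or SUCCESS); and the producer is non-essential, because
    an essential container exiting stops the whole task.
    """
    findings = []
    declared = {v.get("name") for v in task_def.get("volumes", [])}
    if volume not in declared:
        findings.append(f"volume '{volume}' is not declared under task volumes")
    prod, cons = _container(task_def, producer), _container(task_def, consumer)
    if prod is None or cons is None:
        findings.append(f"container '{producer if prod is None else consumer}' not found")
        return findings
    pm = _mount_for(prod, volume)
    if pm is None:
        findings.append(f"{producer} does not mount '{volume}' via mountPoints")
    elif pm.get("readOnly"):
        findings.append(f"{producer} mounts '{volume}' read-only but must write to it")
    for vf in cons.get("volumesFrom") or []:
        if vf.get("sourceContainer") == producer:
            findings.append(f"{consumer} uses volumesFrom {producer}; mount '{volume}' via mountPoints instead")
    cm = _mount_for(cons, volume)
    if cm is None:
        findings.append(f"{consumer} does not mount '{volume}' via mountPoints")
    elif not cm.get("readOnly"):
        findings.append(f"{consumer} mounts '{volume}' writable; a consumer should mount it readOnly")
    deps = {(d.get("containerName"), d.get("condition")) for d in cons.get("dependsOn") or []}
    if not deps & {(producer, "COMPLETE"), (producer, "SUCCESS")}:
        findings.append(f"{consumer} has no dependsOn {producer} with condition COMPLETE or SUCCESS")
    if prod.get("essential", True):
        findings.append(f"{producer} is essential; a container that must COMPLETE should set essential=false")
    return findings


def task_def_with(primary: dict) -> dict:
    """Constructed task definition: only the primary-container block varies."""
    return {
        "family": "instrumentation-dcs",  # assumed family name
        "volumes": [{"name": "git"}],
        "containerDefinitions": [
            {
                "name": "sidecar-container",
                "essential": False,  # assumed: the sidecar exits after the clone
                "mountPoints": [{"readOnly": False, "containerPath": "/git", "sourceVolume": "git"}],
                "volumesFrom": [],
            },
            primary,
        ],
    }


# Wiring from before the fix: primary-container reached /git through volumesFrom.
BEFORE = task_def_with({
    "name": "primary-container", "essential": True,
    "volumesFrom": [{"sourceContainer": "sidecar-container", "readOnly": True}],
    "mountPoints": [],
    "dependsOn": [{"containerName": "sidecar-container", "condition": "COMPLETE"}],
})

# Wiring after the fix: the same named volume mounted read-only via mountPoints.
AFTER = task_def_with({
    "name": "primary-container", "essential": True,
    "volumesFrom": [],
    "mountPoints": [{"readOnly": True, "containerPath": "/git", "sourceVolume": "git"}],
    "dependsOn": [{"containerName": "sidecar-container", "condition": "COMPLETE"}],
})

if __name__ == "__main__":
    for label, td in (("before", BEFORE), ("after", AFTER)):
        print(label, check_shared_volume(td, "git", "sidecar-container", "primary-container"))
```

Run against a task definition exported with `aws ecs describe-task-definition` (the `taskDefinition` object), the lint reports two findings for the BEFORE wiring (volumesFrom in use, no mountPoints entry for git) and none for the AFTER wiring; it also flags a consumer that mounts the volume writable or that lacks the COMPLETE dependency on the sidecar.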
brettpalmberg commented 3 years ago

cc @jeffsuperglide @adamscarberry