Summary
Issue Resolved.
Debug, trial-and-error, and a slight refactor of the container definition resolved an issue with a volume shared between sidecar-container and primary-container. This is related to a known change between Fargate Platform 1.3.0 and 1.4.0 that affects shared ephemeral volumes. See https://github.com/aws/containers-roadmap/issues/863.

Setup

Two containers in a single task definition share a volume called git. The volume is mounted at /git in both containers.

The first container, which we will call sidecar-container, is responsible for a git clone into the /git directory. The /git mount point is not owned by root and the container runs as a non-root user.

The second container, which we will call primary-container, makes use of the files available in /git (resulting from the git clone by sidecar-container). The /git mount point is not owned by root and the container runs as a non-root user.

The UID of the non-root user running inside sidecar-container and primary-container is the same. Matching UIDs is what lets primary-container read the files the sidecar created without making /git world-readable or world-writable.

Symptom

Upon upgrading Fargate Platform 1.3.0 --> Fargate Platform 1.4.0, files in /git are visible from sidecar-container. Files in /git are not visible from primary-container.

Solution

The solution in our case was to stop using volumesFrom in primary-container and add the git volume to mountPoints instead. Interestingly, this was different - seemingly the opposite - of a solution using volumesFrom described at https://github.com/aws/containers-roadmap/issues/863.
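The Setup and Solution sections above, written out as a task definition, as an added example that is not the post's own task definition. The container names, the git volume and the /git path are taken from the post; the image names, the UID 1000, the dependsOn ordering, the family name and the lint_shared_volume check are assumptions made for this example. The lint flags the volumesFrom pattern that broke after the 1.4.0 upgrade and confirms both containers mount the task-level volume at the same path as the same non-root user, so the check can run in CI before aws ecs register-task-definition is called.

```python
"""ECS task definition for the sidecar/primary shared-volume layout above.

Added example, not the task definition from the original post. Container
names, the "git" volume and /git come from the post; the image names, the
UID 1000, the dependsOn ordering, the family name and the lint function are
assumptions made for this example.
"""
import copy
import json

UID = "1000"  # assumed: the same non-root UID in both containers

# Task-level ephemeral volume: no "host" or EFS block, so it lives in the
# task's ephemeral storage and is shared by every container that mounts it.
GIT_VOLUME = {"name": "git"}

SIDECAR = {
    "name": "sidecar-container",
    "image": "example.com/git-clone:latest",  # assumed image
    "essential": False,
    "user": UID,
    "mountPoints": [
        {"sourceVolume": "git", "containerPath": "/git", "readOnly": False}
    ],
}

# Before: primary-container inherits the sidecar's mounts via volumesFrom.
# This is the layout that stopped working after the 1.4.0 upgrade.
PRIMARY_BEFORE = {
    "name": "primary-container",
    "image": "example.com/app:latest",  # assumed image
    "essential": True,
    "user": UID,
    "volumesFrom": [{"sourceContainer": "sidecar-container", "readOnly": False}],
    # assumed: wait for the clone to finish before starting the app
    "dependsOn": [{"containerName": "sidecar-container", "condition": "SUCCESS"}],
}

# After: mount the task-level volume directly, at the same path as the sidecar.
PRIMARY_AFTER = copy.deepcopy(PRIMARY_BEFORE)
del PRIMARY_AFTER["volumesFrom"]
PRIMARY_AFTER["mountPoints"] = [
    {"sourceVolume": "git", "containerPath": "/git", "readOnly": False}
]


def task_definition(primary):
    """Assemble a registerable Fargate task definition around `primary`."""
    return {
        "family": "git-sidecar-demo",  # assumed family name
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "256",
        "memory": "512",
        "volumes": [GIT_VOLUME],
        "containerDefinitions": [SIDECAR, primary],
    }


def lint_shared_volume(taskdef, volume_name, container_path):
    """Pre-registration check for the failure mode described in the post.

    Returns a list of findings (empty when clean). It flags any container that
    relies on volumesFrom, any container that does not mount `volume_name` at
    `container_path`, and containers that do not all run as one explicit user.
    """
    findings = []
    declared = {v["name"] for v in taskdef.get("volumes", [])}
    if volume_name not in declared:
        findings.append(f"task does not declare volume '{volume_name}'")

    users = set()
    for c in taskdef["containerDefinitions"]:
        users.add(c.get("user"))
        for vf in c.get("volumesFrom", []):
            findings.append(
                f"{c['name']}: uses volumesFrom {vf['sourceContainer']}; "
                f"mount '{volume_name}' via mountPoints instead"
            )
        mounts = {m["sourceVolume"]: m["containerPath"] for m in c.get("mountPoints", [])}
        if volume_name not in mounts:
            findings.append(f"{c['name']}: does not mount volume '{volume_name}'")
        elif mounts[volume_name] != container_path:
            findings.append(
                f"{c['name']}: mounts '{volume_name}' at {mounts[volume_name]}, "
                f"expected {container_path}"
            )
    if None in users or len(users) != 1:
        findings.append("containers must all run as the same explicit non-root user")
    return findings


if __name__ == "__main__":
    for label, primary in (("before", PRIMARY_BEFORE), ("after", PRIMARY_AFTER)):
        print(label, lint_shared_volume(task_definition(primary), "git", "/git"))
    # Feed the fixed definition to:
    #   aws ecs register-task-definition --cli-input-json file://taskdef.json
    print(json.dumps(task_definition(PRIMARY_AFTER), indent=2))
```

Running the block prints two findings for the "before" layout (primary-container uses volumesFrom and has no mountPoints entry for git) and none for the "after" layout; the JSON it emits last is the fixed definition in the shape the AWS CLI accepts.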