Closed joeltg closed 5 years ago
Hi,
Starting ecs this way via userdata will cause a deadlock in systemd's startup scripts for docker and ecs.
The systemd units for both ecs and docker have a directive to wait for cloud-init to finish before starting. The cloud-init process isn't considered finished until your userdata has finished running. So, requesting ecs (or docker) to start within userdata will cause this condition.
You should be able to fix this by adding a '--no-block' flag:
systemctl enable --now --no-block ecs.service
Please let me know if you have any additional questions.
That's exactly what I was looking for! Thank you!
Hi guys, don't you think that aws agent unit file for systemd should be corrected and line
After=cloud-final.service
removed from it?
hi @petderek thanks.
I found that the systemctl enable --now
flag doesn't work in current systemd version (219) for Amazon Linux 2 ECS AMI - see https://unix.stackexchange.com/questions/374280/the-now-switch-of-systemctl.
Easiest way to fix this is as follows:
$ sudo systemctl edit --full ecs
...
...
[Unit]
Description=Amazon Elastic Container Service - container agent
Documentation=https://aws.amazon.com/documentation/ecs/
Requires=docker.service
After=docker.service
After=cloud-final.service # REMOVE THIS LINE
...
...
$ sudo systemctl daemon-reload
Or more directly (e.g. in a Packer script):
sudo cp /usr/lib/systemd/system/ecs.service /etc/systemd/system/ecs.service
sudo sed -i '/After=cloud-final.service/d' /etc/systemd/system/ecs.service
sudo systemctl daemon-reload
This is also an issue if services are installed, and started by the user data scripts, which have the ecs.service
as an "After" dependency.
The fact that the cloud-final.service
blocks until the user data completes causes a circular dependency which prevents the system from loading.
i.e. user.data > my.service > ecs.service > cloud-final.service > user.data
See the recent comments in #1740
This should be reopened and the ecs.service config should be updated to remove the cloud-final.service as a dependency.
This should be reopened and the ecs.service config should be updated to remove the cloud-final.service as a dependency.
The only problem with this is that it potentially breaks another use case. The reason we have the cloud-final.service
is so that a user can modify ecs configuration as part of the userdata script. Our documentation has examples like this:
echo ECS_CLUSTER=my_cluster >> /etc/ecs/ecs.config
Since we are guaranteed that userdata is completely processed before agent starts, no further systemd configuration is required in order to ensure that agent receives the intended values.
I'm thinking that the best path for the optimized AMI is to leave the current configuration as is for general use. The workarounds include:
systemctl enable --now --no-block ecs.service
if you need ecs to be available as part of your userdata script.Hi @petderek
In such case one of the mentioned workarounds like systemctl enable --now --no-block ecs.service
or update of unit file should be should be reflected in AWS ECS agent documentation page on AWS in part related to manual ECS agent installation. Systemd doesn't show any errors or other notifications about deadlock dependency.
I would agree to leave the behaviour as is to accommodate the simple use cases of modifying ECS configuration during user data.
In my use case, I actually do a "health check" of sorts in the user data section (as part of cfn-init
) and wait until the local ECS metadata endpoint is reporting back the agent has joined the desired cluster, before reporting back to CloudFormation that the instance has successfully initialised. This is a more advanced use case that can easily accommodate the workarounds required.
@petderek Do you know what the timeline of the boot process looks like? Could it be that ecs configuration is setup in the cloud-boothook
instead of a script phase? Would this be early enough?
I understand your hesitation to break the "simple" use case where ecs config is modified in the user data script, but as it is this causes a blocking issue which is far more severe than a config not being loaded as expected. I've spent nearly a week trying to understand why the ecs.service wasn't starting, until a college found this issue... I have to imagine there's a better way to achieve what's needed here without blocking the boot process by design.
Additionally, now understanding that the boot process is blocked by the user data, I've experimented with multiple approaches to making the user data exit quickly and this indeed solves the issue without the need to remove the cloud-final.service
from the ecs.service as a dependency.
i.e. systemctl enable --now --no-block <service>
(as indicated) is a viable workaround, as is something like using &
after the shell command to prevent the command from blocking (something like systemctl start <service> &
. In both cases, <service>
could be the ecs.service, or a custom service which has the ecs.service as a dependency.
Hi @petderek and @all I'm facing a similar trouble when I follow the steps described in this AWS blog post to install the rex-ray plugin in a ECS Optimized AMI (ie I'm not manually installing the ecs agent/service). When I do a curl looping to http://localhost:51678/v1/metadata in the user-data script to wait for the ecs service, it never stabilize (never starts) but without this loop it starts ok.
Could this be the same issue, and if so how should I circumvent it? should I manually start ecs using systemctl enable --now --no-block ecs
in my user-data script?
@ericchaves yes, this would be the same issue. The metadata endpoint won't be alive until agent starts, which by default won't happen until after the userdata script is finished.
@petderek , so is the user-data script below expected to work?
#!/bin/bash
systemctl enable --now --no-block ecs
docker plugin install rexray/ebs REXRAY_PREEMPT=true EBS_REGION=<AWS-REGION> --grant-all-permissions
systemctl restart docker
systemctl restart ecs
update: I tried some variations of the code above and it still blockig the user-data script, so in the end the question is how (or where) should I do to restart docker and ecs service when provisioning new ECS optimized instances?
Hi all, Finally found this issue discussion as I am running into this problem too, trying to migrate our userdata script from "Amazon Linux AMI" to "Amazon Linux 2 AMI". Find it quite incredible that no documentation can be found about this problem and the correct steps to follow to simply start the ecs agent from userdata script...
Anyway, I'd just like to replace my old command:
start ecs
with the one(s) compatible with Linux 2 AMI.
Can someone tell me what I have to do please ?, is systemctl enable --now --no-block ecs
enough and can I fully rely on it ?
(we're migrating on Linux 2 AMI as a first step of migrating to ARM bases a1 instance in production)
Here is our full user data script we have to migrate:
#!/bin/bash
yum update -y
echo ECS_CLUSTER="${ECS_CLUSTER_NAME}" >> /etc/ecs/ecs.config
echo ECS_LOGLEVEL=debug >> /etc/ecs/ecs.config
start ecs
yum install -y awslogs jq
# Inject the CloudWatch Logs configuration file contents
cat > /etc/awslogs/awslogs.conf <<- EOF
[general]
state_file = /var/lib/awslogs/agent-state
[/var/log/dmesg]
file = /var/log/dmesg
log_group_name = /var/log/dmesg
log_stream_name = {cluster}/{container_instance_id}
[/var/log/messages]
file = /var/log/messages
log_group_name = /var/log/messages
log_stream_name = {cluster}/{container_instance_id}
datetime_format = %b %d %H:%M:%S
[/var/log/docker]
file = /var/log/docker
log_group_name = /var/log/docker
log_stream_name = {cluster}/{container_instance_id}
datetime_format = %Y-%m-%dT%H:%M:%S.%f
[/var/log/ecs/ecs-init.log]
file = /var/log/ecs/ecs-init.log
log_group_name = /var/log/ecs/ecs-init.log
log_stream_name = {cluster}/{container_instance_id}
datetime_format = %Y-%m-%dT%H:%M:%SZ
[/var/log/ecs/ecs-agent.log]
file = /var/log/ecs/ecs-agent.log.*
log_group_name = /var/log/ecs/ecs-agent.log
log_stream_name = {cluster}/{container_instance_id}
datetime_format = %Y-%m-%dT%H:%M:%SZ
EOF
#######################
# cloudwatch setup
#######################
# Set the region to send CloudWatch Logs data to (the region where the container instance is located)
region=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
sed -i -e "s/region = us-east-1/region = $region/g" /etc/awslogs/awscli.conf
script
exec 2>>/var/log/ecs/cloudwatch-logs-start.log
set -x
until curl -s http://localhost:51678/v1/metadata
do
sleep 1
done
# Grab the cluster and container instance ARN from instance metadata (ECS Agent Introspection)
# Ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html
cluster=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .Cluster')
container_instance_id=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F/ '{print $2}' )
# Replace the cluster name and container instance ID placeholders with the actual values
sed -i -e "s/{cluster}/$cluster/g" /etc/awslogs/awslogs.conf
sed -i -e "s/{container_instance_id}/$container_instance_id/g" /etc/awslogs/awslogs.conf
service awslogs start
chkconfig awslogs on
end script
Thank you
@philippefuentes it looks like you are using ECS optimized AMI, so yes, in such case you should use
systemctl enable --now --no-block ecs
to start ecs agent
@dpavlov-smartling thank for your quick answer and sorry for not being specific enough, I indeed use ECS Optimized AMI
Unfortunately, it does not work for me, after ssh(ing) on a fresh new instance , the agent is not started using systemctl enable --now --no-block ecs
[ec2-user@ip-10-1-1-146 ~]$ systemctl status ecs
● ecs.service - Amazon Elastic Container Service - container agent
Loaded: loaded (/usr/lib/systemd/system/ecs.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Docs: https://aws.amazon.com/documentation/ecs/
Even in the context of a userdata script, none of the commands suggested in this discussion worked for me, the only way I can seem to start the agent is by editing the conf file as suggested by @mixja , so by finally replacing:
start ecs
with:
sed -i '/After=cloud-final.service/d' /usr/lib/systemd/system/ecs.service
systemctl daemon-reload
In my userdata script, the agent is started correctly. But it is not really appealing to me...should I use this in production ?
Additional info, I'm using this AMI: ami-09cd8db92c6bf3a84
11:47 $ aws ssm get-parameters --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended --region eu-west-1
{
"Parameters": [
{
"Name": "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended",
"Type": "String",
"Value": "{\"schema_version\":1,\"image_name\":\"amzn2-ami-ecs-hvm-2.0.20190402-x86_64-ebs\",\"image_id\":\"ami-09cd8db92c6bf3a84\",\"os\":\"Amazon Linux 2\",\"ecs_runtime_version\":\"Docker version 18.06.1-ce\",\"ecs_agent_version\":\"1.27.0\"}",
"Version": 12
}
],
"InvalidParameters": []
}
We don't use ECS optimized AMI, so we need to install ECS agent manually and following command does work properly:
amazon-linux-extras disable docker && amazon-linux-extras install -y ecs && systemctl enable --now --no-block ecs
It looks ok in this context indeed, I wish straightforward starting steps could be done when using ECS Optimized AMI. thx
Hi all, following @philippefuentes suggestion I was able to adjust my user-data script (I'm also using Amazon Linux 2 ECS Optmimize ami).
I'm sharing my final user-data script for others facing similar trouble and by chance find this issue (until aws docs & post got updated I hope =) ).
#!/bin/bash
yum install -y aws-cfn-bootstrap
yum update -y
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource ECSInstanceConfiguration --region ${AWS::Region}
sed -i '/After=cloud-final.service/d' /usr/lib/systemd/system/ecs.service
systemctl daemon-reload
exec 2>>/var/log/ecs-agent-reload.log
set -x
until curl -s http://localhost:51678/v1/metadata; do sleep 1; done
docker plugin install rexray/ebs REXRAY_PREEMPT=true EBS_REGION=${AWS::Region} --grant-all-permissions
systemctl restart docker
systemctl restart ecs
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSScalingGroup --region ${AWS::Region}
Cheers!
The AWS docs really, really should mention --no-block
for Amazon Linux2 AMI, because this is an absolutely ridic. issue to troubleshoot when following the instructions on the Amazon ECS doc pages. The Amazon ECS doc pages for 'how to install and run the ecs cluster agent' make the process seem trivial... but then you hit a race condition that only magically resolves itself if you land here and add the 'no-block' or you kill
the systemctl
process and notice that all of a sudden the ecs-init process that follows it seems to make things work.
Nothing what is mentioned here worked for me. I guess there is something fucked up with the systemd asynchron startup process (depencencies).
The safest workaround is to disable the ecs service and add an ecs.timer on the ecs service, whitch starts the ecs service with a little delay.
[Timer]
OnBootSec=15s
[Install]
WantedBy=basic.target
lol do you just make your customers go around in circles following instructions that don't work?
This is pretty embarrassing...
Hello everyone, I am not currently aware of any ECS docs page that recommends running systemctl start ecs
in userdata on the AL2 platform. We have this note in the docs page about installing the ecs container agent that I think clarifies this behavior, so I'm not sure exactly what more we can do to help with this issue (from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html):
Are there any ECS docs that currently direct users to start ecs in AL2 userdata? If so please provide URLs and we can fix them ASAP.
Hello everyone, I am not currently aware of any ECS docs page that recommends running
systemctl start ecs
in userdata on the AL2 platform. We have this note in the docs page about installing the ecs container agent that I think clarifies this behavior, so I'm not sure exactly what more we can do to help with this issue (from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html):Are there any ECS docs that currently direct users to start ecs in AL2 userdata? If so please provide URLs and we can fix them ASAP.
I think there is one advanced use case for using ECS with Rexray to mount EBS.
https://aws.amazon.com/blogs/compute/amazon-ecs-and-docker-volume-drivers-amazon-ebs/
This blog written by AWS is base on amazon linux (AL) not amazon linux 2 (AL2). but I would like to use AL2 over the old AL.
the step involved are required to restart the ecs service after plugin installed. but atm the stop/start and restart are being blocked with the block here
I was facing the same issue till I realized that there was no need to re-start the ecs service for Rexray device. I think the document is old (mentions Amazon Linux 1). As per comments above, the ECS service is not even running at this point and is going to be started at the end of user data execution anyway, so why do we need to start it within user data at all?
My docker plugin ls
shows Rexray as enabled. So I am guessing removing the ECS stop / start script is the right way to do this.
Hello everyone, I am not currently aware of any ECS docs page that recommends running
systemctl start ecs
in userdata on the AL2 platform.
I think the main problem is that there is no mention of how to start the ecs
service when running AL2 from User data. In the linked page, in step 4 you mention sudo amazon-linux-extras install -y ecs; sudo systemctl enable --now ecs
. However, you are asking to perform these steps by logging into the machine (step 2). This is ok for manual configuration. But when using something like ASG, devs depend on user data to install ecs and start it.
One clarification I need: if we install ecs using sudo amazon-linux-extras install -y ecs
, will it auto-start the service after user data init is complete? If that's the case, then all problems are resolved.
In any case, I strongly feel you should have a section in the above link on How to enable ECS from User data
. I just wasted 2 days simply trying to solve the ecs agent getting locked issue! So I feel many other people probably go through this horrid experience. Thanks!
@petderek I am also trying to create a persistence storage using EBS volume in ECS via Container instances from EC2 (AMI amazon linux 2 (AL2)). My goal is to attach existing EBS volume by using the same name of the EBS volume. The concerns are around the EC2 user_data script, task_definition used in light of autoprovision = false
I found these interesting blogs around the subject:
@saranglakare
#!/bin/bash
echo "ECS_CLUSTER=portcast-eta-test" >> /etc/ecs/ecs.config
# install the REX-Ray Docker volume plugin
docker plugin install rexray/ebs REXRAY_PREEMPT=true EBS_REGION=ap-southeast-1 --grant-all-permissions
# restart the ECS agent. This ensures the plugin is active and recognized once the agent starts.
sudo systemctl restart ecs
autoprovision = false
does it imply now I still need to mention the volume driver_options i.e the volumetype gp2 and size 5 ?To use existing volume it says here needs to be used which then gets referenced in task definition based on the documentation https://aws.amazon.com/blogs/compute/amazon-ecs-and-docker-volume-drivers-amazon-ebs/
--tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=rexray-vol}]'
I think this is a bit off topic for this thread. Your user data script is correct, just remove the last line to restart ecs
which is simply not required! The plugin has nothing to do with ECS.. It's a Docker plugin. You can ssh to the machine and do docker plugin ls
and you should see the plugin is installed and active
.
Just say follow Step 3 onwards from this guide: https://aws.amazon.com/blogs/compute/amazon-ecs-and-docker-volume-drivers-amazon-ebs/
If you are using existing EBS volume, just use the name of the EBS volume in your Task definition (under volumes
-> name
), set autoprovision=false
, set shared=true
and you do not need to give any driverOpts
.
The only restriction is that the volume has to be in the same availability zone as the instance running. So ensure you only allow same az instances - from the same az where your volume exists. Hope this helps!
One clarification I need: if we install ecs using sudo amazon-linux-extras install -y ecs, will it auto-start the service after user data init is complete? If that's the case, then all problems are resolved.
In any case, I strongly feel you should have a section in the above link on How to enable ECS from User data. I just wasted 2 days simply trying to solve the ecs agent getting locked issue! So I feel many other people probably go through this horrid experience. Thanks!
Yes the service will be auto-started. The problem is I'm not exactly sure what we would write in a section titled "How to enable ECS from User data". ECS agent doesn't need to be enabled in userdata. If it's been installed via the rpm or deb package (or repos) then it's already been enabled. It will auto-start after userdata ends.
--no-block ecs.service
This work perfectly
Summary
The ecs agent fails to start when enabled in a user data script.
Description
Per the documentation here, I'm trying to install the ECS Container Agent on an an Amazon Linux 2 EC2 instance. I'm launching Linux 2 with on a t2.micro with all defaults except IAM Role set to ecsInstanceRole and user data set to
Expected Behavior
The ecs agent starts and the instance appears in the default cluster
Observed Behavior
The instance does not appear in the default cluster. SSHing into the instance:
... and journalctl doesn't have any log entries for ecs either.
Now if I try to start the ecs agent with
sudo systemctl start ecs
, the command will hang indefinitely, but if I stop it withsudo systemctl stop ecs
first and then start again, it will succeed and show up as registered in the default cluster.Environment Details
Amazon Linux 2 AMI t2.micro
Supporting Log Snippets
(relevant error at bottom)