This is part of the change for ecs-agent to detect if an EC2 instance is exec-enabled, in other words, if the instance has the exec capability. Related change in amazon-ecs-agent:
(add link to pr in ecs-agent)
Update ecs-init to add bind mounts to the ecs-agent container for exec-for-ECS capability detection. For an EC2 instance to be considered exec-enabled, the instance needs to have these resources required by SSM:
SSM agent binaries
SSM agent configuration files (not validated for now)
certs files for SSM agent
Implementation details
For now, we only want to make sure all resources required by SSM (binaries, certs) exist. Since capabilities are stamped by ecs-agent, we need to provide a mechanism for the ecs-agent container to inspect the file system on host instance. To do this, we add bind mounts from the host instance to the ecs-agent container to check if all the following files exist:
/host/path/to/ecs-exec-dep
|-- bin
    |-- amazon-ssm-agent
    |-- ssm-session-worker
/host/path/to/certs
|-- tls-ca-bundle.pem
these get bind mounted to the ecs-agent container as:
One detail is to only create a bind mount if the source file/directory exists on host; we do not want docker to create an empty directory (with sudo) on the host instance. If the required file/directory does not exist on the instance, we want the ecs-agent to know that these resources do not exist, so the exec capability will not be added.
Testing
Manual test:
sudo systemctl start ecs
when all dependencies exist, inspect amazon-ecs-agent:latest container to check if all corresponding binds in HostConfig and mounts are added
remove one of the dependencies, sudo systemctl start ecs
inspect amazon-ecs-agent:latest container to check the corresponding binds and mounts are no longer added
New tests cover the changes: yes
TestGetCapabilityExecBinds
Description for the changelog
add bind mounts from SSM dependency (files/directories) on host to ecs-agent container for exec capability detection
Licensing
This contribution is under the terms of the Apache 2.0 License: yes