aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[service] [request]: Custom seccomp profile for ECS containers #1782

Open nick-kang opened 2 years ago

nick-kang commented 2 years ago

Tell us about your request Ability to add custom seccomp profile to ECS containers

Which service(s) is this request for? ECS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We'd like to securely run headless chromium on ECS. We'd like to run the container giving the least privileges possible and that involves passing in a custom seccomp.json file (https://github.com/docker/for-linux/issues/496#issuecomment-441149510).

ECS dockerSecurityOptions doesn't support custom seccomp files.

Are you currently working around this issue? We are using EKS as a workaround and this is blocking our migration to ECS.

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

forty commented 1 year ago

I have just opened a support case to AWS support on this topic.

Our use case is to be able to communicate with an AWS Nitro Enclave through VSOCK, which is by default not possible with recent docker releases, as the default seccomp filter does not allow AF_VSOCK.

Allowing a custom profile would avoid having to resort to using privileged=true (the only workaround currently), which is not great obviously.
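The two comments above (least-privilege chromium with a custom seccomp.json, and the default filter blocking AF_VSOCK) both come down to checking what a profile decides for a given syscall before attaching it to a task. The following is an added example, not code from the issue or from AWS or Docker: a simplified evaluator for the Docker/OCI seccomp JSON format, run over two constructed profiles (a restrictive one that denies socket(AF_VSOCK) and a custom one that adds an allow rule). It assumes the first rule naming the syscall whose argument conditions all hold wins; libseccomp's real precedence rules are more involved, so treat this as a sanity check, not a kernel-accurate simulation.

```python
import json

AF_VSOCK = 40  # Linux address-family number for AF_VSOCK

# Constructed profile (not Docker's real default.json): allow socket() for
# every domain except AF_VSOCK; everything else falls to the default action.
RESTRICTIVE_PROFILE = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [
   {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
    "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_NE"}]}]}
""")

# Constructed custom profile: same as above plus a rule that allows AF_VSOCK.
CUSTOM_PROFILE = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [
   {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
    "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_NE"}]},
   {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
    "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_EQ"}]}]}
""")

def _arg_matches(cond, actual):
    """Apply one seccomp argument comparison to an actual syscall argument."""
    op, value = cond["op"], cond["value"]
    if op == "SCMP_CMP_EQ": return actual == value
    if op == "SCMP_CMP_NE": return actual != value
    if op == "SCMP_CMP_LT": return actual < value
    if op == "SCMP_CMP_LE": return actual <= value
    if op == "SCMP_CMP_GT": return actual > value
    if op == "SCMP_CMP_GE": return actual >= value
    if op == "SCMP_CMP_MASKED_EQ":  # (actual & value) == valueTwo
        return (actual & value) == cond.get("valueTwo", 0)
    raise ValueError(f"unknown seccomp op {op}")

def evaluate(profile, syscall, args):
    """Simplified evaluation (assumption): first rule that names the syscall
    and whose arg conditions all hold wins; otherwise defaultAction applies."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        if all(_arg_matches(c, args[c["index"]]) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]

if __name__ == "__main__":
    # socket(AF_VSOCK, SOCK_STREAM, 0) under each profile
    print(evaluate(RESTRICTIVE_PROFILE, "socket", [AF_VSOCK, 1, 0]))  # SCMP_ACT_ERRNO
    print(evaluate(CUSTOM_PROFILE, "socket", [AF_VSOCK, 1, 0]))       # SCMP_ACT_ALLOW
```

Swap `CUSTOM_PROFILE` for `json.load(open("seccomp.json"))` to check the exact file you intend to pass to the runtime.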

douddle commented 1 year ago

I have a similar issue. I need to use VSOCK. I have found this previous issue, which is pretty similar but has been pending for 5 years! https://github.com/aws/containers-roadmap/issues/356