Request: Support for tmpfs parameter when launching containers

[CameronGo]

There is now support in the docker engine for a tmpfs flag that mounts a tmpfs file system into the running container. I believe this was added with docker v1.10.0. I would very much like to use this as a mechanism to store config secrets (such as PGP keys, DB passwords, etc...) I do not see a way currently to pass this option in to the ECS TaskDefinition. The syntax for the docker run command with this parameter looks like this:

docker run -ti --tmpfs /secrets:rw,noexec,nosuid,size=100m ubuntu:14.04 bash

[ceharris]

While the use of tmpfs mounts for secrets is also interesting, another use case for this feature would be to allow containers running under ECS to more easily run in read-only mode; e.g. by mounting tmpfs filesystems on /tmp, /var/run, etc.

[Overbryd]

This would be highly appreciated!

I would like to run some containers read only and use --tmpfs to give them some read/write space they can use (it is ephermal data anyways). This would substantially lower the pressure on EBS io.

+1

[raygunsix]

+1

[rhuddleston]

+1 I would also like to run read only and need this to move forward with that

[cyrilchampier]

+1, nice to have

[ceharris]

Running containers with a read-only root filesystem is now part of the CIS benchmark, and thus it won't be long before organizations start insisting on having this Docker functionality when running on ECS. It's possible run read-only now, but without having tmpfs for scratch space, it's hard to use effectively.

[philenz]

+1 such a simple and effective security option to use read-only with tmpfs

[osiegmar]

+1

[nomnux]

+1

[Prendo93]

+1

[seren]

This would be useful for us as well

[jhmartin]

A specific use case for this is the storage of the Varnish VSM file, where Varnish is very sensitive to slowdowns in writes to this temporary file. Mounting this directory into tmpfs would insulate it against EBS latencies.

[piotrbulinski]

In some cases, it's sufficient with using /dev/shm (which is tmpfs and has 64M by default).

[jhmartin]

@piotrbulinski I looked at that, but unfortunately my Varnish VSM file is about 80MB.

[piotrbulinski]

@jhmartin indeed, in some cases it will not be enough. Unfortunately for you the --shm-size is not supported either (#787)...

[coen-hyde]

I don't like being just another +1 but this is essential for running readonly containers

[sdesalas]

+1... @jhmartin, in the meantime you can increase the size of /dev/shm as a workaround.

[kerryjj]

+1 to being able to use tmpfs in ecs and elasticbeanstalk

[ghost]

+1

[bruceharrison1984]

+1

[zbyszek-matuszewski]

+1

[jayaskren]

+1

[dond00m]

+1

[asieira]

+1

[asieira]

Actually, --tmpfs doesn't allow you to set options. Ideally, we should be able to specify the tmpfs size and default file mode as per --mount type=tmpfs.

My use case is a per-container RAM disk for a sqlite database when running https://github.com/mlsecproject/gglsbl-rest in my ECS cluster, for performance reasons.

[gavinmh]

+1

[Stavanger75]

+1

[wangdrew]

+1

[t0sche]

Would love to see this in ECS since it is supported in docker_containers

[samuelkarp]

A proposal for the implementation of tmpfs is available in #1149.

[aaithal]

Hello everyone, we announced support for tmpfs parameter in the task definition today! Please refer to our documentation for more details.

Closing this issue for now. Please let us know if you have any follow up comments/questions regarding this.

[jorrit]

I would like to comment that the docs should be updated to state that the unit for shmsize/tmpfs.Size is MB.

Edit: Of course I also want to thank you for adding this feature!

[sharanyad]

@jorrit Thanks for reporting. The docs are updated now.

[jorrit]

Wonderful, thanks!