Add support for ECS exec #3075
Conversation
Builds will fail until I update the lookaside cache
- HostCertFile = "/var/lib/ecs/deps/execute-command/certs/tls-ca-bundle.pem" | ||
+ HostCertFile = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command/certs/tls-ca-bundle.pem" |
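Review bot: the new HostCertFile is a second hard-coded absolute path under /usr/libexec/amazon-ecs-agent/managed-agents, the same root this patch changes the dependency check to use; deriving it from that root constant (root + "/execute-command/certs/tls-ca-bundle.pem") would keep the certs, bin and config paths from drifting apart the next time the root moves, which is the risk the review thread below already touches on when it asks whether other places in the agent reference this file.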
You are confident this is another bind mount from the host, and not a CA cert bundle that the agent retrieves from elsewhere and manages?
Yes, this is another bind mount:
ecs-exec on ecs-exec [$] ❯ aws ecs execute-command \
--cluster bottlerocket --task <task-id> --container fedora \
--interactive --command "cat /proc/self/mountinfo" | rg tls
466 439 0:30 /pki/tls/certs/ca-bundle.crt /ecs-execute-command-384f4d6e-39e3-41ee-9e00-609338445345/certs/amazon-ssm-agent.crt ro,noatime - tmpfs tmpfs rw,context=system_u:object_r:etc_t:s0,mode=755
The agent does not manage the file. Even in the ECS anywhere script, the host's CA bundle is copied to this location:
Can the patch just point the agent to /etc/pki/tls/certs/ca-bundle.crt then? Then we wouldn't need a symlink.
We could do this, however the patch will be bigger since there are other places in the agent that should be updated to reference this file, e.g.
This adds the Amazon SSM agent as a helper program in preparation to enable ECS exec. The SSM agent is used under the hood whenever a new ECS exec session is created.
Signed-off-by: Arnaldo Garcia Rincon <[email protected]>

This adds the changes required to support ECS exec. A new patch in the ECS agent is required to change the paths where the agent looks for the SSM binaries, configurations and certificates, which are bind-mounted onto each task that is configured to use EXEC.
Signed-off-by: Arnaldo Garcia Rincon <[email protected]>

(Forced push addresses comments above)
LGTM!
LGTM! 🚢
Issue number:
Closes #1649
Description of changes:
This includes the changes required to support ECS exec in Bottlerocket.

Under the hood, the ECS agent runs the Amazon SSM agent in each container configured to use EXEC. The ECS agent bind-mounts the statically-linked SSM agent's binaries (amazon-ssm-agent, ssm-agent-worker, ssm-session-worker) onto each container and uses docker to execute them within the container's namespaces.

In the ECS Optimized AMIs, the ECS agent looks at the path /managed-agents for the dependencies needed to use ECS exec. This directory is a bind-mount to /var/lib/ecs/deps/. The ECS agent checks that the bin, config and certs directories exist to mark the instances as “capable” to run ECS exec. The ECS agent requires the SSM binaries to be in a versioned directory within bin, and a CA bundle named tls-ca-bundle.pem to be available in certs. The agent uses config to store configurations created at runtime for each ECS exec session, so it needs to be writable by the agent.

In this PR, a patch for the ECS agent updates the path used to check for dependencies from /managed-agents to /usr/libexec/amazon-ecs-agent/managed-agents. This is because in Bottlerocket the ECS agent runs as a system service instead of a docker container, and /usr/libexec is used to store binaries that are used by other programs. The config directory for the SSM sessions is a symbolic link to /var/ecs/managed-agents/execute-command/config to allow the ECS agent to generate the required configurations at runtime. This directory is created via tmpfiles.d. The certs directory contains a symbolic link to the CA bundle of the host. The bin directory is a symbolic link to the directory that contains the versioned SSM binaries.

Testing done:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
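A host-side check of the managed-agents layout the description lays out, added here as an example (it is not the PR's or the ECS agent's code): it walks the bin, config and certs directories under the root the patch introduces and reports every defect it finds, including a dangling CA-bundle symlink. Paths and binary names come from the PR; the execute-command subdirectory is taken from the patched HostCertFile path, and the version directory name used when exercising it is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the PR or of the ECS agent: check that a host
# carries the managed-agents layout the patched ECS agent expects.
# Paths and binary names are taken from the PR; nothing else is assumed.

# Root the PR's patch points the agent at (see the HostCertFile change).
MANAGED_AGENTS_ROOT="/usr/libexec/amazon-ecs-agent/managed-agents"

# check_managed_agents [ROOT]: returns 0 when the layout is complete, 1 otherwise.
# Each defect is reported on stderr so one run lists all of them.
check_managed_agents() {
    ec="${1:-$MANAGED_AGENTS_ROOT}/execute-command"
    rc=0
    # The agent marks the instance "capable" only if all three directories exist.
    for d in bin config certs; do
        [ -d "$ec/$d" ] || { echo "missing directory: $ec/$d" >&2; rc=1; }
    done
    # certs/ holds a symlink to the host CA bundle under the exact name the
    # agent reads; a dangling link would be silently useless, so resolve it.
    ca="$ec/certs/tls-ca-bundle.pem"
    [ -r "$ca" ] || { echo "CA bundle unreadable or dangling: $ca" >&2; rc=1; }
    # config/ (a symlink to /var/ecs/...) receives per-session files at runtime.
    [ -w "$ec/config" ] || { echo "config not writable: $ec/config" >&2; rc=1; }
    # bin/ must hold at least one versioned directory with all three SSM binaries.
    found=0
    for v in "$ec"/bin/*/; do
        [ -d "$v" ] || continue
        ok=1
        for b in amazon-ssm-agent ssm-agent-worker ssm-session-worker; do
            [ -x "$v$b" ] || ok=0
        done
        [ "$ok" -eq 1 ] && found=1
    done
    [ "$found" -eq 1 ] || { echo "no complete versioned SSM directory under $ec/bin" >&2; rc=1; }
    return "$rc"
}

# Stand-alone use: `sh check-managed-agents.sh [ROOT]`; without an argument
# nothing runs, so the function can also be sourced from another script.
if [ "$#" -gt 0 ]; then check_managed_agents "$1"; fi
```

Run it on the host (or in the admin container with the root filesystem mounted) with the managed-agents root as its argument; a non-zero exit plus the stderr lines tells you which of the three requirements the agent's capability check would fail on.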