From 895410dbda66ee36694d1fa79722984bdac0ae2f Mon Sep 17 00:00:00 2001
From: Arnaldo Garcia Rincon
Date: Wed, 3 May 2023 22:11:10 +0000
Subject: [PATCH 1/2] packages: add amazon-ssm-agent

This adds the Amazon SSM agent as a helper program in preparation to enable ECS exec. The SSM agent is used under the hood whenever a new ECS exec session is created.

Signed-off-by: Arnaldo Garcia Rincon
---
 packages/amazon-ssm-agent/Cargo.toml | 16 ++++++
 .../amazon-ssm-agent/amazon-ssm-agent.spec | 50 +++++++++++++++++++
 packages/amazon-ssm-agent/build.rs | 9 ++++
 packages/amazon-ssm-agent/pkg.rs | 1 +
 4 files changed, 76 insertions(+)
 create mode 100644 packages/amazon-ssm-agent/Cargo.toml
 create mode 100644 packages/amazon-ssm-agent/amazon-ssm-agent.spec
 create mode 100644 packages/amazon-ssm-agent/build.rs
 create mode 100644 packages/amazon-ssm-agent/pkg.rs

diff --git a/packages/amazon-ssm-agent/Cargo.toml b/packages/amazon-ssm-agent/Cargo.toml
new file mode 100644
index 00000000000..91a55bf7739
--- /dev/null
+++ b/packages/amazon-ssm-agent/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "amazon-ssm-agent"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/aws/amazon-ssm-agent/archive/3.2.815.0/amazon-ssm-agent-3.2.815.0.tar.gz"
+sha512 = "724b659f7141dc9c797288f109b35c2a516f08f843d472da0d44f1a04c5fbce30fd8df0cde95be355ca2a710b146c89e1ee3bb5905c297a90b3aaccf78d9da8b"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
diff --git a/packages/amazon-ssm-agent/amazon-ssm-agent.spec b/packages/amazon-ssm-agent/amazon-ssm-agent.spec
new file mode 100644
index 00000000000..85f0452988c
--- /dev/null
+++ b/packages/amazon-ssm-agent/amazon-ssm-agent.spec
@@ -0,0 +1,50 @@
+# Don't generate debug packages because we are compiling without CGO,
+# and the `gc` compiler doesn't append the the ".note.gnu.build-id" section
+# https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID
+%global debug_package %{nil}
+
+%global goproject github.com/aws
+%global gorepo amazon-ssm-agent
+%global goimport %{goproject}/%{gorepo}
+
+Name: %{_cross_os}amazon-ssm-agent
+Version: 3.2.815.0
+Release: 1%{?dist}
+Summary: An agent to enable remote management of EC2 instances
+License: Apache-2.0
+URL: https://github.com/aws/amazon-ssm-agent
+Source0: %{gorepo}-%{version}.tar.gz
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%prep
+%setup -n %{gorepo}-%{version}
+
+%build
+%set_cross_go_flags
+
+# Set CGO_ENABLED=0 to statically link binaries that will be bind-mounted by the ECS agent
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o amazon-ssm-agent \
+ ./core/agent.go ./core/agent_unix.go ./core/agent_parser.go
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o ssm-agent-worker \
+ ./agent/agent.go ./agent/agent_unix.go ./agent/agent_parser.go
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o ssm-session-worker \
+ ./agent/framework/processor/executer/outofproc/sessionworker/main.go
+
+%install
+# Install the SSM agent under 'libexecdir', since it is meant to be used by other programs
+install -d %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+for b in amazon-ssm-agent ssm-agent-worker ssm-session-worker; do
+ install -D -p -m 0755 ${b} %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+done
+
+%cross_scan_attribution go-vendor vendor
+
+%files
+%license LICENSE
+%{_cross_attribution_file}
+%{_cross_attribution_vendor_dir}
+%dir %{_cross_libexecdir}/amazon-ssm-agent
+%{_cross_libexecdir}/amazon-ssm-agent
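Review bot: The second line of the header comment doubles a word ("doesn't append the the"); the line should read `# and the gc compiler doesn't append the ".note.gnu.build-id" section` (keeping the backticks around gc as in the original). In the `%install` loop, `install -D` is given a directory as its destination, which only works because `install -d` created that directory on the line above; `-D` is meant for file destinations, so `install -p -m 0755 ${b} %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}/` with the trailing slash states the intent more plainly. The `%build` comment already records why CGO is disabled; a matching one-line comment above the loop noting that the versioned `bin/%{version}` layout is what the ECS agent expects would make the directory name less surprising to a reader who has not seen the ecs-agent spec.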
diff --git a/packages/amazon-ssm-agent/build.rs b/packages/amazon-ssm-agent/build.rs
new file mode 100644
index 00000000000..cad8999af53
--- /dev/null
+++ b/packages/amazon-ssm-agent/build.rs
@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+ let ret = Command::new("buildsys").arg("build-package").status()?;
+ if !ret.success() {
+ exit(1);
+ }
+ Ok(())
+}
diff --git a/packages/amazon-ssm-agent/pkg.rs b/packages/amazon-ssm-agent/pkg.rs
new file mode 100644
index 00000000000..d799fb2d44c
--- /dev/null
+++ b/packages/amazon-ssm-agent/pkg.rs
@@ -0,0 +1 @@
+// not used

From 692810ff6e34f4792a728f3de88514126741d474 Mon Sep 17 00:00:00 2001
From: Arnaldo Garcia Rincon
Date: Wed, 3 May 2023 22:14:42 +0000
Subject: [PATCH 2/2] ecs-agent: enable ECS exec

This adds the changes required to support ECS exec. A new patch in the ECS agent is required to change the paths where the agent looks for the SSM binaries, configurations and certificates, which are bind-mounted onto each task that is configured to use EXEC.

Signed-off-by: Arnaldo Garcia Rincon
---
 ...execcmd-directories-for-Bottlerocket.patch | 67 +++++++++++++++++++
 packages/ecs-agent/Cargo.toml | 1 +
 packages/ecs-agent/ecs-agent.spec | 26 +++++++
 packages/ecs-agent/ecs-tmpfiles.conf | 3 +
 variants/Cargo.lock | 8 +++
 5 files changed, 105 insertions(+)
 create mode 100644 packages/ecs-agent/0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch

diff --git a/packages/ecs-agent/0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch b/packages/ecs-agent/0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch
new file mode 100644
index 00000000000..30586f8b4e0
--- /dev/null
+++ b/packages/ecs-agent/0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch
@@ -0,0 +1,67 @@
+From c9f3e2e695fa0c426c7c9196354c5ac7f138845a Mon Sep 17 00:00:00 2001
+From: Arnaldo Garcia Rincon
+Date: Wed, 3 May 2023 18:23:40 +0000
+Subject: [PATCH] execcmd: change execcmd directories for Bottlerocket
+
+The ECS agent performs checks on directories that, in normal
+circumstances, are mounted on the ECS agent container. Since the ECS
+agent runs as a service in Bottlerocket, the paths to the directories
+are different.
+
+Signed-off-by: Arnaldo Garcia Rincon
+---
+ agent/app/agent_capability_unix.go | 2 +-
+ agent/engine/execcmd/manager_init_task_linux.go | 4 ++--
+ agent/engine/execcmd/manager_linux.go | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/agent/app/agent_capability_unix.go b/agent/app/agent_capability_unix.go
+index 51b4393..76492c7 100644
+--- a/agent/app/agent_capability_unix.go
++++ b/agent/app/agent_capability_unix.go
+@@ -37,7 +37,7 @@ const (
+ SSE41 = "sse4_1"
+ SSE42 = "sse4_2"
+ CpuInfoPath = "/proc/cpuinfo"
+- capabilityDepsRootDir = "/managed-agents"
++ capabilityDepsRootDir = "/usr/libexec/amazon-ecs-agent/managed-agents"
+ )
+
+ var (
+diff --git a/agent/engine/execcmd/manager_init_task_linux.go b/agent/engine/execcmd/manager_init_task_linux.go
+index 05af158..6117e55 100644
+--- a/agent/engine/execcmd/manager_init_task_linux.go
++++ b/agent/engine/execcmd/manager_init_task_linux.go
+@@ -24,7 +24,7 @@ import (
+ )
+
+ const (
+- ecsAgentExecDepsDir = "/managed-agents/execute-command"
++ ecsAgentExecDepsDir = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command"
+
+ // ecsAgentDepsBinDir is the directory where ECS Agent will read versions of SSM agent
+ ecsAgentDepsBinDir = ecsAgentExecDepsDir + "/bin"
+@@ -40,7 +40,7 @@ const (
+ ContainerLogDir = "/var/log/amazon/ssm"
+ ECSAgentExecLogDir = "/log/exec"
+
+- HostCertFile = "/var/lib/ecs/deps/execute-command/certs/tls-ca-bundle.pem"
++ HostCertFile = 
"/usr/libexec/amazon-ecs-agent/managed-agents/execute-command/certs/tls-ca-bundle.pem"
+ ContainerCertFileSuffix = "certs/amazon-ssm-agent.crt"
+
+ ContainerConfigFileSuffix = "configuration/" + containerConfigFileName
+diff --git a/agent/engine/execcmd/manager_linux.go b/agent/engine/execcmd/manager_linux.go
+index 706d5da..6322816 100644
+--- a/agent/engine/execcmd/manager_linux.go
++++ b/agent/engine/execcmd/manager_linux.go
+@@ -16,6 +16,6 @@
+ package execcmd
+
+ const (
+- hostExecDepsDir = "/var/lib/ecs/deps/execute-command"
++ hostExecDepsDir = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command"
+ HostBinDir = hostExecDepsDir + "/bin"
+ )
+--
+2.39.2
+
diff --git a/packages/ecs-agent/Cargo.toml b/packages/ecs-agent/Cargo.toml
index eac2e03db82..f014b199b5a 100644
--- a/packages/ecs-agent/Cargo.toml
+++ b/packages/ecs-agent/Cargo.toml
@@ -41,3 +41,4 @@ glibc = { path = "../glibc" }
 # docker-engine = { path = "../docker-engine" }
 # `iptables` is only needed at runtime, and is pulled in by `release`.
 # iptables = { path = "../iptables" }
+amazon-ssm-agent = { path = "../amazon-ssm-agent" }
diff --git a/packages/ecs-agent/ecs-agent.spec b/packages/ecs-agent/ecs-agent.spec
index 3a262fe3eba..787da0d561c 100644
--- a/packages/ecs-agent/ecs-agent.spec
+++ b/packages/ecs-agent/ecs-agent.spec
@@ -68,6 +68,9 @@ Patch0004: 0004-bottlerocket-remove-unsupported-CNI-plugins.patch
 # Bottlerocket-specific - fix procfs path for non-containerized ECS agent
 Patch0005: 0005-bottlerocket-fix-procfs-path-on-host.patch

+# Bottlerocket-specific - fix ECS exec directories
+Patch0006: 0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch
+
 # Bottlerocket-specific - filesystem location for ECS CNI plugins
 Patch1001: 1001-bottlerocket-default-filesystem-locations.patch

@@ -75,6 +78,7 @@ BuildRequires: %{_cross_os}glibc-devel
 Requires: %{_cross_os}docker-engine
 Requires: %{_cross_os}iptables
+Requires: %{_cross_os}amazon-ssm-agent

 %description
 %{summary}.
@@ -248,6 +252,27 @@ install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf
 install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf
 install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config

+# Directory for agents used by the ECS agent, e.g. SSM, Service Connect
+%global managed_agents %{_cross_libexecdir}/amazon-ecs-agent/managed-agents
+install -d %{buildroot}%{managed_agents}
+
+# Directory for ECS exec artifacts
+%global ecs_exec_dir %{managed_agents}/execute-command
+install -d %{buildroot}%{ecs_exec_dir}
+
+# The ECS agent looks for real versioned directories under bin, symlinks will be
+# ignored. Thus, link the bin directory in the ssm-agent directory which contains
+# the versioned binaries.
+ln -rs %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin %{buildroot}/%{ecs_exec_dir}/bin
+
+# The ECS agent generates and stores configurations for ECS exec sessions inside
+# "config", thus reference it with a symlink to a directory under /var
+ln -rs %{buildroot}%{_cross_localstatedir}/ecs/managed-agents/execute-command/config %{buildroot}%{ecs_exec_dir}/config
+
+# Use the host's certificates bundle for ECS exec sessions
+install -d %{buildroot}%{ecs_exec_dir}/certs
+ln -rs %{buildroot}%{_cross_sysconfdir}/pki/tls/certs/ca-bundle.crt %{buildroot}%{ecs_exec_dir}/certs/tls-ca-bundle.pem
+
 # Prepare license and vendor information so it can be co-installable
 mv %{ecscni_gorepo}-%{ecscni_gitrev}/LICENSE %{ecscni_gorepo}-%{ecscni_gitrev}/LICENSE.%{ecscni_gorepo}
 mv %{vpccni_gorepo}-%{vpccni_gitrev}/LICENSE %{vpccni_gorepo}-%{vpccni_gitrev}/LICENSE.%{vpccni_gorepo}
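Review bot: The first `ln -rs` spells its link path as `%{buildroot}/%{ecs_exec_dir}/bin` while every other path in this hunk is written `%{buildroot}%{ecs_exec_dir}`; because `%{ecs_exec_dir}` already begins with `/`, this produces a double slash that `ln` tolerates but that reads as a typo, so `ln -rs %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin %{buildroot}%{ecs_exec_dir}/bin` keeps the hunk consistent. The literal `/usr/libexec/amazon-ecs-agent/managed-agents` directory that `%{managed_agents}` expands to is also hard-coded three times in the new 0006 patch, and nothing ties the two together, so a comment next to the `%global`, `# Must match the paths patched in 0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch`, would stop a future rename from silently breaking exec. The `config` link and the `certs/tls-ca-bundle.pem` link point at targets that do not exist in the buildroot (the `/var` path is presumably created by the tmpfiles rule at boot and the CA bundle comes from elsewhere), so they are dangling at package-build time; a one-line comment saying so would keep the next reader from treating that as a packaging error. The `%install` section continues outside the hunk.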
@@ -289,6 +314,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo}
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-eni
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 %{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
+%{_cross_libexecdir}/amazon-ecs-agent/managed-agents
 %{_cross_unitdir}/ecs.service
 %{_cross_unitdir}/etc-ecs.mount
 %{_cross_tmpfilesdir}/ecs.conf
diff --git a/packages/ecs-agent/ecs-tmpfiles.conf b/packages/ecs-agent/ecs-tmpfiles.conf
index 8bba088b1a1..e4ec94bf179 100644
--- a/packages/ecs-agent/ecs-tmpfiles.conf
+++ b/packages/ecs-agent/ecs-tmpfiles.conf
@@ -1,2 +1,5 @@
 d /var/lib/ecs/data 0700 root root
 d /var/log/ecs 0755 root root
+d /var/log/ecs/exec 0755 root root -
+R /var/ecs/managed-agents - - - -
+d /var/ecs/managed-agents/execute-command/config 0750 root root -
diff --git a/variants/Cargo.lock b/variants/Cargo.lock
index 4364383cbe1..d62f317a90c 100644
--- a/variants/Cargo.lock
+++ b/variants/Cargo.lock
@@ -9,6 +9,13 @@ dependencies = [
 "glibc",
 ]

+[[package]]
+name = "amazon-ssm-agent"
+version = "0.1.0"
+dependencies = [
+ "glibc",
+]
+
 [[package]]
 name = "aws-dev"
 version = "0.1.0"
@@ -343,6 +350,7 @@ dependencies = [
 name = "ecs-agent"
 version = "0.1.0"
 dependencies = [
+ "amazon-ssm-agent",
 "glibc",
 ]
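Review bot: `d /var/log/ecs/exec 0755 root root -` creates the ECS exec log directory world-readable, whereas the `execute-command/config` directory added two lines below is 0750 and the existing `/var/lib/ecs/data` is 0700; if session output or transcripts end up under this directory, 0755 lets any local user list and read whatever the worker creates with a permissive mode, so confirm what is written there and tighten to `d /var/log/ecs/exec 0750 root root -` unless a non-root reader is required. The `R /var/ecs/managed-agents - - - -` line removes the whole tree whenever systemd-tmpfiles runs with --remove, which is presumably intended to discard stale per-session configuration at boot; a comment such as `# Drop stale ECS exec session state on boot` above it would make that intent explicit, since a reader seeing `R` next to a `d` for a subdirectory may assume a mistake.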