Awesome
Amazon Elastic Container Service RPM
The Amazon Elastic Container Service RPM is software developed to support the Amazon ECS Container Agent. The Amazon ECS RPM is packaged for RPM-based systems that utilize Upstart as the init system.
Behavior
The upstart script installed by the Amazon ECS RPM runs at the completion of runlevel 3, 4, or 5 as the system starts.
The script will clean up any previous copies of the Amazon ECS Container Agent, and then start a new copy. Logs from
the RPM are available at /var/log/ecs/ecs-init.log
, while logs from the Amazon ECS Container Agent are available at
/var/log/ecs/ecs-agent.log
. The Amazon ECS RPM makes the Amazon ECS Container Agent introspection endpoint available
at http://127.0.0.1:51678/v1
. Configuration for the Amazon ECS Container Agent is read from /etc/ecs/ecs.config
.
All of the configurations in this file are used as environment variables of the ECS Agent container. Additionally, some
configurations can be used to configure other properties of the ECS Agent container, as described below.
Configuration Key | Example Value(s) | Description | Default value |
---|---|---|---|
ECS_AGENT_LABELS | {"test.label.1":"value1","test.label.2":"value2"} | The labels to add to the ECS Agent container. |
Additionally, the following environment variable(s) can be used to configure the behavior of the RPM:
Environment Variable Name | Example Value(s) | Description | Default value |
---|---|---|---|
ECS_SKIP_LOCALHOST_TRAFFIC_FILTER | <true | false> | By default, the ecs-init service adds an iptable rule to drop non-local packets to localhost if they're not part of an existing forwarded connection or DNAT, and removes the rule upon stop. If ECS_SKIP_LOCALHOST_TRAFFIC_FILTER is set to true, this rule will not be added/removed. | false |
ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS | <true | false> | By default, the ecs-init service adds an iptable rule to block access to ECS Agent's introspection port from off-host (or containers in awsvpc network mode), and removes the rule upon stop. If ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS is set to true, this rule will not be added/removed. | false |
ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME | eth0 | Primary network interface name to be used for blocking offhost agent introspection port access. By default, this value is the interface that handles the default route (0.0.0.0/0 ) in kernel routing table (/proc/net/route ). If none could be found, we fall back to eth0 | - (Resolved at runtime) |
The above environment variable(s) can be used in the following way
- On Amazon Linux 1, the flag
ECS_SKIP_LOCALHOST_TRAFFIC_FILTER
can be turned on by addingenv ECS_SKIP_LOCALHOST_TRAFFIC_FILTER=true
to /etc/init/ecs.conf. - On Amazon Linux 2, the flag
ECS_SKIP_LOCALHOST_TRAFFIC_FILTER
can be turned on by addingECS_SKIP_LOCALHOST_TRAFFIC_FILTER=true
to /etc/ecs/ecs.config.
Usage
The upstart script installed by the Amazon Elastic Container Service RPM can be started or stopped with the following commands respectively:
sudo start ecs
sudo stop ecs
Updates
Updates to the Amazon ECS Container Agent should be performed through the Amazon ECS Container Agent. In the case where an update failed and the Amazon ECS Container Agent is no longer functional, a rollback can be initiated as follows:
sudo stop ecs
sudo /usr/libexec/amazon-ecs-init reload-cache
sudo start ecs
Security disclosures
If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.
Development
Building the RPM for test
On your local machine, you can use the docker target to generate an rpm:
make rpm-in-docker
This rpm can then be installed in an amazon linux ami:
# send rpm either through s3 or scp
rpm -i rpm-that-you-built.rpm
sudo systemctl enable ecs
sudo systemctl start ecs
Dev dependencies
Run make get-deps
to get dependencies for running tests and generating mocks.
Generating mocks
Mocks can be generated using the make generate
Makefile target. NOTE that this must be run on a linux machine.
License
The Amazon Elastic Container Service RPM is licensed under the Apache 2.0 License.