Alpine Linux support

[daaru00]

Hi,
can be SSM agent installed on Linux Alpine OS? Ther's a supported version?

[AmyZhangAmz]

Thank you for posting here. Currently, we don't support Alpine Linux OS officially. You could find information about supported OS and installation instructions in this link: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

[exoszajzbuk]

Any update on adding support for Alpine?

[ipmb]

For anyone coming across this issue via search, here's an unofficial Dockerfile that builds and runs the agent on Alpine: https://gist.github.com/ipmb/a8213fb459c27178f88dda7149c35be2

[enomotodev]

@ipmb Thanks to you, I'm able to confirm that it works.

But the Agent version displayed in Managed Instances is 2.3.0.0 and I couldn't use session manager, so here's how to solve it.

FROM golang:1.12-alpine as builder
ARG VERSION=2.3.930.0
RUN set -ex && apk add --no-cache make git gcc libc-dev curl bash && \
    curl -sLO https://github.com/aws/amazon-ssm-agent/archive/${VERSION}.tar.gz && \
    mkdir -p /go/src/github.com && \
    tar xzf ${VERSION}.tar.gz && \
    mv amazon-ssm-agent-${VERSION} /go/src/github.com/amazon-ssm-agent && \
    cd /go/src/github.com/amazon-ssm-agent && \
    echo ${VERSION} > /go/src/github.com/amazon-ssm-agent/VERSION && \
    gofmt -w agent && make checkstyle || ./Tools/bin/goimports -w agent && \
    make build-linux

FROM alpine
RUN set -ex && apk add --no-cache sudo ca-certificates && \
    adduser -D ssm-user && echo "ssm-user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ssm-agent-users && \
    mkdir -p /etc/amazon/ssm
COPY --from=builder /go/src/github.com/amazon-ssm-agent/bin/linux_amd64/ /usr/bin
COPY --from=builder /go/src/github.com/amazon-ssm-agent/bin/amazon-ssm-agent.json.template /etc/amazon/ssm/amazon-ssm-agent.json
COPY --from=builder /go/src/github.com/amazon-ssm-agent/bin/seelog_unix.xml /etc/amazon/ssm/seelog.xml
CMD ["/usr/bin/amazon-ssm-agent"]

Without this line, the Agent version did not seem to be recognized correctly.

echo ${VERSION} > /go/src/github.com/amazon-ssm-agent/VERSION && \

[axot]

We are consider use alpine as Fargate base container, it need this ssm-agent for troubleshooting, any advices?

I tried the Docker build step before, but the agent version always show as 2.3.0.0.

Starting Agent: amazon-ssm-agent - v2.3.0.0

I also checked the VERSION file is correct.

${VERSION} > /go/src/github.com/amazon-ssm-agent/VERSION

[axot]

@enomotodev Hi, I found your solution works fine in 2.3.930.0, but when I upgrade to the latest 2.3.1509.0, it return back to show as 2.3.0.0.

[ashishkurian]

@ipmb @enomotodev : Thank you guys for this work. However, I am running into PATH issues for goimports. I am getting the following issue:

/bin/sh: ./Tools/bin/goimports: not found

How did you guys fix this issue? I tried a lot to search for this error, but did not find much help online.

[patlachance]

@enomotodev Hi, I found your solution works fine in 2.3.930.0, but when I upgrade to the latest 2.3.1509.0, it return back to show as 2.3.0.0.

Hi, did you found a workaround to get latest release running?

[nitrocode]

@AmyZhangAmz if you don't support alpine officially, what's the harm in leaving this ticket open and allowing someone to PR changes in to add support ?

Edit: I tried the above container with the following parameters

FROM golang:1.13-alpine as builder
ARG VERSION=3.0.431.0

And I was able to reproduce the version issue

✗ docker run 734c754346e7
...
2020-11-25 21:48:49 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.0.0.0
...

I tried using apk add rpm and apk add dpkg to see if I could install it without having to compile it from source.

bash-5.0# wget "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"
bash-5.0# dpkg -i session-manager-plugin.deb
dpkg: error processing archive session-manager-plugin.deb (--install):
 package architecture (amd64) does not match system (musl-linux-amd64)
Errors were encountered while processing:
 session-manager-plugin.deb
bash-5.0# dpkg --print-architecture
musl-linux-amd64

bash-5.0# wget "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm"
bash-5.0# rpm -i session-manager-plugin.rpm
error: Failed dependencies:
	/bin/sh is needed by session-manager-plugin-1.2.30.0-1.x86_64
	libc.so.6()(64bit) is needed by session-manager-plugin-1.2.30.0-1.x86_64
	libc.so.6(GLIBC_2.2.5)(64bit) is needed by session-manager-plugin-1.2.30.0-1.x86_64
	libpthread.so.0()(64bit) is needed by session-manager-plugin-1.2.30.0-1.x86_64
	libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by session-manager-plugin-1.2.30.0-1.x86_64
	libpthread.so.0(GLIBC_2.3.2)(64bit) is needed by session-manager-plugin-1.2.30.0-1.x86_64

This is too bad as the packer docker container uses alpine and it would have been nice to be able to use this binary directly in that container. Now we'll have to create an unofficial docker image based on centos or ubuntu just to use the session-manager-plugin.

[apachler]

Any news on an official support for Alpine Linux?

[SpootyMcSpoot]

Bump

[Dinovoh]

Any news on an official support for Alpine Linux so far?

[mgagp]

Trying to setup ansible + AWS session manager... Same issues... Alpine support would be useful

[TarSzator]

Can this ticket be reopened?

A lot of docker images are based on Alpine and extending these images to support the AWS Session Manager would be made way more easy by adding support for Alpine

[axot]

Hi @TarSzator, did you try to use ECS Exec, it should be a better way to do this job. Please checkout this document https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

[TarSzator]

@axot For that I need the SSM :-) Did I overlooked something that I can use ECS Exec without AWS SSM?

[axot]

@TarSzator I think you don't need install ssm agent into container, I tested with fargate 1.4.0. It works fine. Please also check this blog. https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/. It will mount ssm agent from host side(aws/containers-roadmap#1050).

[apachler]

@axot did you really test with Alpine Linux? Since it is based on musl i dont think that the mounted SSM agent is working. But it would be really cool if that works out of the box.

[axot]

@apachler Yes, it works out of box.

[dmattia]

Now that AWS Inspector v2 has enhanced ECR scanning, I've noticed that my alpine linux containers, which I run for most of our prodution apps, do not work with the scanning. I believe adding SSM to these images would make them scannable, but I don't want to change distros away from alpine, which I believe to be easier to secure, just to add a less-secure distro that has SSM built-in, if that makes sense.

So I think this ticket is worth reconsidering with the recent changes.

[misaon]

@TarSzator I think you don't need install ssm agent into container, I tested with fargate 1.4.0. It works fine. Please also check this blog. https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/. It will mount ssm agent from host side(aws/containers-roadmap#1050).

For me mount ssm agent host from side works only in Alpine 3.14, Alpine 3.15 not work...

[etiennechabert]

Hello folks, I am going to share with you the work-around that I just used and deployed. This is now allowing me to use a new functionality provided by SSM: StartPortForwardingSessionToRemoteHost.

Warning

Not sure what kind of side effects this may cause, I just tested this for my limited use-case.

@aws: Please provide a proper solution!

The problem

Before putting this hack in place (yes it's very much a hack...) I was blocked by an error always asking me to update to a newer version, while I was running on the last one... like you the version returned was always the major one (in my case 3.1.0.0):

An error occurred (BadRequest) when calling the StartSession operation: The version of the SSM agent installed on this instance doesn't support port forwarding to remote hosts. Install the latest version of the SSM agent to use port forwarding sessions to remote hosts.

Like you, my agent was always returning the major version:

The "solution"

Add a sed to the Dockerfile to replace a constant in the code, this constant is the one forcing the major...:

 sed -i s/3.1.0.0/${VERSION}/g /go/src/github.com/amazon-ssm-agent/agent/version/version.go

Note: Obviously replace 3.1.0.0 with the major you are planing to use ⚠️

My dockerfile now looks like that

FROM golang:alpine as builder
ARG VERSION=3.1.1511.0
RUN set -ex && apk add --no-cache make git gcc libc-dev curl bash && \
    curl -sLO https://github.com/aws/amazon-ssm-agent/archive/refs/tags/${VERSION}.tar.gz && \
    mkdir -p /go/src/github.com && \
    tar xzf ${VERSION}.tar.gz && \
    mv amazon-ssm-agent-${VERSION} /go/src/github.com/amazon-ssm-agent && \
    cd /go/src/github.com/amazon-ssm-agent && \
    echo ${VERSION} > VERSION && \
    sed -i s/3.1.0.0/${VERSION}/g /go/src/github.com/amazon-ssm-agent/agent/version/version.go && \
    gofmt -w agent && make checkstyle && \
    make build-linux

FROM alpine
RUN set -ex && apk add --no-cache sudo ca-certificates && \
    adduser -D ssm-user && echo "ssm-user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ssm-agent-users && \
    mkdir -p /etc/amazon/ssm
COPY --from=builder /go/src/github.com/amazon-ssm-agent/bin/linux_amd64/ /usr/bin
COPY --from=builder /go/src/github.com/amazon-ssm-agent/bin/seelog_unix.xml /etc/amazon/ssm/seelog.xml
COPY conf/amazon-ssm-agent.json /etc/amazon/ssm/amazon-ssm-agent.json

CMD ["/usr/bin/amazon-ssm-agent"]

My agent is now returning the correct version, I can use the new feature from SSM