Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-batch: Unable to create Windows Fargate Job Definition due to invalid generated CF Template #29140

Closed
juantula opened this issue Feb 16, 2024 · 4 comments · Fixed by #29145
Closed

aws-batch: Unable to create Windows Fargate Job Definition due to invalid generated CF Template #29140

juantula opened this issue Feb 16, 2024 · 4 comments · Fixed by #29145
Labels
@aws-cdk/aws-batch Related to AWS Batch bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@juantula
Copy link

juantula commented Feb 16, 2024
edited
Loading

Describe the bug

When trying to create an EcsJobDefinitionInstance, using a container of type EcsFargateContainerDefinition, with fargateCpuArchitecture=X86_64 and fargateOperatingSystemFamily=WINDOWS_SERVER_2019_FULL (but it also happens with any of the valid WINDOWS options too), I get the following error (after executing npx cdk deploy --all):

AWS::Batch::JobDefinition | WindowsJobDefinition (WindowsJobDefinition4BE72269) An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : ReadonlyRootFilesystem parameter is not supported for Windows containers, RequestId: 2432267b-cacf-403e-9a70-1f7d565e814d

Expected Behavior

A new JobDefinition is created successfuly

Current Behavior

AWS::Batch::JobDefinition | WindowsJobDefinition (WindowsJobDefinition4BE72269) An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : ReadonlyRootFilesystem parameter is not supported for Windows containers, RequestId: 2432267b-cacf-403e-9a70-1f7d565e814d

Reproduction Steps

const windowsJobDefinition = new batch.EcsJobDefinition(this, "WindowsJobDefinition", {
      jobDefinitionName: "windows-job-definition",
      container: new batch.EcsFargateContainerDefinition(this, "WindowsFargateContainer", {
        image: ecs.ContainerImage.fromRegistry("mcr.microsoft.com/dotnet/framework/runtime:4.7.2"),
        memory: cdk.Size.gibibytes(8),
        cpu: 2, 
        fargateCpuArchitecture: ecs.CpuArchitecture.X86_64,
        fargateOperatingSystemFamily: ecs.OperatingSystemFamily.WINDOWS_SERVER_2019_FULL,
      }),
    });

Possible Solution

The generated CloudFormation template looks like this:

{
  "WindowsJobDefinition4BE72269": {
   "Type": "AWS::Batch::JobDefinition",
   "Properties": {
    "ContainerProperties": {
     "Environment": [],
     "ExecutionRoleArn": {
      "Fn::GetAtt": [
       "WindowsFargateContainerExecutionRoleAE15A6C1",
       "Arn"
      ]
     },
     "FargatePlatformConfiguration": {},
     "Image": "mcr.microsoft.com/dotnet/framework/runtime:4.7.2",
     "NetworkConfiguration": {
      "AssignPublicIp": "DISABLED"
     },
     "ReadonlyRootFilesystem": false,
     "ResourceRequirements": [
      {
       "Type": "MEMORY",
       "Value": "8192"
      },
      {
       "Type": "VCPU",
       "Value": "2"
      }
     ],
     "RuntimePlatform": {
      "CpuArchitecture": "X86_64",
      "OperatingSystemFamily": "WINDOWS_SERVER_2019_FULL"
     }
    },
    "JobDefinitionName": "windows-job-definition",
    "PlatformCapabilities": [
     "FARGATE"
    ],
    "RetryStrategy": {},
    "Timeout": {},
    "Type": "container"
   },
   "Metadata": {
    "aws:cdk:path": "Stack/WindowsJobDefinition/Resource"
   }
  }
}

It can be seen that it has an "ReadonlyRootFilesystem": false, attribute. I imagine in the case of Windows containers, that attribute should not be present at all.

Additional Information/Context

Trying to build a Linux Job Definition works just fine, with all the same parameters (all but the operatingSystemFamily and the docker image name).
The issue also happens with all the previous CDK versions that include support for specifying the OS family (2.125.0, 2.126.0, 2.127.0)

CDK CLI Version

2.128.0

Framework Version

2.128.0

Node.js Version

v18.19.0

OS

Microsoft Windows [Version 10.0.19045.3930]

Language

TypeScript

Language Version

5.3.3

Other information

No response
@juantula juantula added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2024
@github-actions github-actions bot added the @aws-cdk/aws-batch Related to AWS Batch label Feb 16, 2024
@msambol msambol mentioned this issue Feb 17, 2024
Merged
@pahud
Copy link
Contributor

pahud commented Feb 19, 2024

Thank you for the report and we'll review @msambol 's PR to move this forward.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 19, 2024
@jerometremblay
Copy link

In the meantime, we can patch the generated CloudFormation template.

const jobDefinition = new batch.EcsJobDefinition(this, 'JobDefinition', { ... });
const cfnJobDefinition = jobDefinition.node.defaultChild as batch.CfnJobDefinition;
cfnJobDefinition.addPropertyOverride('ContainerProperties.ReadonlyRootFilesystem', undefined);

@juantula
Copy link
Author

In the meantime, we can patch the generated CloudFormation template.

const jobDefinition = new batch.EcsJobDefinition(this, 'JobDefinition', { ... });
const cfnJobDefinition = jobDefinition.node.defaultChild as batch.CfnJobDefinition;
cfnJobDefinition.addPropertyOverride('ContainerProperties.ReadonlyRootFilesystem', undefined);

Yup, that works, and it's better than editing the compiled JS code, as I was doing, thanks!

@github-actions github-actions bot mentioned this issue Mar 1, 2024
Closed
@mergify mergify bot closed this as completed in #29145 Mar 1, 2024
mergify bot pushed a commit that referenced this issue Mar 1, 2024
@msambol
fix(batch): windows does not support readonlyRootFilesystem (#29145)
7205143 
Here's from the k8s docs:
```
securityContext.readOnlyRootFilesystem - not possible on Windows; write access is required for registry & system processes to run inside the container
```

Closes #29140. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 1, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

godwingrs22 pushed a commit to godwingrs22/aws-cdk that referenced this issue Mar 1, 2024
@msambol @godwingrs22
fix(batch): windows does not support readonlyRootFilesystem (aws#29145)
c2fa827 
Here's from the k8s docs:
```
securityContext.readOnlyRootFilesystem - not possible on Windows; write access is required for registry & system processes to run inside the container
```

Closes aws#29140. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-batch Related to AWS Batch bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(batch): windows does not support readonlyRootFilesystem msambol/aws-cdk
3 participants
@pahud @juantula @jerometremblay