feat(ecs): Add SystemControls to ContainerDefinition #16970

Merged
merged 5 commits into from
Nov 12, 2021
19 changes: 19 additions & 0 deletions packages/@aws-cdk/aws-ecs/README.md
@@ -427,6 +427,25 @@ The task execution role is automatically granted read permissions on the secrets
files is restricted to the EC2 launch type for files hosted on S3. Further details provided in the AWS documentation
about [specifying environment variables](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html).

### System controls

To set system controls (kernel parameters) on the container, use the `systemControls` prop:

```ts
declare const taskDefinition: ecs.TaskDefinition;

taskDefinition.addContainer('container', {
Comment on lines +435 to +437

Contributor: Is this a working example? Doesn't this need to actually instantiate a TaskDefinition first?

Contributor Author: Yes, this is not a working example, since the section is concerned with the container definition of an existing taskDefinition. The same is being followed across the README.

image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
memoryLimitMiB: 1024,
systemControls: [
{
namespace: 'net',
value: 'ipv4.tcp_tw_recycle',
},
],
});
```

## Service

A `Service` instantiates a `TaskDefinition` on a `Cluster` a given number of
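Review bot: The `systemControls` entry in the README example splits the parameter name across the two fields (`namespace: 'net'`, `value: 'ipv4.tcp_tw_recycle'`), but the `SystemControl` interface added in container-definition.ts documents `namespace` as the namespaced kernel parameter and `value` as the value set for it. The snippet should carry the full parameter in `namespace` and an actual setting in `value`, for example `namespace: 'net.ipv4.tcp_tw_recycle', value: '1'`; readers copy README snippets verbatim, and this one would put a malformed sysctl into every task definition built from it. A short sentence pointing at the task definition parameters page already cited in the `@see` tags would also let readers check what ECS accepts before they deploy.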
32 changes: 32 additions & 0 deletions packages/@aws-cdk/aws-ecs/lib/container-definition.ts
@@ -307,6 +307,15 @@ export interface ContainerDefinitionOptions {
* @default - No inference accelerators assigned.
*/
readonly inferenceAcceleratorResources?: string[];

/**
* A list of namespaced kernel parameters to set in the container.
*
* @default - No system controls are set.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-systemcontrol.html
* @see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_systemcontrols
*/
readonly systemControls?: SystemControl[];
}

/**
@@ -669,6 +678,7 @@ export class ContainerDefinition extends CoreConstruct {
linuxParameters: this.linuxParameters && this.linuxParameters.renderLinuxParameters(),
resourceRequirements: (!this.props.gpuCount && this.inferenceAcceleratorResources.length == 0 ) ? undefined :
renderResourceRequirements(this.props.gpuCount, this.inferenceAcceleratorResources),
systemControls: this.props.systemControls && renderSystemControls(this.props.systemControls),
};
}
}
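Review bot: `systemControls: this.props.systemControls && renderSystemControls(this.props.systemControls)` emits an empty `SystemControls: []` when a caller passes an empty array, because `[]` is truthy; the `resourceRequirements` line directly above guards against exactly this with a `.length == 0` check and renders `undefined` instead. Consider `this.props.systemControls?.length ? renderSystemControls(this.props.systemControls) : undefined` so an empty list is left out of the template like the other optional container properties.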
@@ -1040,3 +1050,25 @@ function renderVolumeFrom(vf: VolumeFrom): CfnTaskDefinition.VolumeFromProperty
readOnly: vf.readOnly,
};
}

/**
* Kernel parameters to set in the container
*/
export interface SystemControl {
/**
* The namespaced kernel parameter for which to set a value.
*/
readonly namespace: string;

/**
* The value for the namespaced kernel parameter specified in namespace.
*/
readonly value: string;
}

function renderSystemControls(systemControls: SystemControl[]): CfnTaskDefinition.SystemControlProperty[] {
return systemControls.map(sc => ({
namespace: sc.namespace,
value: sc.value,
}));
}
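Review bot: `renderSystemControls` passes `namespace` and `value` through untouched, so an empty or whitespace-only `namespace` only surfaces as a failed deployment. Since these entries become kernel parameters applied inside the task's containers, a synth-time check that `namespace` is non-empty (and, ideally, that `value` is non-empty) would give a clearer error at the point where the mistake is made. The JSDoc on `SystemControl` would also benefit from one concrete pair, e.g. `namespace: 'net.ipv4.tcp_tw_recycle'` with `value: '1'`, so the split between the two fields is unambiguous for readers who skip the `@see` links.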
43 changes: 43 additions & 0 deletions packages/@aws-cdk/aws-ecs/test/container-definition.test.ts
@@ -85,6 +85,9 @@ describe('container definition', () => {
secrets: {
SECRET: ecs.Secret.fromSecretsManager(secret),
},
systemControls: [
{ namespace: 'SomeNamespace', value: 'SomeValue' },
],
});

// THEN
@@ -218,6 +221,12 @@ describe('container definition', () => {
],
StartTimeout: 2,
StopTimeout: 5,
SystemControls: [
{
Namespace: 'SomeNamespace',
Value: 'SomeValue',
},
],
User: 'rootUser',
WorkingDirectory: 'a/b/c',
},
@@ -753,6 +762,40 @@ describe('container definition', () => {
});
});

test('can specify system controls', () => {
// GIVEN
const stack = new cdk.Stack();
const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef');

// WHEN
taskDefinition.addContainer('cont', {
image: ecs.ContainerImage.fromRegistry('test'),
memoryLimitMiB: 1024,
systemControls: [
{ namespace: 'SomeNamespace1', value: 'SomeValue1' },
{ namespace: 'SomeNamespace2', value: 'SomeValue2' },
],
});

// THEN
expect(stack).toHaveResourceLike('AWS::ECS::TaskDefinition', {
ContainerDefinitions: [
{
SystemControls: [
{
Namespace: 'SomeNamespace1',
Value: 'SomeValue1',
},
{
Namespace: 'SomeNamespace2',
Value: 'SomeValue2',
},
],
},
],
});
});

describe('Environment Files', () => {
describe('with EC2 task definitions', () => {
test('can add asset environment file to the container definition', () => {
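Review bot: `toHaveResourceLike` matches a subset of the rendered properties, so this test proves the two controls are present but cannot show that `SystemControls` is omitted when the prop is not set, or what happens for an empty array. Add a case that asserts the key is absent when `systemControls` is left out (a full `toHaveResource` match, or the assertion library's absent matcher) and one for `systemControls: []`, so the rendering in `renderContainerDefinition` is pinned down rather than inferred.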