Running dotnet-monitor in a docker sidecar (not root) #7732
jamescarter-le
started this conversation in
General
Replies: 2 comments
-
|
Related: dotnet/dotnet-docker#6081 |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
I don't have a lot of knowledge of ECS, but I can provide some ideas to look at:
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Documentation Request
Running dotnet-monitor in a docker sidecar container mode, when using non-root users (default for dotnet-monitor, and aspnet images).
I am adding dotnet-monitor to AWS ECS container, as a side-car. I'm unable to get dotnet-monitor to read the socket file from the app when running both as their default users. I understand that the default UID of aspnet and (I suppose) dotnet-monitor is 1000 (app).
This gives me Permission Denied from IpcSocket. Running them both as root does solve this problem, however I would like to drop down to the default permission set as recommend by Microsoft and the default containers.
I attach a normal Docker volume (non persistent) to both containers, and do not specify their UID when starting them. This gives me permission denied.
I've tried setting both their users to 'app', '1000', '1654', but none of these settings work.
What am I missing here? I feel like a little more documentation on this (mostly likely the default?) configuration would be very useful.
Previous documentation
Existing docker compose for this scenario
Configuration example
{ "taskDefinitionArn": "arn:aws:ecs:eu-west-1:myaws:task-definition/MyContainerTask:30", "containerDefinitions": [ { "name": "MyContainer", "image": "myaws.dkr.ecr.eu-west-1.amazonaws.com/mycontainer:latest", "cpu": 0, "memory": 448, "links": [], "portMappings": [ { "name": "http", "containerPort": 8080, "hostPort": 0, "protocol": "tcp", "appProtocol": "http" } ], "essential": true, "entryPoint": [], "command": [], "environment": [ { "name": "OTEL_ENDPOINT", "value": "http://otel-collector.sandbox.local:4317" }, { "name": "DOTNET_DiagnosticPorts", "value": "/diag/dotnet-monitor.sock,nosuspend" }, { "name": "DOTNET_gcServer", "value": "1" } ], "environmentFiles": [], "mountPoints": [ { "sourceVolume": "diagnostics", "containerPath": "/diag", "readOnly": false } ], "volumesFrom": [], "secrets": [], "dnsServers": [], "dnsSearchDomains": [], "extraHosts": [], "dockerSecurityOptions": [], "dockerLabels": {}, "ulimits": [], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "logs-from-ecs", "mode": "non-blocking", "awslogs-multiline-pattern": "^(trace|debug|info|warn|error|critical|none)", "awslogs-region": "eu-west-1", "awslogs-stream-prefix": "containers" }, "secretOptions": [] }, "systemControls": [], "credentialSpecs": [] }, { "name": "dotnet-monitor", "image": "mcr.microsoft.com/dotnet/monitor:9", "cpu": 256, "memory": 512, "links": [], "portMappings": [ { "containerPort": 52323, "hostPort": 0, "protocol": "tcp" } ], "essential": false, "entryPoint": [], "command": [], "environment": [ { "name": "DOTNETMONITOR_Urls", "value": "http://+:52323" }, { "name": "DOTNETMONITOR_DiagnosticPort__ConnectionMode", "value": "Listen" }, { "name": "DOTNETMONITOR_Storage__DumpTempFolder", "value": "/diag/dumps" }, { "name": "DOTNETMONITOR_DiagnosticPort__EndpointName", "value": "/diag/dotnet-monitor.sock" } ], "environmentFiles": [], "mountPoints": [ { "sourceVolume": "diagnostics", "containerPath": "/diag", "readOnly": false } ], "volumesFrom": [], "secrets": [ { "name": "Authentication__MonitorApiKey__Subject", "valueFrom": "arn:aws:secretsmanager:eu-west-1:myaws:secret:DotnetMonitorAuthentication:Subject::" }, { "name": "Authentication__MonitorApiKey__PublicKey", "valueFrom": "arn:aws:secretsmanager:eu-west-1:myaws:secret:DotnetMonitorAuthentication:PublicKey::" } ], "dnsServers": [], "dnsSearchDomains": [], "extraHosts": [], "dockerSecurityOptions": [], "dockerLabels": {}, "ulimits": [], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "logs-from-ecs", "mode": "non-blocking", "awslogs-region": "eu-west-1", "awslogs-stream-prefix": "containers" }, "secretOptions": [] }, "systemControls": [], "credentialSpecs": [] } ], "family": "MyContainerTask", "taskRoleArn": "arn:aws:iam::myaws:role/Exec-0GqZn4YCDiZp", "executionRoleArn": "arn:aws:iam::myaws:role/Exec-ApgSEYISB08l", "networkMode": "bridge", "revision": 30, "volumes": [ { "name": "diagnostics", "host": {} } ], "status": "ACTIVE", "requiresAttributes": [ { "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" }, { "name": "ecs.capability.execution-role-awslogs" }, { "name": "com.amazonaws.ecs.capability.ecr-auth" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" }, { "name": "ecs.capability.secrets.asm.environment-variables" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.28" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.30" }, { "name": "com.amazonaws.ecs.capability.task-iam-role" }, { "name": "ecs.capability.execution-role-ecr-pull" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" } ], "placementConstraints": [], "compatibilities": [ "EC2" ], "requiresCompatibilities": [ "EC2" ], "registeredAt": "2024-11-28T15:38:24.620Z", "registeredBy": "", "tags": [] }Beta Was this translation helpful? Give feedback.
All reactions