Modify to work with AWS ECS #300
Conversation
app/entrypoint.sh
Outdated
|
|
||
| set -u |
There was a problem hiding this comment.
this change was to make it not error on "${DOCKER_PROVIDER,,}" which is possibly unbound (but actually is not because of the -n sanity)
|
Hi ! Thanks for that PR. I have two remarks:
btw 1) is currently lacking on this line and that line could directly |
|
@buchdag done |
There was a problem hiding this comment.
Woops sorry, seems I misdirected you.
My last comment was suggesting that if [[ -z "$CONTAINER_ID" ]]; then be changed to if [[ -z "${CONTAINER_ID:-}" ]]; then, no need to do a separate assignment first for this one.
Also please do not remove the export of CONTAINER_ID even if it's not needed at the moment.
|
@buchdag makes sense, changed |
|
I got the same issue as described here and the proposed fix helped me to get this working again. However i got two problems:
|
|
|
@myoung34 is it possible that in some case AWS ECS does not set the Is this If it's not widely used and/or if it is sometimes not set by ECS, maybe the fix should rather directly test |
|
I ilke the current way because there's no behavior change existing or across cloud providers, but is "opt in" by setting |
|
@buchdag I pushed up what it would look like to test for AWS ECS. |
|
@myoung34 do you think a better approach would be to check in From what @DurinMusicspear said, if There is a similar proposition for the same issue in |
|
I think the best way to approach it is with an opt-in flag like |
|
Ok I might have misunderstood something from the beginning, the |
|
It is, but it acts like an opt-in. not providing it would be no change in current behavior, manually providing it is a way for the user to set behavior, basically saying "i want this to act under ECS" , so if its ECS, use the |
|
Got it. I thought If you introduce a new environment variable you'll have to document its use in the README. With all that in mind i think the sed override might be simpler / more reliable. Something like, let's say: Unless I've missed something, default behavior is unchanged, it is explicit and it work under ECS even if If in the future getting the container ID under Kubernetes or another container management service require something more complex than a regexp change, the Your thought ? |
|
/proc/cgroup is not a good choice on ECS. it might work, but it might not as well. The container ID is provided first-hand in the environment variable given via the API ( |
|
Ok so let's go for
proto code: |
|
Hi, thanks for addressing this issue. When can users expect this to be merged? |
|
@jschlieber As soon as the requested changes are made. @myoung34 If you lack time to make the changes or if you think they're problematic, please let me know. |
|
I tested @myoung34 initial fix, and there is another issue on ECS: when the docker API is called on the script it gets this: {"message":"No such exec instance 'null' found in daemon"} this is part of the docker-compose for the nginx-proxy container nginx_proxy:
image: jwilder/nginx-proxy
container_name: nginx_proxy
links:
- geoserver
ports:
- 80:80
- 443:443
labels:
- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=truethis also causes this error when trying to reload nginx:
on the nginx config file /etc/nginx/conf.d/default.conf (I replaced the real domain with example.com): |
|
At the moment this image works on AWS ECS using docker stacks (implementing @myoung34 fix) - manually creating your EC2 instance and going from there. Also there is a mayor confusion on the docs:
Hope this helps anyone with the same issue. |
|
@pbreah thanks for reporting the issue, there are a few more instances of functions sharing names with variables, I'll try to fix them asap. |
|
@myoung34 it doesn't work for me on elastic beanstalk multi-container docker platform, |
|
@vfeskov I dont think you can use it in beanstalk since that's not the same as ECS |
|
@myoung34 elastic beanstalk uses ecs and the companion was working fine before (post) this change: vfeskov@bb85a95 makes it get container id correctly, but i'm now struggling with "Connection refused" error |
|
@vfeskov Im not sure but I dont use beanstalk with containers so feel free to push additional changes if anything has to change to accomodate it. As for the current push: @buchdag Latest meets criteria and passes manual verify on ECS with ecs.config enabled. |
|
@myoung34 Can you check if this command works in your setup? It does work on Elastic Beanstalk ECS, and it doesn't require any additional config export CONTAINER_ID=$(cat /proc/self/cgroup | sed -nE 's/^.+(docker[\/-]|ecs\/[a-f0-9\-]+\/)([a-f0-9]{64}).*/\2/p' | head -n 1) |
|
@vfeskov that wont work in ECS, it does not expose that in the prc file: |
|
looks exactly what i see on elastic beanstalk ecs and the regex extracts container id nicely |
|
@vfeskov feel free to submit a regex fix after this merge then, but there are better ways to get container ids in other areas (like ECS) using the metadata instead of relying on the cgroup file. |
|
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker_ecs.html
so something like this then? case "${DOCKER_PROVIDER}" in
ecs|ECS)
# AWS ECS. Enabled in /etc/ecs/ecs.config (http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html)
if [[ -n "${ECS_CONTAINER_METADATA_FILE:-}" ]]; then
export CONTAINER_ID=$(grep ContainerID "${ECS_CONTAINER_METADATA_FILE}" | sed 's/.*: "\(.*\)",/\1/g')
else
echo "${DOCKER_PROVIDER} specified as 'ecs' but not available. See: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html"
exit 1
fi
;;
*)
export CONTAINER_ID=$(cat /proc/self/cgroup | sed -nE 's/^.+(docker[\/-]|ecs\/[a-f0-9\-]+\/)([a-f0-9]{64}).*/\2/p' | head -n 1)
;;
esac |
|
That would work but this is starting to get into scope creep. Can we just get this merged and issue subsequent pr's ? I've already added code not related to ecs here and would like to stop making changes |
|
@myoung34 LGTM, thanks for this PR and the added effort on changes. Is it ok with you if I squash the commits ? |
|
Good with me, I meant to originally. Thanks! |
|
Hi, I'm still having the "Error: can't get my container ID !" i'm following your instructions about "Separate containers" on https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion I'm trying to mount that on AWS ECS Task Definition with those 3 containers. Can anyone tell me if i'm missing some new instruction? thanks a lot |
+ add foundation for future support of other container management services
|
Getting 'Error: can't get my container ID' with the combined container setup. Verified ECS_ENABLE_CONTAINER_METADATA is available in the container. Verified that the function get_self_cid works fine when I run it manually in the container. Maybe metadata file takes a little bit to establish and this is getting called before before that happens and causing the container blow up? Not sure what else could be going on. |
|
@sunomie I also started getting the same issue when I used the latest AMI with the latest ECS agent (1.21.0) however previous versions work as per the documentation. I was able to fix it on the latest agent by removing the DOCKER_PROVIDER environment variable completely. Update: tl;dr I don't know what changed in the latest AMI and/or ECS agent but removing the DOCKER_PROVIDER setting from the companion container and adding |
|
Concur. Was also able to fix it on the latest agent by removing the
DOCKER_PROVIDER environment variable completely. Thank you.
On Tue, Oct 23, 2018 at 5:00 AM Stephen Law ***@***.***> wrote:
@sunomie <https://github.com/sunomie> I also started getting the same
issue with the latest ECS agent (1.21.0) however previous versions work as
per the documentation. I was able to fix it on the latest agent by removing
the DOCKER_PROVIDER environment variable completely. It looks like the
prefix in /proc/self/cgroup is now /docker/ and not /ecs/ like in the
previous versions.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#300 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAaK7_6nYJeKMLlfT5diihg-KkqnWRFpks5untqogaJpZM4Q-5rT>
.
--
Greg
|
|
This self container ID issue with AWS ECS bugs me. The sole purpose of getting the LE container ID are a configuration check during container startup and the ability to automatically get the nginx-proxy container ID with None of them are actually required to correctly run the container. I'm a newbie with ECS but I guess the |
|
The self container ID is now retrieved with a way simpler method that has been tested to work on Amazon ECS (and should work on Kubernetes too) + the hard requirement that the container be able to retrieve its self ID during startup has been lifted if you use other methods of getting the This should greatly simplify the use of this container on Amazon ECS. |
In ECS the
/proc/self/cgroupcontains the prefix/ecs/not/docker/(likely the issue with other hosts such as kubernetes)The "aws" fix here is to use the
ECS_CONTAINER_METADATA_FILEenv var provided by ecsIm open to modifying it as well to instead take an override for the sed: