
ECS with EC2 autoscaling cannot use DIND but dockerd daemon starts successfully after enabling privileged = true #105

Closed
RazvanGherlea opened this issue Aug 2, 2023 · 4 comments

Comments


RazvanGherlea commented Aug 2, 2023

Description

I cannot mount /var/run/docker.sock into the task container, although I define mountPoints and a volume in the module.

container_definitions

          mountPoints = [
            {
              readOnly = null,
              containerPath = "/var/run/docker.sock",
              sourceVolume = "docker_sock"
            }
          ]

And in services on the same level as container definitions:

      volume = [{
        name = "docker_sock"
        host = {
          sourcePath = "/var/run/docker.sock"
        }
      }]


  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: version=5.2.1

Reproduction Code [Required]

Steps to reproduce the behaviour:

When providing the above-mentioned arguments to the resource, the volume is not mounted and the container fails with the following error:

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.

Expected behaviour

I can start dockerd by calling the binary from entrypoint -> command, but there is no other place to execute other commands.

Actual behavior

The container is not able to run DIND.

Terminal Output Screenshot(s)

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.

Additional context

RazvanGherlea (Author) commented:

I found the issue. It looks like you have defined a different naming convention for the default Docker definition, from mountPoints to mount_points, but for the rest of the arguments, like containerPath, sourceVolume and e.g. readOnly, you kept the default naming convention that can be seen in the outputs.

For example the following block solved the issue:

          mount_points = [ # You can observe that it is different from the output
            {
              containerPath = "/var/run/docker.sock"
              sourceVolume = "docker-socket"
              readOnly = false
            }
          ]

After applying the update, the output looks like the following:

          "mountPoints" = tolist([
            {
              "containerPath" = "/var/run/docker.sock"
              "readOnly" = false
              "sourceVolume" = "docker-socket"
            },
          ])

This is a bit confusing to be honest. But looking at your module I can see that you are using a dynamic
This is a visual illustration of what I mean.

The ongoing issue is related to using a non-root user inside the container.

On my local PC, I am using the exact same image and forcing the start with the created user.

Dockerfile:

# Create an unprivileged user with its own group and home directory
RUN groupadd "runner" && useradd -g "runner" --shell /bin/bash "runner" \
    && mkdir -p "/home/runner" \
    && chown -R "runner":"runner" "/home/runner"
# Add the user to the image's docker group so it can use the mounted socket
RUN usermod -aG docker "runner"

WORKDIR /home/runner
USER runner

From my terminal (local pc) I can run the docker version command with user runner:

❯ docker run --user runner -ti -v /var/run/docker.sock:/var/run/docker.sock github-runner-entrypoint:0.8 /bin/bash
runner@62514eaea867:~$ /usr/bin/docker version --format '{{.Server.APIVersion}}'
1.41
runner@62514eaea867:~$

From the ECS task, I get an error that the user does not have sufficient privileges:

Terraform:

User declaration under container_definitions:

user = "runner"

Command-line parameters:

          entrypoint = ["/bin/bash", "-c"]
          command = ["/bin/mount && /bin/docker run debian:latest /bin/ls"] 

If I disable the user = "runner", I can successfully run the docker command.

Can you see anything wrong on my side here, or am I missing some extra parameter, please?
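
A check for the non-root case above, added here as an example; it is not code from the issue or from the terraform-aws-ecs module. Inside the container, /var/run/docker.sock keeps the owner, group and mode of the host file, while the `docker` group created by `groupadd` in the image gets whatever GID the base image assigns, so `usermod -aG docker runner` only helps if that GID happens to equal the host's. The thread does not establish that this is the cause here; the script reports the socket's GID next to the container's, and `has_access` reproduces the kernel's owner/group/other decision (connecting to a Unix socket requires write permission on it). The default socket path and user name are assumptions taken from the thread.

```python
"""Report whether a (non-root) container user can connect to a bind-mounted Docker socket.

Added example, not the issue author's or the module's code.  Run inside the
task container:  python3 socket_check.py /var/run/docker.sock runner
"""
import grp
import json
import os
import pwd
import stat
import sys


def has_access(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set,
               want_write: bool = True) -> bool:
    """Classic Unix DAC decision for `uid` holding the group set `gids`.

    Same order as the kernel: root bypasses the check; if uid owns the file only
    the owner bits count (even if the group bits would allow it); otherwise the
    group bits apply when any gid matches; otherwise the 'other' bits.
    """
    if uid == 0:
        return True
    bit = stat.S_IWUSR if want_write else stat.S_IRUSR  # bit in the 'user' class
    if uid == owner_uid:
        shift = 0
    elif owner_gid in gids:
        shift = 3  # same bit in the 'group' class
    else:
        shift = 6  # same bit in the 'other' class
    return bool(mode & (bit >> shift))


def user_groups(user: str) -> set:
    """Primary plus supplementary GIDs as the *container's* /etc/group resolves them."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return gids


def explain_socket_access(path: str, user: str) -> dict:
    """Stat the socket (host-owned inode) and compare it with the container's view of `user`."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    pw = pwd.getpwnam(user)
    gids = user_groups(user)
    try:
        container_docker_gid = grp.getgrnam("docker").gr_gid
    except KeyError:
        container_docker_gid = None  # image has no docker group at all
    return {
        "socket": path,
        "mode": oct(mode),
        "socket_uid_gid": [st.st_uid, st.st_gid],
        "user": user,
        "user_uid": pw.pw_uid,
        "user_gids": sorted(gids),
        "container_docker_gid": container_docker_gid,
        "can_connect": has_access(mode, st.st_uid, st.st_gid, pw.pw_uid, gids),
        # True when the image's docker group is a different GID than the one owning the host socket
        "gid_mismatch": container_docker_gid is not None and container_docker_gid != st.st_gid,
    }


if __name__ == "__main__":
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/run/docker.sock"  # assumed default
    who = sys.argv[2] if len(sys.argv) > 2 else "runner"                # assumed default
    print(json.dumps(explain_socket_access(sock, who), indent=2))
```

If `gid_mismatch` is true, the usual remedies are to build the image with the host's docker GID (`groupadd -g <host gid> docker` before `usermod`) or to set the ECS `user` field to `runner:<host docker gid>`, which ECS passes through with the same `user:gid` semantics as `docker run --user`. Whichever way it is fixed, a user who can write to that socket can ask dockerd on the instance to start a privileged container, so `USER runner` does not reduce this to anything less than root-equivalent access to the EC2 host.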

bryantbiggs (Member) commented:

The variables used by the container definition can be found here: https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/master/modules/container-definition/variables.tf

Terraform currently does not have a resource for ECS container definition hashicorp/terraform-provider-aws#17988

The ECS API simply takes in a JSON payload for the container definition, and this module tries to support that in a pseudo-Terraform way. It is the standard convention that Terraform arguments are written in snake_case, but the ECS container definition API is camelCase. As always, look at the variable definitions to provide the correct form.
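
The convention described in this comment, turned into a pre-apply check; this is an added example and not code from the issue or from terraform-aws-ecs. It assumes the container definition is available as a plain dict (the value you would pass in `container_definitions`, written by hand or decoded from `terraform show -json`) and the task volumes as the list passed to `volume`. A camelCase top-level key is reported because the module looks up snake_case arguments, so a `mountPoints` key is never read and the mount silently disappears, which is what the first post observed; the entries of `mount_points` are checked against ECS field names because, as the output above shows, they pass through unchanged. The authoritative list of accepted arguments is the variables.tf linked in the comment above.

```python
"""Pre-apply sanity check for a terraform-aws-ecs style container definition.

Added example, not the module's code.  Constructed input: the two variants
of the docker-socket mount posted in the issue.
"""
import re

# Matches keys such as mountPoints / portMappings (lowercase start, then CamelCase words).
_CAMEL = re.compile(r"[a-z]+(?:[A-Z][a-z0-9]*)+$")


def to_snake(key: str) -> str:
    """mountPoints -> mount_points, the spelling the module actually reads."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()


def check_definition(defn: dict, volumes: list) -> list:
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    for key in defn:
        if _CAMEL.match(key):
            problems.append(
                f"top-level key {key!r} is camelCase and will be ignored by the module; "
                f"use {to_snake(key)!r}"
            )
    volume_names = {v["name"] for v in volumes}
    # Entries of mount_points are forwarded to the ECS API as-is, so they use ECS field names.
    for mp in defn.get("mount_points", []):
        missing = {"containerPath", "sourceVolume"} - set(mp)
        if missing:
            problems.append(f"mount point {mp!r} lacks ECS fields {sorted(missing)}")
            continue
        if mp["sourceVolume"] not in volume_names:
            problems.append(
                f"mount point {mp['containerPath']} references undeclared volume "
                f"{mp['sourceVolume']!r} (declared: {sorted(volume_names)})"
            )
    return problems


def risk_notes(defn: dict, volumes: list) -> list:
    """Flag settings that make the task root-equivalent on the container instance."""
    notes = []
    host_paths = {v["name"]: (v.get("host") or {}).get("sourcePath") for v in volumes}
    for mp in defn.get("mount_points", []):
        if host_paths.get(mp.get("sourceVolume")) == "/var/run/docker.sock":
            notes.append(
                "host Docker socket is mounted: anything in the container that can write to it "
                "can start a privileged container on the EC2 instance"
            )
    if defn.get("privileged"):
        notes.append("privileged = true: the container runs with full capabilities and device access")
    return notes


if __name__ == "__main__":
    # Constructed sample mirroring the issue: the volume as declared at service level ...
    volumes = [{"name": "docker_sock", "host": {"sourcePath": "/var/run/docker.sock"}}]
    # ... the first (ignored) spelling, and the corrected one.
    broken = {"name": "runner", "image": "github-runner-entrypoint:0.8",
              "mountPoints": [{"readOnly": None, "containerPath": "/var/run/docker.sock",
                               "sourceVolume": "docker_sock"}]}
    fixed = {"name": "runner", "image": "github-runner-entrypoint:0.8", "privileged": True,
             "mount_points": [{"containerPath": "/var/run/docker.sock",
                               "sourceVolume": "docker_sock", "readOnly": False}]}
    for label, d in (("broken", broken), ("fixed", fixed)):
        print(label, "problems:", check_definition(d, volumes))
        print(label, "risk notes:", risk_notes(d, volumes))
```

`risk_notes` is a reminder rather than a correctness check: a task that mounts the instance's Docker socket, or runs with `privileged = true`, can run arbitrary containers as root on that EC2 instance, so the jobs executing inside it (here, CI runners) should be treated as having host access when the cluster is sized and its IAM roles are scoped.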

RazvanGherlea (Author) commented:

Thanks a lot @bryantbiggs for the reply and the documentation link.

github-actions bot commented:

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2023