This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

Add support for task networking (awsvpc as network_mode) #2739

Closed
aureliomarcoag opened this issue Apr 11, 2019 · 2 comments

@aureliomarcoag

RancherOS Version: (ros os version)
v1.5.1
Where are you running RancherOS? (docker-machine, AWS, GCE, baremetal, etc.)
AWS ECS

Hi,
I'm currently using RancherOS to deploy a sample Nginx WebApp using ECS, which supports bridge and awsvpc network modes. RancherOS works fine with the former, but apparently won't work with awsvpc. Since I want to use AWS AppMesh as well, I need awsvpc network mode to work (see this).
I've done some digging and what I found is that apparently all we need to get awsvpc to work is to run the ecs-agent with the "--init" flag:

aws/amazon-ecs-agent#1083 (comment)

To configure an ENI for containers/tasks, ECS agent depends on tools such as dhclient and on some container capabilities such as the --init flag, SYSTEM_ADMIN and NET_ADMIN capabilities that are provided via Docker. ECS init is a convenient way for the ECS agent to be bootstrapped with all of these so that tasks that require ENIs do not fail during initialization because of missing dependencies/configurations.

And indeed, I was able to make it work by running the command @aaithal posted here on my RancherOS ECS Instance:

```bash
docker run --name ecs-agent \
  --init \
  --restart=on-failure:10 \
  --volume=/var/run:/var/run \
  --volume=/var/log/ecs/:/log \
  --volume=/var/lib/ecs/data:/data \
  --volume=/etc/ecs:/etc/ecs \
  --volume=/sbin:/sbin \
  --volume=/lib:/lib \
  --volume=/lib64:/lib64 \
  --volume=/usr/lib:/usr/lib \
  --volume=/proc:/host/proc \
  --volume=/sys/fs/cgroup:/sys/fs/cgroup \
  --volume=/var/lib/ecs/dhclient:/var/lib/dhclient \
  --net=host \
  --env ECS_LOGFILE=/log/ecs-agent.log \
  --env ECS_DATADIR=/data \
  --env ECS_UPDATES_ENABLED=false \
  --env ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","syslog","awslogs"]' \
  --env ECS_ENABLE_TASK_IAM_ROLE=true \
  --env ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true \
  --env ECS_UPDATES_ENABLED=true \
  --env ECS_ENABLE_TASK_ENI=true \
  --env ECS_CLUSTER=default-cmage-nginx-cluster \
  --cap-add=sys_admin \
  --cap-add=net_admin \
  amazon/amazon-ecs-agent:latest
```

The running task: [screenshot]

Containers in the instance: [screenshot]

We can already pass ECS_* variables to ecs-agent, so the only thing missing here would be allowing users to define a different command for system services, I believe. An example cloud-config would look like this:

```yaml
#cloud-config
rancher:
  ...
  services_include:
    amazon-ecs-agent: true
      command: /ecs-agent --init
```

I couldn't find any documentation that shows an example of this being possible, which is why I'm resorting to opening this issue.

@aureliomarcoag (Author)

Sorry, I got it all wrong. I somehow mistook the "--init" argument for a container argument, but it's rather an argument to 'docker run'.

@aureliomarcoag (Author)

Still, it would be nice if this was possible.
Can I specify additional env vars to system services and add the "init: true" (--init) parameter?
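A check for the awsvpc prerequisites discussed in this issue, added here as example code (not from RancherOS or the ECS agent): it reads `docker inspect` output for the agent container and reports whether `--init`, `NET_ADMIN`/`SYS_ADMIN`, host networking and `ECS_ENABLE_TASK_ENI=true` are present, flags env keys set twice with conflicting values (as `ECS_UPDATES_ENABLED` is in the command above), and lists the host directories mounted into the agent, since together with `SYS_ADMIN` they make the agent container host-equivalent. The inline JSON is a constructed sample shaped like that output; the field names (`HostConfig.Init`, `HostConfig.CapAdd`, `Config.Env`, `HostConfig.Binds`) are real `docker inspect` keys.

```python
import json

# Constructed sample shaped like `docker inspect ecs-agent` output for the container
# started by the command in this issue (only the fields the check reads are reproduced).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/ecs-agent",
    "Config": {"Env": [
        "ECS_ENABLE_TASK_ENI=true",
        "ECS_UPDATES_ENABLED=false",
        "ECS_UPDATES_ENABLED=true",
        "ECS_CLUSTER=default-cmage-nginx-cluster",
    ]},
    "HostConfig": {
        "Init": True,
        "NetworkMode": "host",
        "CapAdd": ["sys_admin", "net_admin"],
        "Binds": ["/var/run:/var/run", "/sbin:/sbin", "/lib:/lib", "/proc:/host/proc"],
    },
}])

REQUIRED_CAPS = {"NET_ADMIN", "SYS_ADMIN"}  # task ENI configuration needs both
HOST_ROOT_BINDS = {"/sbin", "/lib", "/lib64", "/usr/lib", "/proc"}  # host paths the command mounts

def env_map(env_list):
    """Split KEY=VALUE entries; return (effective values, keys set twice with different values)."""
    seen, conflicts = {}, set()
    for entry in env_list or []:
        key, _, value = entry.partition("=")
        if key in seen and seen[key] != value:
            conflicts.add(key)
        seen[key] = value  # later entries shadow earlier ones
    return seen, conflicts

def check_agent(inspect_json):
    """Return findings for the agent container; no 'missing' entry means the awsvpc prerequisites are present."""
    container = json.loads(inspect_json)[0]
    host = container.get("HostConfig", {})
    env, conflicts = env_map(container.get("Config", {}).get("Env"))
    findings = []
    if not host.get("Init"):
        findings.append("missing --init (no init process to reap the agent's dhclient children)")
    caps = {(c.upper()[4:] if c.upper().startswith("CAP_") else c.upper()) for c in host.get("CapAdd") or []}
    for cap in sorted(REQUIRED_CAPS - caps):
        findings.append(f"missing --cap-add={cap}")
    if env.get("ECS_ENABLE_TASK_ENI") != "true":
        findings.append("ECS_ENABLE_TASK_ENI is not 'true'")
    if host.get("NetworkMode") != "host":
        findings.append("agent is not on --net=host")
    for key in sorted(conflicts):
        findings.append(f"env {key} set more than once with different values; effective value {env[key]!r}")
    mounted = sorted(b.split(":")[0] for b in host.get("Binds") or [] if b.split(":")[0] in HOST_ROOT_BINDS)
    if mounted:  # informational: with SYS_ADMIN plus these mounts, treat the agent as host-equivalent
        findings.append("note: host paths mounted into agent: " + ", ".join(mounted))
    return findings
```

Run it against a live instance with `docker inspect ecs-agent | python3 -c 'import sys,check; print(check.check_agent(sys.stdin.read()))'` (assuming the block is saved as check.py).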
