By default, on RHEL, the /var directory is not readable within a container, even if mounted, unless it has been labeled appropriately. Simply running chcon -Rt svirt_sandbox_file_t /var/lib/ecs/data on the EC2 instance fixed the problem. The ECS agent should take care of this.
Expected Behavior
root@system-09a0f119c3fd27eb1:/# echo $ECS_CONTAINER_METADATA_FILE
/opt/ecs/metadata/15726a86-938f-49b1-9521-80e6334e6e6b/ecs-container-metadata.json
root@system-09a0f119c3fd27eb1:/# ls -l $ECS_CONTAINER_METADATA_FILE
-rw-r--r--. 1 root root 779 Nov 27 12:10 ecs-container-metadata.json
I think there are a few options available that could make this more straightforward for future use cases.
If we put this into agent, we could do something like this:
Check metadata is enabled.
If enabled, check if selinux is enforced and if the permissions are set correctly.
If required, set the permissions.
An alternative would be to fail fast, indicating that there is a problem with the host setup. This would:
Check if metadata is enabled.
If enabled, check that the data directory is readable.
If not readable, fail to start agent.
I'm hesitant to do the first option, because we typically delegate host setup to ecs-init. Agent already expects the parameters it's given to be usable.
Failing fast is not an option here as ecs-agent runs in privileged mode and already has permission to access the /data directory.
While we are working on an actual fix, here is a workaround that you can use to access the /data directory:
Run the task in privileged mode.
The actual fix could be something like:
If both ECS_SELINUX_CAPABLE and ECS_ENABLE_CONTAINER_METADATA are set to true on the ECS Agent, we mount the metadata directory in Z mode.
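The two remedies discussed in this thread (relabeling the host directory with chcon, or letting Docker relabel the bind mount with :Z) and the agent-side check proposed above can be exercised with the script below. It is an added example, not code from the ECS agent or from anyone in this thread. It assumes the data directory path from the issue (/var/lib/ecs/data), that GNU stat, getenforce and chcon are available on the host, and that the newer container_file_t type is an acceptable alias for svirt_sandbox_file_t; the function names are my own.

```shell
#!/bin/sh
# Added example (not ECS agent code): check whether the ECS data directory
# carries an SELinux type a container can read, and relabel it if not.
# Mirrors the proposal in the thread: only act when container metadata is
# enabled, SELinux is enforcing, and the label is wrong.

# Assumption: same path the issue uses for the agent's bind mount.
ECS_DATA_DIR="${ECS_DATA_DIR:-/var/lib/ecs/data}"

# Extract the type field from a context such as
# "system_u:object_r:var_lib_t:s0" (fields are user:role:type:level).
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the context's type is one containers may access.
# svirt_sandbox_file_t is the type the issue relabels to; container_file_t
# is its alias on newer container-selinux policies.
container_readable() {
    case "$(label_type "$1")" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what to do. Arguments: metadata-enabled flag ("true"/"false"),
# SELinux mode as printed by getenforce, directory context.
# Echoes one of: skip, ok, relabel.
decide() {
    enabled="$1"; mode="$2"; ctx="$3"
    if [ "$enabled" != "true" ] || [ "$mode" != "Enforcing" ]; then
        echo skip; return
    fi
    if container_readable "$ctx"; then echo ok; else echo relabel; fi
}

# Live check against the real host; only meaningful on a RHEL-family system.
# Reads ECS_ENABLE_CONTAINER_METADATA from the environment like the agent does.
check_host() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "no SELinux tooling found; nothing to do"; return 0
    fi
    mode="$(getenforce)"
    ctx="$(stat -c %C "$ECS_DATA_DIR")"
    case "$(decide "${ECS_ENABLE_CONTAINER_METADATA:-false}" "$mode" "$ctx")" in
        skip)    echo "metadata disabled or SELinux is $mode; no relabel needed" ;;
        ok)      echo "$ECS_DATA_DIR already labeled $(label_type "$ctx")" ;;
        relabel) echo "relabeling $ECS_DATA_DIR (was $(label_type "$ctx"))"
                 chcon -Rt svirt_sandbox_file_t "$ECS_DATA_DIR" ;;
    esac
}

# Alternative from the thread: have Docker relabel the bind mount itself
# (private MCS label) instead of running chcon on the host, e.g.
#   docker run ... -v /var/lib/ecs/data:/data:Z amazon/amazon-ecs-agent:latest

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `ECS_ENABLE_CONTAINER_METADATA=true ./check-label.sh --check` on the instance; without `--check` it only defines the functions. The decision logic is kept separate from the commands that touch the host so the label handling can be tested on any machine, which is also the shape an agent-side check would want: the expensive, privileged step (chcon) runs only when the cheap checks say it is needed.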
Summary
ECS_CONTAINER_METADATA_FILE not readable from within container on RHEL unless chcon -Rt svirt_sandbox_file_t /var/lib/ecs/data is run on the host

Description
This blog post explains the problem better than I can: http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/