Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I want the ECS service container daemon to be run by a non-root user. By using the USER instruction I am able to run the process inside the container as a non-root user, but it's recommended to also run the container itself with a non-privileged user.
When I run dockerd with the rootless experimental feature and start the container on that host manually, it runs rootless. I want to achieve the same result when we deploy an ECS service. But as soon as I start the ecs agent and deploy my ECS service, it starts the container as the root user. This is because when the ecs agent starts, it checks whether dockerd is running or not (via the Docker Host file), and if it does not find the default socket file, it starts dockerd. In my case, when I start the ecs agent, it starts a new dockerd on my host because rootless dockerd created its socket file in a different location. So I tried to define the DOCKER_HOST parameter so that when the ECS agent starts, it finds that dockerd is already running and does not start a new dockerd as root. But when I define that Docker socket path, amazon-ecs-init fails to start with a permission error because the socket /home//.docker/run/docker.sock is owned by that non-root user.
amazon-ecs-init: 2020-09-02T19:46:59Z [ERROR] could not start Agent: API error (500): {"message":"OCI runtime create failed: container_linux.go:349: starting container process caused \"process_linux.go:449: container init caused \\\"rootfs_linux.go:58: mounting \\\\\\\"/proc\\\\\\\" to rootfs \\\\\\\"/home/cvt_ecs_java/.local/share/docker/vfs/dir/xxxxxxxxxxxxx\\\\\\\" at \\\"/home/cvt_ecs_java/.local/share/docker/vfs/dir/xxxxxxxxxxxxxx/host/proc\\\" caused \\\\\\\"operation not permitted\\\\\\\"\\\"\": unknown"}
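As an added host-side check (not part of this issue or of the ecs-agent code), the Python below resolves which socket an agent would dial from DOCKER_HOST, tests the caller's POSIX access to it, and reads `docker info` output to tell whether that daemon is rootless; the default socket path, the sample `docker info` JSON and the `preflight` helper name are my assumptions.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Assumed default socket the agent falls back to when DOCKER_HOST is unset.
DEFAULT_SOCKET = "/var/run/docker.sock"
# Constructed sample of `docker info --format '{{json .}}'` from a rootless daemon.
SAMPLE_INFO = '{"SecurityOptions": ["name=seccomp,profile=default", "name=rootless"]}'

def socket_path_from_docker_host(docker_host):
    """Socket path the Docker client would dial, or None for tcp://, ssh://, ..."""
    if not docker_host:
        return DEFAULT_SOCKET
    parsed = urlparse(docker_host)
    return parsed.path if parsed.scheme == "unix" and parsed.path else None

def rw_allowed(mode, owner_uid, owner_gid, uid, gid):
    """Plain POSIX DAC check: may uid/gid open the socket read+write?
    Ignores ACLs and LSM policy; root bypasses DAC (CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif gid == owner_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o6 == 0o6

def daemon_is_rootless(docker_info_json):
    """A rootless daemon advertises 'name=rootless' in SecurityOptions."""
    opts = json.loads(docker_info_json).get("SecurityOptions") or []
    return any(opt.split(",")[0] == "name=rootless" for opt in opts)

def preflight(docker_host, docker_info_json, uid=None, gid=None):
    """Socket the agent would use, whether uid/gid can open it (DAC only),
    and whether the daemon answering `docker info` is rootless."""
    path = socket_path_from_docker_host(docker_host)
    report = {"socket": path, "rootless": daemon_is_rootless(docker_info_json)}
    if path is None or not os.path.exists(path):
        return report
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    report["is_socket"] = stat.S_ISSOCK(st.st_mode)
    report["owner_uid"] = st.st_uid
    report["can_open"] = rw_allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid)
    return report
```

On a live host, feed `preflight` the DOCKER_HOST value the agent's environment exports and the output of `docker info --format '{{json .}}'`; a root-run agent will pass the DAC check for a user-owned socket, so the `rootless` flag is the part that tells you which daemon it actually reached.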
Can a maintainer or another involved individual confirm whether ECS currently supports rootless Docker and, if so, which version of the ECS agent, and whether this is documented anywhere in the AWS documentation?
I would like to be able to run the ECS agent on a non-ECS optimized EC2 image (i.e. a normal RHEL8 EC2 instance) but have ECS use rootless Docker.
Are there any updates on this issue?
I can explain the reasoning behind wanting to run rootless Docker but not caring about running rootful ECS agent via systemd in a less public venue.
Community Note
Tell us about your request
ECS agent support for Rootless Docker Daemon https://docs.docker.com/engine/security/rootless/
Which service(s) is this request for?
ECS