README
Amazon ECS Container Agent
The Amazon ECS Container Agent is software developed for Amazon EC2 Container Service (Amazon ECS).
It runs on container instances and starts containers on behalf of Amazon ECS.
Usage
The best source of information on running this software is the Amazon ECS documentation.
On the Amazon Linux AMI
On the Amazon Linux AMI, we provide an init package which can be used via sudo yum install ecs-init && sudo start ecs. This is the recommended way to run it in this environment.
On Other AMIs
The Amazon ECS Container Agent may also be run in a Docker container on an EC2 instance with a recent Docker version installed. A Docker image is available in our Docker Hub Repository.
$ mkdir -p /var/log/ecs /etc/ecs /var/lib/ecs/data
$ touch /etc/ecs/ecs.config
$ docker run --name ecs-agent \
--restart on-failure:10 -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /var/log/ecs:/log \
-v /var/lib/ecs/data:/data \
-v /var/lib/docker:/var/lib/docker \
-p 127.0.0.1:51678:51678 \
--env-file /etc/ecs/ecs.config \
-e ECS_LOGFILE=/log/ecs-agent.log \
-e ECS_DATADIR=/data/ \
amazon/amazon-ecs-agent
See also the Advanced Usage section below.
Building and Running from Source
Running the Amazon ECS Container Agent outside of Amazon EC2 is not supported.
Docker Image
The Amazon ECS Container Agent may be built by typing make with the Docker daemon (v1.5.0) running.
This produces an image tagged amazon/ecs-container-agent:make that you may run as described above.
Standalone
The Amazon ECS Container Agent may also be run outside of a Docker container as a go binary. This is not recommended for production, but it can be useful for development or easier integration with your local Go tools.
The following commands run the agent outside of Docker:
make gobuild
./out/amazon-ecs-agent
Make Targets
The following targets are available. Each may be run with make <target>.
Make Target | Description |
---|---|
release | (Default) Builds the agent within a Docker container and packages it into a scratch-based image |
gobuild | Runs a normal go build of the agent and stores the binary in ./out/amazon-ecs-agent |
static | Runs go build to produce a static binary in ./out/amazon-ecs-agent |
test | Runs all tests using go test |
test-in-docker | Runs all tests inside a Docker container |
clean | Removes build artifacts. Note: this does not remove Docker images |
Advanced Usage
The Amazon ECS Container Agent supports a number of configuration options, most of which should be set through environment variables.
Environment Variables
The following environment variables are available. All of them are optional. They are listed in a general order of likelihood that a user may want to configure them as something other than the defaults.
Environment Key | Example Value(s) | Description | Default Value |
---|---|---|---|
ECS_CLUSTER | clusterName | The cluster this agent should check into. | default |
ECS_RESERVED_PORTS | [22, 80, 5000, 8080] | An array of ports that should be marked as unavailable for scheduling on this container instance. | [22, 2375, 2376, 51678] |
ECS_RESERVED_PORTS_UDP | [53, 123] | An array of UDP ports that should be marked as unavailable for scheduling on this container instance. | [] |
ECS_ENGINE_AUTH_TYPE | "docker" \| "dockercfg" | The type of auth data that is stored in the ECS_ENGINE_AUTH_DATA key. | |
ECS_ENGINE_AUTH_DATA | See the dockerauth documentation | Docker auth data formatted as defined by ECS_ENGINE_AUTH_TYPE. | |
AWS_DEFAULT_REGION | <us-west-2>\|<us-east-1>\|… | The region to be used in API requests as well as to infer the correct backend host. | Taken from Amazon EC2 instance metadata. |
AWS_ACCESS_KEY_ID | AKIDEXAMPLE | The access key used by the agent for all calls. | Taken from Amazon EC2 instance metadata. |
AWS_SECRET_ACCESS_KEY | EXAMPLEKEY | The secret key used by the agent for all calls. | Taken from Amazon EC2 instance metadata. |
DOCKER_HOST | unix:///var/run/docker.sock | Used to create a connection to the Docker daemon; behaves similarly to this environment variable as used by the Docker client. | unix:///var/run/docker.sock |
ECS_LOGLEVEL | <crit> \| <error> \| <warn> \| <info> \| <debug> | The level of detail that should be logged. | info |
ECS_LOGFILE | /ecs-agent.log | The location where logs should be written. Log level is controlled by ECS_LOGLEVEL. | blank |
ECS_CHECKPOINT | <true \| false> | Whether to checkpoint state to the DATADIR specified below. | true if ECS_DATADIR is explicitly set to a non-empty value; false otherwise |
ECS_DATADIR | /data/ | The container path where state is checkpointed for use across agent restarts. | /data/ |
ECS_UPDATES_ENABLED | <true \| false> | Whether to exit for an updater to apply updates when requested. | false |
ECS_UPDATE_DOWNLOAD_DIR | /cache | Where to place update tarballs within the container. | |
ECS_DISABLE_METRICS | <true \| false> | Whether to disable metrics gathering for tasks. | false |
AWS_SESSION_TOKEN | | The session token used for temporary credentials. | Taken from Amazon EC2 instance metadata. |
ECS_RESERVED_MEMORY | 32 | Memory, in MB, to reserve for use by things other than containers managed by Amazon ECS. | 0 |
ECS_AVAILABLE_LOGGING_DRIVERS | ["awslogs","fluentd","gelf","json-file","journald","splunk","syslog"] | Which logging drivers are available on the container instance. | ["json-file"] |
ECS_DISABLE_PRIVILEGED | true | Whether launching privileged containers is disabled on the container instance. | false |
ECS_SELINUX_CAPABLE | true | Whether SELinux is available on the container instance. | false |
ECS_APPARMOR_CAPABLE | true | Whether AppArmor is available on the container instance. | false |
ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION | 10m | Time to wait to delete containers for a stopped task. If set to less than 1 minute, the value is ignored. | 3h |
ECS_CONTAINER_STOP_TIMEOUT | 10m | Time to wait for the container to exit normally before being forcibly killed. | 30s |
ECS_ENABLE_TASK_IAM_ROLE | true | Whether to enable IAM Roles for Tasks on the Container Instance | false |
ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST | true | Whether to enable IAM Roles for Tasks when launched with host network mode on the Container Instance | false |
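The following is an added example, not code from the agent's repository: a shell function that checks an env file such as /etc/ecs/ecs.config against three settings from the table above (static AWS credentials, ECS_DISABLE_PRIVILEGED, and ECS_ENGINE_AUTH_DATA in a readable file). The function names cfg_value and audit_ecs_config and the wording of the findings are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Usage: audit_ecs_config /etc/ecs/ecs.config

# cfg_value FILE KEY: print the last value assigned to KEY (comment lines never match).
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_ecs_config FILE: print one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if the file is unreadable.
audit_ecs_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }

    # Keys written into the file override the table's default source,
    # which is the Amazon EC2 instance metadata.
    for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        if [ -n "$(cfg_value "$cfg" "$key")" ]; then
            echo "FINDING: $key is set in $cfg; default is EC2 instance metadata"
            rc=1
        fi
    done

    # ECS_DISABLE_PRIVILEGED defaults to false, so privileged containers
    # can be launched unless the file sets it to true.
    if [ "$(cfg_value "$cfg" ECS_DISABLE_PRIVILEGED)" != "true" ]; then
        echo "FINDING: ECS_DISABLE_PRIVILEGED is not true; privileged containers can be launched"
        rc=1
    fi

    # Registry credentials in ECS_ENGINE_AUTH_DATA should not sit in a file
    # that group members or other local users can read.
    if [ -n "$(cfg_value "$cfg" ECS_ENGINE_AUTH_DATA)" ] &&
       [ -n "$(find "$cfg" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FINDING: $cfg holds ECS_ENGINE_AUTH_DATA and is group/world readable"
        rc=1
    fi

    return "$rc"
}
```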
Persistence
When you run the Amazon ECS Container Agent in production, its datadir should be persisted between runs of the Docker container. If this data is not persisted, the agent registers a new container instance ARN on each launch and is not able to update the state of tasks it previously ran.
Flags
The agent also supports the following flags:
* -k: The agent will not require valid SSL certificates for the services that it communicates with.
* -loglevel: Options: [<crit>|<error>|<warn>|<info>|<debug>]. The agent will output on stdout at the given level. This is overridden by the ECS_LOGLEVEL environment variable, if present.
Contributing
Contributions and feedback are welcome! Proposals and pull requests will be considered and responded to. For more information, see the CONTRIBUTING.md file.
Amazon Web Services does not currently provide support for modified copies of this software.
License
The Amazon ECS Container Agent is licensed under the Apache 2.0 License.
Directories
Path | Synopsis |
---|---|
acs/client | Package acsclient wraps the generated aws-sdk-go client to provide marshalling and unmarshalling of data over a websocket connection in the format expected by ACS. |
acs/handler | Package handler deals with appropriately reacting to all ACS messages as well as maintaining the connection to ACS. |
acs/update_handler | Package updater handles requests to update the agent. |
acs/update_handler/os | Package os provides interfaces around the 'os', 'io', and 'ioutil' functions so that they may be mocked out appropriately |
api/testutils | Package testutils contains files that are used in tests but not elsewhere and thus can be excluded from the final executable. |
config | Package config handles loading configuration data, warning on missing data, and setting sane defaults. |
ecr | Package ecr helps generate clients to talk to the ECR API |
engine | The 'engine' package contains code for interacting with container-running backends and handling events from them. |
engine/dockerauth | Package dockerauth handles storing auth configuration information for Docker registries. |
engine/dockeriface | Package dockeriface contains an interface for go-dockerclient matching the subset used by the agent |
engine/dockerstate/testutils | Package testutils contains files that are used in tests but not elsewhere and thus can be excluded from the final executable. |
engine/emptyvolume | Package emptyvolume contains some information related to the 'emptyvolumes' |
engine/testutils | Package testutils contains files that are used in tests but not elsewhere and thus can be excluded from the final executable. |
eventstream | Package handler deals with appropriately reacting to all ACS messages as well as maintaining the connection to ACS. |
handlers | Package handlers deals with the agent introspection api. |
httpclient | Package httpclient provides a thin, but testable, wrapper around http.Client. |
sighandlers | sighandlers handle signals and behave appropriately. |
sighandlers/exitcodes | Package exitcodes defines agent exit codes |
statemanager | Package statemanager implements simple constructs for saving and restoring state from disk. |
utils/atomic | Package atomic implements higher level constructs on top of the stdlib atomic package |
utils/sync | Package sync is an analogue to the stdlib sync package. |
utils/ttime | Package ttime implements a testable alternative to the Go "time" package. |
version | Package version contains constants to indicate the current version of the agent. |
wsclient | Package wsclient wraps the generated aws-sdk-go client to provide marshalling and unmarshalling of data over a websocket connection in the format expected by backend. |
misc | |
netkitten | Netkitten is a slimmed down netcat intended to make our integ tests able to run containers lighter than busybox+netcat, but still be able to do suitably complex network testing. |