Merge remote-tracking branch 'upstream/master' into centos

.travis.yml

@@ -2,7 +2,7 @@ language: go
 go_import_path: github.com/aws/amazon-ecs-init
 sudo: false
 go:
-  - 1.12
+  - 1.15
 
 matrix:
   include:

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## 1.50.2-1
+* Cache Agent version 1.50.2
+
+## 1.50.1-1
+* Cache Agent version 1.50.1
+* Does not restart ECS Agent when it exits with exit code 5
+
+## 1.50.0-1
+* Cache Agent version 1.50.0
+* Allows ECS customers to execute interactive commands inside containers.
+
+## 1.49.0-1
+* Cache Agent version 1.49.0
+* Removes iptable rule that drops packets to port 51678 unconditionally on ecs service stop
+
+## 1.48.1-1
+* Cache Agent version 1.48.1
+
+## 1.48.0-2
+* Cache Agent version 1.48.0
+
+## 1.47.0-1
+* Cache Agent version 1.47.0
+
+## 1.46.0-1
+* Cache Agent version 1.46.0
+
+## 1.45.0-1
+* Cache Agent version 1.45.0
+* Block offhost access to agent's introspection port by default. Configurable via env ECS\_ALLOW\_OFFHOST\_INTROSPECTION\_ACCESS
+
 ## 1.44.4-1
 * Cache Agent version 1.44.4
 

Makefile

@@ -22,6 +22,22 @@ dev:
 generate:
 	PATH=$(PATH):$(shell pwd)/scripts go generate -v ./...
 
+PLATFORM:=$(shell uname -s)
+ifeq (${PLATFORM},Linux)
+                dep_arch=linux-386
+        else ifeq (${PLATFORM},Darwin)
+                dep_arch=darwin-386
+        endif
+
+DEP_VERSION=v0.5.0
+.PHONY: get-dep
+get-dep: bin/dep
+
+bin/dep:
+	mkdir -p ./bin
+	curl -L https://github.com/golang/dep/releases/download/$(DEP_VERSION)/dep-${dep_arch} -o ./bin/dep
+	chmod +x ./bin/dep
+
 static:
 	./scripts/gobuild.sh
 
@@ -111,7 +127,7 @@ ubuntu-trusty:
 get-deps:
 	go get golang.org/x/tools/cover
 	go get golang.org/x/tools/cmd/cover
-	go get github.com/fzipp/gocyclo
+	go get github.com/fzipp/gocyclo/cmd/gocyclo
 	go get golang.org/x/tools/cmd/goimports
 	go get github.com/golang/mock/mockgen
 	go get honnef.co/go/tools/cmd/staticcheck
@@ -123,6 +139,7 @@ clean:
 	-rm -f amazon-ecs-volume-plugin.conf
 	-rm -f amazon-ecs-volume-plugin.service
 	-rm -f amazon-ecs-volume-plugin.socket
+	-rm -rf ./bin
 	-rm -f ./sources.tgz
 	-rm -f ./amazon-ecs-init
 	-rm -f ./ecs-agent-*.tar

README.md

@@ -24,6 +24,11 @@ Additionally, the following environment variable(s) can be used to configure the
 | Environment Variable Name | Example Value(s)            | Description | Default value |
 |:----------------|:----------------------------|:------------|:-----------------------|
 | `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER` | <true | false> | By default, the ecs-init service adds an iptable rule to drop non-local packets to localhost if they're not part of an existing forwarded connection or DNAT, and removes the rule upon stop. If `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER` is set to true, this rule will not be added/removed. | false |
+| `ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS` | <true | false> | By default, the ecs-init service adds an iptable rule to block access to ECS Agent's introspection port from off-host (or containers in awsvpc network mode), and removes the rule upon stop. If `ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS` is set to true, this rule will not be added/removed. | false |
+
+The above environment variable(s) can be used in the following way
+- On Amazon Linux 1, the flag `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER` can be turned on by adding `env ECS_SKIP_LOCALHOST_TRAFFIC_FILTER=true` to /etc/init/ecs.conf.
+- On Amazon Linux 2, the flag `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER` can be turned on by adding `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER=true` to /etc/ecs/ecs.config.
 
 ## Usage
 The upstart script installed by the Amazon Elastic Container Service RPM can be started or stopped with the following commands respectively:

ecs-init/ECSVERSION

@@ -1 +1 @@
-1.44.4
+1.50.2

ecs-init/Gopkg.toml

@@ -35,7 +35,7 @@
 
 [[constraint]]
   name = "github.com/aws/aws-sdk-go"
-  version = "1.27.0"
+  version = "v1.36.0"
 
 [prune]
   go-tests = true

ecs-init/config/common.go

@@ -46,7 +46,7 @@ const (
 	// DefaultAgentVersion is the version of the agent that will be
 	// fetched if required. This should look like v1.2.3 or an
 	// 8-character sha, as is downloadable from S3.
-	DefaultAgentVersion = "v1.44.4"
+	DefaultAgentVersion = "v1.50.2"
 
 	// AgentPartitionBucketName is the name of the paritional s3 bucket that stores the agent
 	AgentPartitionBucketName = "amazon-ecs-agent"

ecs-init/docker/docker.go

@@ -17,6 +17,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"io"
+	"os"
 	"path/filepath"
 	"strings"
 	"time"
@@ -106,6 +107,16 @@ const (
 	iptablesUsrLibDir   = "/usr/lib"
 	iptablesLib64Dir    = "/lib64"
 	iptablesUsrLib64Dir = "/usr/lib64"
+
+	hostResourcesRootDir      = "/var/lib/ecs/deps"
+	containerResourcesRootDir = "/managed-agents"
+
+	execCapabilityName     = "execute-command"
+	execBinRelativePath    = "bin"
+	execConfigRelativePath = "config"
+	execCertsRelativePath  = "certs"
+
+	execAgentLogRelativePath = "/exec"
 )
 
 var pluginDirs = []string{
@@ -114,6 +125,8 @@ var pluginDirs = []string{
 	pluginSpecFilesUsrDir,
 }
 
+var isPathValid = defaultIsPathValid
+
 // Client enables business logic for running the Agent inside Docker
 type Client struct {
 	docker dockerclient
@@ -256,7 +269,7 @@ func (c *Client) getContainerConfig(envVarsFromFiles map[string]string) *godocke
 		"ECS_AGENT_CONFIG_FILE_PATH":            config.AgentJSONConfigFile(),
 		"ECS_UPDATE_DOWNLOAD_DIR":               config.CacheDirectory(),
 		"ECS_UPDATES_ENABLED":                   "true",
-		"ECS_AVAILABLE_LOGGING_DRIVERS":         `["json-file","syslog","awslogs","none"]`,
+		"ECS_AVAILABLE_LOGGING_DRIVERS":         `["json-file","syslog","awslogs","fluentd","none"]`,
 		"ECS_ENABLE_TASK_IAM_ROLE":              "true",
 		"ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST": "true",
 		"ECS_AGENT_LABELS":                      "",
@@ -375,6 +388,7 @@ func (c *Client) getHostConfig(envVarsFromFiles map[string]string) *godocker.Hos
 		config.CgroupMountpoint() + ":" + DefaultCgroupMountpoint,
 		// bind mount instance config dir
 		config.InstanceConfigDirectory() + ":" + config.InstanceConfigDirectory(),
+		filepath.Join(config.LogDirectory(), execAgentLogRelativePath) + ":" + filepath.Join(logDir, execAgentLogRelativePath),
 	}
 
 	// for al, al2 add host ssl cert directory mounts
@@ -393,6 +407,10 @@ func (c *Client) getHostConfig(envVarsFromFiles map[string]string) *godocker.Hos
 	}
 
 	binds = append(binds, getDockerPluginDirBinds()...)
+
+	// only add bind mounts when the src file/directory exists on host; otherwise docker API create an empty directory on host
+	binds = append(binds, getCapabilityExecBinds()...)
+
 	return createHostConfig(binds)
 }
 
@@ -427,6 +445,46 @@ func getDockerPluginDirBinds() []string {
 	return pluginBinds
 }
 
+func getCapabilityExecBinds() []string {
+	hostResourcesDir := filepath.Join(hostResourcesRootDir, execCapabilityName)
+	containerResourcesDir := filepath.Join(containerResourcesRootDir, execCapabilityName)
+
+	var binds []string
+
+	// bind mount the entire /host/dependency/path/execute-command/bin folder
+	hostBinDir := filepath.Join(hostResourcesDir, execBinRelativePath)
+	if isPathValid(hostBinDir, true) {
+		binds = append(binds,
+			hostBinDir+":"+filepath.Join(containerResourcesDir, execBinRelativePath)+readOnly)
+	}
+
+	// bind mount the entire /host/dependency/path/execute-command/config folder
+	// in read-write mode to allow ecs-agent to write config files to host file system
+	// (docker will) create the config folder if it does not exist
+	hostConfigDir := filepath.Join(hostResourcesDir, execConfigRelativePath)
+	binds = append(binds,
+		hostConfigDir+":"+filepath.Join(containerResourcesDir, execConfigRelativePath))
+
+	// bind mount the entire /host/dependency/path/execute-command/certs folder
+	hostCertsDir := filepath.Join(hostResourcesDir, execCertsRelativePath)
+	if isPathValid(hostCertsDir, true) {
+		binds = append(binds,
+			hostCertsDir+":"+filepath.Join(containerResourcesDir, execCertsRelativePath)+readOnly)
+	}
+
+	return binds
+}
+
+func defaultIsPathValid(path string, shouldBeDirectory bool) bool {
+	fileInfo, err := os.Stat(path)
+	if err != nil {
+		return false
+	}
+
+	isDirectory := fileInfo.IsDir()
+	return (isDirectory && shouldBeDirectory) || (!isDirectory && !shouldBeDirectory)
+}
+
 // nvidiaGPUDevicesPresent checks if nvidia GPU devices are present in the instance
 func nvidiaGPUDevicesPresent() bool {
 	matches, err := MatchFilePatternForGPU(gpu.NvidiaGPUDeviceFilePattern)