• Stars
    star
    2,005
  • Rank 23,098 (Top 0.5 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 10 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Amazon Elastic Container Service Agent

Amazon ECS Container Agent

Amazon ECS logo

The Amazon ECS Container Agent is a component of Amazon Elastic Container Service (Amazon ECS) and is responsible for managing containers on behalf of Amazon ECS.

This repository comes with ECS-Init, which is a systemd based service to support the Amazon ECS Container Agent and keep it running. It is used for systems that utilize systemd as init systems and is packaged as deb or rpm. The source for ECS-Init is available in this repository at ./ecs-init while the packaging is available at ./packaging.

Usage

The best source of information on running this software is the Amazon ECS documentation.

On the Amazon Linux AMI

On the Amazon Linux AMI, we provide an installable RPM which can be used via sudo yum install ecs-init && sudo start ecs. This is the recommended way to run it in this environment.

On Other Linux AMIs

Amazon ECS docs provides deb and rpm packages and instructions to install ECS Container Agent on non-Amazon Linux instances.

The Amazon ECS Container Agent may also be run in a Docker container on an EC2 instance with a recent Docker version installed. Docker images are available in Docker Hub Repository and ECR Public Gallery.

$ # Set up directories the agent uses
$ mkdir -p /var/log/ecs /etc/ecs /var/lib/ecs/data
$ touch /etc/ecs/ecs.config
$ # Set up necessary rules to enable IAM roles for tasks
$ sysctl -w net.ipv4.conf.all.route_localnet=1
$ iptables -t nat -A PREROUTING -p tcp -d 169.254.170.2 --dport 80 -j DNAT --to-destination 127.0.0.1:51679
$ iptables -t nat -A OUTPUT -d 169.254.170.2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
$ # Run the agent
$ docker run --name ecs-agent \
    --detach=true \
    --restart=on-failure:10 \
    --volume=/var/run/docker.sock:/var/run/docker.sock \
    --volume=/var/log/ecs:/log \
    --volume=/var/lib/ecs/data:/data \
    --net=host \
    --env-file=/etc/ecs/ecs.config \
    --env=ECS_LOGFILE=/log/ecs-agent.log \
    --env=ECS_DATADIR=/data/ \
    --env=ECS_ENABLE_TASK_IAM_ROLE=true \
    --env=ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true \
    amazon/amazon-ecs-agent:latest

On Other Linux AMIs when awsvpc networking mode is enabled

For the AWS VPC networking mode, ECS agent requires CNI plugin and dhclient to be available. ECS also needs the ecs-init to run as part of its startup. The following is an example of docker run configuration for running ecs-agent with Task ENI enabled. Note that ECS agent currently only supports cgroupfs for cgroup driver.

$ # Run the agent
$ /usr/bin/docker run --name ecs-agent \
--init \
--restart=on-failure:10 \
--volume=/var/run:/var/run \
--volume=/var/log/ecs/:/log:Z \
--volume=/var/lib/ecs/data:/data:Z \
--volume=/etc/ecs:/etc/ecs \
--volume=/sbin:/host/sbin \
--volume=/lib:/lib \
--volume=/lib64:/lib64 \
--volume=/usr/lib:/usr/lib \
--volume=/usr/lib64:/usr/lib64 \
--volume=/proc:/host/proc \
--volume=/sys/fs/cgroup:/sys/fs/cgroup \
--net=host \
--env-file=/etc/ecs/ecs.config \
--cap-add=sys_admin \
--cap-add=net_admin \
--env ECS_ENABLE_TASK_ENI=true \
--env ECS_UPDATES_ENABLED=true \
--env ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION=1h \
--env ECS_DATADIR=/data \
--env ECS_ENABLE_TASK_IAM_ROLE=true \
--env ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true \
--env ECS_LOGFILE=/log/ecs-agent.log \
--env ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","awslogs","syslog","none"]' \
--env ECS_LOGLEVEL=info \
--detach \
amazon/amazon-ecs-agent:latest

See also the Advanced Usage section below.

On the ECS Optimized Windows AMI

ECS Optimized Windows AMI ships with a pre-installed PowerShell module called ECSTools to install, configure, and run the ECS Agent as a Windows service. To install the service, you can run the following PowerShell commands on an EC2 instance. To launch into another cluster instead of windows, replace the 'windows' in the script below with the name of your cluster.

PS C:\> Import-Module ECSTools
PS C:\> # The -EnableTaskIAMRole option is required to enable IAM roles for tasks.
PS C:\> Initialize-ECSAgent -Cluster 'windows' -EnableTaskIAMRole

Downloading Different Version of ECS Agent

To download different version of ECS Agent, you can do the following:

PS C:\> # use agentVersion = "latest" for the latest available agent version
PS C:\> $agentVersion = "v1.20.4"
PS C:\> Initialize-ECSAgent -Cluster 'windows' -EnableTaskIAMRole -Version $agentVersion

Build ECS Agent from source

Build ECS Agent Image (Linux)

ECS Agent can also be built locally from source on a linux machine. Use the following steps to build ECS Agent

  • Get ECS Agent source
git clone https://github.com/aws/amazon-ecs-agent.git
  • Build Agent image using release-agent make target
make release-agent

This installs the required build dependencies, builds ECS Agent image and saves it at a path ecs-agent-v${AGENT_VERSION}.tar. Load this using

docker load < ecs-agent-v${AGENT_VERSION}.tar

Follow the instructions above to continue with the installation

Build and run standalone (Linux)

The Amazon ECS Container Agent may also be run outside of a Docker container as a Go binary. At this time, this is not recommended for production on Linux, but it can be useful for development or easier integration with your local Go tools.

The following commands run the agent outside of Docker:

make gobuild
./out/amazon-ecs-agent

Standalone (Windows)

The Amazon ECS Container Agent may be built by invoking scripts\build_agent.ps1

Scripts (Windows)

The following scripts are available to help develop the Amazon ECS Container Agent on Windows:

  • scripts\run-integ-tests.ps1 - Runs all integration tests in the engine and stats packages
  • misc\windows-deploy\Install-ECSAgent.ps1 - Install the ECS agent as a Windows service
  • misc\windows-deploy\amazon-ecs-agent.ps1 - Helper script to set up the host and run the agent as a process
  • misc\windows-deploy\user-data.ps1 - Sample user-data that can be used with the Windows Server 2016 with Containers AMI to run the agent as a process

Build ECS-Init Package (Linux)

ECS-Init package can also be built as a deb or rpm depending on the linux system you are running. Follow instructions at generic-deb-integrated or generic-rpm-integrated to build and install ECS Agent with Init using deb or rpm.

Advanced Usage

The Amazon ECS Container Agent supports a number of configuration options, most of which should be set through environment variables.

Environment Variables

The table below provides an overview of optional environment variables that can be used to configure the ECS agent. See the Amazon ECS developer guide for additional details on each available environment variable.

Environment Key Example Value(s) Description Default value on Linux Default value on Windows
ECS_CLUSTER clusterName The cluster this agent should check into. default default
ECS_RESERVED_PORTS [22, 80, 5000, 8080] An array of ports that should be marked as unavailable for scheduling on this container instance. [22, 2375, 2376, 51678, 51679] [53, 135, 139, 445, 2375, 2376, 3389, 5985, 5986, 51678, 51679]
ECS_RESERVED_PORTS_UDP [53, 123] An array of UDP ports that should be marked as unavailable for scheduling on this container instance. [] []
ECS_ENGINE_AUTH_TYPE "docker" | "dockercfg" The type of auth data that is stored in the ECS_ENGINE_AUTH_DATA key.
ECS_ENGINE_AUTH_DATA See the dockerauth documentation Docker auth data formatted as defined by ECS_ENGINE_AUTH_TYPE.
AWS_DEFAULT_REGION <us-west-2>|<us-east-1>|… The region to be used in API requests as well as to infer the correct backend host. Taken from Amazon EC2 instance metadata. Taken from Amazon EC2 instance metadata.
AWS_ACCESS_KEY_ID AKIDEXAMPLE The access key used by the agent for all calls. Taken from Amazon EC2 instance metadata. Taken from Amazon EC2 instance metadata.
AWS_SECRET_ACCESS_KEY EXAMPLEKEY The secret key used by the agent for all calls. Taken from Amazon EC2 instance metadata. Taken from Amazon EC2 instance metadata.
AWS_SESSION_TOKEN The session token used for temporary credentials. Taken from Amazon EC2 instance metadata. Taken from Amazon EC2 instance metadata.
DOCKER_HOST unix:///var/run/docker.sock Used to create a connection to the Docker daemon; behaves similarly to this environment variable as used by the Docker client. unix:///var/run/docker.sock npipe:////./pipe/docker_engine
ECS_LOGLEVEL <crit> | <error> | <warn> | <info> | <debug> The level of detail to be logged. info info
ECS_LOGLEVEL_ON_INSTANCE <none> | <crit> | <error> | <warn> | <info> | <debug> Can be used to override ECS_LOGLEVEL and set a level of detail that should be logged in the on-instance log file, separate from the level that is logged in the logging driver. If a logging driver is explicitly set, on-instance logs are turned off by default, but can be turned back on with this variable. none if ECS_LOG_DRIVER is explicitly set to a non-empty value; otherwise the same value as ECS_LOGLEVEL none if ECS_LOG_DRIVER is explicitly set to a non-empty value; otherwise the same value as ECS_LOGLEVEL
ECS_LOGFILE /ecs-agent.log The location where logs should be written. Log level is controlled by ECS_LOGLEVEL. blank blank
ECS_CHECKPOINT <true | false> Whether to checkpoint state to the DATADIR specified below. true if ECS_DATADIR is explicitly set to a non-empty value; false otherwise true if ECS_DATADIR is explicitly set to a non-empty value; false otherwise
ECS_DATADIR /data/ The container path where state is checkpointed for use across agent restarts. Note that on Linux, when you specify this, you will need to make sure that the Agent container has a bind mount of $ECS_HOST_DATA_DIR/data:$ECS_DATADIR with the corresponding values of ECS_HOST_DATA_DIR and ECS_DATADIR. /data/ C:\ProgramData\Amazon\ECS\data
ECS_UPDATES_ENABLED <true | false> Whether to exit for an updater to apply updates when requested. false false
ECS_DISABLE_METRICS <true | false> Whether to disable metrics gathering for tasks. false false
ECS_POLL_METRICS <true | false> Whether to poll or stream when gathering metrics for tasks. Setting this value to true can help reduce the CPU usage of dockerd and containerd on the ECS container instance. See also ECS_POLL_METRICS_WAIT_DURATION for setting the poll interval. false false
ECS_POLLING_METRICS_WAIT_DURATION 10s Time to wait between polling for metrics for a task. Not used when ECS_POLL_METRICS is false. Maximum value is 20s and minimum value is 5s. If user sets above maximum it will be set to max, and if below minimum it will be set to min. 10s 10s
ECS_PULL_DEPENDENT_CONTAINERS_UPFRONT <true | false> Whether to pull images for containers with dependencies before the dependsOn condition has been satisfied. false false
ECS_RESERVED_MEMORY 32 Reduction, in MiB, of the memory capacity of the instance that is reported to Amazon ECS. Used by Amazon ECS when placing tasks on container instances. This doesn't reserve memory usage on the instance. 0 0
ECS_AVAILABLE_LOGGING_DRIVERS ["awslogs","fluentd","gelf","json-file","journald","logentries","splunk","syslog"] Which logging drivers are available on the container instance. ["json-file","none"] ["json-file","none"]
ECS_DISABLE_PRIVILEGED true Whether launching privileged containers is disabled on the container instance. false false
ECS_SELINUX_CAPABLE true Whether SELinux is available on the container instance. (Limited support; Z-mode mounts only.) false false
ECS_APPARMOR_CAPABLE true Whether AppArmor is available on the container instance. false false
ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION 10m Default time to wait to delete containers for a stopped task (see also ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION_JITTER). If set to less than 1 second, the value is ignored. 3h 3h
ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION_JITTER 1h Jitter value for the task engine cleanup wait duration. When specified, the actual cleanup wait duration time for each task will be the duration specified in ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION plus a random duration between 0 and the jitter duration. blank blank
ECS_CONTAINER_STOP_TIMEOUT 10m Instance scoped configuration for time to wait for the container to exit normally before being forcibly killed. 30s 30s
ECS_CONTAINER_START_TIMEOUT 10m Timeout before giving up on starting a container. 3m 8m
ECS_CONTAINER_CREATE_TIMEOUT 10m Timeout before giving up on creating a container. Minimum value is 1m. If user sets a value below minimum it will be set to min. 4m 4m
ECS_ENABLE_TASK_IAM_ROLE true Whether to enable IAM Roles for Tasks on the Container Instance false false
ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST true Whether to enable IAM Roles for Tasks when launched with host network mode on the Container Instance false false
ECS_DISABLE_IMAGE_CLEANUP true Whether to disable automated image cleanup for the ECS Agent. false false
ECS_IMAGE_CLEANUP_INTERVAL 30m The time interval between automated image cleanup cycles. If set to less than 10 minutes, the value is ignored. 30m 30m
ECS_IMAGE_MINIMUM_CLEANUP_AGE 30m The minimum time interval between when an image is pulled and when it can be considered for automated image cleanup. 1h 1h
NON_ECS_IMAGE_MINIMUM_CLEANUP_AGE 30m The minimum time interval between when a non ECS image is created and when it can be considered for automated image cleanup. 1h 1h
ECS_NUM_IMAGES_DELETE_PER_CYCLE 5 The maximum number of images to delete in a single automated image cleanup cycle. If set to less than 1, the value is ignored. 5 5
ECS_IMAGE_PULL_BEHAVIOR <default | always | once | prefer-cached > The behavior used to customize the pull image process. If default is specified, the image will be pulled remotely, if the pull fails then the cached image in the instance will be used. If always is specified, the image will be pulled remotely, if the pull fails then the task will fail. If once is specified, the image will be pulled remotely if it has not been pulled before or if the image was removed by image cleanup, otherwise the cached image in the instance will be used. If prefer-cached is specified, the image will be pulled remotely if there is no cached image, otherwise the cached image in the instance will be used. default default
ECS_IMAGE_PULL_INACTIVITY_TIMEOUT 1m The time to wait after docker pulls complete waiting for extraction of a container. Useful for tuning large Windows containers. 1m 3m
ECS_IMAGE_PULL_TIMEOUT 1h The time to wait for pulling docker image. 2h 2h
ECS_INSTANCE_ATTRIBUTES {"stack": "prod"} These attributes take effect only during initial registration. After the agent has joined an ECS cluster, use the PutAttributes API action to add additional attributes. For more information, see Amazon ECS Container Agent Configuration in the Amazon ECS Developer Guide. {} {}
ECS_ENABLE_TASK_ENI false Whether to enable task networking for task to be launched with its own network interface false Not applicable
ECS_ENABLE_HIGH_DENSITY_ENI false Whether to enable high density eni feature when using task networking true Not applicable
ECS_CNI_PLUGINS_PATH /ecs/cni The path where the cni binary file is located /amazon-ecs-cni-plugins Not applicable
ECS_AWSVPC_BLOCK_IMDS true Whether to block access to Instance Metadata for Tasks started with awsvpc network mode false Not applicable
ECS_AWSVPC_ADDITIONAL_LOCAL_ROUTES ["10.0.15.0/24"] In awsvpc network mode, traffic to these prefixes will be routed via the host bridge instead of the task ENI [] Not applicable
ECS_ENABLE_CONTAINER_METADATA true When true, the agent will create a file describing the container's metadata and the file can be located and consumed by using the container enviornment variable $ECS_CONTAINER_METADATA_FILE false false
ECS_HOST_DATA_DIR /var/lib/ecs The source directory on the host from which ECS_DATADIR is mounted. We use this to determine the source mount path for container metadata files in the case the ECS Agent is running as a container. We do not use this value in Windows because the ECS Agent is not running as container in Windows. On Linux, note that when you specify this, you will need to make sure that the Agent container has a bind mount of $ECS_HOST_DATA_DIR/data:$ECS_DATADIR with the corresponding values of ECS_HOST_DATA_DIR and ECS_DATADIR. /var/lib/ecs Not used
ECS_ENABLE_TASK_CPU_MEM_LIMIT true Whether to enable task-level cpu and memory limits true false
ECS_CGROUP_PATH /sys/fs/cgroup The root cgroup path that is expected by the ECS agent. This is the path that accessible from the agent mount. /sys/fs/cgroup Not applicable
ECS_CGROUP_CPU_PERIOD 10ms CGroups CPU period for task level limits. This value should be between 8ms to 100ms 100ms Not applicable
ECS_AGENT_HEALTHCHECK_HOST localhost Override for the ecs-agent container's healthcheck localhost ip address localhost localhost
ECS_ENABLE_CPU_UNBOUNDED_WINDOWS_WORKAROUND true When true, ECS will allow CPU unbounded(CPU=0) tasks to run along with CPU bounded tasks in Windows. Not applicable false
ECS_ENABLE_MEMORY_UNBOUNDED_WINDOWS_WORKAROUND true When true, ECS will ignore the memory reservation parameter (soft limit) to run along with memory bounded tasks in Windows. To run a memory unbounded task, omit the memory hard limit and set any memory reservation, it will be ignored. Not applicable false
ECS_TASK_METADATA_RPS_LIMIT 100,150 Comma separated integer values for steady state and burst throttle limits for combined total traffic to task metadata endpoint and agent api endpoint. 40,60 40,60
ECS_SHARED_VOLUME_MATCH_FULL_CONFIG true When true, ECS Agent will compare name, driver options, and labels to make sure volumes are identical. When false, Agent will short circuit shared volume comparison if the names match. This is the default Docker behavior. If a volume is shared across instances, this should be set to false. false false
ECS_CONTAINER_INSTANCE_PROPAGATE_TAGS_FROM ec2_instance If ec2_instance is specified, existing tags defined on the container instance will be registered to Amazon ECS and will be discoverable using the ListTagsForResource API. Using this requires that the IAM role associated with the container instance have the ec2:DescribeTags action allowed. none none
ECS_CONTAINER_INSTANCE_TAGS {"tag_key": "tag_val"} The metadata that you apply to the container instance to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters. If tags also exist on your container instance that are propagated using the ECS_CONTAINER_INSTANCE_PROPAGATE_TAGS_FROM parameter, those tags will be overwritten by the tags specified using ECS_CONTAINER_INSTANCE_TAGS. {} {}
ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP true Whether to allow the ECS agent to delete containers and images that are not part of ECS tasks. false false
ECS_EXCLUDE_UNTRACKED_IMAGE alpine:latest Comma separated list of imageName:tag of images that should not be deleted by the ECS agent if ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP is enabled.
ECS_DISABLE_DOCKER_HEALTH_CHECK false Whether to disable the Docker Container health check for the ECS Agent. false false
ECS_NVIDIA_RUNTIME nvidia The Nvidia Runtime to be used to pass Nvidia GPU devices to containers. nvidia Not Applicable
ECS_ALTERNATE_CREDENTIAL_PROFILE default An alternate credential role/profile name. default default
ECS_ENABLE_SPOT_INSTANCE_DRAINING true Whether to enable Spot Instance draining for the container instance. If true, if the container instance receives a spot interruption notice, agent will set the instance's status to DRAINING, which gracefully shuts down and replaces all tasks running on the instance that are part of a service. It is recommended that this be set to true when using spot instances. false false
ECS_LOG_ROLLOVER_TYPE size | hourly Determines whether the container agent logfile will be rotated based on size or hourly. By default, the agent logfile is rotated each hour. hourly hourly
ECS_LOG_OUTPUT_FORMAT logfmt | json Determines the log output format. When the json format is used, each line in the log would be a structured JSON map. logfmt logfmt
ECS_LOG_MAX_FILE_SIZE_MB 10 When the ECS_LOG_ROLLOVER_TYPE variable is set to size, this variable determines the maximum size (in MB) the log file before it is rotated. If the rollover type is set to hourly then this variable is ignored. 10 10
ECS_LOG_MAX_ROLL_COUNT 24 Determines the number of rotated log files to keep. Older log files are deleted once this limit is reached. 24 24
ECS_LOG_DRIVER awslogs | fluentd | gelf | json-file | journald | logentries | syslog | splunk The logging driver to be used by the Agent container. json-file Not applicable
ECS_LOG_OPTS {"option":"value"} The options for configuring the logging driver set in ECS_LOG_DRIVER. {} Not applicable
ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE true Whether to enable awslogs log driver to authenticate via credentials of task execution IAM role. Needs to be true if you want to use awslogs log driver in a task that has task execution IAM role specified. When using the ecs-init RPM with version equal or later than V1.16.0-1, this env is set to true by default. false false
ECS_FSX_WINDOWS_FILE_SERVER_SUPPORTED true Whether FSx for Windows File Server volume type is supported on the container instance. This variable is only supported on agent versions 1.47.0 and later. false true
ECS_ENABLE_RUNTIME_STATS true Determines if pprof is enabled for the agent. If enabled, the different profiles can be accessed through the agent's introspection port (e.g. curl http://localhost:51678/debug/pprof/heap > heap.pprof). In addition, agent's runtime stats are logged to /var/log/ecs/runtime-stats.log file. false false
ECS_EXCLUDE_IPV6_PORTBINDING true Determines if agent should exclude IPv6 port binding using default network mode. If enabled, IPv6 port binding will be filtered out, and the response of DescribeTasks API call will not show tasks' IPv6 port bindings, but it is still included in Task metadata endpoint. true true
ECS_WARM_POOLS_CHECK true Whether to ensure instances going into an EC2 Auto Scaling group warm pool are prevented from being registered with the cluster. Set to true only if using EC2 Autoscaling false false
ECS_SKIP_LOCALHOST_TRAFFIC_FILTER false By default, the ecs-init service adds an iptable rule to drop non-local packets to localhost if they're not part of an existing forwarded connection or DNAT, and removes the rule upon stop. If this is set to true, the rule will not be added or removed. false false
ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS true By default, the ecs-init service adds an iptable rule to block access to the agent introspection port from off-host (or containers in awsvpc network mode), and removes the rule upon stop. If this is set to true, the rule will not be added or removed false false
ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME eth0 The primary network interface name to be used for blocking offhost agent introspection port access eth0 eth0
ECS_ENABLE_GPU_SUPPORT true Whether you use container instances with GPU support. This parameter is specified for the agent. You must also configure your task definitions for GPU. For more information false Not applicable
HTTP_PROXY 10.0.0.131:3128 The hostname (or IP address) and port number of an HTTP proxy to use for the Amazon ECS agent to connect to the internet. For example, this proxy will be used if your container instances do not have external network access through an Amazon VPC internet gateway or NAT gateway or instance. If this variable is set, you must also set the NO_PROXY variable to filter Amazon EC2 instance metadata and Docker daemon traffic from the proxy. null null
NO_PROXY <For Linux: 169.254.169.254,169.254.170.2,/var/run/docker.sock | For Windows: 169.254.169.254,169.254.170.2,\.\pipe\docker_engine> The HTTP traffic that should not be forwarded to the specified HTTP_PROXY. You must specify 169.254.169.254,/var/run/docker.sock to filter Amazon EC2 instance metadata and Docker daemon traffic from the proxy. null null
ECS_GMSA_SUPPORTED true Whether you use gMSA authentication to Active Directory in tasks. Each task must specify the location of a credential specification file in the dockerSecurityOpts parameter of a container definition. On Linux, this requires the credentials-fetcher daemon. false false
CREDENTIALS_FETCHER_HOST unix:///var/credentials-fetcher/socket/credentials_fetcher.sock Used to create a connection to the credentials-fetcher daemon; to support gMSA on Linux. The default is fine for most users, only needs to be modified if user is configuring a custom credentials-fetcher socket path, ie, CF_UNIX_DOMAIN_SOCKET_DIR. unix:///var/credentials-fetcher/socket/credentials_fetcher.sock Not Applicable
CREDENTIALS_FETCHER_SECRET_NAME_FOR_DOMAINLESS_GMSA secretmanager-secretname Used to support scaling option for gMSA on Linux credentials-fetcher daemon. If user is configuring gMSA on a non-domain joined instance, they need to create an Active Directory user with access to retrieve principals for the gMSA account and store it in secrets manager secretmanager-secretname Not Applicable
ECS_DYNAMIC_HOST_PORT_RANGE 100-200 This specifies the dynamic host port range that the agent uses to assign host ports from, for container ports mapping. If there are no available ports in the range for containers, including customer containers and Service Connect Agent containers (if Service Connect is enabled), service deployments would fail. Defined by /proc/sys/net/ipv4/ip_local_port_range 49152-65535

Additionally, the following environment variable(s) can be used to configure the behavior of the ecs-init service. When using ECS-Init, all env variables, including the ECS Agent variables above, are read from path /etc/ecs/ecs.config:

Environment Variable Name Example Value(s) Description Default value
ECS_SKIP_LOCALHOST_TRAFFIC_FILTER <true | false> By default, the ecs-init service adds an iptable rule to drop non-local packets to localhost if they're not part of an existing forwarded connection or DNAT, and removes the rule upon stop. If ECS_SKIP_LOCALHOST_TRAFFIC_FILTER is set to true, this rule will not be added/removed. false
ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS <true | false> By default, the ecs-init service adds an iptable rule to block access to ECS Agent's introspection port from off-host (or containers in awsvpc network mode), and removes the rule upon stop. If ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS is set to true, this rule will not be added/removed. false
ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME eth0 Primary network interface name to be used for blocking offhost agent introspection port access. By default, this value is eth0 eth0
ECS_AGENT_LABELS {"test.label.1":"value1","test.label.2":"value2"} The labels to add to the ECS Agent container.

Persistence

When you run the Amazon ECS Container Agent in production, its datadir should be persisted between runs of the Docker container. If this data is not persisted, the agent registers a new container instance ARN on each launch and is not able to update the state of tasks it previously ran.

Flags

The agent also supports the following flags:

  • -k — The agent will not require valid SSL certificates for the services that it communicates with. We recommend against using this flag.
  • -loglevel — Options: [<crit>|<error>|<warn>|<info>|<debug>]. The agent will output on stdout at the given level. This is overridden by the ECS_LOGLEVEL environment variable, if present.

Make Targets (on Linux)

The following targets are available. Each may be run with make <target>.

Make Target Description
release-agent (Default Agent build) Builds Agent fetching required dependencies and saves image .tar to disk
generic-rpm-integrated Builds init rpm package and saves .rpm package to disk
generic-deb-integrated Builds init deb package and saves .deb package to disk
release (Legacy Agent build) Builds the agent within a Docker container and packages it into a scratch-based image
gobuild Runs a normal go build of the agent and stores the binary in ./out/amazon-ecs-agent
static Runs go build to produce a static binary in ./out/amazon-ecs-agent
test Runs all unit tests using go test
test-in-docker Runs all tests inside a Docker container
run-integ-tests Runs all integration tests in the engine and stats packages
clean Removes build artifacts. Note: this does not remove Docker images

Contributing

Contributions and feedback are welcome! Proposals and pull requests will be considered and responded to. For more information, see the CONTRIBUTING.md file.

If you have a bug/and issue around the behavior of the ECS agent, please open it here.

If you have a feature request, please open it over at the AWS Containers Roadmap.

Amazon Web Services does not currently provide support for modified copies of this software.

Security disclosures

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.

License

The Amazon ECS Container Agent is licensed under the Apache 2.0 License.

More Repositories

1

aws-cli

Universal Command Line Interface for Amazon Web Services
Python
14,304
star
2

chalice

Python Serverless Microframework for AWS
Python
10,654
star
3

aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
JavaScript
10,440
star
4

amazon-sagemaker-examples

Example 📓 Jupyter notebooks that demonstrate how to build, train, and deploy machine learning models using 🧠 Amazon SageMaker.
Jupyter Notebook
9,542
star
5

serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is a AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
Python
9,342
star
6

aws-sdk-js

AWS SDK for JavaScript in the browser and Node.js
JavaScript
7,476
star
7

aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
Python
6,506
star
8

aws-sdk-php

Official repository of the AWS SDK for PHP (@awsforphp)
PHP
5,886
star
9

containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
Shell
5,164
star
10

karpenter

Karpenter is a Kubernetes Node Autoscaler built for flexibility, performance, and simplicity.
Go
4,615
star
11

s2n-tls

An implementation of the TLS/SSL protocols
C
4,465
star
12

aws-sdk-java

The official AWS SDK for Java 1.x. The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
Java
4,117
star
13

aws-lambda-go

Libraries, samples and tools to help Go developers develop AWS Lambda functions.
Go
3,624
star
14

aws-sdk-pandas

pandas on AWS - Easy integration with Athena, Glue, Redshift, Timestream, Neptune, OpenSearch, QuickSight, Chime, CloudWatchLogs, DynamoDB, EMR, SecretManager, PostgreSQL, MySQL, SQLServer and S3 (Parquet, CSV, JSON and EXCEL).
Python
3,537
star
15

copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
Go
3,488
star
16

aws-sdk-ruby

The official AWS SDK for Ruby.
Ruby
3,462
star
17

amazon-freertos

DEPRECATED - See README.md
C
2,535
star
18

aws-sdk-go-v2

AWS SDK for the Go programming language.
Go
2,518
star
19

aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
TypeScript
2,476
star
20

jsii

jsii allows code in any language to naturally interact with JavaScript classes. It is the technology that enables the AWS Cloud Development Kit to deliver polyglot libraries from a single codebase!
TypeScript
2,371
star
21

sagemaker-python-sdk

A library for training and deploying machine learning models on Amazon SageMaker
Python
2,095
star
22

amazon-vpc-cni-k8s

Networking plugin repository for pod networking in Kubernetes using Elastic Network Interfaces on AWS
Go
2,071
star
23

aws-eks-best-practices

A best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization.
Python
2,022
star
24

lumberyard

Amazon Lumberyard is a free AAA game engine deeply integrated with AWS and Twitch – with full source.
C++
1,965
star
25

aws-sdk-net

The official AWS SDK for .NET. For more information on the AWS SDK for .NET, see our web site:
1,945
star
26

eks-anywhere

Run Amazon EKS on your own infrastructure 🚀
Go
1,899
star
27

aws-sdk-java-v2

The official AWS SDK for Java - Version 2
Java
1,822
star
28

aws-sdk-cpp

AWS SDK for C++
1,779
star
29

amazon-ecs-cli

The Amazon ECS CLI enables users to run their applications on ECS/Fargate using the Docker Compose file format, quickly provision resources, push/pull images in ECR, and monitor running applications on ECS/Fargate.
Go
1,725
star
30

aws-sdk-php-laravel

A Laravel 5+ (and 4) service provider for the AWS SDK for PHP
PHP
1,589
star
31

serverless-java-container

A Java wrapper to run Spring, Spring Boot, Jersey, and other apps inside AWS Lambda.
Java
1,483
star
32

aws-node-termination-handler

Gracefully handle EC2 instance shutdown within Kubernetes
Go
1,443
star
33

aws-lambda-dotnet

Libraries, samples and tools to help .NET Core developers develop AWS Lambda functions.
C#
1,430
star
34

aws-fpga

Official repository of the AWS EC2 FPGA Hardware and Software Development Kit
VHDL
1,380
star
35

eks-distro

Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters.
Shell
1,263
star
36

eks-charts

Amazon EKS Helm chart repository
Mustache
1,184
star
37

s2n-quic

An implementation of the IETF QUIC protocol
Rust
1,152
star
38

aws-toolkit-vscode

CodeWhisperer, CodeCatalyst, Local Lambda debug, SAM/CFN syntax, ECS Terminal, AWS resources
TypeScript
1,150
star
39

opsworks-cookbooks

Chef Cookbooks for the AWS OpsWorks Service
Ruby
1,058
star
40

aws-codebuild-docker-images

Official AWS CodeBuild repository for managed Docker images http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html
Dockerfile
1,032
star
41

amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
Go
975
star
42

aws-iot-device-sdk-js

SDK for connecting to AWS IoT from a device using JavaScript/Node.js
JavaScript
957
star
43

aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
C
926
star
44

aws-health-tools

The samples provided in AWS Health Tools can help users to build automation and customized alerting in response to AWS Health events.
Python
887
star
45

aws-graviton-getting-started

Helping developers to use AWS Graviton2, Graviton3, and Graviton4 processors which power the 6th, 7th, and 8th generation of Amazon EC2 instances (C6g[d], M6g[d], R6g[d], T4g, X2gd, C6gn, I4g, Im4gn, Is4gen, G5g, C7g[d][n], M7g[d], R7g[d], R8g).
Python
850
star
46

aws-app-mesh-examples

AWS App Mesh is a service mesh that you can use with your microservices to manage service to service communication.
Shell
844
star
47

deep-learning-containers

AWS Deep Learning Containers (DLCs) are a set of Docker images for training and serving models in TensorFlow, TensorFlow 2, PyTorch, and MXNet.
Python
800
star
48

aws-parallelcluster

AWS ParallelCluster is an AWS supported Open Source cluster management tool to deploy and manage HPC clusters in the AWS cloud.
Python
782
star
49

aws-lambda-runtime-interface-emulator

Go
771
star
50

aws-toolkit-jetbrains

AWS Toolkit for JetBrains - a plugin for interacting with AWS from JetBrains IDEs
Kotlin
735
star
51

graph-notebook

Library extending Jupyter notebooks to integrate with Apache TinkerPop, openCypher, and RDF SPARQL.
Jupyter Notebook
706
star
52

aws-iot-device-sdk-python

SDK for connecting to AWS IoT from a device using Python.
Python
670
star
53

amazon-chime-sdk-js

A JavaScript client library for integrating multi-party communications powered by the Amazon Chime service.
TypeScript
655
star
54

amazon-ec2-instance-selector

A CLI tool and go library which recommends instance types based on resource criteria like vcpus and memory
Go
642
star
55

studio-lab-examples

Example notebooks for working with SageMaker Studio Lab. Sign up for an account at the link below!
Jupyter Notebook
625
star
56

aws-secretsmanager-agent

The AWS Secrets Manager Agent is a local HTTP service that you can install and use in your compute environments to read secrets from Secrets Manager and cache them in memory.
Rust
584
star
57

event-ruler

Event Ruler is a Java library that allows matching many thousands of Events per second to any number of expressive and sophisticated rules.
Java
564
star
58

aws-sdk-rails

Official repository for the aws-sdk-rails gem, which integrates the AWS SDK for Ruby with Ruby on Rails.
Ruby
554
star
59

aws-mwaa-local-runner

This repository provides a command line interface (CLI) utility that replicates an Amazon Managed Workflows for Apache Airflow (MWAA) environment locally.
Shell
553
star
60

amazon-eks-pod-identity-webhook

Amazon EKS Pod Identity Webhook
Go
534
star
61

aws-lambda-java-libs

Official mirror for interface definitions and helper classes for Java code running on the AWS Lambda platform.
C++
518
star
62

aws-lambda-base-images

506
star
63

aws-appsync-community

The AWS AppSync community
HTML
495
star
64

sagemaker-training-toolkit

Train machine learning models within a 🐳 Docker container using 🧠 Amazon SageMaker.
Python
493
star
65

dotnet

GitHub home for .NET development on AWS
487
star
66

aws-cdk-rfcs

RFCs for the AWS CDK
JavaScript
476
star
67

aws-sam-cli-app-templates

Python
472
star
68

aws-elastic-beanstalk-cli-setup

Simplified EB CLI installation mechanism.
Python
453
star
69

amazon-cloudwatch-agent

CloudWatch Agent enables you to collect and export host-level metrics and logs on instances running Linux or Windows server.
Go
403
star
70

secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Go
393
star
71

amazon-braket-examples

Example notebooks that show how to apply quantum computing in Amazon Braket.
Python
376
star
72

aws-for-fluent-bit

The source of the amazon/aws-for-fluent-bit container image
Shell
375
star
73

aws-pdk

The AWS PDK provides building blocks for common patterns together with development tools to manage and build your projects.
TypeScript
361
star
74

aws-extensions-for-dotnet-cli

Extensions to the dotnet CLI to simplify the process of building and publishing .NET Core applications to AWS services
C#
346
star
75

aws-sdk-php-symfony

PHP
346
star
76

aws-app-mesh-roadmap

AWS App Mesh is a service mesh that you can use with your microservices to manage service to service communication
344
star
77

aws-lambda-builders

Python library to compile, build & package AWS Lambda functions for several runtimes & framework
Python
337
star
78

aws-iot-device-sdk-python-v2

Next generation AWS IoT Client SDK for Python using the AWS Common Runtime
Python
335
star
79

constructs

Define composable configuration models through code
TypeScript
332
star
80

pg_tle

Framework for building trusted language extensions for PostgreSQL
C
329
star
81

graph-explorer

React-based web application that enables users to visualize both property graph and RDF data and explore connections between data without having to write graph queries.
TypeScript
321
star
82

aws-codedeploy-agent

Host Agent for AWS CodeDeploy
Ruby
316
star
83

aws-sdk-ruby-record

Official repository for the aws-record gem, an abstraction for Amazon DynamoDB.
Ruby
313
star
84

aws-ops-wheel

The AWS Ops Wheel is a randomizer that biases for options that haven’t come up recently; you can also outright cheat and specify the next result to be generated.
JavaScript
308
star
85

aws-xray-sdk-python

AWS X-Ray SDK for the Python programming language
Python
304
star
86

sagemaker-inference-toolkit

Serve machine learning models within a 🐳 Docker container using 🧠 Amazon SageMaker.
Python
303
star
87

efs-utils

Utilities for Amazon Elastic File System (EFS)
Python
286
star
88

amazon-ivs-react-native-player

A React Native wrapper for the Amazon IVS iOS and Android player SDKs.
TypeScript
286
star
89

sagemaker-spark

A Spark library for Amazon SageMaker.
Scala
282
star
90

apprunner-roadmap

This is the public roadmap for AWS App Runner.
280
star
91

aws-xray-sdk-go

AWS X-Ray SDK for the Go programming language.
Go
274
star
92

aws-toolkit-eclipse

(End of life: May 31, 2023) AWS Toolkit for Eclipse
Java
273
star
93

elastic-beanstalk-roadmap

AWS Elastic Beanstalk roadmap
272
star
94

aws-logging-dotnet

.NET Libraries for integrating Amazon CloudWatch Logs with popular .NET logging libraries
C#
271
star
95

sagemaker-tensorflow-training-toolkit

Toolkit for running TensorFlow training scripts on SageMaker. Dockerfiles used for building SageMaker TensorFlow Containers are at https://github.com/aws/deep-learning-containers.
Python
270
star
96

aws-lc-rs

aws-lc-rs is a cryptographic library using AWS-LC for its cryptographic operations. The library strives to be API-compatible with the popular Rust library named ring.
Rust
263
star
97

elastic-load-balancing-tools

AWS Elastic Load Balancing Tools
Java
262
star
98

aws-step-functions-data-science-sdk-python

Step Functions Data Science SDK for building machine learning (ML) workflows and pipelines on AWS
Python
261
star
99

amazon-braket-sdk-python

A Python SDK for interacting with quantum devices on Amazon Braket
Python
254
star
100

aws-xray-sdk-node

The official AWS X-Ray SDK for Node.js.
JavaScript
248
star