To address your issue with running a Java SpringBoot app in Docker on ECS with a read-only root filesystem, you can use Docker volumes to provide writable storage for specific directories like /tmp and your SSL certificate generation directory. Here's how you can configure both the Docker container and ECS Task Definition:
- In your Dockerfile, you can define the volumes you need:
  VOLUME ["/tmp", "/path/to/ssl/certs"]
- In your ECS Task Definition, you need to configure these volumes and mount points. For Fargate tasks, you can use ephemeral storage by specifying a dockerVolumeConfiguration with the "local" driver. Here's an example of how to set this up:
  "volumes": [
    {
      "name": "tmp",
      "dockerVolumeConfiguration": {
        "scope": "task",
        "driver": "local",
        "labels": { "purpose": "temporary" }
      }
    },
    {
      "name": "ssl-certs",
      "dockerVolumeConfiguration": {
        "scope": "task",
        "driver": "local",
        "labels": { "purpose": "ssl-certificates" }
      }
    }
  ],
  "containerDefinitions": [
    {
      // other container definition properties
      "mountPoints": [
        { "sourceVolume": "tmp", "containerPath": "/tmp", "readOnly": false },
        { "sourceVolume": "ssl-certs", "containerPath": "/path/to/ssl/certs", "readOnly": false }
      ],
      "readonlyRootFilesystem": true
    }
  ]
This configuration creates two Docker volumes using the local driver, which will use the Fargate instance's ephemeral storage. The volumes are scoped to the task, meaning they will be created when the task starts and deleted when it stops.
The mountPoints in the container definition specify where these volumes should be mounted in the container. By setting "readOnly" to false, you allow the application to write to these directories.
Finally, setting "readonlyRootFilesystem" to true ensures that the root filesystem is read-only, while still allowing write access to the specified mount points.
With this setup, your Java SpringBoot application should be able to write to /tmp and generate SSL certificates in the designated directory, while the rest of the filesystem remains read-only.
Sources
Docker volume examples for Amazon ECS - Amazon Elastic Container Service
Specify a Docker volume in an Amazon ECS task definition - Amazon Elastic Container Service
Use Docker volumes with Amazon ECS - Amazon Elastic Container Service
Hello,
Greetings for the day,
Mounting the container's root filesystem as read-only prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutability. This reduces security attack vectors since the container's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.
Further, you mentioned that when you set Read Only Root File System to true in the task definition, the ECS tasks referencing this task definition fail (as they cannot write to /tmp). If your application/image writes something to the root file system, then setting "ReadonlyRootFilesystem" to true would affect the containers, as they would have only read access to the root filesystem.
Hence, the workaround we discussed was to configure your application to write all the files to a different temp directory outside the root file system and give that directory write access.
You can check which of your application paths need write permission and use volumes to mount those paths [1][2][3].
For example, you can consider creating a bind mount for the task and mounting the desired volume inside the ECS container at the container path where the application is meant to write its data.
I would like to highlight the use of bind mounts and EFS volumes:
- With bind mounts, a file or directory on a host, such as Amazon Fargate, is mounted into a container. Bind mounts are tied to the lifecycle of the container that uses them. After all of the containers that use a bind mount are stopped, such as when a task is stopped, the data is removed.
- Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with your Amazon ECS tasks. With Amazon EFS, storage capacity is elastic. It grows and shrinks automatically as you add and remove files. Your applications can have the storage they need when they need it.
Please use whichever volume type fits your requirement.
This way you can keep "readonlyRootFilesystem" set to true while your application has write access to the specific directories it needs for the task to run.
[2] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bind-mounts.html
[3] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html
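As an added example (not code from either answer above or from AWS), the script below builds a Fargate task definition that keeps readonlyRootFilesystem set to true and exposes only the paths the application must write to as bind mounts (the "host": {} volume form that the second answer describes, backed by task ephemeral storage), then lints the result so that a misconfiguration is caught before registration rather than as a failing task. The image name, the /var/app/ssl path and the JAVA_TOOL_OPTIONS setting (pointing java.io.tmpdir at the mounted /tmp) are assumptions for the illustration.

```python
"""Build and lint an ECS task definition with a read-only root filesystem.

Added example; not from the thread. The app paths and image are assumptions.
"""
import copy

# Paths where a writable mount would quietly re-open most of the root filesystem
# to modification; a mount there defeats the point of readonlyRootFilesystem.
SENSITIVE_PREFIXES = ("/usr", "/etc", "/bin", "/sbin", "/lib", "/opt")


def task_definition(writable_paths):
    """Return a Fargate task definition with one bind mount per writable path."""
    volumes, mount_points = [], []
    for idx, path in enumerate(writable_paths):
        name = f"writable-{idx}"
        volumes.append({"name": name, "host": {}})  # bind mount: ephemeral, per task
        mount_points.append(
            {"sourceVolume": name, "containerPath": path, "readOnly": False}
        )
    return {
        "family": "springboot-readonly",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "512",
        "memory": "1024",
        "volumes": volumes,
        "containerDefinitions": [
            {
                "name": "app",
                "image": "example.com/springboot-app:latest",  # placeholder image
                "essential": True,
                "readonlyRootFilesystem": True,
                "mountPoints": mount_points,
                # Assumed: point the JVM's temp dir at the writable mount explicitly.
                "environment": [
                    {"name": "JAVA_TOOL_OPTIONS", "value": "-Djava.io.tmpdir=/tmp"}
                ],
            }
        ],
    }


def set_readonly_root(task_def, value):
    """Return a copy of task_def with readonlyRootFilesystem set on every container."""
    td = copy.deepcopy(task_def)
    for container in td.get("containerDefinitions", []):
        container["readonlyRootFilesystem"] = value
    return td


def lint_task_definition(task_def, required_writable):
    """Return findings as strings; an empty list means the definition is consistent."""
    findings = []
    volume_names = {v["name"] for v in task_def.get("volumes", [])}
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "?")
        if not container.get("readonlyRootFilesystem"):
            findings.append(f"{cname}: readonlyRootFilesystem is not true")
        writable = set()
        for mp in container.get("mountPoints", []):
            path, source = mp["containerPath"], mp["sourceVolume"]
            if source not in volume_names:
                findings.append(f"{cname}: mount {path} references undefined volume {source}")
            if not mp.get("readOnly", False):
                writable.add(path)
        for path in required_writable:
            if path not in writable:
                findings.append(f"{cname}: no writable mount for {path}")
        for path in sorted(writable):
            if path == "/" or path.startswith(SENSITIVE_PREFIXES):
                findings.append(f"{cname}: writable mount at {path} undermines read-only root")
    return findings


if __name__ == "__main__":
    import json
    td = task_definition(["/tmp", "/var/app/ssl"])
    print(json.dumps(td, indent=2))
    print("findings:", lint_task_definition(td, ["/tmp", "/var/app/ssl"]))
```

Register the printed definition with the usual aws ecs register-task-definition call; the lint step is what you would run in CI so that a container that drops readonlyRootFilesystem, references a volume that was never declared, or mounts something writable under /etc or /usr fails the pipeline instead of reaching ECS.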