How to run "docker exec... " command in ECS #143

Open
shoaib-tarams opened this Issue Aug 3, 2016 · 48 comments

shoaib-tarams commented Aug 3, 2016

Hi
I have three containers that are running in ECS. But the website comes up only when we run the "docker exec..." command. I can do this by logging into the server and running this command. But this shouldn't be used. So my question is how to run the "docker exec..." command without logging into the server.
You can give a solution in the Amazon ECS console or using ecs-cli or any other which you know.
Since using the ecs-cli command, we can make a cluster, tasks etc. from our local machine. So how to run the docker exec command from the local machine into the containers?

panga commented Sep 6, 2016

+1

stongo commented Sep 23, 2016

+1

VinceMD commented Oct 13, 2016

Can't you add your exec command to the Dockerfile?

I'd like to run my rake db migrate task and not sure what is the most elegant way to go about it. It should run only the first time when creating the cluster to create the database and seed it with test data.

andreykats commented Oct 13, 2016

+1

ricardson commented Jan 2, 2017

+1

WillLiu360 commented Jan 19, 2017

@VinceMD docker exec could be a valid use case when you want to update some code (git pull) in the container after the image is built. Writing exec in the Dockerfile would require rebuilding the image, pushing the image, restarting the ECS task...

royroque commented Feb 14, 2017

+1

calvintennant commented Feb 22, 2017

+1

r631269 commented Feb 28, 2017

I would like this functionality. Researching various secrets injection solutions where the container wouldn't have to be modified to include aws tools

cxmcc commented May 26, 2017

I built a tool ecsctl to do this. However, you will need to customize docker daemon configuration on container instances to listen on a port.

panga commented May 29, 2017

@cxmcc what about security? How do you secure tcp port of Docker daemon?

cxmcc commented May 30, 2017

@panga Currently with networking configurations.
Externally, only open this port to a trusted network (VPN/bastion, etc.).
Internally, run an iptables rule to drop traffic going to that port from containers:
iptables --insert INPUT 1 --in-interface docker+ --protocol tcp --destination-port MYDOCKERPORT --jump DROP
Alternatively, I believe using a TLS cert may be possible, but I have not tried it out.
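
The exchange above turns on whether the Docker daemon's TCP listener authenticates its callers. The following is an added example, not part of the thread and not code from ecsctl: a small audit of a dockerd `daemon.json` that separates a plaintext listener, TLS without client verification, and mutual TLS. It assumes the listener is configured in `daemon.json` (not via `-H` flags); the sample files, addresses and certificate paths are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample daemon.json contents (not taken from the thread).
PLAIN_TCP = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_NO_CLIENT_AUTH = '{"hosts": ["tcp://10.0.1.5:2376"], "tls": true}'
MUTUAL_TLS = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARDS = {None, "", "0.0.0.0", "::"}


def audit_daemon_config(text):
    """Return (listener, finding) pairs for TCP listeners in a daemon.json."""
    cfg = json.loads(text)
    # tlsverify: clients must present a certificate signed by tlscacert.
    client_auth = bool(cfg.get("tlsverify"))
    # tls alone encrypts the channel but accepts any client.
    encrypted = client_auth or bool(cfg.get("tls"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are governed by local permissions
        if not encrypted:
            findings.append((host, "plaintext API, no authentication"))
        elif not client_auth:
            findings.append((host, "TLS without client certificate verification"))
        if not client_auth and urlparse(host).hostname in WILDCARDS:
            findings.append((host, "bound to all interfaces; only packet filtering protects it"))
    return findings


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_TCP), ("tls", TLS_NO_CLIENT_AUTH), ("mtls", MUTUAL_TLS)]:
        print(name, audit_daemon_config(sample))
```

A listener that reports no findings still benefits from the network restrictions described in the comment above; the two controls are independent.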

destebanm commented Jun 21, 2017

So..., if I am not wrong, right now it is not possible to run commands over running tasks, like the "docker exec" way, isn't it?

nmeyerhans commented Jun 21, 2017

@destebanm It's certainly possible to docker exec into a container that's running as part of an ECS task, but you currently need to identify the specific instance and container manually using ECS and Docker tooling and log in to the appropriate instance. This is clearly suboptimal, and we're tracking this as a feature request.

I'd be interested in hearing ideas for how this might work. What would be the ideal workflow around docker exec? Would people prefer that it be integrated into the web console, such that you can identify a task with the UI and get an interactive docker exec environment in the browser? Or would CLI integration be better?

ktruckenmiller commented Jun 21, 2017

On the ECS Agent, you could marshal the unix socket to a TCP endpoint. This endpoint would need to be authed with an IAM token so that the console that is connecting to the socket is authenticated for a short period of time.

The best way of getting a quick shell would be from within the ECS Console. You could right click on the task itself, then you could open up a sh to the container. Otherwise you're using the cli to list the containers, get statistics, yada yada. It just seems more simple to look at the metrics of a service, then go into a container that way. Docker-cloud did this integration a while back, but it works great and it's a simple way to get into your container to do a quick ls or curl to a database.

But you could also do a CLI integration that would behave in much of the same way, by connecting your docker cli to that specific socket via an AWS API. I might be missing something so please fill in the gaps if you have ideas!

dvizzini commented Aug 9, 2017

I just want to say that I would love to be able to exec into a running ECS container from my MacBook terminal.

It would make debugging so much quicker and easier.

rayj-pgi commented Dec 31, 2017

+1

prcorcoran commented Feb 2, 2018

I am working in a development ECS cluster with EC2 instances that another developer built using his own key pair. Therefore I can't ssh into the instance to run 'docker exec...'. It would be great if something was made available to do this.

tomelliff commented Feb 17, 2018

@nmeyerhans Not sure if there's a better issue/repo to discuss being able to exec into an ECS task container but this seems to be the best I can find for now.

I was considering spending some time writing an ECS executor for GitLab Runner that would allow people to run CI jobs as one-off ECS tasks, but the GitLab Runner model for both Docker and Kubernetes is to run a container and then exec into it so it can receive the output easily.

I was thinking about seeing if I could hack something together where it overrides the command each time with the script lines concatenated together and then try to read the logs out of CloudWatch logs, but it's horribly ugly and the delay on fetching the logs is probably going to be impractical, let alone not being able to support things like after_script (although that's less needed for my use cases right now).

If being able to exec into an ECS task container was possible then I think an ECS executor for GitLab should be easy enough to write and would be a real benefit for my company. Coupled with Fargate that would be a really, really interesting way of running our CI workloads. That said, I'm also considering just waiting for EKS access and then moving to Kubernetes executors as that's the least work to get this off the Docker-Machine runners I'm using. I expect that will probably be the thing that moves me from ECS to Kubernetes for production services as well, although I do prefer the relative simplicity of ECS to k8s.

harlantwood commented Mar 17, 2018

@nmeyerhans when you say:

> It's certainly possible to docker exec into a container that's running as part of an ECS task, but you currently need to identify the specific instance and container manually using ECS and Docker tooling and log in to the appropriate instance.

Can you explain how to do that? That would suffice for me as a workaround...

keeth commented Mar 17, 2018

@harlantwood just ssh into your ECS instance and run docker exec..

ssh ec2-user@my-ecs-server
docker ps
docker exec -it 34cfe4c6b6d5 sh
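
The manual lookup that precedes those three commands, as an added example that is not part of the thread: it joins the output of the ECS `DescribeTasks` and `DescribeContainerInstances` calls to find which EC2 instance and which Docker container id belong to a named container. The sample responses, ARNs, ids and the container names `web` and `worker` are constructed; tasks with no container instance are reported separately because there is no host to log in to.

```python
# Constructed sample responses, shaped like boto3's ecs.describe_tasks() and
# ecs.describe_container_instances() output; all ARNs and ids are made up.
CI_ARN = "arn:aws:ecs:us-east-1:111122223333:container-instance/demo/ci-example"
TASKS = {"tasks": [
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo/task-on-ec2",
     "launchType": "EC2", "containerInstanceArn": CI_ARN,
     "containers": [
         {"name": "web", "lastStatus": "RUNNING",
          "runtimeId": "a1b2c3d4e5f6" + "0" * 52},
         {"name": "worker", "lastStatus": "STOPPED",
          "runtimeId": "ffeeddccbbaa" + "0" * 52}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo/task-on-fargate",
     "launchType": "FARGATE",
     "containers": [{"name": "web", "lastStatus": "RUNNING"}]},
]}
INSTANCES = {"containerInstances": [
    {"containerInstanceArn": CI_ARN, "ec2InstanceId": "i-0123456789abcdef0"}]}


def exec_targets(tasks_resp, instances_resp, container_name):
    """Map running containers to (EC2 instance id, short Docker container id)."""
    ec2_by_arn = {ci["containerInstanceArn"]: ci["ec2InstanceId"]
                  for ci in instances_resp["containerInstances"]}
    targets, no_host = [], []
    for task in tasks_resp["tasks"]:
        instance_id = ec2_by_arn.get(task.get("containerInstanceArn"))
        if instance_id is None:
            # No container instance (e.g. Fargate): nothing to SSH into.
            no_host.append(task["taskArn"])
            continue
        for c in task["containers"]:
            running = c["lastStatus"] == "RUNNING" and c.get("runtimeId")
            if c["name"] == container_name and running:
                targets.append({"task": task["taskArn"],
                                "ec2_instance_id": instance_id,
                                "docker_id": c["runtimeId"][:12]})
    return targets, no_host


if __name__ == "__main__":
    targets, no_host = exec_targets(TASKS, INSTANCES, "web")
    for t in targets:
        print(f'{t["ec2_instance_id"]}: docker exec -it {t["docker_id"]} sh')
    for arn in no_host:
        print(f"{arn}: no container instance to log in to")
```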

marpo60 commented May 2, 2018

That works perfectly when doing ECS/EC2

How about when doing ECS/Fargate? Is it possible?
With Fargate you don't have access to the host machine at all

MattRiches commented May 22, 2018

+1

Sp1tF1r3 commented Jun 5, 2018

+1 for Fargate

vinshetty commented Jun 10, 2018

+1 for Fargate

danielxdam commented Jun 26, 2018

+1 for Fargate

Virtualimmortal commented Jun 26, 2018

+1 for Fargate

danhiris commented Jun 28, 2018

+1 for Fargate

andrykonchin commented Jul 4, 2018

+1

rkreich commented Jul 5, 2018

+1 for Fargate

Manjunath07 commented Jul 12, 2018

+1 for Fargate

enthal commented Jul 13, 2018

For Fargate, has anyone had luck opening ssh access to the container? Yes I do believe that would require an image with sshd2 and a known key (not ideal!), and opening port 22.

wreed4 commented Jul 17, 2018

+1 for a Fargate solution. Can't open port 22 and allow ssh. (company policy)

nitinvavdiya commented Jul 30, 2018

For AWS ECS using an EC2 cluster, we can access the container by doing SSH on EC2, but how can I access the container in Fargate mode?

+1 for Fargate

hguillermo commented Jul 31, 2018

+1 for a Fargate ssh access!

milawidyanto commented Aug 7, 2018

+1 for Fargate

lngphp commented Aug 7, 2018

++Fargate

patrickdizon commented Aug 13, 2018

+1 for Fargate

dalegaspi commented Aug 14, 2018

+1 on Fargate. I can't believe this feature is missing from the get-go. 😐

JamesRyanATX commented Aug 20, 2018

> For Fargate, has anyone had luck opening ssh access to the container? Yes I do believe that would require an image with sshd2 and a known key (not ideal!), and opening port 22.

@enthal I have been able to do this in Fargate. The process is the same as with opening any other TCP port (Dockerfile, container settings, and security group).

enthal commented Aug 20, 2018

@JamesRyanATX great. How did you manage keys in practice? Making it possible is not the same as making it secure (without making it cumbersome). Did you do anything other than bake the private key into the docker image? Thanks! :)

JamesRyanATX commented Aug 20, 2018

@enthal you just want to SSH into the container, right? If so, then your Docker image only needs the public key. Your private key is used in the handshake as normal.

gotexis commented Sep 2, 2018

+10 for Fargate though I don't even use Fargate

ronkorving commented Sep 3, 2018

It would be awesome if we could do this from the SDK:

const instances = await ecs.listContainerInstances({ cluster }).promise();
const arn = instances.data.containerInstanceArns[0];

const { stdout, stderr } = await ecs.exec(arn, '/bin/ps', ['aux']).promise();

Something like that...

whatch commented Oct 5, 2018

I think there's a general need to be able to run a command against all the running tasks in a service. I think it would be ideal to extend the config service to be able to do this. There's times when all I want is for the running service task to refresh a configuration, for example. The most efficient way to do this now, and which is not reliable in my opinion, and totally overkill, is to update the service. I say not reliable because updating the service does NOT absolutely replace all running tasks. I've consistently gotten flaky results with this, to the point where I don't even bother with it anymore. I will first kill the tasks, by hand, then update the service. Yeah, that needs to be fixed, too, such that we can confirm how long a task has been running would be ideal.

andrii-rubtsov commented Oct 19, 2018

+1 for Fargate

davidarmstronglewis commented Oct 24, 2018

Bumping up into this issue as well. +1 for a good solution

bhoormeena commented Nov 9, 2018

+1
