
AWS CodeBuild does not seem to honor ENTRYPOINT command #157

Closed
vibhuyadav opened this issue Jan 8, 2019 · 4 comments

Comments

@vibhuyadav

Description

I added an ENTRYPOINT to a custom Docker Image I built. Once the image is finished building, I upload it to the ECR and then use it in one of my AWS Codebuild projects. It seems that whatever is inside the ENTRYPOINT script does not run for some reason. I am trying to configure AWS cli to assume a role in a separate account to perform a deployment.

Files

Dockerfile

# Copyright 2017-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Amazon Software License (the "License"). You may not use this file except in compliance with the License.
# A copy of the License is located at
#
#    http://aws.amazon.com/asl/
#
# or in the "license" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.
#

FROM ubuntu:14.04.5

ENV DOCKER_BUCKET="download.docker.com" \
    DOCKER_VERSION="17.09.0-ce" \
    DOCKER_CHANNEL="stable" \
    DOCKER_SHA256="a9e90a73c3cdfbf238f148e1ec0eaff5eb181f92f35bdd938fd7dab18e1c4647" \
    DIND_COMMIT="3b5fac462d21ca164b3778647420016315289034" \
    DOCKER_COMPOSE_VERSION="1.21.2" \
    GITVERSION_VERSION="3.6.5"

# Install git, SSH, and other utilities
RUN set -ex \
    && echo 'Acquire::CompressionTypes::Order:: "gz";' > /etc/apt/apt.conf.d/99use-gzip-compression \
    && apt-get update \
    && apt install -y apt-transport-https \
    && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF \
    && echo "deb https://download.mono-project.com/repo/ubuntu stable-trusty main" | tee /etc/apt/sources.list.d/mono-official-stable.list \
    && apt-get update \
    && apt-get install software-properties-common -y --no-install-recommends \
    && apt-add-repository ppa:git-core/ppa \
    && apt-get update \
    && apt-get install git=1:2.* -y --no-install-recommends \
    && git version \
    && apt-get install -y --no-install-recommends openssh-client=1:6.6* \
    && mkdir ~/.ssh \
    && touch ~/.ssh/known_hosts \
    && ssh-keyscan -t rsa,dsa -H github.com >> ~/.ssh/known_hosts \
    && ssh-keyscan -t rsa,dsa -H bitbucket.org >> ~/.ssh/known_hosts \
    && chmod 600 ~/.ssh/known_hosts \
    && apt-get install -y --no-install-recommends \
       wget=1.15-* python=2.7.* python2.7-dev=2.7.* fakeroot=1.20-* ca-certificates \
       tar=1.27.* gzip=1.6-* zip=3.0-* jq=1.3-1.1ubuntu1.1 autoconf=2.69-* automake=1:1.14.* \
       bzip2=1.0.* file=1:5.14-* g++=4:4.8.* gcc=4:4.8.* imagemagick=8:6.7.* \
       libbz2-dev=1.0.* libc6-dev=2.19-* libcurl4-openssl-dev=7.35.* libdb-dev=1:5.3.* \
       libevent-dev=2.0.* libffi-dev=3.1~* libgeoip-dev=1.6.* libglib2.0-dev=2.40.* \
       libjpeg-dev=8c-* libkrb5-dev=1.12+* liblzma-dev=5.1.* \
       libmagickcore-dev=8:6.7.* libmagickwand-dev=8:6.7.* libmysqlclient-dev=5.5.* \
       libncurses5-dev=5.9+* libpng12-dev=1.2.* libpq-dev=9.3.* libreadline-dev=6.3-* \
       libsqlite3-dev=3.8.* libssl-dev=1.0.* libtool=2.4.* libwebp-dev=0.4.* \
       libxml2-dev=2.9.* libxslt1-dev=1.1.* libyaml-dev=0.1.* make=3.81-* \
       patch=2.7.* xz-utils=5.1.* zlib1g-dev=1:1.2.* unzip=6.0-* curl=7.35.* \
       e2fsprogs=1.42.* iptables=1.4.* xfsprogs=3.1.* xz-utils=5.1.* \
       mono-devel less=458-* groff=1.22.* liberror-perl=0.17-* \
       asciidoc=8.6.* build-essential=11.* bzr=2.6.* cvs=2:1.12.* cvsps=2.1-* docbook-xml=4.5-* docbook-xsl=1.78.* dpkg-dev=1.17.* \
       libdbd-sqlite3-perl=1.40-* libdbi-perl=1.630-* libdpkg-perl=1.17.* libhttp-date-perl=6.02-* \
       libio-pty-perl=1:1.08-* libserf-1-1=1.3.* libsvn-perl=1.8.* libsvn1=1.8.* libtcl8.6=8.6.* libtimedate-perl=2.3000-* \
       libunistring0=0.9.* libxml2-utils=2.9.* libyaml-perl=0.84-* python-bzrlib=2.6.* python-configobj=4.7.* \
       sgml-base=1.26+* sgml-data=2.0.* subversion=1.8.* tcl=8.6.* tcl8.6=8.6.* xml-core=0.13+* xmlto=0.0.* xsltproc=1.1.*

# Install chrome
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
    && echo 'deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main' | tee /etc/apt/sources.list.d/google-chrome.list \
    && apt-get update \
    && apt-get install -y google-chrome-stable --force-yes \
    && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
    && echo 'deb https://dl.yarnpkg.com/debian/ stable main' | tee /etc/apt/sources.list.d/yarn.list \
    && apt-get update && apt-get install -y yarn \
    && rm -rf /var/lib/apt/lists/* \
    && apt-get clean

# Download and set up GitVersion
RUN set -ex \
    && wget "https://github.com/GitTools/GitVersion/releases/download/v${GITVERSION_VERSION}/GitVersion_${GITVERSION_VERSION}.zip" -O /tmp/GitVersion_${GITVERSION_VERSION}.zip \
    && mkdir -p /usr/local/GitVersion_${GITVERSION_VERSION} \
    && unzip /tmp/GitVersion_${GITVERSION_VERSION}.zip -d /usr/local/GitVersion_${GITVERSION_VERSION} \
    && rm /tmp/GitVersion_${GITVERSION_VERSION}.zip \
    && echo "mono /usr/local/GitVersion_${GITVERSION_VERSION}/GitVersion.exe \$@" >> /usr/local/bin/gitversion \
    && chmod +x /usr/local/bin/gitversion

# Install Docker
RUN set -ex \
    && curl -fSL "https://${DOCKER_BUCKET}/linux/static/${DOCKER_CHANNEL}/x86_64/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
    && echo "${DOCKER_SHA256} *docker.tgz" | sha256sum -c - \
    && tar --extract --file docker.tgz --strip-components 1  --directory /usr/local/bin/ \
    && rm docker.tgz \
    && docker -v \
# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
    && addgroup dockremap \
    && useradd -g dockremap dockremap \
    && echo 'dockremap:165536:65536' >> /etc/subuid \
    && echo 'dockremap:165536:65536' >> /etc/subgid \
    && wget "https://raw.githubusercontent.com/docker/docker/${DIND_COMMIT}/hack/dind" -O /usr/local/bin/dind \
    && curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-Linux-x86_64 > /usr/local/bin/docker-compose \
    && chmod +x /usr/local/bin/dind /usr/local/bin/docker-compose \
# Ensure docker-compose works
    && docker-compose version

# Install dependencies by all python images equivalent to buildpack-deps:jessie
# on the public repos.

RUN set -ex \
    && wget "https://bootstrap.pypa.io/2.6/get-pip.py" -O /tmp/get-pip.py \
    && python /tmp/get-pip.py \
    && pip install awscli==1.* \
    && rm -fr /var/lib/apt/lists/* /tmp/* /var/tmp/*

VOLUME /var/lib/docker

COPY dockerd-entrypoint.sh /usr/local/bin/

ENV NODE_VERSION="8.11.0"

# gpg keys listed at https://github.com/nodejs/node#release-team
RUN set -ex \
    && for key in \
      94AE36675C464D64BAFA68DD7434390BDBE9B9C5 \
      B9AE9905FFD7803F25714661B63B535A4C206CA9 \
      77984A986EBC2AA786BC0F66B01FBB92821C587A \
      56730D5401028683275BD23C23EFEFE93C4CFFFE \
      71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 \
      FD3A5288F042B6850C66B31F09FE44734EB7990E \
      8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
      C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
      DD8F2338BAE7501E3DD5AC78C273792F7D83545D \
      9554F04D7259F04124DE6B476D5A82AC7E37093B \
      93C7E9E91B49E432C2F75674B0A78B0A6C481CF6 \
      114F43EE0176B71C7BC219DD50A3051F888C628D \
      7937DFD2AB06298B2293C3187D33FF9D0246406D \
    ; do \
      gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || \
      gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
      gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \
    done

RUN set -ex \
	&& wget "https://nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.gz" -O node-v$NODE_VERSION-linux-x64.tar.gz \
	&& wget "https://nodejs.org/download/release/v$NODE_VERSION/SHASUMS256.txt.asc" -O SHASUMS256.txt.asc \
	&& gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
	&& grep " node-v$NODE_VERSION-linux-x64.tar.gz\$" SHASUMS256.txt | sha256sum -c - \
		&& tar -xzf "node-v$NODE_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 \
		&& rm "node-v$NODE_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc SHASUMS256.txt \
		&& ln -s /usr/local/bin/node /usr/local/bin/nodejs \
		&& rm -fr /var/lib/apt/lists/* /tmp/* /var/tmp/*

RUN npm set unsafe-perm true

COPY ./aws-configure-entrypoint.sh /aws-configure-entrypoint.sh
RUN chmod +x /aws-configure-entrypoint.sh
# Run all the aws configure commands (absolute path: the relative "./" form only works because WORKDIR defaults to /)
ENTRYPOINT [ "/aws-configure-entrypoint.sh" ]

CMD [ "node" ]

aws-configure-entrypoint.sh

#!/bin/sh
set -e

# -p: a plain mkdir aborts under set -e if the directory already exists
mkdir -p ~/.aws
cd ~/.aws
# Quote every line: an unquoted [default] is a glob pattern to the shell
echo '[profile eng-tooling-cd]' > config
echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> config
# The original wrote a literal "AWS_SECRET_ACCESS_KEY" (missing $) into the file
echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> config
echo 'output=json' >> config
echo '[default]' >> config
echo 'source_profile=eng-tooling-cd' >> config
# The role to assume in a separate account
echo 'role_arn=arn:aws:iam::0000000000:role/cd-role' >> config
# To test if the bucket got created in the separate account
aws s3api create-bucket --bucket i-was-created-by-assuming-a-role --region "$AWS_REGION"

exec "$@"

When I spin up a container off the image I built locally, it works fine given I put correct role and env values in the entrypoint script. But it does not work when used with CodeBuild.

I am also using a Codebuild project to build these images if anyone's interested -

version: 0.2

phases:
  install:
    commands:
      - apt-get update -y
  pre_build:
    commands:
      - echo Logging into the ECR
      - $(aws ecr get-login --no-include-email --region $AWS_REGION)
  build:
    commands:
#       - docker build -t cicd/ubuntu/java/openjdk-8:latest ../ubuntu/java/openjdk-8/
#       - docker tag cicd/ubuntu/java/openjdk-8:latest 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/java/openjdk-8:latest
      - docker build -t cicd/ubuntu/nodejs/8.11.0:latest terraform/ci/codebuild_images/ubuntu/nodejs/8.11.0/
      - docker tag cicd/ubuntu/nodejs/8.11.0:latest 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/nodejs/8.11/0:latest
#       - docker build -t cicd/ubuntu/dot-net/core-2.1:latest ../ubuntu/dot-net/core-2.1/
#       - docker tag cicd/ubuntu/dot-net/core-2.1:latest 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/dot-net/core-2.1:latest
  post_build:
    commands:
      # - docker push 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/java/openjdk-8:latest
      - docker push 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/nodejs/8.11/0:latest
      # - docker push 0000000000.dkr.ecr.us-east-1.amazonaws.com/cicd/ubuntu/dot-net/core-2.1:latest

@vibhuyadav
Author

vibhuyadav commented Jan 21, 2019

I was able to get past this by assuming a role in a different account in the buildspec. I could not do it in the Docker Image itself to boot with different ~/.aws/config each time because the Entrypoint is disabled in AWS Codebuild. I can understand why! Don't want to mine bitcoins in the Entrypoint 🗡
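The same profile setup the entrypoint script tried to do, written as an added example (not code from the issue) so it can be sourced from a buildspec `install` phase instead of an ENTRYPOINT, which CodeBuild does not run. It refuses to write the file when a variable is unset, instead of writing a literal variable name as the original script did; the profile name and role ARN are placeholders.

```shell
#!/bin/sh
# Added example, not from the original issue. Meant to be sourced from
# buildspec.yml and called there, since CodeBuild ignores the image ENTRYPOINT.
# Assumptions: profile name "eng-tooling-cd" and ROLE_ARN are placeholders.

# write_aws_config DIR
#   Writes DIR/config from AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
#   ROLE_ARN. Each variable is checked first: the original script lost a "$"
#   and silently wrote "aws_secret_access_key=AWS_SECRET_ACCESS_KEY".
write_aws_config() {
    dir=$1
    : "${AWS_ACCESS_KEY_ID:?AWS_ACCESS_KEY_ID is not set}"
    : "${AWS_SECRET_ACCESS_KEY:?AWS_SECRET_ACCESS_KEY is not set}"
    : "${ROLE_ARN:?ROLE_ARN is not set}"
    mkdir -p "$dir"
    # A heredoc avoids the unquoted-echo problem: "[default]" is a shell glob.
    cat > "$dir/config" <<EOF
[profile eng-tooling-cd]
aws_access_key_id=$AWS_ACCESS_KEY_ID
aws_secret_access_key=$AWS_SECRET_ACCESS_KEY
output=json
[default]
source_profile=eng-tooling-cd
role_arn=$ROLE_ARN
EOF
    # The file holds long-lived keys: owner-only permissions.
    chmod 600 "$dir/config"
}

# config_value DIR KEY
#   Reads one key back from DIR/config, for a post-write sanity check.
config_value() {
    sed -n "s/^$2=//p" "$1/config"
}
```

In buildspec.yml this replaces the ENTRYPOINT: `install: commands: - . ./aws_config.sh && write_aws_config ~/.aws`, with the three variables supplied as CodeBuild environment variables.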

@awszhen
Contributor

awszhen commented Jan 25, 2019

Hi @vibhuyadav , AWS CodeBuild does not honor ENTRYPOINT command. Thanks!

@awszhen awszhen closed this as completed Jan 25, 2019
@nhoughto

So AWS images themselves seem to use entrypoint scripts, but without declaring it in the Dockerfile. I wonder if AWS-owned images are being treated differently?

https://github.com/aws/aws-codebuild-docker-images/tree/master/ubuntu/docker/18.09.0

Otherwise using the otb AWS Docker image in CodeBuild would never start dockerd.

@ncronquist

@awszhen I realize this is a pretty old issue, but the open issue for allowing a custom entrypoint (#254) is locked to collaborators only.

Is there any update to this functionality at all?

I built a docker image to use with codebuild that runs docker in docker. I know I can start docker in each individual codebuild file using the nohup command documented in the AWS Docker in custom image sample for Codebuild documentation, but since this image is going to be used by multiple teams across dozens of codebuilds, it would be nice if I could get docker to start automatically as it does using the default aws codebuild images.
