anthcourtney/ansible-role-cis-amazon-linux

ecs optimized ami - 1.1.18 error

Opened this issue · 2 comments

Hello,

When running the role with the AWS ECS optimized AMI (eu-west-2 | amzn-ami-2018.03.h-amazon-ecs-optimized | ami-0cb31bf24b130a0f9), task 1.1.18 failed with the following error. Has this been tested, or does anybody have any experience with this?

I have pulled out the preflight checks as I know there are support issues with the 2018 version of AWS Linux with Ansible.

    amazon-ebs: TASK [cis-amazon-linux : 1.1.18 - Ensure sticky bit is set on all world-writable directories] ***
    amazon-ebs: fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t", "delta": "0:00:00.453499", "end": "2018-10-29 09:27:57.286881", "msg": "non-zero return code", "rc": 123, "start": "2018-10-29 09:27:56.833382", "stderr": "chmod: cannot access ‘/var/lib/docker/containers/b907f3a94f3d731b339ad3d513b8b00b78d894227bd6a7655fa583a22d0295e3/mounts/shm’: No such file or directory", "stderr_lines": ["chmod: cannot access ‘/var/lib/docker/containers/b907f3a94f3d731b339ad3d513b8b00b78d894227bd6a7655fa583a22d0295e3/mounts/shm’: No such file or directory"], "stdout": "", "stdout_lines": []}

Hi @steven-cuthill-otm,
I test the roles locally using the "mvbcoding/awslinux" Vagrant image and did not get the specific error.
I am guessing the issue is something to do with the OS running in a container which has very restrictive permissions.

Question: what output do you get when you run this command?
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null

Sorted this, it's because on the ECS image the ECS agent is actually running in a container which has locks on parts of the fs.

To get around this, simply stop the Docker daemon, run the playbooks and then kick it back up when you're done. Here is a snippet from my Packer builder.

    {
        "execute_command": "echo 'ec2-user' | {{.Vars}} sudo -S -E bash '{{.Path}}'",
        "type": "shell",
        "inline_shebang":"/bin/sh -x",
        "inline": [
            "docker ps",
            "ps aux | grep docker-containerd",
            "service docker stop"

        ]
    },
    {
        "type": "ansible-local",
        "playbook_file": "ansible/playbook.yml",
        "playbook_dir": "ansible"
    },
    {
        "execute_command": "echo 'ec2-user' | {{.Vars}} sudo -S -E bash '{{.Path}}'",
        "type": "shell",
        "inline": [
            "rm -rf /tmp/*",
            "rm -f /tmp/.ansible-lock.*",
            "service docker start && sleep 10",
            "start ecs",
            "docker ps"
        ]
    }
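The failure in this thread comes from the role's one-line pipeline: `find` lists a world-writable directory that is a container mount, the directory is gone by the time `xargs chmod` reaches it, and the non-zero `xargs` status fails the whole task. The script below is an added example, not code from the anthcourtney/ansible-role-cis-amazon-linux role or from anyone in this thread. It reimplements the CIS 1.1.18 audit and remediation so that a directory vanishing between `find` and `chmod` is reported and skipped, while a real `chmod` failure on an existing directory still produces a non-zero exit status. The function names and the constructed temporary tree in `demo_sticky_bit` are my own; on a real host you would call `audit_sticky_bit` and `remediate_sticky_bit` on each local mount point instead.

```shell
#!/bin/sh
# Added example (not the role's own task): audit and remediate CIS 1.1.18
# ("sticky bit set on all world-writable directories") in a way that tolerates
# directories that disappear mid-run, such as container mounts under
# /var/lib/docker on an ECS-optimized AMI.

# Print world-writable directories beneath $1 that lack the sticky bit, one per
# line, without crossing into other filesystems (-xdev, as the role does).
audit_sticky_bit() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Set the sticky bit on every directory audit_sticky_bit would report under $1.
# Exit status: 0 if every directory that still existed was fixed, 1 if chmod
# failed on an existing directory. A path that vanished is skipped with a note
# on stderr rather than failing the run.
remediate_sticky_bit() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec sh -c '
    rc=0
    for d; do
      if [ -d "$d" ]; then
        chmod a+t "$d" || { echo "failed: $d" >&2; rc=1; }
      else
        echo "skipped, vanished before chmod: $d" >&2
      fi
    done
    exit $rc
  ' sh {} +
}

# Number of directories under $1 still failing the check (0 means compliant).
sticky_bit_violations() {
  audit_sticky_bit "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed temporary tree (not a real root filesystem):
# prints "<violations before> <violations after>".
demo_sticky_bit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/upload" "$tmp/ok" "$tmp/private"
  chmod 0777 "$tmp/upload"      # world-writable without sticky bit: violation
  chmod 1777 "$tmp/ok"          # already compliant
  chmod 0755 "$tmp/private"     # not world-writable: out of scope
  before=$(sticky_bit_violations "$tmp")
  remediate_sticky_bit "$tmp"
  after=$(sticky_bit_violations "$tmp")
  rm -rf "$tmp"
  echo "$before $after"
}
```

Running `demo_sticky_bit` prints `1 0`: one violation before remediation, none after. The `-exec ... {} +` form keeps the per-directory existence check inside one shell invocation per batch, so a vanished path costs nothing more than a stderr line, which is the behaviour the original `xargs chmod` pipeline lacked.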