Last active
December 21, 2015 20:35
An .ebextensions hack that allows privileged containers on Amazon Elastic Beanstalk. The .config file goes in the .ebextensions/ directory of your EB project root; the .sh files go in .ebextensions/files/. NOTE: with this hack you cannot use privileged: true and essential: true in your Dockerrun.aws.json at the same time. They are mutually exclusive!
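# Installs the two deploy hooks shipped in .ebextensions/files/ into the
# Elastic Beanstalk appdeploy hook directories.
#
# Security notes:
#   - container_commands and appdeploy hooks run as root on the instance, so
#     both .sh files are root-executed code: review them like any other
#     privileged change and keep them under version control with the app.
#   - Mode 755 leaves the installed hooks writable by their owner only.
#   - The hooks grant "privileged" to every container that Dockerrun.aws.json
#     marks "privileged": true. A privileged container has near-unrestricted
#     access to the host; keep that list as short as possible.
container_commands:
  # Post-deploy: re-creates the flagged containers with Privileged=true.
  01-move-restart-hook:
    command: cp -f .ebextensions/files/00_restart_containers_with_privileges.sh /opt/elasticbeanstalk/hooks/appdeploy/post/00_restart_containers_with_privileges.sh && chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/post/00_restart_containers_with_privileges.sh
  # Pre-deploy: stops and removes the flagged containers left from the
  # previous deployment.
  02-move-stop-hook:
    command: cp -f .ebextensions/files/02stop_privileged_containers.sh /opt/elasticbeanstalk/hooks/appdeploy/pre/02stop_privileged_containers.sh && chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/pre/02stop_privileged_containers.sh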
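#!/bin/bash
#
# 00_restart_containers_with_privileges.sh  (appdeploy/post hook)
#
# For every container that Dockerrun.aws.json marks "privileged": true, stop
# and remove the running (unprivileged) container, re-create it through the
# Docker API with HostConfig.Privileged=true, start it, and rewrite the old
# container ID in the ECS agent state file.
#
# Security notes:
#   - A privileged container has near-unrestricted access to the host. Only
#     containers explicitly flagged in Dockerrun.aws.json are touched, and an
#     ambiguous name match aborts the hook instead of promoting an extra
#     container.
#   - The container's .Config JSON includes its environment variables. xtrace
#     is switched off while that JSON is handled and the request body is sent
#     on stdin, so it reaches neither the deploy log nor the process list.
set -ex

. /opt/elasticbeanstalk/hooks/common.sh

EB_CONFIG_APP_STAGING=$(/opt/elasticbeanstalk/bin/get-config container -k app_deploy_dir)
export DOCKERRUN_AWS_JSON="$EB_CONFIG_APP_STAGING/Dockerrun.aws.json"

# Run jq as a plain assignment so a missing or malformed Dockerrun file aborts
# the hook (set -e) instead of silently producing an empty list.
PRIVILEGED_NAMES=$(jq -r '.containerDefinitions[] | select(.privileged == true) | .name' "$DOCKERRUN_AWS_JSON")

while IFS= read -r container_short_name; do
  # The here-string yields one empty line when nothing is flagged. An empty
  # name would turn the filter below into "name=.", which matches every
  # container on the host.
  [[ -n "$container_short_name" ]] || continue

  # NOTE(review): the name filter is a pattern match, not an exact match, so
  # a short name that is a substring of another container's name can match
  # both. That case is rejected below.
  CURRENT_CONTAINER_ID=$(docker ps --no-trunc -q --filter="name=.$container_short_name")

  if [[ -z "$CURRENT_CONTAINER_ID" ]]; then
    echo "No running container matches '$container_short_name'" >&2
    exit 1
  fi
  if [[ "$CURRENT_CONTAINER_ID" == *$'\n'* ]]; then
    echo "More than one container matches '$container_short_name'; refusing to grant privileges" >&2
    exit 1
  fi

  CONTAINER_LONG_NAME=$(docker inspect --format='{{.Name}}' "$CURRENT_CONTAINER_ID")

  # Keep the container configuration (environment variables included) out of
  # the xtrace output.
  { set +x; } 2>/dev/null

  CURRENT_CONFIG=$(docker inspect --format='{{json .Config}}' "$CURRENT_CONTAINER_ID")
  NEW_HOST_CONFIG=$(docker inspect --format='"HostConfig":{{json .HostConfig}}' "$CURRENT_CONTAINER_ID" | sed 's/\"Privileged\":false/\"Privileged\":true/I')
  # Drop the closing brace of Config and append the patched HostConfig member.
  CREATE_BODY="${CURRENT_CONFIG%?},$NEW_HOST_CONFIG}"

  # The old container has to go first: the new one reuses its name.
  echo "Stopping unprivileged $CONTAINER_LONG_NAME"
  docker stop "$CURRENT_CONTAINER_ID"
  docker rm "$CURRENT_CONTAINER_ID"

  CREATE_RESPONSE=$(printf '%s' "$CREATE_BODY" \
    | curl --unix-socket /var/run/docker.sock -sS -X POST \
        -H "Content-Type: application/json" --data-binary @- \
        "http:/containers/create?name=$CONTAINER_LONG_NAME")
  NEW_CONTAINER_ID=$(printf '%s' "$CREATE_RESPONSE" | jq -r '.Id // empty') || NEW_CONTAINER_ID=""

  # Without this check a failed create would only surface later as a failing
  # "docker start null", after the original container is already gone.
  if [[ -z "$NEW_CONTAINER_ID" ]]; then
    echo "Docker API did not return a container Id for $CONTAINER_LONG_NAME: $CREATE_RESPONSE" >&2
    exit 1
  fi

  set -x

  echo "Starting privileged $CONTAINER_LONG_NAME"
  docker start "$NEW_CONTAINER_ID"

  # Point the ECS agent's state at the replacement container.
  sed -i "s/$CURRENT_CONTAINER_ID/$NEW_CONTAINER_ID/g" /var/lib/ecs/data/ecs_agent_data.json
done <<< "$PRIVILEGED_NAMES"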
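#!/bin/bash
#
# 02stop_privileged_containers.sh  (appdeploy/pre hook)
#
# Before a deployment, stop and remove the running containers whose names
# match an entry flagged "privileged": true in Dockerrun.aws.json. Stop and
# remove failures are tolerated (best effort), as in the original hook.
set -ex

. /opt/elasticbeanstalk/hooks/common.sh

EB_CONFIG_APP_CURRENT=$(/opt/elasticbeanstalk/bin/get-config container -k app_deploy_dir)
export DOCKERRUN_AWS_JSON="$EB_CONFIG_APP_CURRENT/Dockerrun.aws.json"

# Run jq as a plain assignment so a missing or malformed Dockerrun file aborts
# the hook (set -e) instead of silently producing an empty list.
PRIVILEGED_NAMES=$(jq -r '.containerDefinitions[] | select(.privileged == true) | .name' "$DOCKERRUN_AWS_JSON")

while IFS= read -r container_short_name; do
  # The here-string yields one empty line when nothing is flagged. An empty
  # name would turn the filter below into "name=.", which matches every
  # running container, and the loop would then stop and remove all of them.
  [[ -n "$container_short_name" ]] || continue

  # NOTE(review): the name filter is a pattern match, not an exact match, so
  # more than one ID can come back; each one is handled on its own line.
  CURRENT_CONTAINER_IDS=$(docker ps -q --filter="name=.$container_short_name")

  while IFS= read -r CURRENT_CONTAINER_ID; do
    [[ -n "$CURRENT_CONTAINER_ID" ]] || continue

    CONTAINER_LONG_NAME=$(docker inspect --format='{{.Name}}' "$CURRENT_CONTAINER_ID")
    echo "Stopping unprivileged $CONTAINER_LONG_NAME"
    # Best effort: the container may already be stopped or removed.
    docker stop "$CURRENT_CONTAINER_ID" || true
    docker rm "$CURRENT_CONTAINER_ID" || true
  done <<< "$CURRENT_CONTAINER_IDS"
done <<< "$PRIVILEGED_NAMES"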
{ | |
"AWSEBDockerrunVersion": 2, | |
"containerDefinitions": [ | |
{ | |
"name": "happy_container_name", | |
"image": "tutum.co/happy/happy_container", | |
"memory": 128, | |
"essential": false, | |
"privileged": true | |
} | |
] | |
} | |
This doesn't work if your container has essential set to true or if your container has a link to another container.
The container will be stopped and a new privileged container will be started, so the link is broken.