@jessesanford
Last active December 21, 2015 20:35
ebextensions hack to allow for privileged containers on Amazon Beanstalk. The .config file goes in the .ebextensions/ directory of your eb project root. The .sh files go in .ebextensions/files/.

NOTE! You cannot use privileged: true and essential: true in your Dockerrun.aws.json at the same time with this hack. They are mutually exclusive!

```yaml
container_commands:
  01-move-restart-hook:
    command: cp -f .ebextensions/files/00_restart_containers_with_privileges.sh /opt/elasticbeanstalk/hooks/appdeploy/post/00_restart_containers_with_privileges.sh && chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/post/00_restart_containers_with_privileges.sh
  02-move-stop-hook:
    command: cp -f .ebextensions/files/02stop_privileged_containers.sh /opt/elasticbeanstalk/hooks/appdeploy/pre/02stop_privileged_containers.sh && chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/pre/02stop_privileged_containers.sh
```

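```bash
#!/bin/bash
# Post-deploy hook: recreate every container marked "privileged": true in
# Dockerrun.aws.json with HostConfig.Privileged switched on.
set -ex
. /opt/elasticbeanstalk/hooks/common.sh
EB_CONFIG_APP_STAGING=$(/opt/elasticbeanstalk/bin/get-config container -k app_deploy_dir)
export DOCKERRUN_AWS_JSON=$EB_CONFIG_APP_STAGING/Dockerrun.aws.json
while read -r container_short_name; do
  # jq prints nothing when no container is privileged; an empty name would
  # turn the filter below into "name=.", which matches every container.
  [[ -n "$container_short_name" ]] || continue
  CURRENT_CONTAINER_ID=$(docker ps --no-trunc -q --filter=name=."$container_short_name")
  CONTAINER_LONG_NAME=$(docker inspect --format='{{.Name}}' "$CURRENT_CONTAINER_ID")
  CURRENT_CONFIG=$(docker inspect --format='{{json .Config}}' "$CURRENT_CONTAINER_ID")
  # Same HostConfig as the running container, with Privileged flipped to true
  NEW_HOST_CONFIG=$(docker inspect --format='"HostConfig":{{json .HostConfig}}' "$CURRENT_CONTAINER_ID" | sed 's/\"Privileged\":false/\"Privileged\":true/I')
  echo "Stopping unprivileged $CONTAINER_LONG_NAME"
  docker stop "$CURRENT_CONTAINER_ID"
  docker rm "$CURRENT_CONTAINER_ID"
  # Request body: the old Config object minus its closing brace, plus HostConfig.
  # curl wants a host part in the URL even when it talks to the unix socket.
  NEW_CONTAINER_ID=$(curl --unix-socket /var/run/docker.sock -X POST -H "Content-Type: application/json" "http://localhost/containers/create?name=$CONTAINER_LONG_NAME" -d "${CURRENT_CONFIG%?},$NEW_HOST_CONFIG}" | jq -r '.Id')
  echo "Starting privileged $CONTAINER_LONG_NAME"
  docker start "$NEW_CONTAINER_ID"
  # Point the ECS agent's saved state at the replacement container
  sed -i "s/$CURRENT_CONTAINER_ID/$NEW_CONTAINER_ID/g" /var/lib/ecs/data/ecs_agent_data.json
done <<< "$(jq -r '.containerDefinitions[] | select(.privileged == true) | .name' "$DOCKERRUN_AWS_JSON")"
```
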
```bash
#!/bin/bash
# Pre-deploy hook: stop and remove the containers marked "privileged": true
# before the new application version is deployed.
set -ex
. /opt/elasticbeanstalk/hooks/common.sh
EB_CONFIG_APP_CURRENT=$(/opt/elasticbeanstalk/bin/get-config container -k app_deploy_dir)
export DOCKERRUN_AWS_JSON=$EB_CONFIG_APP_CURRENT/Dockerrun.aws.json
while read -r container_short_name; do
  # An empty name would make the filter "name=.", which matches every container
  [[ -n "$container_short_name" ]] || continue
  CURRENT_CONTAINER_ID=$(docker ps -q --filter=name=."$container_short_name")
  # Nothing to do if the container is not running
  if [[ -n "$CURRENT_CONTAINER_ID" ]]; then
    CONTAINER_LONG_NAME=$(docker inspect --format='{{.Name}}' "$CURRENT_CONTAINER_ID")
    echo "Stopping unprivileged $CONTAINER_LONG_NAME"
    docker stop "$CURRENT_CONTAINER_ID" || true
    docker rm "$CURRENT_CONTAINER_ID" || true
  fi
done <<< "$(jq -r '.containerDefinitions[] | select(.privileged == true) | .name' "$DOCKERRUN_AWS_JSON")"
```

```json
{
  "AWSEBDockerrunVersion": 2,
  "containerDefinitions": [
    {
      "name": "happy_container_name",
      "image": "tutum.co/happy/happy_container",
      "memory": 128,
      "essential": false,
      "privileged": true
    }
  ]
}
```

sylwit commented Dec 21, 2015

This doesn't work if your container has essential set to true or if your container has a link to another container.

It will be stopped and another new privileged container will be started, so the link is broken.
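
A pre-deploy check for the two limitations reported on this page (privileged together with essential, and links involving a container that gets recreated), which also lists every container that would end up privileged so the set can be reviewed. This is an added example, not part of the gist; the `links` entries and the `db` and `proxy` containers in the sample are constructed.

```python
import json

# Constructed sample in the Dockerrun.aws.json v2 layout shown above; the
# "db" and "proxy" containers and all "links" values are made up.
SAMPLE = """
{
  "AWSEBDockerrunVersion": 2,
  "containerDefinitions": [
    {"name": "happy_container_name", "image": "tutum.co/happy/happy_container",
     "memory": 128, "essential": true, "privileged": true, "links": ["db"]},
    {"name": "db", "image": "example/db", "memory": 128, "essential": true},
    {"name": "proxy", "image": "example/proxy", "memory": 64,
     "essential": false, "links": ["happy_container_name:app"]}
  ]
}
"""


def link_target(link):
    """A link is "name" or "name:alias"; return the container name."""
    return link.split(":", 1)[0]


def check_dockerrun(text):
    """Return (privileged_names, findings) for a Dockerrun.aws.json document."""
    defs = json.loads(text).get("containerDefinitions", [])
    # Same selection as the hooks' jq filter: .privileged == true
    privileged = [d["name"] for d in defs if d.get("privileged") is True]
    findings = []
    for d in defs:
        name, links = d["name"], d.get("links", [])
        if name in privileged:
            if d.get("essential") is True:
                findings.append((name, "privileged and essential are both true"))
            for link in links:
                findings.append((name, "links to " + link_target(link)))
        for link in links:
            if link_target(link) in privileged and name not in privileged:
                findings.append((name, "links to privileged " + link_target(link)))
    return privileged, findings


if __name__ == "__main__":
    names, problems = check_dockerrun(SAMPLE)
    print("containers that will run privileged:", ", ".join(names) or "none")
    for container, reason in problems:
        print(f"  {container}: {reason}")
```

Run it against the project's Dockerrun.aws.json in CI and fail the build when the findings list is not empty.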
