66

I use to connect to EC2 container instances following this steps, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance-connect.html wondering how I can connect to FARGATE-managed container instances instead.

Valy Dia
Stefano Messina

5 Answers

37

Starting from the middle of March 2021, executing a command in the ECS container is possible when the container runs in AWS Fargate. Check the blog post Using Amazon ECS Exec to access your containers on AWS Fargate and Amazon EC2.

Quick checklist:

  1. Enable command execution in the service.
  2. Make sure to use the latest platform version in the service.
  3. Add ssmmessages:.. permissions to the task execution role.
  4. Force new deployment for the service to run tasks with command execution enabled.

AWS CLI command to run bash inside the instance:

aws ecs execute-command  \
    --region eu-west-1 \
    --cluster [cluster-name] \
    --task [task id, for example 0f9de17a6465404e8b1b2356dc13c2f8] \
    --container [container name from the task definition] \
    --command "/bin/bash" \
    --interactive

The setup explained above should allow to run the /bin/bash command and get an interactive shell into the container running on AWS Fargate. Please check the documentation Using Amazon ECS Exec for debugging for more details.

Victor Smirnov
  • Does anyone know if `ecs exec` is supposed to be able to access ANY container running on Fargate, even those deployed to EKS clusters (as opposed to ECS). The docs for `ecs exec` don't mention EKS at all and are quite ambiguous on this question. – timblaktu Nov 12 '21 at 21:28
  • I found this page to be more to the point & easier to understand than the one linked above: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html – jlhasson Jun 19 '22 at 22:41
  • @jlhasson, thank you for the reference. I included it in the answer. – Victor Smirnov Jun 20 '22 at 05:08
30

Looking at that issue on GitHub https://github.com/aws/amazon-ecs-cli/issues/143, I think it's not possible to run docker exec from a remote host into a container on ECS Fargate. You can try to run an SSH daemon and your main process in one container using e.g. systemd (https://docs.docker.com/config/containers/multi-service_container/) and connect to your container using SSH, but generally it's not a good idea in the containers world.

Jakub Bujny
  • 4
    Thanks for that! I'm going to try this: https://github.com/aws/amazon-ecs-cli/issues/143#issuecomment-414415329 (Well, it's not about being a good or a bad idea if you need to debug something in dev before it gets to prod) – Stefano Messina Sep 13 '18 at 11:34
  • I'm happy that I helped! I would really appreciate if you could accept my answer :) – Jakub Bujny Sep 13 '18 at 11:40
  • I didn't try that actually, I disabled FARGATE deployment to SSH into the container. – Stefano Messina Sep 13 '18 at 13:15
  • 7
    I can confirm, yes you can SSH into a Fargate container by running sshd and properly configuring the security group. – bluescores Sep 19 '18 at 09:45
  • 3
    @bluescores - any chance you could elaborate on your solution? – Ilya Dec 23 '18 at 22:48
  • 2
    You just need a Docker image that has SSH enabled, or mod one. How to mod will vary considerably depending on what is in the initial image. Remember you can run anything in a container and SSHD is just another service. The whole "run one thing in a container" is one way to use them but it is not necessarily the correct or only way; it is just a specific use case of them that suits a CI/DevOps environment. Have a look at lxc/lxd, FreeBSD jails, or Solaris zones. They are all containers but set up to look more like full machines, i.e. multiple processes, services, user accounts etc. – krad Feb 13 '19 at 10:19
  • Having said that fargate is geared up for one service. – krad Feb 13 '19 at 10:19
  • 1
    Could this be helpful? https://github.com/aws/containers-roadmap/issues/187#issuecomment-490347856 – Jan Richter Jun 02 '19 at 01:37
  • 2021: it IS possible now. See Victor Smirnov's answer below or read this: https://aws.amazon.com/about-aws/whats-new/2021/03/amazon-ecs-now-allows-you-to-execute-commands-in-a-container-running-on-amazon-ec2-or-aws-fargate/ – Pierre Nov 17 '21 at 19:09
10

It is possible, but not straightforward. In short: install SSH, don't expose the SSH port outside the VPC, add a bastion host, SSH through the bastion.

A little bit more details:

  • Spin up SSHD with password-less authentication. Docker instructions
  • Fargate Task: expose port 22
  • Configure your VPC, instructions
  • Create an EC2 bastion host
  • From there SSH into your Task's IP address

  • What if the PortMapping is already mapped to 80 for the webserver? https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html#ECS-Type-PortMapping-hostPort – Jack Chi Oct 12 '20 at 05:08
9

Enable execute command on service.

aws ecs update-service --cluster <Cluster> --service <Service> --enable-execute-command

Connect to fargate task.

aws ecs execute-command --cluster <Cluster> \
    --task <taskId> \
    --container <ContainerName> \
    --interactive \
    --command "/bin/sh" 

Ref - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

tumbudu
  • In case of error "$ bash <( curl -Ls https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh ) " – tumbudu Dec 21 '21 at 11:09
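The checklist in Victor Smirnov's answer and the two commands in tumbudu's answer boil down to a handful of preconditions that `aws ecs execute-command` needs, which is also what the check-ecs-exec.sh script linked in the comment verifies. The following is an added example, not code from this page, from AWS or from that checker: an offline preflight that runs over constructed dictionaries shaped like `aws ecs describe-services` / `describe-tasks` output and an IAM policy document, and it assumes the ssmmessages permissions are attached to the task IAM role (the role the containers run as).

```python
# Constructed sample data shaped like describe-services / describe-tasks output
# and an IAM policy document (not real AWS output).
SERVICE = {"enableExecuteCommand": False, "platformVersion": "1.3.0"}
TASK = {"enableExecuteCommand": False, "containers": [{"name": "web"}]}
TASK_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"}]}
# Actions the task IAM role needs so the SSM agent in the task can open session channels.
REQUIRED_SSM_ACTIONS = {"ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                        "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"}

def platform_version_ok(version):
    """Fargate platform version 1.4.0 or later (or LATEST) is required for ECS Exec."""
    if version == "LATEST":
        return True
    try:
        return tuple(int(p) for p in version.split(".")) >= (1, 4, 0)
    except ValueError:
        return False

def allowed_actions(policy):
    """Collect the Allow actions of a policy document (Action may be a str or a list)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def covers(granted, required):
    """True if some granted action matches `required`, honouring '*' and 'service:*'."""
    service = required.split(":")[0]
    return any(g in ("*", required, service + ":*") for g in granted)

def exec_preflight(service, task, task_role_policy, container):
    """Return the reasons `aws ecs execute-command` would fail; an empty list means ready."""
    problems = []
    if not service.get("enableExecuteCommand"):
        problems.append("service: enableExecuteCommand is off (update-service --enable-execute-command)")
    if not platform_version_ok(service.get("platformVersion", "")):
        problems.append("service: platform version must be 1.4.0 or LATEST")
    if not task.get("enableExecuteCommand"):
        problems.append("task: started before exec was enabled (force a new deployment)")
    granted = allowed_actions(task_role_policy)
    missing = sorted(a for a in REQUIRED_SSM_ACTIONS if not covers(granted, a))
    if missing:
        problems.append("task role: missing " + ", ".join(missing))
    names = [c["name"] for c in task.get("containers", [])]
    if container not in names:
        problems.append(f"container {container!r} not in task (have {names})")
    return problems
```

Feed it the JSON from `aws ecs describe-services`, `aws ecs describe-tasks` and `aws iam get-role-policy` (or the managed policy document) to see which of the checklist items is still missing before opening a session.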
3

Here is an example of adding SSH/sshd to your container to gain direct access:

# Dockerfile
FROM alpine:latest

# --virtual expects a name argument; plain --no-cache is what is meant here
RUN apk update && apk add --no-cache openssh

COPY sshd_config /etc/ssh/sshd_config

# COPY with a glob cannot concatenate several files into one, so stage the
# public keys in a directory first and build authorized_keys from them
RUN mkdir -p /root/.ssh/authorized-keys
COPY authorized-keys/*.pub /root/.ssh/authorized-keys/
RUN cat /root/.ssh/authorized-keys/*.pub > /root/.ssh/authorized_keys \
  && rm -rf /root/.ssh/authorized-keys
# the directory needs the execute bit (700); only the key file should be 600
RUN chown -R root:root /root/.ssh && chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys

COPY docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
RUN ln -s /usr/local/bin/docker-entrypoint.sh /

# We have to set a password to be let in for root - MAKE THIS STRONG.
RUN echo 'root:THEPASSWORDYOUCREATED' | chpasswd

EXPOSE 22
ENTRYPOINT ["docker-entrypoint.sh"]

#!/bin/sh
# docker-entrypoint.sh
set -e

if [ "$SSH_ENABLED" = true ]; then
  if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then
    # generate a fresh RSA host key
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
  fi
  if [ ! -f "/etc/ssh/ssh_host_ed25519_key" ]; then
    # generate a fresh ed25519 host key (current OpenSSH no longer
    # supports DSA host keys, so "ssh-keygen -t dsa" fails)
    ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
  fi

  # prepare the privilege-separation directory sshd needs
  mkdir -p /var/run/sshd

  /usr/sbin/sshd

  # copy the task's environment (PATH and anything with an underscore, i.e.
  # the variables injected by the task definition) into the login profile so
  # SSH sessions see the same values; single-quote them so spaces survive
  env | grep '_\|PATH' | while IFS='=' read -r name value; do
    printf "export %s='%s'\n" "$name" "$value"
  done >> /root/.profile
fi

exec "$@"

More details here: https://github.com/jenfi-eng/sshd-docker

nitsujri