
I need to get the SYS_PTRACE kernel capability on my Docker container. Here's the Dockerrun.aws.json:

```json
{
  "AWSEBDockerrunVersion": "1",
  "Authentication": {
    "Bucket": "some-bucket",
    "Key": "somekey"
  },
  "Image": {
    "Name": "somename",
    "Update": "true"
  },
  "Ports": [
    {
      "HostPort": 80,
      "ContainerPort": 80
    },
    a few more ports
  ]
}
```

Remember, this is Amazon Linux 2, which is a whole new distribution and EB platform. We're not using Docker Compose (wherein you could add that to the yml).

I tried just adding in the following section:

```json
"linuxParameters": {
  "capabilities": {
    "add": ["SYS_PTRACE"]
  }
}
```

It was simply ignored.

Thanks!

std''OrgnlDave

1 Answer

It seems to me that this setting is not supported in v1. Looking into the docs under the section "Docker platform configuration - without Docker Compose" [1], linuxParameters is not listed under "Valid keys and values for the Dockerrun.aws.json v1 file". You might have to switch to v2 by using multi-container Docker. The docs for v2 state that "the container definition and volumes sections of Dockerrun.aws.json use the same formatting as the corresponding sections of an Amazon ECS task definition file" [2].
It looks like your code above would work in v2 because it is a valid task definition section, see [3].

[1] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/single-container-docker-configuration.html
[2] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.html
[3] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

Martin Löper
  • Yeah, that configuration setting doesn't work. Thanks for finding out in the documentation why. But...how DOES one get SYS_PTRACE with Amazon Linux 2? In Amazon Linux 1, you'd modify the beanstalk scripts. It's just a binary blob in 2 though. – std''OrgnlDave Apr 13 '21 at 17:48
  • Could you please clarify what you mean by "get SYS_PTRACE"? I do not quite know what you are trying to achieve yet... If you want to provide the kernel capability to your container, you must use a Dockerrun.aws.json schema version which supports it. – Martin Löper Apr 13 '21 at 18:09
  • Something like this: https://stackoverflow.com/questions/28267419/how-can-i-run-a-docker-container-in-aws-elastic-beanstalk-with-non-default-run-p works on Docker v1 – std''OrgnlDave Apr 14 '21 at 13:13
  • Does the answer in your referenced thread solve your issue? It looks like a nice workaround to modify the docker run command via ebextensions. This should work as single container docker uses a local docker daemon instead of ECS, I guess. – Martin Löper Apr 14 '21 at 13:54
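The answer's point, that v1 silently drops unknown top-level keys while v2 container definitions follow the ECS task definition schema, can be turned into a pre-deployment check. The script below is an added example, not code from the question, the answer or AWS; the v1 key list is taken from the v1 reference and assumed complete, the two sample documents are constructed, and the "sensitive" capability set is the example's own choice.

```python
import json

# Top-level keys listed in the Dockerrun.aws.json v1 reference (assumed
# complete here); EB ignores anything else, "linuxParameters" included.
V1_KEYS = {"AWSEBDockerrunVersion", "Authentication", "Image", "Ports",
           "Volumes", "Logging", "Command", "Entrypoint"}

# Capabilities a reviewer would want justified before they reach production.
SENSITIVE_CAPS = {"SYS_PTRACE", "SYS_ADMIN", "NET_ADMIN"}


def audit_dockerrun(doc):
    """Return a list of findings for a parsed Dockerrun.aws.json (v1 or v2)."""
    findings = []
    version = str(doc.get("AWSEBDockerrunVersion", ""))
    if version == "1":
        for key in sorted(set(doc) - V1_KEYS):
            hint = (" (capabilities need v2 or a docker-run override)"
                    if key == "linuxParameters" else "")
            findings.append(f"v1: unsupported top-level key '{key}' is ignored{hint}")
    elif version == "2":
        # v2 container definitions use the ECS task definition schema.
        for cdef in doc.get("containerDefinitions", []):
            name = cdef.get("name", "<unnamed>")
            caps = cdef.get("linuxParameters", {}).get("capabilities", {})
            for cap in caps.get("add", []):
                tag = "SENSITIVE" if cap in SENSITIVE_CAPS else "info"
                findings.append(f"v2: container '{name}' adds {cap} [{tag}]")
    else:
        findings.append(f"unknown AWSEBDockerrunVersion: {version!r}")
    return findings


# Constructed sample: the question's v1 file with the ignored section added.
V1_SAMPLE = json.loads("""{
  "AWSEBDockerrunVersion": "1",
  "Image": {"Name": "somename", "Update": "true"},
  "Ports": [{"HostPort": 80, "ContainerPort": 80}],
  "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}}
}""")

# Constructed sample: the same intent as a v2 (ECS-style) container definition.
V2_SAMPLE = json.loads("""{
  "AWSEBDockerrunVersion": 2,
  "containerDefinitions": [{
    "name": "app", "image": "somename", "essential": true, "memory": 256,
    "portMappings": [{"hostPort": 80, "containerPort": 80}],
    "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}}
  }]
}""")
```

Running `audit_dockerrun` on the v1 sample reports the ignored key, while the v2 sample shows the capability actually being granted, which is the review point either way.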