With AWS Fargate, it is inconvenient that when a problem occurs you cannot get into the running container to investigate, so I looked into how to get a shell inside the container.
If you use ssm-agent, you do not have to open an SSH port or manage public keys for SSH, so I went with ssm-agent.
Because access goes through Session Manager, it has the following merits:
https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/activations.html
Access to your Amazon EC2 instance is available at no additional charge.
https://github.com/f96q/fargate-ssm-sample
This repository contains the Dockerfile and the Terraform that creates an environment running it on AWS Fargate.
Dockerfile
With Alpine there is no ssm-agent package, so you have to fetch the source, build it, and install it yourself.
For other Linux distributions an ssm-agent package may be provided, in which case installing that package is all that is needed. https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/sysman-manual-agent-install.html
```dockerfile
ARG GOLANG_TAG=1.14.4-alpine3.12
ARG ALPINE_TAG=3.12

# ssm agent builder
FROM golang:$GOLANG_TAG as ssm-agent-builder
ARG SSM_AGENT_VERSION=2.3.1205.0
RUN apk add --no-cache \
    'make~=4.3-r0' \
    'git~=2.26.2-r0' \
    'gcc~=9.3.0-r2' \
    'libc-dev~=0.7.2-r3' \
    'bash~=5.0.17-r0'
RUN wget -q https://github.com/aws/amazon-ssm-agent/archive/${SSM_AGENT_VERSION}.tar.gz && \
    mkdir -p /go/src/github.com && \
    tar xzf ${SSM_AGENT_VERSION}.tar.gz && \
    mv amazon-ssm-agent-${SSM_AGENT_VERSION} /go/src/github.com/amazon-ssm-agent && \
    echo ${SSM_AGENT_VERSION} > /go/src/github.com/amazon-ssm-agent/VERSION
WORKDIR /go/src/github.com/amazon-ssm-agent
RUN gofmt -w agent && make checkstyle || ./Tools/bin/goimports -w agent && \
    make build-linux

# merge image
FROM alpine:$ALPINE_TAG
RUN apk add --no-cache \
    'jq~=1' \
    'aws-cli~=1.18.55-r0' \
    'sudo~=1.9.0-r0'
# ssm-user is the account Session Manager sessions run as; the agent expects it to have passwordless sudo
RUN adduser -D ssm-user && \
    echo "Set disable_coredump false" >> /etc/sudo.conf && \
    echo "ssm-user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ssm-agent-users && \
    mkdir -p /etc/amazon/ssm
COPY --from=ssm-agent-builder /go/src/github.com/amazon-ssm-agent/bin/linux_amd64/ /usr/bin
COPY --from=ssm-agent-builder /go/src/github.com/amazon-ssm-agent/bin/amazon-ssm-agent.json.template /etc/amazon/ssm/amazon-ssm-agent.json
COPY --from=ssm-agent-builder /go/src/github.com/amazon-ssm-agent/bin/seelog_unix.xml /etc/amazon/ssm/seelog.xml
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["amazon-ssm-agent"]
```
docker-entrypoint.sh
```sh
#!/bin/sh
set -e

AWS_REGION=${AWS_REGION:-}

# Create a one-shot activation (registration limit 1) for this container using the task role's credentials
SSM_ACTIVATION=$(aws ssm create-activation --default-instance-name "fargate-ssm" --iam-role "service-role/AmazonEC2RunCommandRoleForManagedInstances" --registration-limit 1 --region "$AWS_REGION")
export SSM_ACTIVATION_CODE=$(echo "$SSM_ACTIVATION" | jq -r .ActivationCode)
export SSM_ACTIVATION_ID=$(echo "$SSM_ACTIVATION" | jq -r .ActivationId)

# Register this container as a managed instance, then hand over to CMD (amazon-ssm-agent)
amazon-ssm-agent -register -code "$SSM_ACTIVATION_CODE" -id "$SSM_ACTIVATION_ID" -region "$AWS_REGION"
exec "$@"
```
https://aws.amazon.com/jp/systems-manager/pricing/#On-Premises_Instance_Management
Note that you are charged for the whole time the registered instance is running, as described on the pricing page above.
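The entrypoint above leaves a managed-instance record and an activation behind every time a task stops, and it exports the one-time activation code into the environment of everything it launches. The variant below is an added example, not the repository's script: it parses the activation with a small sed helper (`json_field`, mine) instead of jq, keeps the code out of the exported environment, runs the app as a child so an EXIT trap can deregister the instance and delete the activation, and forwards SIGTERM. It assumes the agent writes its registration to `/var/lib/amazon/ssm/registration` with a `ManagedInstanceID` field, and that the task role is also allowed `ssm:DeregisterManagedInstance` and `ssm:DeleteActivation` (both assumptions, not from the original post).

```shell
#!/bin/sh
# Added example, not the repository's entrypoint. Assumes the registration file path
# below and that the task role may call ssm:DeregisterManagedInstance and
# ssm:DeleteActivation in addition to ssm:CreateActivation and iam:PassRole.
set -eu

REGISTRATION_FILE=${REGISTRATION_FILE:-/var/lib/amazon/ssm/registration}

# Read one string-valued key from JSON on stdin (flat or pretty-printed) with sed
# only, so the image does not need jq just to pull out two fields.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Runs on EXIT: remove the managed-instance record and the activation so a task
# that has stopped neither lingers in Fleet Manager nor keeps being billed.
cleanup() {
  if [ -f "$REGISTRATION_FILE" ]; then
    mi_id=$(json_field ManagedInstanceID < "$REGISTRATION_FILE")
    [ -n "$mi_id" ] && aws ssm deregister-managed-instance \
      --instance-id "$mi_id" --region "$AWS_REGION" || true
  fi
  [ -n "${SSM_ACTIVATION_ID:-}" ] && aws ssm delete-activation \
    --activation-id "$SSM_ACTIVATION_ID" --region "$AWS_REGION" || true
}

main() {
  : "${AWS_REGION:?AWS_REGION must be set}"
  activation=$(aws ssm create-activation --default-instance-name "fargate-ssm" \
    --iam-role "service-role/AmazonEC2RunCommandRoleForManagedInstances" \
    --registration-limit 1 --region "$AWS_REGION")
  SSM_ACTIVATION_ID=$(printf '%s\n' "$activation" | json_field ActivationId)
  code=$(printf '%s\n' "$activation" | json_field ActivationCode)
  trap cleanup EXIT
  amazon-ssm-agent -register -code "$code" -id "$SSM_ACTIVATION_ID" -region "$AWS_REGION"
  unset code activation   # the one-time code is never exported to the application
  # Run the application as a child instead of exec'ing it, so the EXIT trap still
  # fires; forward ECS's SIGTERM to it and wait until it has really finished.
  "$@" &
  child=$!
  trap 'kill -TERM "$child" 2>/dev/null' TERM INT
  wait "$child" && status=0 || status=$?
  if kill -0 "$child" 2>/dev/null; then   # wait was interrupted by the forwarded signal
    wait "$child" && status=0 || status=$?
  fi
  return "$status"
}
# Only run when invoked as the container entrypoint; sourcing the file just defines the functions.
if [ "${0##*/}" = "docker-entrypoint.sh" ]; then main "$@"; fi
```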