Amazon-ecs-agent: Add option to open TTY

Created on 28 Jul 2016 · 24Comments · Source: aws/amazon-ecs-agent

Right now there is no way to open TTY of a container that is launched by ECS agent. I need this option to run an interactive container inside our ECS cluster.
Specifically, I want to run rails console in our production cluster. Currently we do this by ssh'ing into the container instance and run docker run -it ... directly but this approach has several problems:

Now that ECS supports per-task IAM role, we also want an interactive container to be associated with the task IAM role
Our task definition is quite complex (volumes, network configurations, "sidekick containers" along with the main rails server container, etc...) so it is hard to emulate the TD configuration if we use docker run -it inside the container instance

So what we want to do with this tty option is: run ECS task with TTY, ssh into the container instance then docker attach to the container

kinfeature request scopECS Service scopTask Definition

Source

k2nr

👍9

Most helpful comment

@aaithal @richardpen do you know the roadmap for interactive tasks?

Had a thought that if there was an API call for createTask which would just call docker create, attaching and running via ssh would be way less hacky then what we have now, where you create a task with a process that never dies and then hope that you later remember to stop the container.

OR if there was a way of calling docker run commands as root directly on the container instance that we could be assured behaved the same as calling runTask from the API. I also use task IAM roles to fetch s3 config, and have task definition config that I want to be assured is the same between my interactive containers and app server containers. Maybe e.g. aws ecs run-local-container -it <task_definition>.

Of course the ideal scenario is just something like heroku run. Maybe you need your own ECS cli tool :)

clumsysnake on 18 Sep 2016

👍9

All 24 comments

@k2nr Currently ECS doesn't support opening TTY for containers using task definition. But you can still launch your task in ECS, then ssh into your instance and use docker exec to attach to the container.

richardpen on 2 Aug 2016

@aaithal @richardpen do you know the roadmap for interactive tasks?

Of course the ideal scenario is just something like heroku run. Maybe you need your own ECS cli tool :)

clumsysnake on 18 Sep 2016

👍9

panga on 27 Sep 2016

I have a working proof of concept for running rails console with an embedded tmux server. I'm working on a command line tool to launch it with RunTask, find the private ip of the instance to ssh to (through our bastion), ssh to that instance, and run a skinny docker container that just hosts tmux attach.

ryansch on 27 Sep 2016

👍3

are there any plans to support this? i want to gpg sign commits in the container and my builds fail with this error:

gpg: cannot open tty `/dev/tty': No such device or address

jgangemi on 6 Oct 2016

@richardpen Another issue with doing it via docker exec is that doesn't run your ENTRYPOINT command. We're using it to set up some specific environment variables, which causes a problem.

mwarkentin on 7 Feb 2017

is there any potential forward motion on this? i'd still like to use the service but want the tty option.

jgangemi on 9 Feb 2017

You have the following labels per docker container running in your EC2 Container Instance:

"Labels": {
                "com.amazonaws.ecs.cluster": "testclusty",
                "com.amazonaws.ecs.container-name": "hello",
                "com.amazonaws.ecs.task-arn": "arn:aws:ecs:us-west-2:586687105316:task/019ee91b-3d29-4872-a7cf-9f730d7d607e",
                "com.amazonaws.ecs.task-definition-family": "testhello",
                "com.amazonaws.ecs.task-definition-version": "2"
            }

You just need to ssh to one of the instances where the task currently lives and do and replace the name of the container(in my case is hello) and run it as:

sudo docker exec -ti `docker ps -q -f 'label=com.amazonaws.ecs.container-name=hello'` /bin/sh

That opens a terminal inside the container, it works with a ruby on rails image as well:

sudo docker exec -ti `docker ps -q -f 'label=com.amazonaws.ecs.container-name=hello'` bundle exec rake db:migrate

bithavoc on 16 Feb 2017

@bithavoc in real world we shouldn't have access to instance SSH, just the container :)

panga on 16 Feb 2017

👍1

@panga true, what I posted is a walk-around I guess

bithavoc on 16 Feb 2017

i just took another look on the aws side of things and it doesn't appear this is an option in the task definition either, so i'm wondering if this is possible w/o that.

jgangemi on 16 Feb 2017

is not possible to tty @jgangemi , you can still do docker exec though

bithavoc on 16 Feb 2017

Just adding my +1 for ECS supporting something like this. We have a feature in Empire for running attached processes (just like heroku run), however, it has to go entirely through Docker in order to set the Tty and OpenStdin flags when creating the container. If you could specify these flags in the ContainerDefinition, then attaching to a container started by ECS would be possible, and we could just use the RunTask api (which we'd like to use, so that AWS Roles for ECS tasks will work within these containers).

ejholmes on 1 Mar 2017

I would really like a way to run an ECS container with a TTY

revmischa on 20 Aug 2017

❤1

Gave up on this, switched to Rancher and never looked back

bithavoc on 20 Aug 2017

👍1

r1williams on 28 Aug 2017

hSATAC on 20 Oct 2017

Tensho on 11 Nov 2017

awsfanatic on 25 Feb 2018

kwent on 21 Mar 2018

You can now add tty and interactive options to your containers in your task definition. You can add these new options in the AWS Console now, and they'll be available in the AWS CLI and SDKs soon.