Amazon-ecs-agent: Request: Support for tmpfs parameter when launching containers

Created on 3 Aug 2016 · 34Comments · Source: aws/amazon-ecs-agent

There is now support in the docker engine for a tmpfs flag that mounts a tmpfs file system into the running container. I believe this was added with docker v1.10.0. I would very much like to use this as a mechanism to store config secrets (such as PGP keys, DB passwords, etc...) I do not see a way currently to pass this option in to the ECS TaskDefinition. The syntax for the docker run command with this parameter looks like this:

docker run -ti --tmpfs /secrets:rw,noexec,nosuid,size=100m ubuntu:14.04 bash

kinfeature request scopECS Service scopPlacement scopTask Definition

Source

CameronGo

👍48

Most helpful comment

While the use of tmpfs mounts for secrets is also interesting, another use case for this feature would be to allow containers running under ECS to more easily run in read-only mode; e.g. by mounting tmpfs filesystems on /tmp, /var/run, etc.

ceharris on 8 Aug 2016

👍11

All 34 comments

ceharris on 8 Aug 2016

👍11

This would be highly appreciated!

I would like to run some containers read only and use --tmpfs to give them some read/write space they can use (it is ephermal data anyways). This would substantially lower the pressure on EBS io.

Overbryd on 22 Sep 2016

👍2

raygunsix on 28 Nov 2016

👎3

+1 I would also like to run read only and need this to move forward with that

rhuddleston on 16 Dec 2016

+1, nice to have

cyrilchampier on 23 Jan 2017

Running containers with a read-only root filesystem is now part of the CIS benchmark, and thus it won't be long before organizations start insisting on having this Docker functionality when running on ECS. It's possible run read-only now, but without having tmpfs for scratch space, it's hard to use effectively.

ceharris on 24 Jan 2017

👍3

+1 such a simple and effective security option to use read-only with tmpfs

philenz on 27 Feb 2017

osiegmar on 12 Mar 2017

👎1

nomnux on 6 Apr 2017

👎1

Prendo93 on 18 Apr 2017

👎1

This would be useful for us as well

seren on 26 Jun 2017

A specific use case for this is the storage of the Varnish VSM file, where Varnish is very sensitive to slowdowns in writes to this temporary file. Mounting this directory into tmpfs would insulate it against EBS latencies.

jhmartin on 2 Aug 2017

In some cases, it's sufficient with using /dev/shm (which is tmpfs and has 64M by default).

piotrbulinski on 9 Aug 2017

@piotrbulinski I looked at that, but unfortunately my Varnish VSM file is about 80MB.

jhmartin on 9 Aug 2017

@jhmartin indeed, in some cases it will not be enough. Unfortunately for you the --shm-size is not supported either (#787)...

piotrbulinski on 9 Aug 2017

I don't like being just another +1 but this is essential for running readonly containers

coen-hyde on 16 Aug 2017

+1... @jhmartin, in the meantime you can increase the size of /dev/shm as a workaround.

sdesalas on 29 Aug 2017

+1 to being able to use tmpfs in ecs and elasticbeanstalk

kerryjj on 27 Sep 2017

bryjawink on 2 Oct 2017

👎1

bruceharrison1984 on 9 Oct 2017

👎1

Htarlov on 11 Oct 2017

👎1

jayaskren on 18 Oct 2017

👎1

dond00m on 18 Oct 2017

👎1

asieira on 26 Oct 2017

👎1

Actually, --tmpfs doesn't allow you to set options. Ideally, we should be able to specify the tmpfs size and default file mode as per --mount type=tmpfs.

My use case is a per-container RAM disk for a sqlite database when running https://github.com/mlsecproject/gglsbl-rest in my ECS cluster, for performance reasons.

asieira on 26 Oct 2017