Containers-roadmap: Port mappings: add support of port ranges

Created on 14 Dec 2015 · 34 Comments · Source: aws/containers-roadmap

Hi there!

Some applications do require a wide range of open ports, and the only option we have at the moment is to set them explicitly (i.e. one by one) when defining tasks.

I think that it would be useful to allow use of port ranges, like

{
    "hostPorts": "3000-3025",
    "containerPorts": "3000-3025",
    "protocol": "tcp"
}

Also, I've noticed that ecs-agent throws an error if there are > 100 ports specified in a task definition, regardless of the port numbers:

 Run tasks failed
 Reasons : RESOURCE:PORTS

Please advise.

ECS Proposed


All 34 comments

You're correct that we don't currently support specifying port ranges directly in task definitions.
I made sure the feature of port ranges is being tracked internally.

There is indeed a limit on the number of reserved and utilized ports. This limit, per the docs, is 50.

If you have more information on your use-case, it could help us in evaluating that limit.

Best,
Euan

It would be nice to have this feature, as I have a similar use case where the application requires a large number of ports (1 thousand ports) in order to communicate with another instance running on a different host.

+1

Since docker supports port ranges, I would expect that it should be possible to specify port ranges via the ECS agent too.
Also, I can easily imagine use cases where a wide range of ports should be used, for example a video conference SFU which can handle up to 10k WebRTC connections.

+1

👍

+1
WebRTC / RTP
(Should be easy to do, since it's now supported in docker)

+1
Is there any status on the progress of this?
I'll add FTP to the mix of use cases.

+1

+1

+1

I would also like this to allow us to restrict containers to different ports so I can define security groups and only allow upstream services to access specific services running in ECS.

+1

@euank I know this has been added to the use cases already, but FTP is what we require this for. We're adding passive ports in manually and we can only allow 49 concurrent PASV connections with the 50 port limit (with 1 for the control port on 21).

+1

+1
At the very least, the docs should mention that the ports parameter syntax is only partially supported.
http://docs.aws.amazon.com/AmazonECS/latest/developerguide/cmd-ecs-cli-compose.html
The way it's written currently implies that the listed parameters are supported as per the linked docker compose syntax (v1&2) docs, which prominently show examples of the use of ranges: https://docs.docker.com/compose/compose-file/compose-file-v2/#ports

At least, the 50 ports limit should throw a useful error message in the agent. Currently it just shows this misleading event message (in the AWS console):

service [...] was unable to place a task because no container instance met all of its requirements. The closest matching container-instance [...] is already using a port required by your task.

+1

Couchbase server cluster using ECS Weave but managing ports is becoming a pain:
21100 to 21299 (inclusive) Node to Node communication

+1 I'm hosting an FTP proxy daemon, and it needs to support a range of ports for passive mode. The range is 200 ports, and is impossible to achieve at the moment. Are there any plans to support this?

+1

+1

This is an important requirement and we are going to use ECS heavily. Are you guys working on it? When could this be available?

I created this issue more than a year ago.
Is there a chance that you guys would implement this feature in the near future?

For those who are trying to set up an FTP server inside an ECS task container and are trying to allow PASV connections and bump into the limitations of ECS-agent: please know that there is a simple solution that does not require you to define all potential dynamic PASV ports that you defined in your server configuration.
You simply need to set the NetworkMode of your TaskDefinition to 'host' instead of 'bridge'. This gives the container access to ports it dynamically opens (as is the case with passive FTP connections).
Obviously in your security group you still need to allow the dynamic range you use, but here you can use a range.
Hope this helps somebody; I lost quite some time trying to get this to work.
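Added example (not code from this issue, the ECS agent or AWS) contrasting the two configurations discussed in the thread: a bridge-mode task definition that must enumerate a passive-FTP port range entry by entry and so hits the 50-port limit quoted above, versus the host-mode task plus a single ranged security-group rule from the workaround. The task-definition and security-group field names are the real ECS/EC2 API names; the 60000-60048 range, image name and CIDR are constructed values.

```python
import json

# Reserved/utilized port limit per container instance, as quoted in the thread.
ECS_PORT_LIMIT = 50

def expand_port_range(spec, protocol="tcp"):
    """Expand "3000-3025" (or a single port "21") into explicit ECS portMappings.
    ECS accepts one port per mapping, so a range must be written out entry by entry."""
    start, sep, end = spec.partition("-")
    lo, hi = int(start), (int(end) if sep else int(start))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port spec: {spec}")
    return [{"containerPort": p, "hostPort": p, "protocol": protocol}
            for p in range(lo, hi + 1)]

def check_port_budget(mappings, limit=ECS_PORT_LIMIT):
    """Return (distinct host ports, within_limit). Exceeding the limit is what the
    scheduler surfaces as RESOURCE:PORTS / "already using a port required by your task"."""
    count = len({(m["hostPort"], m["protocol"]) for m in mappings})
    return count, count <= limit

def bridge_task(family, image, port_specs):
    """bridge-mode task definition: control port plus every passive port listed."""
    mappings = [m for spec in port_specs for m in expand_port_range(spec)]
    count, ok = check_port_budget(mappings)
    if not ok:
        raise ValueError(f"{count} ports exceeds the {ECS_PORT_LIMIT}-port limit")
    return {"family": family, "networkMode": "bridge",
            "containerDefinitions": [{"name": "ftp", "image": image,
                                      "portMappings": mappings}]}

def host_task(family, image):
    """host-mode workaround from the thread: no portMappings at all; the container
    binds straight into the instance's network namespace (and therefore shares it)."""
    return {"family": family, "networkMode": "host",
            "containerDefinitions": [{"name": "ftp", "image": image}]}

def sg_ingress_rule(spec, cidr, protocol="tcp"):
    """Security-group rule for the same range: one FromPort/ToPort entry, scoped to
    the narrowest CIDR that actually needs passive-mode access."""
    ports = expand_port_range(spec, protocol)
    return {"IpProtocol": protocol, "FromPort": ports[0]["hostPort"],
            "ToPort": ports[-1]["hostPort"], "IpRanges": [{"CidrIp": cidr}]}

if __name__ == "__main__":
    # Constructed values: 49 passive ports plus control port 21 fit the limit exactly.
    print(json.dumps(bridge_task("ftp", "example/ftp:1", ["21", "60000-60048"]))[:80])
    print(json.dumps(sg_ingress_rule("60000-60048", "10.0.0.0/16")))
```

With host mode the security-group rule becomes the only place the passive range is expressed, so keeping its CIDR narrow matters more than in bridge mode.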

This is also a major blocker for us, is there a timeline for this?

Confirmed that using NetworkMode: host instead of bridge does not require you to explicitly expose ports. Rather, all traffic to the host is directly mapped to the same port on the container. We've successfully run an RTP proxy for WebRTC inside ECS.

Thank you very much, after struggling for two days, this finally helped!

Obviously in your security group you still need to allow the dynamic range you use, but here you can use a range.

Does this mean we can specify a narrower range of ports in the Security Group? Is there a setting to match the dynamic port range to the Security Group port range... i.e. we don't need 20,000 ports as a possibility.

+1

Erlang node clustering. Ports 4369 and the range 9100 - 9155 are the default.

+1

+1

+1 (FTP)

+1

Running a dask worker with --nprocs > 1 assigns multiple ports that can be controlled by specifying a range, e.g. --worker-port 9000:9100.

Currently it requires adding all the ports individually.

+1 as per PCI DSS requirements of not having that huge amount of open ports.
