Containers-roadmap: [ECS] Pre-install AWS SSM Agent on the ECS-optimized Amazon Linux 2 AMI

Created on 1 Aug 2019 · 17Comments · Source: aws/containers-roadmap

We are considering adding the AWS SSM Agent to the ECS-optimized Amazon Linux 2 AMI. SSM Agent makes it possible for Systems Manager to update, manage, and configure EC2 instances. Please let us know your interest in this potential improvement by reacting with a 👍 on the issue if you want it to be implemented. Additional feedback and comments also appreciated!

ECS

Source

coultn

👍92

Most helpful comment

If you could also install the AWS Inspector agent that would also be useful

lloydpick on 1 Aug 2019

👍8

All 17 comments

Why would we want to promote updates like this instead of embracing immutability?

brentryan on 1 Aug 2019

If you could also install the AWS Inspector agent that would also be useful

lloydpick on 1 Aug 2019

👍8

I love this idea.

matthewcummings on 1 Aug 2019

Yes, can we get this in v1 of aws linux.

ghost on 1 Aug 2019

Why would we want to promote updates like this instead of embracing immutability?

Can you explain more what you mean? The proposed change is a change to the AMI used by ECS. So it would still be immutable in the sense that you don't need install extra software on the instance yourself.

coultn on 1 Aug 2019

Why would we want to promote updates like this instead of embracing immutability?

Can you explain more what you mean? The proposed change is a change to the AMI used by ECS. So it would still be immutable in the sense that you don't need install extra software on the instance yourself.

for us, it will save about 45 seconds of our ami customisation, but they nice thing is i never now need to worry about ami build failures if there is an issue with the SSM source.

ghost on 1 Aug 2019

My only issue with installing it by default is that you’re promoting others to use this agent to update your ECS instances instead of leveraging immutability and using new AMI’s to push out any updates. Also, installing by default bloats the image more as well as consumes resources that may be needed especially when leveraging t3.nano and other smaller instance types.

I don’t have an issue with it being an option but I’m not sure it’s the right default option. What would I need to do if I didn’t want this? Will there be a setting to at least disable by default in user data scripts upon launch?

brentryan on 2 Aug 2019

👍3

This would be very useful. We just updated to the Amazon Linux 2 images and I was surprised that this still had to be installed.

ngamradt-turner on 6 Aug 2019

The SSM and Inspector agents should be installed on all AWS AMIs as a standard. The sooner the better. Please make it happen.

dfuentes77 on 5 Sep 2019

👎1

What about EC2 Instance Connect? I'm torn between using that and the SSM agent.

matthewcummings on 6 Sep 2019

I was assuming that it was based off Amazon Linux which does have ssm-agent pre-installed?

lifeofguenter on 18 Sep 2019

Now that EKS managed nodes shipped, this is much more needed. Relying on SSH keypair is really not convenient, and there is no possibility to deploy it using userdata anymore

https://aws.amazon.com/about-aws/whats-new/2019/11/amazon-eks-adds-support-for-provisioning-and-managing-kubernetes-worker-nodes/

pierresteiner on 21 Nov 2019

Now that EKS managed nodes shipped, this is much more needed. Relying on SSH keypair is really not convenient, and there is no possibility to deploy it using userdata anymore

https://aws.amazon.com/about-aws/whats-new/2019/11/amazon-eks-adds-support-for-provisioning-and-managing-kubernetes-worker-nodes/

Just to be clear, this issue is specifically for the ECS-optimized AMI, not the EKS-optimized AMI. If you need SSM pre-installed on the EKS-optimizd AMI, that is a separate feature request. Thanks!

coultn on 21 Nov 2019

Absolutely not interested in additional agents being baked in to this Ami. I assume anyone who needs it has already written the automation for the install. If you change it now you'll just be adding a bunch of work for everyone to either remove the install automation or, as in my case, add the uninstall automation.

I think the images should be as light as possible. Let each customer decide what they want.

wimnat on 4 Jan 2020

👍4 😕2 👎2

Makes perfect sense.

mapdegree on 3 Feb 2020

@wimnat I don't think that is a logic conclusion.

If you want something really slim or lightweight, you can always opt-in for an alternative distribution (debian, ubuntu, etc).

The reason for Amazon Linux is described here: https://aws.amazon.com/amazon-linux-ami/

AWS Integration
The Amazon Linux AMI includes packages and configurations that provide tight integration with Amazon Web Services. The Amazon Linux AMI comes pre-installed with many AWS API tools and CloudInit.

Additionally this is the AMI used internally by default (ECS, EKS, etc.) - so it only makes sense for us to be able to use services and tools out-of-the-box, especially since ssm is a very crucial part to connect to the machine in first place (replacing ssh). It is not anymore a "nice to have" but for some cases really a bare minimum.

I do agree though, this is not super important, as many of us surely already have the proper automation in place to make sure required tools are installed and setup.

lifeofguenter on 4 Feb 2020

👍1

Launched: Amazon ECS-optimized Linux 2 AMIs now come with pre-installed AWS Systems Manager Agent.

This capability is now available in all commercial AWS regions, see Region table. You can get started with pre-installed SSM agent version 2.3.714.0 using the Amazon ECS-optimized Amazon Linux 2 AMIs with the ECS agent version 1.36.2. For more information please see AWS documentation.

Note: It is advised that you should disable any automation to install the SSM agent in your ECS-Optimized AMIs.