-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run SSM Agent on AWS by default #107
Comments
I am interested and happy to contribute here. I dont like option to run it via docker, as it is tool like ssh, to access host itself, not container internals. And also because agent itself are just few golang binaries, w/o any external dependencies. I been able to run agent on a host by copying files from my docker container. Below is my dockerfile to build it:
|
@dongsupark do you think its a good thing to have? I can start working on it if you feel that it could be included to the official build. |
@dongsupark only q i have (probably dummy one) is how to add package in the way that it is added only to AWS AMI |
Hi, |
@pothos ami update for me sounds like a better idea. With running over docker i see number of issues:
But yes, like an idea to make it in /usr/bin in the base |
With Docker the isolation can be minimized to share as much with the host as possible. |
I created initial version of the ebuild for the SSM. |
@pothos i still think that running it in docker is a bad idea, for the reasons listed above. Also it will be different from any other system which bundles it. About your concern about updating - i think it should be solved independently, without using A/B scheme. Either by AMI upgrade (something i am using now) or by making it via native |
Found how native updater works. It is fetching manifest from the special url (e.g. |
I think I agree with @samm-git here. We've been running the SSM agent on all our containers for a while, and not via docker. The whole point of SSM is to give you a great deal of control of the host from the AWS console/api's and to do that means you'd need to essentially mount every host directory to the docker container, which completely defeats the purpose of sandboxing it in docker in the first place. I noticed that the PR was merged a couple of days ago. Any idea when this will be available in stable? |
According to commit details, |
We wanted to enable it, but could not. |
@samm-git |
@pothos |
You can run it in Docker container https://thepracticalsysadmin.com/deploy-aws-ssm-agent-to-coreos/ but I would probably add some more Docker parameters to be able to access the host environment from within the container. |
I am doing it from userdata, without docker. I was proposing different options to solve it in flatcar but so far no luck. I personally see this as a serious issue for the flatcar/aws. |
@bjethwan i can share my recipe later if you interested. |
@dongsupark may be we should just extend oem part. size as a workaround before oem mechanism is recreated? |
Or we could host some resources that are too large elsewhere and fetch them through Ignition… |
@pothos this also could be an option, however, will require connectivity to such location, what is not always a good option. This is what i am doing now, from s3 bucket. However, still think it must be part of the base in aws. Like it is with other cloud-native distros. |
What I'm doing now is downloading SSM agent rpm file from S3 bucket stated in official AWS docs, then extract binary from the rpm. I used busybox image for extracting agent binary because Flatcar doesn't seem to contain tools required for extracting rpm files. |
@pothos i still feel that as short-term solution changing partition size is a way to go. |
With btrfs compression (just zlib for the start until GRUB gets updated) we are finally able to fit the 122 MB binaries into the OEM partition, resulting in a 37 MB used filesystem. A quick estimate: Depending on what we put in we have space for ~300 MB more Go binaries until the 128 MB filesystem is full. |
The SSM Agent is now included on the AWS image (released in next Alpha): flatcar-archive/coreos-overlay#1162 I think we can close this issue now, please try it out after the Alpha release and give your feedback, in case we need to reopen this :) |
Current situation
The agent system service for the AWS Session Manager is not installed by default. It can be started as a Docker service with a customized image.
Impact
Users don't have this functionality available unless they know the system very well and are ready to run the agent themselves.
Ideal future situation
The agent runs by default if there is no drawback.
Implementation options
Run it via Docker with a customized image as written here. There is an OEM package for EC2 but I recommend to include the service file not in the OEM package but in the regular
/usr
partition and only start it under the systemd unit condition that the kernel command line includes the OEM ID, i.e.,KernelCommandLine=flatcar.oem.id=ec2
(and maybe addKernelCommandLine=coreos.oem.id=ec2
).Build the Docker image in our quay repo and tag it with a version.
Additional information
All relevant links are in the blog post linked above.
The text was updated successfully, but these errors were encountered: