aws-ecs: Cloud-init script for EC2 fails when using AWS Linux 2023 #28518

juinquok · 2023-12-29T06:39:26Z

Describe the bug

When using EC2 as the capacity provider in the addAsgCapacityProvider method, the user is expected to specify the machineImageType for the capcity provider. In doing so, it will add a user data script that will inject additional data that is relevant to the user for the /etc/ecs/ecs.config file

One of the commands that is injected is:

autoScalingGroup.addUserData('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP');
autoScalingGroup.addUserData('sudo service iptables save');

On AWS Linux 2023 running the Linux 6.1.66-91.160.amzn2023.x86_64 kernel, this command results in an error when executing the cloud-init file.

+ sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
+ sudo service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, reload-or-restart, try-reload-or-restart, force-reload, status, condrestart). For other actions, please try to use systemctl.
2023-12-29 06:11:05,181 - cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)
2023-12-29 06:11:05,184 - util.py[WARNING]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3.9/site-packages/cloudinit/config/cc_scripts_user.py'>) failed

This results in the line after

echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config

to not get run which is not ideal.

Expected Behavior

It should successfully run the required ECS setup configs when the EC2 instance starts.

Current Behavior

The cloud-init script will fail with the error message The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, reload-or-restart, try-reload-or-restart, force-reload, status, condrestart). For other actions, please try to use systemctl.

Reproduction Steps

Start an ECS Cluster with an EC2 capacity provider and the AMI in the launch template for the autoscaling group to be the latest AWS Linux 2023 AMI (ecs.EcsOptimizedImage.amazonLinux2023(AmiHardwareType.STANDARD)). The error will occur when the instance starts up and the logs can be found in /var/log/cloud-init-output.log

Possible Solution

Introduce a new machineImageType in the addAsgCapacityProvider method and name it AMAZON_LINUX_2023. In the configureAutoScalingGroup method in cluster.ts, add in a new switch condition to render different user data for the ECS Optimized AMI for AWS Linux 2023. In particular, the sudo service iptables save will be changed to sudo iptables-save > /etc/sysconfig/iptables which will not throw the same error as above.

Additional Information/Context

No response

CDK CLI Version

2.114.1 (build 02bbb1d)

Framework Version

No response

Node.js Version

v18.17.0

OS

macOS 14.2

Language

TypeScript

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

pahud · 2024-01-02T17:30:23Z

Thank you for the possible solution. Yes this might be an option. Making this a p1 as it's not easy to work it around.

juinquok · 2024-01-03T01:35:56Z

Happy to help raise a PR to implement it if the possible solution is acceptable :)

BwL1289 · 2024-02-07T17:06:33Z

Also experiencing this. Need an option to specify AMAZON_LINUX_2023.

BwL1289 · 2024-02-08T00:37:05Z

@juinquok also happy to help with this.

Additionally, we should add a note that if you choose BOTTLEROCKET you need to be using it in your ASG machine image. Experienced a bug today that cost me a bunch of hours due to userData not being set so the ecs agent did not know the name of the cluster.

IwoTens · 2024-02-21T07:54:05Z

Just to add: We've noticed this issue with AL2 as well. We solved it by installing iptables-services in the userdata, so that the command can be run.

juinquok · 2024-02-26T05:50:09Z

@pahud Should I raise a PR to implement this change if its agreeable with the team?

pahud · 2024-04-17T17:30:24Z

@juinquok Yes feel free to submit a PR and let's move this forward.

github-actions · 2025-01-07T22:50:38Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

github-actions · 2025-01-07T22:50:38Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

…e=false` and also deprecate property (#32763) ### Issue # (if applicable) Closes #28518. ### Reason for this change When `canContainersAccessInstanceRole=false`, wrong commands are added to the ASG UserData, as described in the issue linked above. Reason for deprecating the `canContainersAccessInstanceRole` option is detailed in #32609. ### Description of changes - Added deprecation tag to all `canContainersAccessInstanceRole` options. - Created two feature flags to control the `canContainersAccessInstanceRole` behaviour - Added new commands if customer opted to use them via setting the right feature flags ### Describe any new or updated permissions being added None ### Description of how you validated changes A new integ test is added to ensure the commands in UserData executes without throwing errors. The existing integ tests are updated to have the default feature flag values and they are passing. This should prove that there will not be any change to existing CDK apps. Unit tests are added for each platform, combination of possible values for `canContainersAccessInstanceRole` + possible values for the feature flags (3 platforms * 3 possible values for `canContainersAccessInstanceRole` * 2 possible values for `@aws-cdk/aws-ecs:disableEcsImdsBlocking` * 2 possible values for `@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature` = 36 unit tests). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

juinquok added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 29, 2023

github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Dec 29, 2023

github-actions bot mentioned this issue Jan 1, 2024

Monthly issue metrics report - Dec 2023 #28543

Closed

pahud added p1 effort/medium Medium work item – several days of effort needs-review and removed needs-triage This issue or PR still needs to be triaged. labels Jan 2, 2024

khushail removed the needs-review label May 8, 2024

godwingrs22 self-assigned this Aug 12, 2024

samson-keung mentioned this issue Dec 24, 2024

aws-ecs: appends invalid ecs user data #32469

Closed

1 task

samson-keung mentioned this issue Jan 6, 2025

fix(ecs): outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property #32763

Merged

1 task

mergify bot closed this as completed in #32763 Jan 7, 2025

mergify bot closed this as completed in bbdd42c Jan 7, 2025

github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-ecs: Cloud-init script for EC2 fails when using AWS Linux 2023 #28518

aws-ecs: Cloud-init script for EC2 fails when using AWS Linux 2023 #28518

juinquok commented Dec 29, 2023

pahud commented Jan 2, 2024

juinquok commented Jan 3, 2024

BwL1289 commented Feb 7, 2024

BwL1289 commented Feb 8, 2024

IwoTens commented Feb 21, 2024

juinquok commented Feb 26, 2024

pahud commented Apr 17, 2024

github-actions bot commented Jan 7, 2025

github-actions bot commented Jan 7, 2025