
ECS Agent AppArmor support (aka Ubuntu 22+ support) #4062

Merged
merged 3 commits into from
Dec 20, 2023

Conversation

sparrc
Contributor

@sparrc sparrc commented Dec 18, 2023

Summary

This is a follow-up to #3941. That PR was reverted because an issue was discovered that affects customers who are running Ubuntu on the EC2 launch type. This issue was not discovered pre-launch because our team was not testing Ubuntu on the EC2 launch type; we only tested Ubuntu on the EXTERNAL launch type in our automated regression testing.

Since then we have added support for testing Ubuntu on the EC2 launch type to our automated regression testing framework, and have fixed the AppArmor DENY that was causing the issue on Ubuntu on EC2 (network netlink permission).

This change will introduce the ecs-agent-default apparmor profile, which adds support for Ubuntu 22 platforms, as Ubuntu 22 defaults both to docker 20.10.x+ and CgroupsV2. Creating ECS's cgroups requires extra DBUS permissions in CgroupsV2. This ecs-default apparmor profile will provide the required permissions.

Implementation details

The changes are in ecs-init:

  • engine.go is updated with PreStartAppArmor, which checks if the host is apparmor supported and calls loadDefaultProfile if supported
  • app-armor.go is added to load the ecs-default profile: it checks if the profile is already loaded. If not, it will create and write to the file and load the profile using apparmor_parser.
  • docker_config.go is updated to set hostConfig.SecurityOpt if the host is apparmor supported
  • Removed ecs-init/config/development.go as it is no longer used by our team; it is interfering with our ecs-init development process for debugging and running ecs-init.

Testing

New tests cover the changes: yes

  • unit tests added as part of this PR
  • full functional test suite has been run on Ubuntu 18, 20, 22 on both the EXTERNAL and EC2 launch types.

Description for the changelog

Enhancement: Add AppArmor support

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
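The decision flow the implementation details describe, written out as an added example (not the ecs-agent project's own code): detect host AppArmor support, check whether the profile is already loaded before writing and apparmor_parser-loading it, honour the ECS_AGENT_APPARMOR_PROFILE override named in the commit message, and derive the Docker SecurityOpt entry. The sysfs paths, the "Y" check, and passing file contents in as strings so it runs offline are assumptions of this example.

```go
package main

import "strings"

// Profile name from the PR; ECS_AGENT_APPARMOR_PROFILE is from its commit message.
const defaultProfile = "ecs-agent-default"

// hostAppArmorEnabled interprets /sys/module/apparmor/parameters/enabled,
// which reads "Y" when the kernel has AppArmor on (assumed check).
func hostAppArmorEnabled(enabledParam string) bool {
	return strings.TrimSpace(enabledParam) == "Y"
}

// profileLoaded scans /sys/kernel/security/apparmor/profiles, one
// "name (mode)" line per loaded profile, for the named profile.
func profileLoaded(profilesFile, name string) bool {
	for _, line := range strings.Split(profilesFile, "\n") {
		if f := strings.Fields(line); len(f) > 0 && f[0] == name {
			return true
		}
	}
	return false
}

// selectProfile applies the env var override; "unconfined" opts out of confinement.
func selectProfile(override string) string {
	if override != "" {
		return override
	}
	return defaultProfile
}

// needsProfileLoad: ecs-init writes and apparmor_parser-loads the profile only
// when AppArmor is on, the chosen profile actually confines, and the kernel lacks it.
func needsProfileLoad(enabled bool, profilesFile, override string) bool {
	p := selectProfile(override)
	return enabled && p != "unconfined" && !profileLoaded(profilesFile, p)
}

// securityOpt builds the Docker HostConfig.SecurityOpt entry for the agent
// container, or nil when the host has no AppArmor support.
func securityOpt(enabled bool, override string) []string {
	if !enabled {
		return nil
	}
	return []string{"apparmor=" + selectProfile(override)}
}
```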

@sparrc sparrc requested a review from a team as a code owner December 18, 2023 23:39
@sparrc sparrc changed the base branch from master to dev December 18, 2023 23:39
ecs-init/apparmor/apparmor_test.go (Outdated)
ecs-init/apparmor/apparmor.go
chienhanlin previously approved these changes Dec 19, 2023
@sparrc sparrc dismissed stale reviews from prateekchaudhry and chienhanlin via 6c59cb4 December 19, 2023 23:08
@sparrc sparrc force-pushed the apparmor-support-v3 branch 2 times, most recently from 6c59cb4 to 760d8f8 December 19, 2023 23:08
sparrc and others added 3 commits December 19, 2023 15:38
- Adjust ecs-agent-default profile to allow full range of required
  permissions for all agent launch types.
- Support ECS_AGENT_APPARMOR_PROFILE env var for opting into alternate
  profiles, or to 'unconfined' profile.
@sparrc sparrc merged commit 5815336 into aws:dev Dec 20, 2023
38 checks passed
@sparrc sparrc deleted the apparmor-support-v3 branch December 20, 2023 16:53
@mye956 mye956 mentioned this pull request Jan 9, 2024