Modifying a Container from the Docker Configuration in an ECS Task
Author: W. Jenks Gibbons
A requirement to modify a container can be anything from an obstacle to a blocker in a project. For example, if you need to query the metadata endpoint from, or install software in, an ECS Windows application container a team may blocked because that is another team’s responsibility or because of change control. To get around this, we can use the entryPoint and command options in the ‘Advanced container definition parameters’ of the ECS ‘Task definition parameters’¹.
Let’s look at a practical example. In ‘Querying the EC2 Metadata Endpoint from an ECS Windows Container’, I discussed how to modify a startup script that is configured to be called from the ENTRYPOINT in the Dockerfile. This is fine, however if I don’t have the option to modify the Dockerfile and rebuild the container I need to find another solution. As noted above there not only is one, but it also streamlines our process.
Leaving the container as is, we can use the entryPoint and command options in the ECS task. Using this method we can configure our routing to reach the metadata endpoint, install software, etc.
Configuring the Routing to Hit the Metadata Endpoint
Below is the JSON from a task. NOTE: that the ‘command’ in both examples is one line the ‘\’ is for readability.
"entryPoint": [
"powershell"
],
"command": [
"$gateway = (Get-NetRoute | Where { $_.DestinationPrefix -eq '0.0.0.0/0' }\
| Sort-Object RouteMetric | Select NextHop).NextHop;$ifIndex = \
(Get-NetAdapter -InterfaceDescription \"Hyper-V Virtual Ethernet*\" | \
Sort-Object | Select ifIndex).ifIndex;New-NetRoute -DestinationPrefix \
169.254.170.2/32 -InterfaceIndex $ifIndex -NextHop $gateway \
-PolicyStore ActiveStore;New-NetRoute -DestinationPrefix \
169.254.169.254/32 -InterfaceIndex $ifIndex -NextHop $gateway \
-PolicyStore ActiveStore;$private_ip = $(curl \
-UseBasicParsing http://169.254.169.254/latest/meta-data/local-ipv4);\
..."
],This overrides the ENTRYPOINT in the Dockerfile and rather than calling our start-up script it passes the ‘command’ to the entryPoint which is PowerShell.
Downloading and Installing Software
We use the entryPoint and command again.
"entryPoint": [
"powershell"
],
"command": [
"...\
$ErrorActionPreference = 'Stop';$ProgressPreference = \
'SilentlyContinue';(New-Object System.Net.WebClient).\
DownloadFile('https://github.com/.../releases/download/v'\
+ $env:MSI_VERSION + '/<msi_name>-' + $env:MSI_VERSION +\
'-x64.msi', '<msi_name>.msi');Start-Process -Wait msiexec -ArgumentList '/i\
<msi_name>.msi /quiet /qn /norestart /log <msi_name>-msi-installer.log';\
...
],These are two practical examples of how a requirement to change a container can be met without changing the container, but rather using the Docker Configuration in the ECS Task.
“Have fun!
¹ This article will not delve into the technical details of the entryPoint and command options in the ‘Advanced container definition parameters’ of the ECS ‘Task definition parameters’ To understand how the task definition works with the related Docker commands see the referenced documentation. Another article that may be helpful is “Docker RUN vs CMD vs ENTRYPOINT”.
