Check if nsenter is available and bind mount it on Agent container (a…

…ws#4341)
mye956 · Oct 3, 2024 · 0dbfcc6 · 0dbfcc6
1 parent 89e97e7
commit 0dbfcc6
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/ecs-init/docker/docker_config.go b/ecs-init/docker/docker_config.go
@@ -15,8 +15,10 @@ package docker
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/aws/amazon-ecs-agent/ecs-init/config"
+	"github.com/cihub/seelog"
 	ctrdapparmor "github.com/containerd/containerd/pkg/apparmor"
 	godocker "github.com/fsouza/go-dockerclient"
 )
@@ -45,6 +47,7 @@ func createHostConfig(binds []string) *godocker.HostConfig {
 		iptablesLegacyDir+":"+iptablesLegacyDir+readOnly,
 		"/usr/bin/lsblk:/usr/bin/lsblk",
 	)
+	binds = append(binds, getNsenterBinds(os.Stat)...)
 
 	logConfig := config.AgentDockerLogDriverConfiguration()
 
@@ -80,3 +83,17 @@ func createHostConfig(binds []string) *godocker.HostConfig {
 
 	return hostConfig
 }
+
+// Returns nsenter bind as a slice if nsenter is available on the host.
+// Returns an empty slice otherwise.
+func getNsenterBinds(statFn func(string) (os.FileInfo, error)) []string {
+	binds := []string{}
+	const nsenterPath = "/usr/bin/nsenter"
+	if _, err := statFn(nsenterPath); err == nil {
+		binds = append(binds, nsenterPath+":"+nsenterPath)
+	} else {
+		seelog.Warnf("nsenter not found at %s, skip binding it to Agent container: %v",
+			nsenterPath, err)
+	}
+	return binds
+}
diff --git a/ecs-init/docker/docker_config_test.go b/ecs-init/docker/docker_config_test.go
@@ -0,0 +1,38 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package docker
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetNsenterBinds(t *testing.T) {
+	t.Run("nsenter not found", func(t *testing.T) {
+		binds := getNsenterBinds(
+			func(s string) (os.FileInfo, error) { return nil, errors.New("not found") })
+		assert.Empty(t, binds)
+	})
+
+	t.Run("nsenter is found", func(t *testing.T) {
+		binds := getNsenterBinds(
+			func(s string) (os.FileInfo, error) { return nil, nil })
+		require.Len(t, binds, 1)
+		assert.Equal(t, "/usr/bin/nsenter:/usr/bin/nsenter", binds[0])
+	})
+}
diff --git a/ecs-init/docker/docker_test.go b/ecs-init/docker/docker_test.go
@@ -32,7 +32,7 @@ import (
 // Note: Change this value every time when a new bind mount is added to
 // agent for the tests to pass
 const (
-	defaultExpectedAgentBinds = 20
+	defaultExpectedAgentBinds = 21
 )
 
 func TestIsAgentImageLoadedListFailure(t *testing.T) {