[ECS] Feature request: IMDSv2 support

[logsnitch]

AWS announced support for IMDSv2 on November 19th here:
https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

You can launch an instance or update one after the fact to disallow the old metadata service, i.e. with:

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-token required --http-endpoint enabled

I've tried deploying this on my ecs-cluster and it causes the ecs-agent to fail to boot. I believe the fix should be as simple as updating the aws-sdk-go version - it's currently 1.25.19 and support for the new metadata service was added in 1.25.38:
https://github.com/aws/aws-sdk-go/releases/tag/v1.25.38

Supporting Log Snippets

With the v2 metadata api in enforce mode you'll see the following in ecs-init.log:

2019-12-27T22:45:29Z [INFO] Loading configuration
2019-12-27T22:45:29Z [INFO] Image excluded from cleanup: amazon/amazon-ecs-agent:latest
2019-12-27T22:45:29Z [INFO] Image excluded from cleanup: amazon/amazon-ecs-pause:0.1.0
2019-12-27T22:45:29Z [WARN] Unable to fetch user data: EC2MetadataError: failed to make EC2Metadata request caused by:
2019-12-27T22:45:29Z [CRITICAL] Unable to communicate with EC2 Metadata service to infer region: EC2MetadataRequestError: failed to get EC2 instance identity document
caused by: EC2MetadataError: failed to make EC2Metadata request
caused by: 2019-12-27T22:45:29Z [CRITICAL] Configuration key not set, key: AWSRegion
2019-12-27T22:45:29Z [CRITICAL] Error loading config: Multiple error:
        0: Missing required fields: AWSRegion

Thanks!

[fierlion]

I'll put this in the feature request queue. I'll also test with the latest aws-sdk-go to check to see how easy this fix is. Thanks for the request!

[fierlion]

aws/amazon-ecs-init#281 (ecs-init update)
aws/amazon-ecs-agent#2326 (ecs-agent update)

[fierlion]

These changes are available in the most recently released ECS-optimized AMIs with ecs-agent >= 1.36.1 and ecs-init >= 1.36.1-1

I tested on Amazon Linux 2 and Amazon Linux by stopping ecs service on each, then running the command to update each to use IMDSv2:

$ aws ec2 modify-instance-metadata-options --instance-id <id> --http-token required --http-endpoint enabled --region us-west-2

then I restarted ECS service and ran several tasks successfully.

And my ecs-init.log is perfectly clean

2020-01-23T23:24:09Z [INFO] pre-start
2020-01-23T23:24:09Z [INFO] start
2020-01-23T23:24:09Z [INFO] Container name: /ecs-agent
2020-01-23T23:24:09Z [INFO] Removing existing agent container ID: <id>
2020-01-23T23:24:09Z [INFO] Starting Amazon Elastic Container Service Agent
...

[logsnitch]

It doesn't seem to work for me. I'm running ami amzn2-ami-ecs-hvm-2.0.20200115-x86_64-ebs (ami-07a63940735aebd38), with ecs-init 1.36.1:

[ec2-user@ip-10-0-5-227 ecs]$ /usr/libexec/amazon-ecs-init version
ecs-init version 1.36.1 (*527631e1)

I'm not sure what the command is to output the agent version but the ECS dashboard shows I'm running 1.36.1 and doesn't show the "outdated agent" warning.

After I put imdsv2 into enforce mode and kill all my tasks they fail to start up again. Tailing the ecs logs I see:

level=info time=2020-01-24T00:04:50Z msg="TaskHandler: Adding event: TaskChange: [arn:aws:ecs:us-east-1:229179926283:task/main/34bddaa84bcf438c8e7e211670bec034 -> STOPPED, Known Sent: NONE, PullStartedAt: 2020-01-24 00:04:50.634332727 +0000 UTC m=+419.764626484, PullStoppedAt: 2020-01-24 00:04:50.714903599 +0000 UTC m=+419.845197416, ExecutionStoppedAt: 2020-01-24 00:04:50.972887233 +0000 UTC m=+420.103180960, arn:aws:ecs:us-east-1:229179926283:task/main/34bddaa84bcf438c8e7e211670bec034 flashpaper -> STOPPED, Reason CannotStartContainerError: Error response from daemon: failed to initialize logging driver: failed to create Cloudwatch log stream: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors, Known Sent: NONE] sent: false" module=task_handler.go

After I modify-instance-metadata-options back to optional the containers start up successfully

[fierlion]

So it looks like that's the latest (1.36.1) us-east-1 AL2 ECS-optimized AMI.

Is this still the command you're using to put imdsv2 into enforce mode?

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-token required --http-endpoint enabled

Did you stop the ecs service (sudo systemctl stop ecs) before putting it in enforce mode, then start it again (sudo systemctl start ecs) after putting it into enforce mode?
Please go into as much detail as possible about how you're testing this so I can better repro your issue.

[logsnitch]

Is this still the command you're using to put imdsv2 into enforce mode?

Yes, that is the exact command. I first ran that and then restarted ecs (sudo systemctl restart ecs). All of my existing containers were already running so I stopped them from the ECS dashboard and they failed to restart, so then I tailed the logs and found the NoCredentialProviders error

[fierlion]

Ok give me a bit to look into this.

[fierlion]

I'm able to reproduce your issue with my previous ECS-optimized AL2 AMI in us-east-1 which has ecs-init version 1.35.0 (*7216f783). I start agent using sudo systemctl start ecs, then start a container. I then use the command

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-token required --http-endpoint enabled

My agent is still fine, as is my container.
When I run sudo systemctl stop ecs and sudo systemctl start ecs Agent container will fail to come up and will start retries.

...
2020-01-24T20:19:09Z [WARN] ECS Agent failed to start, retrying in 2.066145821s
2020-01-24T20:19:11Z [INFO] Container name: /ecs-agent
2020-01-24T20:19:11Z [INFO] Removing existing agent container ID: 
2020-01-24T20:19:11Z [INFO] Starting Amazon Elastic Container Service Agent
2020-01-24T20:19:11Z [INFO] Agent exited with code 1
2020-01-24T20:19:11Z [WARN] ECS Agent failed to start, retrying in 4.235010051s
2020-01-24T20:19:15Z [INFO] Container name: /ecs-agent
2020-01-24T20:19:15Z [INFO] Removing existing agent container ID: 
2020-01-24T20:19:15Z [INFO] Starting Amazon Elastic Container Service Agent
2020-01-24T20:19:16Z [INFO] Agent exited with code 1
2020-01-24T20:19:16Z [WARN] ECS Agent failed to start, retrying in 8.287113937s
2020-01-24T20:19:24Z [INFO] Container name: /ecs-agent
2020-01-24T20:19:24Z [INFO] Removing existing agent container ID: 
2020-01-24T20:19:24Z [INFO] Starting Amazon Elastic Container Service Agent
2020-01-24T20:19:25Z [INFO] Agent exited with code 1
2020-01-24T20:19:25Z [WARN] ECS Agent failed to start, retrying in 15.04916732s
2020-01-24T20:19:40Z [INFO] Container name: /ecs-agent
2020-01-24T20:19:40Z [INFO] Removing existing agent container ID: 
...

While these retries are in progress, I set the http-token to optional

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-token optional --http-endpoint enabled

My agent container immediately starts up successfully.

2020-01-24T20:19:40Z [INFO] Starting Amazon Elastic Container Service Agent

and my docker ps:

$ docker ps
CONTAINER ID        IMAGE                            COMMAND               CREATED             STATUS                             PORTS               NAMES
<id>        amazon/amazon-ecs-agent:latest   "/agent"              15 seconds ago      Up 14 seconds (health: starting)                       ecs-agent
<id>        busybox:latest                   "sh -c 'sleep 300'"   2 minutes ago       Up 2 minutes (healthy)                                 ecs-health

So I see an issue with 1.35.0.

[fierlion]

on an instance of the latest ECS-optimized AMI in us-east-1 ami-07a63940735aebd38 with init/agent 1.36.1 I run the same test:

I start up a task and check docker ps

$ docker ps
CONTAINER ID        IMAGE                            COMMAND               CREATED             STATUS                           PORTS               NAMES
<id>        busybox:latest                   "sh -c 'sleep 300'"   3 seconds ago       Up 1 second (health: starting)                       ecs-health
<id>       amazon/amazon-ecs-agent:latest   "/agent"              3 hours ago         Up 3 hours (healthy)                                 ecs-agent

I then use the command to put imdsv2 into enforce mode:

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-token required --http-endpoint enabled

and then I run sudo systemctl stop ecs and then sudo systemctl start ecs and I see that my agent comes up fine now. my healthcheck container is still alive as well:

$ docker ps
CONTAINER ID        IMAGE                            COMMAND               CREATED             STATUS                            PORTS               NAMES
<id>        amazon/amazon-ecs-agent:latest   "/agent"              10 seconds ago      Up 9 seconds (health: starting)                       ecs-agent
<id>        busybox:latest                   "sh -c 'sleep 300'"   3 minutes ago       Up 3 minutes (healthy)                                ecs-health

and my full ecs-init.log:

2020-01-24T17:58:37Z [INFO] pre-start
2020-01-24T17:58:38Z [INFO] start
2020-01-24T17:58:38Z [INFO] No existing agent container to remove.
2020-01-24T17:58:38Z [INFO] Starting Amazon Elastic Container Service Agent
2020-01-24T20:37:29Z [INFO] stop
2020-01-24T20:37:29Z [INFO] Stopping Amazon Elastic Container Service Agent
2020-01-24T20:37:29Z [INFO] Container name: /ecs-health
2020-01-24T20:37:29Z [INFO] Container name: /ecs-health
2020-01-24T20:37:29Z [INFO] Container name: /ecs-agent

Please follow these exact steps on a fresh instance of ami-07a63940735aebd38 and let me know if what you see differs.

[logsnitch]

I'm able to reproduce your commands and output fully, the agent starts successfully:

2020-01-24T21:01:08Z [INFO] pre-start
2020-01-24T21:01:08Z [INFO] start
2020-01-24T21:01:08Z [INFO] Container name: /ecs-website-112-website-def685abc2bac680c501
2020-01-24T21:01:08Z [INFO] Container name: /ecs-website-112-website-e09ccfa7bbbfb5b55300
2020-01-24T21:01:08Z [INFO] Container name: /ecs-flashpaper-6-flashpaper-f0c4f1d7e3d7f8df8201
2020-01-24T21:01:08Z [INFO] Container name: /ecs-fetcher-26-fetcher-98baf98fa4a3b7d2e401
2020-01-24T21:01:08Z [INFO] Container name: /ecs-agent
2020-01-24T21:01:08Z [INFO] Removing existing agent container ID: da95762733a08e0d4ee1dfeba83016da84e6a975cb7e3cf42002c0744982c52d
2020-01-24T21:01:08Z [INFO] Starting Amazon Elastic Container Service Agent

However new tasks are not able to start - I kill any existing task and see the output I'd pasted above with NoCredentialProviders

[fierlion]

Note: I'm focused on the agent in my tests based on the initial description above:

I've tried deploying this on my ecs-cluster and it causes the ecs-agent to fail to boot.

Once we've clarified that the agent issue is out of the way we can focus on task-specific issues.

[fierlion]

When try to run a task which logs to cloudwatch I see:

Status reason | CannotStartContainerError: Error response from daemon: failed to initialize logging driver: failed to create Cloudwatch log stream: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerbo...

[fenxiong]

However new tasks are not able to start - I kill any existing task and see the output I'd pasted above with NoCredentialProviders

@logsnitch Is your container using awslogs log driver? If so, I think the failure is because Docker's awslogs log driver is still using an old aws go sdk, and it will need to be updated in order to avoid the issue.

Also, assuming you are using awslogs log driver, a possible workaround is to specify "executionRoleArn" to be an execution role that has cloudwatch access (instruction to create execution role is here). This is because in the case that task execution role is specified, the log driver will use the credentials from the role, rather than calling imds endpoint to get instance credentials (which will fail because it's using old sdk).