Running dotnet-monitor in a docker sidecar (not root) #7715

Closed
jamescarter-le opened this issue Nov 28, 2024 · 2 comments
Labels
documentation Improvements or additions to documentation

Comments

@jamescarter-le

Documentation Request

Running dotnet-monitor in a docker sidecar container mode, when using non-root users (default for dotnet-monitor, and aspnet images).

I am adding dotnet-monitor to AWS ECS container, as a side-car. I'm unable to get dotnet-monitor to read the socket file from the app when running both as their default users. I understand that the default UID of aspnet and (I suppose) dotnet-monitor is 1000 (app).

This gives me Permission Denied from IpcSocket. Running them both as root does solve this problem, however I would like to drop down to the default permission set as recommended by Microsoft and the default containers.

I attach a normal Docker volume (non persistent) to both containers, and do not specify their UID when starting them. This gives me permission denied.
I've tried setting both their users to 'app', '1000', '1654', but none of these settings work.

What am I missing here? I feel like a little more documentation on this (most likely the default?) configuration would be very useful.

Previous documentation

Existing docker compose for this scenario

Configuration example

{
    "taskDefinitionArn": "arn:aws:ecs:eu-west-1:myaws:task-definition/MyContainerTask:30",
    "containerDefinitions": [
        {
            "name": "MyContainer",
            "image": "myaws.dkr.ecr.eu-west-1.amazonaws.com/mycontainer:latest",
            "cpu": 0,
            "memory": 448,
            "links": [],
            "portMappings": [
                {
                    "name": "http",
                    "containerPort": 8080,
                    "hostPort": 0,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "entryPoint": [],
            "command": [],
            "environment": [
                {
                    "name": "OTEL_ENDPOINT",
                    "value": "http://otel-collector.sandbox.local:4317"
                },
                {
                    "name": "DOTNET_DiagnosticPorts",
                    "value": "/diag/dotnet-monitor.sock,nosuspend"
                },
                {
                    "name": "DOTNET_gcServer",
                    "value": "1"
                }
            ],
            "environmentFiles": [],
            "mountPoints": [
                {
                    "sourceVolume": "diagnostics",
                    "containerPath": "/diag",
                    "readOnly": false
                }
            ],
            "volumesFrom": [],
            "secrets": [],
            "dnsServers": [],
            "dnsSearchDomains": [],
            "extraHosts": [],
            "dockerSecurityOptions": [],
            "dockerLabels": {},
            "ulimits": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "logs-from-ecs",
                    "mode": "non-blocking",
                    "awslogs-multiline-pattern": "^(trace|debug|info|warn|error|critical|none)",
                    "awslogs-region": "eu-west-1",
                    "awslogs-stream-prefix": "containers"
                },
                "secretOptions": []
            },
            "systemControls": [],
            "credentialSpecs": []
        },
        {
            "name": "dotnet-monitor",
            "image": "mcr.microsoft.com/dotnet/monitor:9",
            "cpu": 256,
            "memory": 512,
            "links": [],
            "portMappings": [
                {
                    "containerPort": 52323,
                    "hostPort": 0,
                    "protocol": "tcp"
                }
            ],
            "essential": false,
            "entryPoint": [],
            "command": [],
            "environment": [
                {
                    "name": "DOTNETMONITOR_Urls",
                    "value": "http://+:52323"
                },
                {
                    "name": "DOTNETMONITOR_DiagnosticPort__ConnectionMode",
                    "value": "Listen"
                },
                {
                    "name": "DOTNETMONITOR_Storage__DumpTempFolder",
                    "value": "/diag/dumps"
                },
                {
                    "name": "DOTNETMONITOR_DiagnosticPort__EndpointName",
                    "value": "/diag/dotnet-monitor.sock"
                }
            ],
            "environmentFiles": [],
            "mountPoints": [
                {
                    "sourceVolume": "diagnostics",
                    "containerPath": "/diag",
                    "readOnly": false
                }
            ],
            "volumesFrom": [],
            "secrets": [
                {
                    "name": "Authentication__MonitorApiKey__Subject",
                    "valueFrom": "arn:aws:secretsmanager:eu-west-1:myaws:secret:DotnetMonitorAuthentication:Subject::"
                },
                {
                    "name": "Authentication__MonitorApiKey__PublicKey",
                    "valueFrom": "arn:aws:secretsmanager:eu-west-1:myaws:secret:DotnetMonitorAuthentication:PublicKey::"
                }
            ],
            "dnsServers": [],
            "dnsSearchDomains": [],
            "extraHosts": [],
            "dockerSecurityOptions": [],
            "dockerLabels": {},
            "ulimits": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "logs-from-ecs",
                    "mode": "non-blocking",
                    "awslogs-region": "eu-west-1",
                    "awslogs-stream-prefix": "containers"
                },
                "secretOptions": []
            },
            "systemControls": [],
            "credentialSpecs": []
        }
    ],
    "family": "MyContainerTask",
    "taskRoleArn": "arn:aws:iam::myaws:role/Exec-0GqZn4YCDiZp",
    "executionRoleArn": "arn:aws:iam::myaws:role/Exec-ApgSEYISB08l",
    "networkMode": "bridge",
    "revision": 30,
    "volumes": [
        {
            "name": "diagnostics",
            "host": {}
        }
    ],
    "status": "ACTIVE",
    "requiresAttributes": [
        {
            "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
        },
        {
            "name": "ecs.capability.execution-role-awslogs"
        },
        {
            "name": "com.amazonaws.ecs.capability.ecr-auth"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
        },
        {
            "name": "ecs.capability.secrets.asm.environment-variables"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.28"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.30"
        },
        {
            "name": "com.amazonaws.ecs.capability.task-iam-role"
        },
        {
            "name": "ecs.capability.execution-role-ecr-pull"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
        }
    ],
    "placementConstraints": [],
    "compatibilities": [
        "EC2"
    ],
    "requiresCompatibilities": [
        "EC2"
    ],
    "registeredAt": "2024-11-28T15:38:24.620Z",
    "registeredBy": "",
    "tags": []
}
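One way to reason about the Permission Denied in this setup, as an added example that is not part of the issue or of the dotnet-monitor project: a small model of the POSIX checks that bind(2) (Listen mode creating the socket) and connect(2) (the app attaching to it) apply to a Unix socket inside a shared volume. The uids 1000 and 1654, the /diag layout, the group id 2000 and a umask of 022 are assumptions built from the issue's description, not verified image defaults.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    path: str
    mode: int   # permission bits only, e.g. 0o755
    uid: int
    gid: int

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary plus supplementary group ids

def _allowed(node, proc, user_bit, group_bit, other_bit):
    # Classic DAC: root bypasses; otherwise exactly one class (owner/group/other) applies.
    if proc.uid == 0:
        return True
    if proc.uid == node.uid:
        return bool(node.mode & user_bit)
    if node.gid in proc.gids:
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)

def _search(d, proc):
    return _allowed(d, proc, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def _write(n, proc):
    return _allowed(n, proc, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def can_create_socket(parent, proc):
    """bind(2) in Listen mode creates the socket inode: needs w+x on the parent dir."""
    ok = _search(parent, proc) and _write(parent, proc)
    return ok, f"uid {proc.uid} {'can' if ok else 'cannot'} create a socket in {parent.path} (mode {parent.mode:04o}, owner {parent.uid})"

def can_connect(parent, sock, proc):
    """connect(2) needs x on the directory and w on the socket inode itself."""
    if not _search(parent, proc):
        return False, f"uid {proc.uid} cannot traverse {parent.path}"
    if not _write(sock, proc):
        return False, f"uid {proc.uid} has no write bit on {sock.path} (mode {sock.mode:04o}, owner {sock.uid})"
    return True, "ok"

# Constructed scenarios (assumed values, not verified image defaults).
MONITOR = Proc(1000, frozenset({1000}))                 # dotnet-monitor sidecar
APP = Proc(1654, frozenset({1654}))                     # aspnet app container
ROOT_DIAG = Inode("/diag", 0o755, 0, 0)                 # volume dir as the host created it
OWNED_DIAG = Inode("/diag", 0o755, 1000, 1000)          # dir chowned to the monitor uid
SOCK_UMASK = Inode("/diag/dotnet-monitor.sock", 0o755, 1000, 1000)  # bind() under umask 022
SHARED_DIAG = Inode("/diag", 0o770, 1000, 2000)         # both containers share gid 2000
SOCK_SHARED = Inode("/diag/dotnet-monitor.sock", 0o770, 1000, 2000)
APP_SHARED = Proc(1654, frozenset({1654, 2000}))
```

The first scenario fails before any socket exists (the monitor cannot create it in a root-owned directory), the second fails only on the app side (different uid, no write bit for "other"), and the third shows a shared group making the socket reachable without root.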
@jamescarter-le jamescarter-le added the documentation Improvements or additions to documentation label Nov 28, 2024
@lbussell

lbussell commented Dec 4, 2024

Related: dotnet/dotnet-docker#6081

@dotnet dotnet locked and limited conversation to collaborators Dec 6, 2024
@jander-msft jander-msft converted this issue into discussion #7732 Dec 6, 2024