如何使用 Amazon Linux 2、单容器、无 Docker 在 AWS Elastic Beanstalk 上获取 SYS_PTRACE

Question

I need to do get the SYS_PTRACE kernel capability on my docker container. Here's the Docerrun.aws.json:

{
  "AWSEBDockerrunVersion": "1",

  "Authentication": {
    "Bucket": "some-bucket",
    "Key": "somekey"
  },
  "Image": {
    "Name": "somename",
    "Update": "true"
  },
  "Ports":[
         {
          "HostPort": 80,
          "ContainerPort": 80
         },
         a few more ports
    ]
    }

Remember, this is Amazon Linux 2, which is a whole new distribution and EB platform. We're not using Docker Compose (wherein you could add that to the yml).

I tried just adding in the following section:

"linuxParameters": {
      "capabilities": {
        "add": ["SYS_PTRACE"]
        }
      }

It was simply ignored.

Thanks!

Answer 1

It seems to me, this setting is not supported in v1 . When looking into the docs under section " Docker platform Configuration - without Docker Compose " [1], linuxParameters is not listed as part of "Valid keys and values for the Dockerrun.aws.json v1 file". You might have to switch to v2 by using multi container Docker. The docs for v2 state that "the container definition and volumes sections of Dockerrun.aws.json use the same formatting as the corresponding sections of an Amazon ECS task definition file". [2]
It looks like your code above would work in v2 because it is a valid task definition section, see [3].

[1] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/single-container-docker-configuration.html
[2] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker_v2config.html
[3] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html