ECS container agent introspection iptables config
We have a container that needs to contact the ECS container agent introspection endpoint at runtime.
The ECS task is using bridge networking mode.
The default iptables on our Amazon Linux 2 instance contains the following INPUT chain:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:51678
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
I've added the rule ACCEPT tcp -- anywhere anywhere tcp dpt:51678 as an attempt to allow our containers to access the introspection endpoint.
However, it doesn't work.
If I delete REJECT all -- anywhere anywhere reject-with icmp-port-unreachable, I can access the ECS container agent introspection endpoint with no issues at all.
It feels bad removing the REJECT all from a security standpoint. Am I wrong? Is my attempt incorrect?
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html
If you're wondering, this is how we are hitting the endpoint at runtime from within our container:
EC2_INSTANCE_ID=$(curl --silent ${ECS_CONTAINER_METADATA_URI_V4}/taskWithTags | jq -r '.ContainerInstanceTags.instanceid')
Help is greatly appreciated.
The Amazon Linux 2 base AMI we used had a REJECT all saved in the iptables INPUT chain.
Our old Amazon Linux 1 instances didn't have this rule in their iptables.
To resolve this I did an iptables --flush, then added my desired rules and saved them.
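Flushing the chain drops the trailing REJECT along with everything else. The alternative below is an added example, not code from the question or the answer above, and not AWS's own tooling. It keeps the REJECT in place and inserts narrow ACCEPT rules in front of it. It allows two ports, not just 51678: the curl in the question goes to the task metadata endpoint at 169.254.170.2, and the ECS agent's documented iptables setup DNATs 169.254.170.2:80 to 127.0.0.1:51679, so by the time that packet reaches INPUT its destination port is 51679 and the ACCEPT for 51678 never matches, leaving only the REJECT. Assumptions, labelled in the code: the bridge interface is docker0 (override with BRIDGE_IF), rules are persisted with `service iptables save` from the iptables-services package, and the chain listing is parsed from `iptables -L INPUT -n --line-numbers`.

```bash
#!/bin/bash
# Added example (not from the original post or AWS). Keep the default REJECT
# at the end of INPUT and insert narrow ACCEPT rules in front of it for the
# two ECS agent listeners that bridge-mode containers actually reach:
#   51678  agent introspection endpoint (http://<docker0 ip>:51678/v1/...)
#   51679  task metadata / credentials endpoint; the agent DNATs
#          169.254.170.2:80 to 127.0.0.1:51679, so INPUT sees dport 51679
# BRIDGE_IF is an assumption: confirm it with `docker network inspect bridge`.
set -euo pipefail

BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Print the 1-based position of the first REJECT rule in a chain listing
# produced by `iptables -L INPUT -n --line-numbers`, read from stdin.
# Prints nothing and returns 1 if the chain has no REJECT rule, so the
# caller never blindly appends behind a rule that rejects everything.
find_reject_index() {
    awk '$2 == "REJECT" { print $1; found = 1; exit } END { exit !found }'
}

# Emit the iptables commands that insert the ACCEPT rules at position $1
# (i.e. ahead of the REJECT) without executing them, so they can be
# reviewed first. Both rules are scoped to the bridge interface: nothing
# outside the host needs to reach these ports.
render_rules() {
    local idx="$1"
    printf 'iptables -I INPUT %s -i %s -p tcp -m tcp --dport 51679 -j ACCEPT\n' "$idx" "$BRIDGE_IF"
    printf 'iptables -I INPUT %s -i %s -p tcp -m tcp --dport 51678 -j ACCEPT\n' "$idx" "$BRIDGE_IF"
}

# Read the live chain, insert the rules, and persist them. Persistence via
# `service iptables save` assumes the iptables-services package, which is
# what the "saved them" step in the answer above relies on.
apply_rules() {
    local idx
    idx="$(iptables -L INPUT -n --line-numbers | find_reject_index)" || {
        echo "no REJECT rule in INPUT; nothing to insert in front of" >&2
        return 1
    }
    render_rules "$idx" | sh -e
    service iptables save
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as root with `--apply` on the container instance; without that flag it only defines the functions, and `render_rules "$(iptables -L INPUT -n --line-numbers | find_reject_index)"` prints the commands for review. Because both inserts use the same index, the second one lands above the first, and the REJECT keeps its place as the last rule.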