I am trying to use AWS ECS Fargate to run JFrog Artifactory. I've had it working without any issues on an EC2 instance, but ECS is giving me some problems that I believe are related to the permissions of the Artifactory account that it runs as inside the container. I don't know why that would cause an issue inside ECS and not when running it on EC2, since they are sourcing the same Docker image. I have attached the logs with the relevant messages here, as well as my task definition.
Things I've tried:
Similar issues that did not help:
[shell] [INFO ] [] [installerCommon.sh:1670 ] [main] - Testing directory /opt/jfrog/artifactory/var has read/write permissions for user id 1030
/opt/jfrog/artifactory/app/bin/installerCommon.sh: line 1642: /opt/jfrog/artifactory/var/test-permissions: Permission denied
[shell] [INFO ] [] [installerCommon.sh:1679 ] [main] - /opt/jfrog/artifactory/var DOES NOT have proper permissions for user id 1030
[shell] [INFO ] [] [installerCommon.sh:1680 ] [main] - Directory: /opt/jfrog/artifactory/var, permissions: 755, owner: root, group: root
[shell] [INFO ] [] [installerCommon.sh:1681 ] [main] - Mounted directory must have read/write permissions for user id 1030
[shell] [ERROR] [] [installerCommon.sh:784 ] [main] - Directory /opt/jfrog/artifactory/var has bad permissions for user id 1030
{
  "ipcMode": null,
  "executionRoleArn": "xxx",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/first-run-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": [],
      "portMappings": [
        {
          "hostPort": 8082,
          "protocol": "tcp",
          "containerPort": 8082
        },
        {
          "hostPort": 8081,
          "protocol": "tcp",
          "containerPort": 8081
        },
        {
          "hostPort": 443,
          "protocol": "tcp",
          "containerPort": 443
        }
      ],
      "command": [],
      "linuxParameters": null,
      "cpu": 256,
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [
        {
          "readOnly": null,
          "containerPath": "/var/opt/jfrog/artifactory",
          "sourceVolume": "artifactory-storage"
        }
      ],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 512,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "releases-docker.jfrog.io/jfrog/artifactory-pro:latest",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": [],
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "petclinic-container"
    }
  ],
  "memory": "512",
  "taskRoleArn": "xxx",
  "family": "artifactory",
  "pidMode": null,
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "networkMode": "awsvpc",
  "runtimePlatform": null,
  "cpu": "256",
  "inferenceAccelerators": [],
  "proxyConfiguration": null,
  "volumes": [
    {
      "fsxWindowsFileServerVolumeConfiguration": null,
      "efsVolumeConfiguration": {
        "transitEncryptionPort": null,
        "fileSystemId": "xxx",
        "authorizationConfig": {
          "iam": "DISABLED",
          "accessPointId": null
        },
        "transitEncryption": "ENABLED",
        "rootDirectory": "/"
      },
      "name": "artifactory-storage",
      "host": null,
      "dockerVolumeConfiguration": null
    }
  ],
  "tags": []
}
It turns out the solution was very simple, and related to the permissions on the EFS disk. All of the subfolders were owned by the account it was running as, but the folder itself was not. Running

    sudo chown 1030:1030 .

while in the folder I was trying to mount fixed all of my problems.
Before and after:
ubuntu@ip-10-0-1-29:/mnt/efs/fs1$ ls -la
total 40
drwxr-xr-x 10 root root 6144 Apr 6 21:40 .
drwxr-xr-x 3 root root 4096 Apr 5 07:40 ..
drwxr-xr-x 2 1030 1030 6144 Apr 6 21:40 artifactory
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 backup
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 bootstrap
drwxr-xr-x 11 1030 1030 6144 Apr 5 07:27 data
drwxr-xr-x 12 1030 1030 6144 Apr 5 07:26 etc
drwxr-xr-x 4 1030 1030 6144 Apr 5 07:27 log
drwxr-xr-x 8 1030 1030 6144 Apr 6 21:18 var
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 work
ubuntu@ip-10-0-1-29:/mnt/efs/fs1$ sudo chown 1030:1030 .
ubuntu@ip-10-0-1-29:/mnt/efs/fs1$ ls -la
total 40
drwxr-xr-x 10 1030 1030 6144 Apr 6 21:40 .
drwxr-xr-x 3 root root 4096 Apr 5 07:40 ..
drwxr-xr-x 2 1030 1030 6144 Apr 6 21:40 artifactory
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 backup
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 bootstrap
drwxr-xr-x 11 1030 1030 6144 Apr 5 07:27 data
drwxr-xr-x 12 1030 1030 6144 Apr 5 07:26 etc
drwxr-xr-x 4 1030 1030 6144 Apr 5 07:27 log
drwxr-xr-x 8 1030 1030 6144 Apr 6 21:18 var
drwxr-xr-x 9 1030 1030 6144 Apr 5 07:26 work
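The check that failed in the log above can be reproduced before the task is started. The following is an added example, not part of the original answer or of Artifactory's installer: it applies the POSIX owner/group/other selection to the mode bits and lists which directories a given uid cannot create files in, so the fix can stay a narrow chown rather than a broad chmod. The function names are hypothetical; the path /mnt/efs/fs1 and uid 1030 come from the session above.

```python
import os
import stat

def effective_bits(st_uid, st_gid, mode, uid, gids):
    """rwx bits applied to a non-root process: exactly one class
    (owner, else group, else other) is selected, never a union."""
    if uid == st_uid:
        return (mode >> 6) & 0o7
    if st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_create_in(st_uid, st_gid, mode, uid, gids):
    """Creating a file in a directory needs write and search (w+x) on it."""
    return effective_bits(st_uid, st_gid, mode, uid, gids) & 0o3 == 0o3

def unwritable_dirs(root, uid, gids, max_depth=1):
    """Directories under root (root included) where uid cannot create files.
    Only mode bits are read; ACLs and the uid 0 bypass are not modelled."""
    failing = []
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        if not can_create_in(st.st_uid, st.st_gid, st.st_mode, uid, gids):
            failing.append(path)
        if depth < max_depth:
            try:
                names = os.listdir(path)
            except PermissionError:
                continue  # cannot look inside; the parent is already judged
            stack.extend((os.path.join(path, n), depth + 1) for n in names)
    return sorted(failing)

# Owner, group and mode of "." as shown by `ls -la` on this page.
BEFORE = dict(st_uid=0, st_gid=0, mode=0o755)        # root:root
AFTER = dict(st_uid=1030, st_gid=1030, mode=0o755)   # after chown 1030:1030 .

if __name__ == "__main__":
    for label, d in (("before", BEFORE), ("after", AFTER)):
        ok = can_create_in(uid=1030, gids={1030}, **d)
        print(f"{label}: uid 1030 can create files in '.': {ok}")
    # On a host with the file system mounted:
    # print(unwritable_dirs("/mnt/efs/fs1", 1030, {1030}))
```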