Allow us to specify how long to wait for the task to start
I'm using the attached files to build and spin up a Fargate Windows 2019 container and it takes 10-15 min to start, which is much longer than the default wait time of WaitUntilTasksRunningWithContext (5 minutes).
You can override the time out in go (see https://github.com/aws/aws-sdk-go/issues/3844 ). Please increase it, or allow us to specify what the timeout should be. (I'm trying to port the stuff you wrote for Debian @ https://gitlab.com/tmaczukin-test-projects/fargate-driver-debian to Windows) I can ssh into the instance when I launch the ECS task manually, but I would like to include windows based CI/CD to our legacy code using the fargate executor driver.
docker-entrypoint.sh DOCKERFILE sshd_config
DOCKERFILE
# Base image: Windows Server Core 1809. The tag is not pinned by digest, so a
# rebuild uses whatever is currently published under it.
FROM mcr.microsoft.com/windows/servercore:1809
# Add root user so gitlab runner can ssh into server as "root"
# NOTE(review): no password is passed to NET USER, so the account is created
# without one and is then added to the local Administrators group. The
# sshd_config copied in later disables SSH password logins, but the commented
# /RANDOM variant (random password) is the safer way to create the account.
#RUN NET USER root /RANDOM /ADD
RUN NET USER root /ADD
RUN NET localgroup Administrators root /ADD
# Every later RUN step and the ENTRYPOINT execute as this local administrator.
USER root
# Install Microsoft Build Tools 2019
# NOTE(review): the aka.ms URL is an unversioned link to the 16.x bootstrapper,
# so the downloaded bytes can differ between builds and nothing here checks
# them. Verifying the Authenticode signature (Get-AuthenticodeSignature) before
# the installer runs would catch a tampered or substituted download.
ADD https://aka.ms/vs/16/release/vs_buildtools.exe vs_buildtools.exe
# Installer exit code 3010 means "success, reboot required"; the trailing IF is
# meant to turn that into a successful layer.
# Microsoft.Component.MSBuild is listed twice in the --add list below.
RUN (START /WAIT vs_buildtools.exe --quiet --wait --norestart --nocache \
--installPath "C:\BuildTools" \
##--includeRecommended \
##--includeOptional \
# https://docs.microsoft.com/en-us/visualstudio/install/workload-component-id-vs-build-tools?view=vs-2019
--add Microsoft.Component.MSBuild \
--add Microsoft.Net.Component.4.8.SDK \
--add Microsoft.VisualStudio.Component.NuGet.BuildTools \
--add Microsoft.VisualStudio.Component.Roslyn.Compiler \
#--add Microsoft.Net.Component.4.5.1.TargetingPack \
#--add Microsoft.Net.Component.4.5.2.TargetingPack \
#--add Microsoft.Net.Component.4.5.TargetingPack \
#--add Microsoft.Net.Component.4.6.TargetingPack \
#--add Microsoft.Net.Component.4.TargetingPack \
--add Microsoft.Net.ComponentGroup.TargetingPacks.Common \
--add Microsoft.Net.Component.4.6.1.TargetingPack \
--add Microsoft.Net.Component.4.6.2.TargetingPack \
--add Microsoft.VisualStudio.Component.WebDeploy \
--add Microsoft.VisualStudio.Component.AspNet45 \
--add Microsoft.Component.MSBuild \
--add Microsoft.VisualStudio.Component.Roslyn.LanguageServices \
--add Microsoft.VisualStudio.Component.CoreBuildTools \
--add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 \
--add Microsoft.VisualStudio.Component.Windows10SDK.18362 \
|| IF "%ERRORLEVEL%"=="3010" EXIT 0)
# Install Microsoft Build Tools 2022
# ADD https://aka.ms/vs/17/release/vs_buildtools.exe vs_buildtools.exe
# RUN (START /WAIT vs_buildtools.exe --quiet --wait --norestart --nocache \
# --installPath "C:\BuildTools" \
# --includeRecommended \
# --includeOptional \
# # https://docs.microsoft.com/en-us/visualstudio/install/workload-component-id-vs-build-tools?view=vs-2022
# #--add Microsoft.VisualStudio.Workload.ManagedDesktopBuildTools \
# --add Microsoft.VisualStudio.Workload.MSBuildTools \
# #--add Microsoft.VisualStudio.Workload.OfficeBuildTools \
# --add Microsoft.VisualStudio.Workload.WebBuildTools \
# --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 \
# --add Microsoft.VisualStudio.Component.Windows11SDK.22000 \
# || IF "%ERRORLEVEL%"=="3010" EXIT 0)
# Deleting the bootstrapper in its own RUN only hides it in the final
# filesystem; the file is still stored in the earlier ADD layer.
RUN DEL vs_buildtools.exe
# Include path to VsDevCmd because AWS CodeBuild ignores ENTRYPOINT
# https://github.com/aws/aws-codebuild-docker-images/issues/254
# SETX persists the build-time value of %PATH% plus the new entry; the same
# pattern is repeated for every tool added further down.
RUN SETX PATH "%PATH%;C:\BuildTools\Common7\Tools"
# ASP.NET 4.5 Windows features (presumably required by the projects being built).
# NOTE(review): Web-Asp-Net45 is an IIS role service, so this likely pulls IIS
# components into the image; confirm they are needed.
RUN powershell -c Install-WindowsFeature NET-Framework-45-ASPNET
RUN powershell -c Install-WindowsFeature Web-Asp-Net45
# Include AWS CLI
# msiexec /a performs an administrative (extract-only) install into TARGETDIR,
# reading the MSI straight from the URL.
# NOTE(review): AWSCLIV2.msi is an unversioned URL and the package is not
# verified before use; downloading it to disk and checking its signature or a
# known hash first would make this step auditable and reproducible.
RUN START /WAIT msiexec.exe /a https://awscli.amazonaws.com/AWSCLIV2.msi /quiet /q /norestart /l!*vx "%temp%\aws.log" TARGETDIR=C:\awscli
RUN SETX PATH "%PATH%;C:\awscli\Amazon\AWSCLIV2"
# Install python
# ADD https://www.python.org/ftp/python/3.7.9/python-3.7.9-amd64.exe python.exe
# RUN python.exe /quiet InstallAllUsers=1 Include_debug=1 Include_symbols=1
#
# ADD https://www.python.org/ftp/python/3.8.9/python-3.8.9-amd64.exe python.exe
# RUN python.exe /quiet InstallAllUsers=1 Include_debug=1 Include_symbols=1
#
# ADD https://www.python.org/ftp/python/3.9.9/python-3.9.9-amd64.exe python.exe
# RUN python.exe /quiet InstallAllUsers=1 Include_debug=1 Include_symbols=1
# RUN DEL python.exe
#
# ENV PYTHONBREAKPOINT 0
# Install AWS SSM
# NOTE(review): the URL path is .../SSMAgent/latest/..., so the agent version
# floats between builds, and the installer is executed without an integrity or
# signature check.
ADD https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe AmazonSSMAgentSetup.exe
RUN AmazonSSMAgentSetup.exe /install /quiet /norestart /log "%TEMP%\AmazonSSMAgentSetup.log"
RUN DEL AmazonSSMAgentSetup.exe
# Switch the service to manual start; the entrypoint script starts it only after
# it has stored the task credentials.
RUN sc.exe config AmazonSSMAgent start= demand
# Install SSH server
# NOTE(review): pinned to the V8.6.0.0p1-Beta release and extracted without a
# checksum check. Review whether a newer Win32-OpenSSH release should be used.
ADD https://github.com/PowerShell/Win32-OpenSSH/releases/download/V8.6.0.0p1-Beta/OpenSSH-Win64.zip OpenSSH.zip
RUN tar -xf OpenSSH.zip -C "%ProgramFiles%"
RUN del OpenSSH.zip
RUN Rename "%ProgramFiles%\OpenSSH-Win64" OpenSSH
RUN powershell -ExecutionPolicy Bypass -File "%ProgramFiles%\OpenSSH\install-sshd.ps1"
# NOTE(review): these host keys are generated at build time, so the private keys
# are stored in an image layer. Every container started from the image presents
# the same host identity, and anyone who can pull the image can read the keys.
# Generating them in the entrypoint at container start avoids both problems.
RUN ssh-keygen -f "%PROGRAMDATA%\ssh\ssh_host_ed25519_key" -N "" -t ed25519
RUN ssh-keygen -f "%PROGRAMDATA%\ssh\ssh_host_ecdsa_key" -N "" -t ecdsa
RUN ssh-keygen -f "%PROGRAMDATA%\ssh\ssh_host_rsa_key" -N "" -t rsa
# start and stop SSH to generate sshd_config
#RUN NET START sshd && NET STOP sshd
#RUN powershell -C "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"
# EXPOSE is documentation only; it neither publishes nor restricts the port.
EXPOSE 22
# Install git
# The version is fixed by the URL, but the installer is executed without being
# checked against a known hash or signature first.
ADD https://github.com/git-for-windows/git/releases/download/v2.35.1.windows.2/Git-2.35.1.2-64-bit.exe git.exe
# Silent, all-users install with the Git LFS component selected.
RUN git.exe /VERYSILENT /ALLUSERS /NORESTART /COMPONENTS="gitlfs"
RUN del git.exe
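# Install gitlab runner
# GITLAB_RUNNER_VERSION is the release directory on the download bucket,
# including the leading "v". It used to be declared but never referenced, so
# --build-arg had no effect; the default keeps the previously hard-coded
# v14.5.1. Override with: --build-arg GITLAB_RUNNER_VERSION=<vX.Y.Z>
# NOTE(review): the binary is not checked against a published checksum after
# download; add that check when pinning a version for production use.
ARG GITLAB_RUNNER_VERSION=v14.5.1
ADD https://gitlab-runner-downloads.s3.amazonaws.com/${GITLAB_RUNNER_VERSION}/binaries/gitlab-runner-windows-amd64.exe gitlab-runner.exe
RUN mkdir "%ProgramFiles%\GitLab-Runner"
RUN copy gitlab-runner.exe "%ProgramFiles%\GitLab-Runner"
RUN SETX PATH "%PATH%;%ProgramFiles%\GitLab-Runner"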
# Install AWS x-ray
# NOTE(review): "3.x" in the URL is a floating archive name, and the zip is
# extracted without an integrity check.
ADD https://s3.dualstack.us-west-2.amazonaws.com/aws-xray-assets.us-west-2/xray-daemon/aws-xray-daemon-windows-service-3.x.zip xray.zip
RUN mkdir C:\aws-xray-daemon
RUN tar -xf xray.zip -C C:\aws-xray-daemon
RUN del xray.zip
# Register the daemon as a manual-start service that logs to
# C:\aws-xray-daemon\xray-daemon.log; the entrypoint script starts it.
RUN powershell -c "New-Service -Name AWSXRayDaemon -BinaryPathName """""""""C:\aws-xray-daemon\xray.exe -f C:\aws-xray-daemon\xray-daemon.log""""""""" -StartupType Manual"
#Install Powershell
# PowerShell 7.2.1 provides pwsh.exe, which the ENTRYPOINT uses. The version is
# fixed by the URL; the archive is not checksum-verified before extraction.
ADD https://github.com/PowerShell/PowerShell/releases/download/v7.2.1/PowerShell-7.2.1-win-x64.zip PowerShell.zip
RUN mkdir "%ProgramFiles%\PowerShell\7"
RUN tar -xf PowerShell.zip -C "%ProgramFiles%\PowerShell\7"
RUN del PowerShell.zip
RUN SETX PATH "%PATH%;%ProgramFiles%\PowerShell\7"
#Install VIM
# NOTE(review): fetched from a mirror (ftp.nluug.nl) with no integrity check. An
# interactive editor is a debugging aid; confirm it is needed in a CI image.
ADD https://ftp.nluug.nl/pub/vim/pc/vim82w32.zip vim.zip
RUN mkdir "%ProgramFiles%\vim"
RUN tar -xf vim.zip -C "%ProgramFiles%"
RUN del vim.zip
RUN SETX PATH "%PATH%;%ProgramFiles%\vim\vim82"
# Put the project's sshd_config into %PROGRAMDATA%\ssh, next to the host keys.
COPY sshd_config sshd_config
RUN MOVE sshd_config "%PROGRAMDATA%\ssh"
COPY docker-entrypoint.ps1 docker-entrypoint.ps1
# The entrypoint runs under PowerShell 7 (pwsh.exe) as the "root" administrator
# selected by USER earlier; -ExecutionPolicy Bypass lets the unsigned script run.
ENTRYPOINT ["pwsh.exe", "-ExecutionPolicy", "Bypass", "-File", "C:\\docker-entrypoint.ps1"]
docker-entrypoint.sh
function StoreAWSTemporarySecurityCredentials {
    # Copies the ECS task-role credentials into the current user's default AWS
    # profile, then starts the SSM agent and the X-Ray daemon services.
    #
    # Returns without doing anything (no file, no services) when
    # AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set.
    #
    # NOTE(review): the credentials are temporary and are stored in plain text.
    # This function writes them once per call and does not check that the
    # request succeeded, so a failed lookup or an expired token leaves an
    # unusable profile behind.
    if ($null -eq $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
        return
    }

    # %USERPROFILE%\.aws holds the AWS settings; -Force tolerates an existing folder.
    $AWS_DIR = "$env:USERPROFILE\.aws"
    New-Item -ItemType "directory" -Path $AWS_DIR -Force

    # Fetch the credentials issued to this task from the task credentials endpoint.
    # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
    $CREDENTIALS_URL = "169.254.170.2$env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    $AWS_CREDENTIALS = curl.exe -L $CREDENTIALS_URL | ConvertFrom-Json -AsHashtable

    # (Re)create the credentials file that will hold them on behalf of the user.
    $CREDENTIALS_FILE = "$AWS_DIR/credentials"
    New-Item $CREDENTIALS_FILE -ItemType "file" -Force

    # Fill in the [default] profile.
    #
    # S3 note: requests signed with temporary security credentials must also
    # carry the matching session token, hence aws_session_token below.
    # https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials
    Set-Content -Path $CREDENTIALS_FILE -Encoding utf8 -NoNewline -Value @"
[default]
aws_access_key_id=$($AWS_CREDENTIALS.AccessKeyId)
aws_secret_access_key=$($AWS_CREDENTIALS.SecretAccessKey)
aws_session_token=$($AWS_CREDENTIALS.Token)
region=$($env:AWS_REGION)
"@

    # Both services are registered as manual start in the image.
    Write-Output 'Starting AWS SSM Agent.'
    Start-Service -Name AmazonSSMAgent

    Write-Output 'Starting AWS X-Ray Daemon.'
    Start-Service -Name AWSXRayDaemon
}
function SetUpSSH {
    # Installs the public key from SSH_PUBLIC_KEY for the current user, starts
    # the sshd service and then blocks until that service stops.
    #
    # Ends the script with exit code 1 when SSH_PUBLIC_KEY is not set.
    #
    # NOTE(review): the variable's value is written to authorized_keys verbatim;
    # nothing checks that it is a single well-formed public key line.

    # Refuse to start the container without an SSH public key.
    if ($null -eq $env:SSH_PUBLIC_KEY) {
        Write-Output 'Need your SSH public key as the SSH_PUBLIC_KEY environment variable.'
        exit 1
    }

    # The key goes to %USERPROFILE%\.ssh\authorized_keys, i.e.
    # C:/Users/root/.ssh/authorized_keys in this image.
    # Other locations the author experimented with and left disabled: the
    # "root.$env:COMPUTERNAME" profile, %WINDIR%\.ssh, and
    # %PROGRAMDATA%\ssh\authorized_keys / administrators_authorized_keys, along
    # with read-only flags and icacls ACLs (Administrators:F, SYSTEM:F) on the file.
    $SSH_DIR = "$env:USERPROFILE\.ssh"
    New-Item -ItemType "directory" -Path $SSH_DIR -Force
    Set-Content -Path "$SSH_DIR\authorized_keys" -Encoding utf8 -NoNewline -Value $env:SSH_PUBLIC_KEY

    # Permission fix-up script shipped with OpenSSH, run without prompting.
    & $env:ProgramFiles\OpenSSH\FixHostFilePermissions.ps1 -Confirm:$false

    # Drop SSH_PUBLIC_KEY from this process's environment now that it is on disk.
    Remove-Item -Path Env:\SSH_PUBLIC_KEY

    # HACK: sshd fails when started directly under this account with
    #   debug1: get_user_token - unable to generate user token for root as i am not running as system
    # so it is run under LOCALSYSTEM through the sshd service instead.
    Write-Output 'Starting SSH server.'
    Start-Service -Name sshd
    Write-Output 'Started SSH server.'

    # Keep the entrypoint (and with it the container) alive while sshd runs.
    $SSHD_SERVICE = Get-Service -Name sshd
    $SSHD_SERVICE.WaitForStatus("Stopped")
    Write-Output 'Exiting.'
}
# Script body. Credentials are stored first because SetUpSSH does not return
# until the sshd service has stopped.
StoreAWSTemporarySecurityCredentials
SetUpSSH
sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Host keys. The accompanying Dockerfile creates the rsa, ecdsa and ed25519 keys
# with ssh-keygen during the image build, so every container started from that
# image presents the same host keys.
HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# The path is relative to the user's profile directory; the entrypoint script
# writes the SSH_PUBLIC_KEY value to this file for the "root" account.
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# GSSAPI options
#GSSAPIAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
# SFTP file transfer is enabled for every account that can log in; remove this
# line if the CI jobs only need command execution.
Subsystem sftp sftp-server.exe
# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
# NOTE(review): with the Match block above commented out, members of
# Administrators (including "root") authenticate with the per-user
# .ssh/authorized_keys file. If the Match line is ever re-enabled, move it below
# the global settings that follow: everything after a Match line belongs to that
# block, and not every keyword is accepted there.
#
# Key-only logins: public keys on, passwords and challenge-response off.
PubkeyAuthentication yes
#PermitRootLogin yes
PasswordAuthentication no
#PermitEmptyPasswords yes
# NOTE(review): DEBUG3 is the most verbose level and records detailed session
# data; sshd_config(5) advises against DEBUG levels because of user privacy.
# Drop back to INFO or VERBOSE once the connection problems are solved.
SyslogFacility LOCAL0
LogLevel DEBUG3
# NOTE(review): lets ~/.ssh/environment and environment= options in
# authorized_keys set variables for the session, which sshd_config(5) warns can
# be used to get around access restrictions. Keep only if jobs depend on it.
PermitUserEnvironment yes
# NOTE(review): turns off sshd's ownership/permission checks on the user's
# profile and key files. The entrypoint script runs FixHostFilePermissions.ps1
# after writing the key; confirm whether that is enough to re-enable this.
StrictModes no
ChallengeResponseAuthentication no