Skip to content

Support EBS Task Attach non-root user mode #4757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 28, 2025
Merged

Support EBS Task Attach non-root user mode #4757

merged 10 commits into from
Aug 28, 2025

Conversation

kiryl1
Copy link
Member

@kiryl1 kiryl1 commented Aug 15, 2025
edited
Loading

Summary

Enables running ECS EC2 Tasks with EBS Task Attach Enabled as a Non Root User. The change allows the Non Root User inside of the running container to write to the attached EBS Volume.

Implementation details

  • For each container with EBSTA mounts, the Agent generates the appropriate GID
  • The GID is deterministically generated from the volume's SourceVolumeHostPath
  • The GID is added as a supplementary group to the container process via Docker's --group-add
  • After the CSI driver completes mounting the volume in NodeStageVolume, sets the mount point ownership to this GID using chown and sets permissions to 775 with setgid bit using chmod
  • Advertise a new agent capability ecs.capability.storage.ebsta-non-root-user during instance registration. This helps ECS back-end find a capable instance during task placement.

Testing

New tests cover the changes: Yes

  • Updated existing and added new unit tests.
  • New functional E2E tests to come next.

Description for the changelog

Feature: Support EBS task attach non-root user mode

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions? No

Does this PR include the addition of new environment variables in the README? No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@kiryl1 kiryl1 requested a review from a team as a code owner August 15, 2025 20:57
@kiryl1 kiryl1 changed the title Added EBSTA NRU Support EBS Task Attach non-root user mode Aug 15, 2025
nineonine
nineonine previously approved these changes Aug 18, 2025
View reviewed changes
singholt
singholt requested changes Aug 18, 2025
View reviewed changes
@kiryl1 kiryl1 force-pushed the feature/ebsta-nru branch from 42d1547 to 558b9de Compare August 22, 2025 16:55
@kiryl1 kiryl1 force-pushed the feature/ebsta-nru branch from 558b9de to b1f68e0 Compare August 22, 2025 21:31
@kiryl1 kiryl1 added bot/test and removed bot/test labels Aug 22, 2025
singholt
singholt reviewed Aug 25, 2025
View reviewed changes
singholt
singholt previously approved these changes Aug 25, 2025
View reviewed changes
singholt
singholt previously approved these changes Aug 25, 2025
View reviewed changes
Copy link
Contributor

@singholt singholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dont forget to squash your commits when merging this PR.

@kiryl1 kiryl1 force-pushed the feature/ebsta-nru branch from 06512a7 to c35f952 Compare August 26, 2025 17:56
ShelbyZ
ShelbyZ reviewed Aug 26, 2025
View reviewed changes
@kiryl1 kiryl1 merged commit 47eec36 into aws:dev Aug 28, 2025
40 of 41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ShelbyZ ShelbyZ ShelbyZ approved these changes

@singholt singholt singholt approved these changes

@nineonine nineonine nineonine left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kiryl1 @ShelbyZ @nineonine @singholt @amazon-ecs-bot