Telegraf on AWS ECS: how can I install additional packages?

NNNN · April 12, 2024, 9:33am

Hi,

I sucessfully ran Telegraf on AWS Elastic Container Service (ECS). The task configuration included the following command:

"/bin/bash", "-c",
 telegraf --config https://eu-central-1-1.aws.cloud2.influxdata.com/api/v2/telegrafs/0123456abcd"

Now I need to change the Telegraf configuration because I need to switch from username / password login (provided in the Telegraf config) to a certificate based authentication. So my new Telegraf configuration looks something like this:

[[inputs.mqtt_consumer]]
  servers = ["abcd1234-ats.iot.eu-west-1.amazonaws.com"]
  tls_ca = "/tmp/telegraf/AmazonRootCA1.pem"
  tls_cert = "/tmp/telegraf/cert.pem"
  tls_key = "/tmp/telegraf/key.pem"

The certificates and CA files are on S3 which I want to copy over at the start of the docker image by using the AWS CLI. This means that I need to install some packages like aws cli and copy over some files into the docker container at startup time. I had several unsuccessful attempts to change my AWS ECS docker config command.
For example:

/bin/bash, -c,

mkdir /tmp/aws-cli;
cd /tmp/aws-cli;
curl https://s3.amazonaws.com/aws-cli/awscli-bundle.zip -o awscli-bundle.zip;
apt-get update;
apt-get install -y unzip;
unzip awscli-bundle.zip;
ln -s /usr/bin/python3 /usr/bin/python;
apt install -y python3.11-venv;
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws;

mkdir /tmp/telegraf;
cd /tmp/telegraf;
aws s3 cp s3://my-bucket/telegraf-certificate.pem cert.pem;
chmod a+r cert.pem;
aws s3 cp s3://my-bucket/telegraf-private.pem.key key.pem;
chmod a+r key.pem;
aws s3 cp s3://my-bucket/AmazonRootCA1.pem AmazonRootCA1.pem;
chmod a+r AmazonRootCA1.pem;

telegraf --config https://eu-central-1-1.aws.cloud2.influxdata.com/api/v2/telegrafs/abcd0123456

AWS Cloud Watch shows following error because the docker container runs as a non-root user (as announced here) and so ‘apt-get’ fails:

E: List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied))

How can I install the AWS CLI in the ‘telegraf:latest’ image, ideally without creating my own image but to just configure my ECS task to retrieve the latest image and install the packages?

jpowers · April 12, 2024, 12:22pm

As the error message says you don’t have permission to apt. Most likely you need to run that command as root via sudo apt-get update.

NNNN · April 12, 2024, 1:16pm

sudo doesn’t seem to be an option, if I add it before the relevant commands, it prints:

/bin/bash: line 1: sudo: command not found

jpowers · April 12, 2024, 1:36pm

Ah that’s right, you would need to install packages as root then.

The better solution is to create a custom image, given that is essentially what you are doing. Additionally, the entry point script that we use to prevent running as root might be causing you issues with running those various commands.

NNNN · April 12, 2024, 2:59pm

So, no way to “inject” my packages as ‘root’ at the beginning and then switching back to user “telegraf”? I tried to do this in ECS’s command field but failed to make it run…

Topic		Replies	Views
Can't run telegraf on AWS EC2 ( Amazon Linux ) telegraf	2	808	June 22, 2021
Configuring Telegraf Kafka input SSL telegraf	1	1220	June 10, 2021
Credential_process support for AWS CloudWatch plugin telegraf	2	540	February 20, 2021
Telegraf kube_inventory plugin for aws eks Telegraf telegraf , kubernetes , plugin	2	484	November 8, 2022
How to configure Telegraf on Windows server to read certificates Telegraf	1	482	October 11, 2023

Telegraf on AWS ECS: how can I install additional packages?

Related Topics