SUSE Linux Enterprise Server as ECS Anywhere Host


On May 27, 2021, AWS announced the availability of ECS Anywhere. There is also a home lab setup guide.

ECS is a container orchestration service and with the addition of “Anywhere” the service can now reach into your Data Center to orchestrate your containerized applications.

The important pieces to make this work are the Amazon SSM Agent, the Amazon ECS init code and the Amazon ECS Agent. The ECS agent itself runs in a container that gets pulled from an S3 bucket in AWS. The container is built by AWS.

With the release of version 3.0.1209 of the amazon-ssm-agent and version 1.52.1 of the amazon-ecs-init packages in the SUSE Public Cloud Module repository, it is now possible to use the SUSE-built and supported packages to enable your SLES 15 SP2 and later and SLES 12 SP5 systems to integrate with an AWS ECS cluster. The packages are also in openSUSE and in the openSUSE Build Service. Prior to the release of these package versions, support of ECS Anywhere was provided by AWS for the AWS-built packages that get installed when executing the script that is part of the amazon-ecs-init source tree.

Setting up the network constructs for the communication between your Data Center and AWS is independent of the functionality of ECS Anywhere itself and as such I will not cover the network connectivity aspect. Everything can run over the Internet, but you probably want to set up a VPN connection or have a direct link when you expand your ECS cluster to your Data Center.

If you want to use the SUSE-provided packages, only a few steps are required, as outlined below. Make sure the Public Cloud and Container modules are enabled on your system. One last note before we get into the details: it is possible to connect the cluster nodes to ECS without installing the aws-cli on the cluster nodes, meaning all the aws commands shown can be executed on a different system. For simplicity I will assume that the aws-cli package is (gets) installed on the systems that are targeted to be part of the ECS cluster.

zypper in amazon-ecs-init amazon-ssm-agent aws-cli

The aws command line tools use credentials either from a configuration file ~/.aws/config or try to find the pertinent information in the execution environment. The environment variables that will need to be set in this case are


The config file is in INI format. Please consult the AWS cli documentation.

The examples assume a setup such that no '--profile' and '--region' arguments are required. This makes the example commands shorter.

You want to create a new IAM role or, if you already have an IAM role you want to use for ECS Anywhere, you want to make sure the role has the proper settings. I will assume that you are starting from scratch.

Create a file named ssm-trust-policy.json with the following content:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": [
      "ssm.amazonaws.com"
    ]},
    "Action": "sts:AssumeRole"
  }
}

Let’s create the role. I will use $ROLE_NAME as a placeholder for you to substitute with a name of your liking.

aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document file://ssm-trust-policy.json
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role

You can verify the role setup with

aws iam list-attached-role-policies --role-name $ROLE_NAME

If you already have an ECS cluster you want to expand into your DC, just use the name of the existing cluster as the substitute for $CLUSTER_NAME. Again, I assume you are starting from scratch and as such we need to create a cluster first.

Next we want to create an activation code for the SSM agent

aws ssm create-activation --iam-role $ROLE_NAME | tee ssm-activation.json

You will need this data in the next step. Note that the activation keys expire. As such, depending on how many nodes you set up and how long that takes, you may have to re-generate the keys.

Everything that follows must be executed on the system that will become part of the ECS cluster, as root.

Next register the system with SSM

amazon-ssm-agent -register -code "$CODE" -id "$ID" -region "$AWS_DEFAULT_REGION"
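
The registration command above expects $CODE and $ID, which come from the ssm-activation.json written by the create-activation step. The following is an added example, not part of the original post, of loading them while keeping the file readable by its owner only. The function names and the sample values are assumptions made for illustration; the ActivationId and ActivationCode members are the ones create-activation returns.

```shell
#!/bin/sh
# Added example (not from the original post): load the SSM activation data
# saved by "aws ssm create-activation ... | tee ssm-activation.json".

# read_activation_field FILE KEY: print the string value of KEY.
# create-activation returns a flat JSON object with string members, so a
# sed match over the joined lines is enough and avoids a jq dependency.
read_activation_field() {
    tr -d '\n' < "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# load_activation FILE: set ID and CODE for "amazon-ssm-agent -register".
load_activation() {
    act_file=$1
    [ -f "$act_file" ] || { echo "no such file: $act_file" >&2; return 1; }
    # The activation code lets a machine register under the IAM role,
    # so treat the file as a credential: owner read/write only.
    chmod 600 "$act_file" || return 1
    ID=$(read_activation_field "$act_file" ActivationId)
    CODE=$(read_activation_field "$act_file" ActivationCode)
    if [ -z "$ID" ] || [ -z "$CODE" ]; then
        echo "ActivationId/ActivationCode not found in $act_file" >&2
        return 1
    fi
}

# Demo on a constructed file; both values below are made up.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssm-activation.json" <<'EOF'
{
    "ActivationId": "00000000-1111-2222-3333-444444444444",
    "ActivationCode": "CONSTRUCTEDcode/0123456789"
}
EOF
if load_activation "$demo_dir/ssm-activation.json"; then
    # Print only the ID; the code stays out of terminals and logs.
    echo "loaded activation $ID"
    # On the real host the next step is the page's command:
    # amazon-ssm-agent -register -code "$CODE" -id "$ID" -region "$AWS_DEFAULT_REGION"
fi
rm -rf "$demo_dir"
```

Once the nodes are registered, delete ssm-activation.json so the code is not left on disk while the activation is still valid.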

With the system registered you can now start the amazon ssm agent service

systemctl enable amazon-ssm-agent.service
systemctl start amazon-ssm-agent.service

And to verify everything is in good order run

systemctl status amazon-ssm-agent.service

When the service is first started it provides warning messages about log setup. These can be ignored. You will see “Worker ssm-agent-worker (pid:SOME_NUMBER) started” in the output and with that everything is in order.

Now we need to set up the config files for ECS and then we’re done

echo "ECS_CLUSTER=$CLUSTER_NAME" >>/etc/ecs/ecs.config
mkdir -p /var/lib/ecs
echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION" >>/var/lib/ecs/ecs.config
echo "ECS_EXTERNAL=true" >>/var/lib/ecs/ecs.config

If you have multiple systems you are integrating into a cluster you can copy these configuration files around.

systemctl enable docker.service
systemctl start docker.service
systemctl enable amazon-ecs.service
systemctl start amazon-ecs.service

And to verify everything is working run

systemctl status amazon-ecs.service

Last but not least, verify that your system is included in the cluster

aws ecs list-container-instances --cluster $CLUSTER_NAME

And that was it. For details about deploying tasks and how ECS works from the command line or the Web UI please consult the relevant AWS documentation.


Robert Schweikert