Deprecate ECS settings applier

Release.toml

@@ -292,4 +292,7 @@ version = "1.20.0"
     "migrate_v1.20.0_corndog-services-cfg-v0-1-0.lz4",
     "migrate_v1.20.0_bootstrap-containers-config-file-v0-1-0.lz4",
     "migrate_v1.20.0_bootstrap-containers-services-cfg-v0-1-0.lz4",
+    "migrate_v1.20.0_remove-ecs-settings-applier.lz4",
+    "migrate_v1.20.0_update-ecs-config-path.lz4",
+    "migrate_v1.20.0_update-ecs-config-template-path.lz4",
 ]

packages/ecs-agent/ecs-agent.spec

@@ -35,16 +35,18 @@ Source2: https://%{vpccni_goimport}/archive/%{vpccni_gitrev}/%{vpccni_gorepo}.ta
 Source101: ecs.service
 Source102: ecs-tmpfiles.conf
 Source103: ecs-sysctl.conf
-Source104: ecs.config
+Source104: ecs-base-conf
 Source105: pause-image-VERSION
 Source106: pause-config.json
 Source107: pause-manifest.json
 Source108: pause-repositories
 # Bottlerocket-specific - version data can be set with linker options
 Source109: version.go
+Source110: ecs-defaults.conf
+Source111: ecs-nvidia.conf
 
 # Mount for writing ECS agent configuration
-Source200: etc-ecs.mount
+Source200: etc-systemd-system-ecs.service.d.mount
 
 # Ecs logdog configuration
 Source300: logdog.ecs.conf
@@ -86,6 +88,21 @@ Requires: %{_cross_os}amazon-ssm-agent
 %description
 %{summary}.
 
+%package config
+Summary: Base configuration files for the ECS agent
+Requires: %{name}
+
+%description config
+%{summary}.
+
+%package nvidia-config
+Summary: NVIDIA specific configuration files for the ECS agent
+Requires: %{name}
+Requires: %{name}-config
+
+%description nvidia-config
+%{summary}.
+
 %prep
 # After prep runs, the directory setup looks like this:
 # %{_builddir} [root]
@@ -260,9 +277,14 @@ install -D -p -m 0755 %{vpccni_gorepo}-%{vpccni_gitrev}/vpc-eni %{buildroot}%{_c
 install -d %{buildroot}%{_cross_unitdir}
 install -D -p -m 0644 %{S:101} %{S:200} %{buildroot}%{_cross_unitdir}
 
+install -d %{buildroot}%{_cross_unitdir}/ecs.service.d/
+install -D -p -m 0644 %{S:110} %{buildroot}%{_cross_unitdir}/ecs.service.d/00-defaults.conf
+install -D -p -m 0644 %{S:111} %{buildroot}%{_cross_unitdir}/ecs.service.d/20-nvidia.conf
+
 install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf
 install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf
-install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config
+
+install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs-base-conf
 
 # Directory for agents used by the ECS agent, e.g. SSM, Service Connect
 %global managed_agents %{_cross_libexecdir}/amazon-ecs-agent/managed-agents
@@ -333,11 +355,17 @@ install -p -m 0644 %{S:300} %{buildroot}%{_cross_datadir}/logdog.d
 %{_cross_libexecdir}/amazon-ecs-agent/vpc-eni
 %{_cross_libexecdir}/amazon-ecs-agent/managed-agents
 %{_cross_unitdir}/ecs.service
-%{_cross_unitdir}/etc-ecs.mount
+%{_cross_unitdir}/etc-systemd-system-ecs.service.d.mount
 %{_cross_tmpfilesdir}/ecs.conf
 %{_cross_sysctldir}/90-ecs.conf
-%{_cross_templatedir}/ecs.config
 %{_cross_libdir}/amazon-ecs-agent/amazon-ecs-pause.tar
 %{_cross_datadir}/logdog.d/logdog.ecs.conf
 
+%files config
+%{_cross_templatedir}/ecs-base-conf
+%{_cross_unitdir}/ecs.service.d/00-defaults.conf
+
+%files nvidia-config
+%{_cross_unitdir}/ecs.service.d/20-nvidia.conf
+
 %changelog

packages/ecs-agent/ecs-base-conf

@@ -0,0 +1,59 @@
+[required-extensions]
+autoscaling = "v1"
+container-registry = "v1"
+os = "v1"
+std = { version = "v1", helpers = ["default", "negate_or_else"] }
+ecs = { version = "v1", helpers = ["ecs_metadata_service_limits"] }
++++
+# Configurations set through the API; default values match the default values in the agent
+[Service]
+Environment=ECS_AWSVPC_BLOCK_IMDS="{{default "false" settings.ecs.awsvpc-block-imds}}"
+Environment=ECS_BACKEND_HOST="{{default "" settings.ecs.backend-host}}"
+Environment=ECS_CONTAINER_STOP_TIMEOUT="{{default "30s" settings.ecs.container-stop-timeout}}"
+Environment=ECS_CLUSTER="{{default "" settings.ecs.cluster}}"
+Environment=ECS_ENABLE_CONTAINER_METADATA="{{default "false" settings.ecs.enable-container-metadata}}"
+Environment=ECS_ENABLE_SPOT_INSTANCE_DRAINING="{{default "false" settings.enable-spot-instance-draining}}"
+Environment=ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION="{{default "3h" settings.ecs.task-cleanup-wait}}"
+Environment=ECS_IMAGE_CLEANUP_INTERVAL="{{default "30m" settings.ecs.image-cleanup-wait}}"
+Environment=ECS_IMAGE_MINIMUM_CLEANUP_AGE="{{default "1h" settings.ecs.image-cleanup-age}}"
+Environment=ECS_IMAGE_PULL_BEHAVIOR="{{default "default" settings.ecs.image-pull-behavior}}"
+Environment=ECS_LOGLEVEL="{{settings.ecs.loglevel}}"
+Environment=ECS_NUM_IMAGES_DELETE_PER_CYCLE="{{default 5 settings.ecs.image-cleanup-delete-per-cycle}}"
+Environment=ECS_RESERVED_MEMORY="{{default 0 settings.ecs.reserved-memory}}"
+Environment=ECS_TASK_METADATA_RPS_LIMIT="{{ecs_metadata_service_limits settings.ecs.metadata-service-rps settings.ecs.metadata-service-burst}}"
+Environment=ECS_WARM_POOLS_CHECK="{{default "false" settings.autoscaling.should-wait}}"
+
+# Boolean configurations whose values are inverted in the API
+Environment=ECS_PRIVILEGED_DISABLED="{{negate_or_else true settings.ecs.allow-privileged-containers}}"
+Environment=ECS_DISABLE_IMAGE_CLEANUP="{{negate_or_else false settings.ecs.image-cleanup-enabled}}"
+
+Environment=ECS_INSTANCE_ATTRIBUTES='{ "bottlerocket.variant": "{{os.variant_id}}"
+    {{~#if settings.ecs.instance-attributes~}}
+    {{~#each settings.ecs.instance-attributes}} ,"{{@key}}": "{{this}}" {{~/each~}}
+    {{~/if~}}}'
+
+{{#if settings.ecs.logging-drivers }}
+Environment=ECS_AVAILABLE_LOGGING_DRIVERS='[
+    {{~#each settings.ecs.logging-drivers~}}
+    {{~#unless @first~}}, {{~/unless~}}
+    "{{this}}"
+    {{~/each~}}]'
+{{/if}}
+
+{{#if settings.container-registry.credentials~}}
+Environment=ECS_ENGINE_AUTH_TYPE=dockercfg
+
+Environment=ECS_ENGINE_AUTH_DATA='{
+    {{~#each settings.container-registry.credentials~}}
+    {{~#unless @first~}},{{~/unless~}}
+    {{~#if (eq registry "docker.io" )~}}
+    "https://index.docker.io/v1/":
+    {{~else~}}
+    "{{registry}}":
+    {{~/if~}}
+    {"email": "."
+        {{~#if auth~}},"auth": "{{{auth}}}"{{/if}}
+        {{~#if username~}},"username": "{{{username}}}"{{/if}}
+        {{~#if password~}},"password": "{{{password}}}"}{{/if}}
+    {{~/each~}}}}'
+{{/if}}

packages/ecs-agent/ecs-defaults.conf

@@ -0,0 +1,12 @@
+[Service]
+# Path overrides
+Environment=ECS_AUDIT_LOGFILE="/var/log/ecs/audit.log"
+Environment=ECS_CNI_PLUGINS_PATH="/usr/libexec/amazon-ecs-agent"
+Environment=ECS_DATADIR="/var/lib/ecs/data"
+Environment=ECS_LOGFILE="/var/log/ecs/ecs-agent.log"
+# Default configurations
+Environment=ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE="true"
+Environment=ECS_ENABLE_TASK_IAM_ROLE="true"
+Environment=ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST="true"
+Environment=ECS_ENABLE_TASK_ENI="true"
+Environment=ECS_SELINUX_CAPABLE="true"

packages/ecs-agent/ecs-nvidia.conf

@@ -0,0 +1,2 @@
+[Service]
+Environment=ECS_ENABLE_GPU_SUPPORT="true"

packages/ecs-agent/ecs.service

@@ -10,7 +10,6 @@ Type=simple
 Restart=always
 RestartPreventExitStatus=5
 RestartSec=5
-EnvironmentFile=-/etc/ecs/ecs.config
 EnvironmentFile=/etc/network/proxy.env
 Environment=ECS_CHECKPOINT=true
 # Grant ECS tasks access to the ECS task metadata endpoint

packages/ecs-agent/etc-ecs.mount → packages/ecs-agent/etc-systemd-system-ecs.service.d.mount

@@ -1,5 +1,5 @@
 [Unit]
-Description=ECS agent Configuration Directory (/etc/ecs)
+Description=ECS agent drop-ins Directory (/etc/systemd/system/ecs.service.d)
 DefaultDependencies=no
 Conflicts=umount.target
 Before=local-fs.target umount.target
@@ -8,7 +8,7 @@ Wants=selinux-policy-files.service
 
 [Mount]
 What=tmpfs
-Where=/etc/ecs
+Where=/etc/systemd/system/ecs.service.d
 Type=tmpfs
 Options=nosuid,nodev,noexec,noatime,mode=0750,context=system_u:object_r:secret_t:s0
 

packages/os/os.spec

@@ -119,10 +119,6 @@ Requires: %{_cross_os}shibaken
 Requires: %{_cross_os}cfsignal
 %endif
 
-%if %{with ecs_runtime}
-Requires: %{_cross_os}ecs-settings-applier
-%endif
-
 %if %{with nvidia_flavor}
 Requires: %{_cross_os}driverdog
 %endif
@@ -248,13 +244,6 @@ Summary: Bottlerocket certificates handler
 %description -n %{_cross_os}certdog
 %{summary}.
 
-%if %{with ecs_runtime}
-%package -n %{_cross_os}ecs-settings-applier
-Summary: Settings generator for ECS
-%description -n %{_cross_os}ecs-settings-applier
-%{summary}.
-%endif
-
 %if %{with aws_k8s_family}
 %package -n %{_cross_os}pluto
 Summary: Dynamic setting generator for kubernetes
@@ -370,7 +359,6 @@ echo "** Output from non-static builds:"
     -p shimpei \
     -p bloodhound \
     -p xfscli \
-    %{?with_ecs_runtime: -p ecs-settings-applier} \
     %{?with_aws_platform: -p shibaken -p cfsignal} \
     %{?with_aws_k8s_family: -p pluto} \
     %{?with_k8s_runtime: -p static-pods} \
@@ -396,7 +384,6 @@ for p in \
   signpost updog metricdog logdog \
   ghostdog bootstrap-containers \
   shimpei bloodhound bottlerocket-checks \
-  %{?with_ecs_runtime: ecs-settings-applier} \
   %{?with_aws_platform: shibaken cfsignal} \
   %{?with_aws_k8s_family: pluto} \
   %{?with_k8s_runtime: static-pods} \
@@ -644,11 +631,6 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %files -n %{_cross_os}logdog
 %{_cross_bindir}/logdog
 
-%if %{with ecs_runtime}
-%files -n %{_cross_os}ecs-settings-applier
-%{_cross_bindir}/ecs-settings-applier
-%endif
-
 %if %{with aws_platform}
 %files -n %{_cross_os}shibaken
 %{_cross_bindir}/shibaken

sources/Cargo.toml

@@ -9,7 +9,6 @@ members = [
     "api/corndog",
     "api/datastore",
     "api/early-boot-config",
-    "api/ecs-settings-applier",
     "api/netdog",
     "api/sundog",
     "api/schnauzer",
@@ -78,6 +77,9 @@ members = [
     "api/migration/migrations/v1.20.0/corndog-services-cfg-v0-1-0",
     "api/migration/migrations/v1.20.0/bootstrap-containers-config-file-v0-1-0",
     "api/migration/migrations/v1.20.0/bootstrap-containers-services-cfg-v0-1-0",
+    "api/migration/migrations/v1.20.0/remove-ecs-settings-applier",
+    "api/migration/migrations/v1.20.0/update-ecs-config-path",
+    "api/migration/migrations/v1.20.0/update-ecs-config-template-path",
 
     "bloodhound",