Do the Bitbucket Pipeline Runners work on AWS ECS?

I am able to get the new Bitbucket Pipeline Runners to work by running the docker image locally on my Ubuntu VM; it works great. Now I want to move this to the company's infrastructure on AWS ECS. Is this possible?

1 answer

1 vote
Mark C Atlassian Team Aug 19, 2021

Hi @drichards-alcon,

Thanks for reaching out to the community.

I can confirm that you can use Pipelines Runners on AWS as long as you're using Linux with x64 architecture.
This is also mentioned in Pipelines runners official documentation.

I also tested this on my end by spinning up an AWS EC2 instance with a Linux environment and Pipelines runners is working great.

Hope it helps and let me know if you have further questions that I can help with.

Regards,
Mark C

Thanks for the info @Mark C. I have no doubt it would run on an EC2 instance where I install docker, but will it run in an ECS Task container?

My concern is that, as it is running docker in docker and needs access to the docker socket, this would prevent it from running in the ECS model, forcing us to go down the EC2 model. Adding a new ECS Task is easy, but getting approval for an EC2 instance is a bit more work.

Thanks 

Mark C Atlassian Team Aug 23, 2021

Hi @drichards-alcon

To be honest, I haven't come across a Pipelines runners use case with AWS ECS.

However, I've asked this internally.
I'm afraid there could be some constraints running Pipelines runners on AWS ECS, specifically with running the docker-in-docker service container, which requires privileged mode.

Also, I'm not really sure if AWS ECS is allowing this already.

For this, as long as AWS ECS is allowing a docker-in-docker service container with privileged mode, you can use Pipelines runner there.

Regards,
Mark C

Makes sense, yeah the use case is that we need to access an on-prem credential vault (Saviynt) so not only do we need someplace to run a docker container, it needs to have access to the on-prem servers, which leaves us on AWS :/ 

Sounds like I will move down the EC2 with Docker path, thanks for the update!


In this AWS blog post it states clearly that ECS doesn't support docker in docker for security reasons:

Building Container Images on ECS

Do not be misled by the title, as the solution provided is separate from the Bitbucket agent, which does require docker in docker. More details are in the quote below, but you can read through the introduction for more context.

There are inherent risks involved in both of these approaches. Containers that have access to the host’s Docker daemon or run in privileged mode can also perform other malicious actions on the host. For example, a container with access to the host’s Docker Engine through a mounted Unix socket would have full access to the underlying Docker API. This would give the Container the privileges to start and stop any other container running on that Docker Engine, or even docker exec into other containers. Even in single-tenant ECS clusters, this can lead to severe ramifications as it exposes a back door for hostile actors.

AWS Fargate runs each container in a VM-isolated environment. It also imposes security best practices, including prohibiting running containers from mounting directories or sockets from the underlying host and preventing containers from running with additional linux capabilities or using the --privileged flag. As a result, customers cannot build container images inside Fargate containers using the builder within Docker Engine.
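The two points above (Mark C's note that the docker-in-docker service container needs privileged mode, and the AWS quote listing what Fargate refuses: host directory or socket mounts, added Linux capabilities and the --privileged flag) can be turned into a pre-deployment check. The following is an added example, not code from this thread, Atlassian or AWS: it audits an ECS task definition JSON document for exactly those host-access requests. The field names used (containerDefinitions, privileged, mountPoints, volumes[].host.sourcePath, linuxParameters.capabilities.add, requiresCompatibilities) are the standard ECS task definition keys; the sample task definition embedded in the script is constructed for illustration and is not a real Bitbucket runner definition.

```python
"""Audit an ECS task definition for docker-in-docker style host access.

Added example (not from the thread, Atlassian or AWS). Flags the settings
the AWS post describes as host-escape risks on EC2 launch type and as
rejected outright on Fargate.
"""
import json

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample task definition (not a real Bitbucket runner definition):
# the "runner" container asks for privileged mode, bind-mounts the host Docker
# socket and adds a capability; the "sidecar" only bind-mounts a host directory.
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "example-runner",
    "requiresCompatibilities": ["FARGATE"],
    "volumes": [
        {"name": "docker-sock", "host": {"sourcePath": DOCKER_SOCKET}},
        {"name": "scratch", "host": {"sourcePath": "/tmp/scratch"}},
    ],
    "containerDefinitions": [
        {
            "name": "runner",
            "image": "example/runner:latest",
            "privileged": True,
            "mountPoints": [
                {"sourceVolume": "docker-sock", "containerPath": DOCKER_SOCKET}
            ],
            "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}},
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:latest",
            "mountPoints": [
                {"sourceVolume": "scratch", "containerPath": "/scratch"}
            ],
        },
    ],
})


def host_path_volumes(task_def):
    """Map volume name -> host sourcePath for every host bind volume."""
    result = {}
    for vol in task_def.get("volumes", []):
        host = vol.get("host") or {}
        if host.get("sourcePath"):
            result[vol["name"]] = host["sourcePath"]
    return result


def audit_task_definition(task_def_json):
    """Return a list of (container name, finding) tuples for host-access risks."""
    task_def = json.loads(task_def_json)
    volumes = host_path_volumes(task_def)
    findings = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        if container.get("privileged") is True:
            findings.append((name, "runs in privileged mode"))
        for mount in container.get("mountPoints", []):
            src = volumes.get(mount.get("sourceVolume"))
            if src == DOCKER_SOCKET:
                # Full access to the host Docker API, as the AWS post warns.
                findings.append((name, "bind-mounts the host Docker socket"))
            elif src:
                findings.append((name, f"bind-mounts host path {src}"))
        caps = (container.get("linuxParameters") or {}).get("capabilities") or {}
        for cap in caps.get("add", []):
            findings.append((name, f"adds Linux capability {cap}"))
    return findings


def fargate_blocks(task_def_json, findings):
    """True if the task targets Fargate, which rejects every finding kind above."""
    launch_types = json.loads(task_def_json).get("requiresCompatibilities", [])
    return "FARGATE" in launch_types and bool(findings)


if __name__ == "__main__":
    found = audit_task_definition(SAMPLE_TASK_DEFINITION)
    for container, finding in found:
        print(f"{container}: {finding}")
    if fargate_blocks(SAMPLE_TASK_DEFINITION, found):
        print("Fargate would reject this task definition; only EC2 launch type "
              "could run it, with the host-access risks above.")
```

Run it against a task definition exported with `aws ecs describe-task-definition` (pass the `taskDefinition` object) to see, before approval, whether a runner task will be rejected by Fargate or will need the EC2 launch type and the privileged host access the thread discusses.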
