Merge pull request aws#198 from adnxn/mount-cert-path

Author: adnxn

.travis.yml

@@ -1,7 +1,7 @@
 language: go
 sudo: false
 go:
-    - 1.7
+    - 1.9
 before_install: ./scripts/hack/symlink-gopath-travisci
 install:
     - go get golang.org/x/tools/cover

ecs-init/config/common.go

@@ -147,3 +147,11 @@ func DockerUnixSocket() (string, bool) {
 func CgroupMountpoint() string {
 	return cgroupMountpoint
 }
+
+// HostCertsDirPath() returns the CA store path on the host
+func HostCertsDirPath() string {
+	if _, err := os.Stat(hostCertsDirPath); err != nil {
+		return ""
+	}
+	return hostCertsDirPath
+}

ecs-init/config/config_al2.go

@@ -15,4 +15,7 @@
 
 package config
 
-const cgroupMountpoint = "/sys/fs/cgroup"
+const (
+	cgroupMountpoint = "/sys/fs/cgroup"
+	hostCertsDirPath = "/etc/pki/tls/certs"
+)

ecs-init/config/config_suse_ubuntu.go

@@ -15,4 +15,7 @@
 
 package config
 
-const cgroupMountpoint = "/sys/fs/cgroup"
+const (
+	cgroupMountpoint = "/sys/fs/cgroup"
+	hostCertsDirPath = ""
+)

ecs-init/config/config_unspecified.go

@@ -15,4 +15,7 @@
 
 package config
 
-const cgroupMountpoint = "/cgroup"
+const (
+	cgroupMountpoint = "/cgroup"
+	hostCertsDirPath = "/etc/pki/tls/certs"
+)

ecs-init/docker/docker.go

@@ -220,6 +220,11 @@ func (c *Client) getContainerConfig() *godocker.Config {
 		"ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST": "true",
 	}
 
+	// for al, al2 add host ssl cert directory envvar if available
+	if certDir := config.HostCertsDirPath(); certDir != "" {
+		envVariables["SSL_CERT_DIR"] = certDir
+	}
+
 	// merge in platform-specific environment variables
 	for envKey, envValue := range getPlatformSpecificEnvVariables() {
 		envVariables[envKey] = envValue
@@ -276,6 +281,13 @@ func (c *Client) getHostConfig() *godocker.HostConfig {
 		config.CacheDirectory() + ":" + config.CacheDirectory(),
 		config.CgroupMountpoint() + ":" + DefaultCgroupMountpoint,
 	}
+
+	// for al, al2 add host ssl cert directory mounts
+	if certDir := config.HostCertsDirPath(); certDir != "" {
+		certsPath := certDir + ":" + certDir + readOnly
+		binds = append(binds, certsPath)
+	}
+
 	binds = append(binds, getDockerPluginDirBinds()...)
 	return createHostConfig(binds)
 }

ecs-init/docker/docker_test.go

@@ -22,13 +22,16 @@ import (
 	"github.com/golang/mock/gomock"
 )
 
+// expectedAgentBinds is the total number of agent host config binds.
+// Note: Change this value every time when a new bind mount is added to
+// agent for the tests to pass
 const (
-	// expectedAgentBinds is the total number of agent host config binds.
-	// Note: Change this value every time when a new bind mount is added to agent for
-	// the tests to pass
-	expectedAgentBinds = 13
+	expectedAgentBindsUnspecifiedPlatform = 14
+	expectedAgentBindsSuseUbuntuPlatform  = 13
 )
 
+var expectedAgentBinds = expectedAgentBindsUnspecifiedPlatform
+
 func TestIsAgentImageLoadedListFailure(t *testing.T) {
 	mockCtrl := gomock.NewController(t)
 	defer mockCtrl.Finish()
@@ -244,6 +247,14 @@ func validateCommonCreateContainerOptions(opts godocker.CreateContainerOptions,
 
 	hostCfg := opts.HostConfig
 
+	// for hosts that do not have cert directories explicity mounted, ignore
+	// host cert directory configuration.
+	// TODO (adnxn): ideally, these should be behind build flags.
+	// https://github.com/aws/amazon-ecs-init/issues/131
+	if certDir := config.HostCertsDirPath(); certDir == "" {
+		expectedAgentBinds = expectedAgentBindsSuseUbuntuPlatform
+	}
+
 	if len(hostCfg.Binds) != expectedAgentBinds {
 		t.Errorf("Expected exactly %d elements to be in Binds, but was %d", expectedAgentBinds, len(hostCfg.Binds))
 	}