I am trying to use AWS ECS Fargate to run JFrog Artifactory. I’ve had it working without any issues in an EC2 instance, but ECS is giving me some problems that I believe are related to the permissions of the Artifactory account that it runs as inside the container, but I don’t know why that would cause an issue inside ECS and not when running it on EC2 since they are sourcing the same Docker image. I have attached the logs with the relevant messages here, as well as my task definition.
Things I’ve tried:
- setting the working directory to /usr/jfrog (did not change anything)
Similar issues that did not help:
[shell] [INFO ] [] [installerCommon.sh:1670 ] [main] - Testing directory /opt/jfrog/artifactory/var has read/write permissions for user id 1030
/opt/jfrog/artifactory/app/bin/installerCommon.sh: line 1642: /opt/jfrog/artifactory/var/test-permissions: Permission denied
[shell] [INFO ] [] [installerCommon.sh:1679 ] [main] - /opt/jfrog/artifactory/var DOES NOT have proper permissions for user id 1030
[shell] [INFO ] [] [installerCommon.sh:1680 ] [main] - Directory: /opt/jfrog/artifactory/var, permissions: 755, owner: root, group: root
[shell] [INFO ] [] [installerCommon.sh:1681 ] [main] - Mounted directory must have read/write permissions for user id 1030
[shell] [ERROR] [] [installerCommon.sh:784 ] [main] - Directory /opt/jfrog/artifactory/var has bad permissions for user id 1030
{
  "ipcMode": null,
  "executionRoleArn": "xxx",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/first-run-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": [],
      "portMappings": [
        {
          "hostPort": 8082,
          "protocol": "tcp",
          "containerPort": 8082
        },
        {
          "hostPort": 8081,
          "protocol": "tcp",
          "containerPort": 8081
        },
        {
          "hostPort": 443,
          "protocol": "tcp",
          "containerPort": 443
        }
      ],
      "command": [],
      "linuxParameters": null,
      "cpu": 256,
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [
        {
          "readOnly": null,
          "containerPath": "/var/opt/jfrog/artifactory",
          "sourceVolume": "artifactory-storage"
        }
      ],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 512,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "releases-docker.jfrog.io/jfrog/artifactory-pro:latest",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": [],
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "petclinic-container"
    }
  ],
  "memory": "512",
  "taskRoleArn": "xxx",
  "family": "artifactory",
  "pidMode": null,
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "networkMode": "awsvpc",
  "runtimePlatform": null,
  "cpu": "256",
  "inferenceAccelerators": [],
  "proxyConfiguration": null,
  "volumes": [
    {
      "fsxWindowsFileServerVolumeConfiguration": null,
      "efsVolumeConfiguration": {
        "transitEncryptionPort": null,
        "fileSystemId": "xxx",
        "authorizationConfig": {
          "iam": "DISABLED",
          "accessPointId": null
        },
        "transitEncryption": "ENABLED",
        "rootDirectory": "/"
      },
      "name": "artifactory-storage",
      "host": null,
      "dockerVolumeConfiguration": null
    }
  ],
  "tags": []
}
2 Answers
It turns out the solution was very simple, and related to the permissions on the EFS disk. All of the subfolders were owned by the account it was running as, but the folder itself was not. Running
sudo chown 1030:1030 .
while in the folder I was trying to mount fixed all of my problems.
Before and after:
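The permission test from the installer log and the `chown` fix from the answer above, combined into a preflight script as an added example that is not part of the original posts; the fix it prints keeps the container running as its unprivileged user ID. The function names are hypothetical, the default ID 1030 comes from the log, and `stat -c` assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example: preflight check for a directory that will be mounted into a
# container running as a non-root numeric user (1030 in the log above).
# Assumptions: GNU stat; only owner/group/mode bits are evaluated, so ACLs
# and supplementary groups are ignored; uid 0 is treated as always allowed.

# can_rwx DIR UID GID -> 0 if UID:GID has rwx on DIR, 1 if not, 2 if stat fails
can_rwx() {
    local dir="$1" uid="$2" gid="$3"
    local info owner rest group mode bits
    info=$(stat -c '%u %g %a' "$dir") || return 2
    owner=${info%% *}; rest=${info#* }
    group=${rest%% *}; mode=${rest#* }
    [ "$uid" -eq 0 ] && return 0
    mode=$(( 0$mode ))                      # %a prints octal digits
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    [ "$bits" -eq 7 ]
}

# check_mount DIR [UID] [GID] -> prints a verdict and, on failure, the chown
# command from the first answer with the IDs filled in.
check_mount() {
    local dir="$1" uid="${2:-1030}" gid="${3:-1030}" rc=0
    can_rwx "$dir" "$uid" "$gid" || rc=$?
    case $rc in
        0) echo "OK: $dir is read/write for $uid:$gid" ;;
        1) echo "FAIL: $dir ($(stat -c 'permissions: %a, owner: %u, group: %g' "$dir"))"
           echo "fix on a host with the volume mounted: sudo chown $uid:$gid $dir" ;;
        *) echo "ERROR: cannot stat $dir" ;;
    esac
    return "$rc"
}

# Usage: ./check_mount.sh /path/to/mounted/volume 1030 1030
if [ "$#" -ge 1 ]; then
    check_mount "$@"
fi
```

Run it against the root of the volume itself, not only its subfolders, since the top-level directory is the one the log reports as `owner: root, group: root`.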
What has worked for me was adding in
user: root
to my docker-compose file.
Example: