forked from bottlerocket-os/bottlerocket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ecs.service
43 lines (41 loc) · 2.01 KB
/
ecs.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[Unit]
Description=Amazon Elastic Container Service - container agent
Documentation=https://aws.amazon.com/documentation/ecs/
Requires=docker.service
After=docker.service configured.target
Wants=network-online.target configured.target
[Service]
Type=simple
Restart=on-failure
RestartPreventExitStatus=5
RestartSec=1s
EnvironmentFile=-/etc/ecs/ecs.config
EnvironmentFile=/etc/network/proxy.env
Environment=ECS_CHECKPOINT=true
# Grant ECS tasks access to the ECS task metadata endpoint
ExecStartPre=/sbin/iptables -t nat -A PREROUTING -d 169.254.170.2/32 \
-p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679
ExecStartPre=/sbin/iptables -t nat -A OUTPUT -d 169.254.170.2/32 \
-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
# Grant access to the ECS Introspection server
ExecStartPre=/sbin/iptables -t nat -A PREROUTING -d 172.17.0.1/32 \
-p tcp -m tcp --dport 51678 -j DNAT --to-destination 127.0.0.1:51678
ExecStartPre=/sbin/iptables -t nat -A OUTPUT -d 172.17.0.1/32 \
-p tcp -m tcp --dport 51678 -j REDIRECT --to-ports 51678
ExecStartPre=/sbin/iptables -t filter -I INPUT --dst 127.0.0.0/8 ! \
--src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
ExecStart=/usr/bin/amazon-ecs-agent
# Remove access to the ECS task metadata endpoint from ECS tasks
ExecStopPost=-/sbin/iptables -t nat -D PREROUTING -d 169.254.170.2/32 \
-p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679
ExecStopPost=-/sbin/iptables -t nat -D OUTPUT -d 169.254.170.2/32 \
-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
# Remove access to the ECS Introspection server
ExecStopPost=-/sbin/iptables -t nat -D PREROUTING -d 172.17.0.1/32 \
-p tcp -m tcp --dport 51678 -j DNAT --to-destination 127.0.0.1:51678
ExecStopPost=-/sbin/iptables -t nat -D OUTPUT -d 172.17.0.1/32 \
-p tcp -m tcp --dport 51678 -j REDIRECT --to-ports 51678
ExecStopPost=-/sbin/iptables -t filter -D INPUT --dst 127.0.0.0/8 ! \
--src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
[Install]
WantedBy=multi-user.target