5

I am having a problem with my docker compose file. This is my docker compose file:

version: '3'

services:
  nginx-proxy:
    image: xxxxx.dkr.ecr.xxxxx.amazonaws.com/xxxx:latest
    container_name: "nginx-proxy"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
...

This is the following error:

ClientException: host.sourcePath should not be set for volumes in Fargate

My task definition:

"mountPoints": [],
...
"volumes": [],
...
"readonlyRootFilesystem": false,

I also want my volume to be "read only".

Does anyone know which variable name I need to use in my docker compose file?

Can someone help me?

Thanks

Charles Dahab

1 Answer

6

Does anyone know which variable name I need to use in my docker compose file?

Fargate does not allow you to specify the host or sourcePath for a bind mount. You can check the docs for bind volumes and the overview for Fargate task storage docs to learn more.

The big premise of Fargate is that it obfuscates the underlying host from the task, so you as an end user have very few options for interacting with the host: you can't SSH to it, you can't touch its filesystem. In the case of bind mounts, you can't specify the host because you don't know the name or location of the host at deploy time, and you can't further specify the sourcePath because you can't know anything about the file system on the host.

In the instance of trying to mount the docker.sock especially, that would give you access to every container running on the host, which likely belongs to other accounts/AWS users. That would be very bad all around.

Can I use a bind mount with Fargate?

Yes. Though it might be of limited usefulness since you won't be able to access the file system of the underlying host to retrieve any files passed from the container to the host.

If the sourcePath value does not exist on the host container instance, the Docker daemon creates it.

So the answer for a bind mount is essentially to not specify host, and the Docker daemon will just create a path for you. Is that helpful? Probably not in your case.

bluescores
  • 1
    Still curious about what the real purpose of a Fargate bind mount is. Fargate isolates the underlying host, so what exactly does the bind mount really "mount"? What happens if two different users' containers bind mount to the same dir on the host? – 鄭元傑 Dec 10 '20 at 04:53
  • 1
    "In the instance of trying to mount the docker.sock especially, that would give you access to every container running on the host, which likely belongs to other accounts/aws users. That would be very bad all around." This section is not true, as in Fargate: Fargate hosts are not shared between different customers, and even though they just serve one Task. Every task running with Fargate in your account has its own individual Fargate host. – parsfar May 19 '21 at 07:42
  • 1
    As to the purpose of Fargate bind mount, it is mainly for sharing a mount between multiple containers in the same ECS task. – Mark B Feb 17 '22 at 13:55
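
As an added example (not code from the question, the answer, or AWS), here is a small pre-deployment check in Python for the two problems discussed above: a `host.sourcePath` on a Fargate task and a Docker socket mount. Both task definitions are constructed samples, and the names `config-writer` and `shared-conf` are hypothetical.

```python
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def lint_task_definition(task_def):
    """Return (severity, message) findings for one ECS task definition dict."""
    findings = []
    on_fargate = "FARGATE" in task_def.get("requiresCompatibilities", [])
    volumes = {v["name"]: v for v in task_def.get("volumes", [])}

    for name, vol in volumes.items():
        source = (vol.get("host") or {}).get("sourcePath")
        if source and on_fargate:
            findings.append(("error", f"volume '{name}': host.sourcePath should not be set for volumes in Fargate"))
        if source in DOCKER_SOCKETS:
            # A read-only mount of the socket still allows Docker API calls over it.
            findings.append(("high", f"volume '{name}': mounts the Docker socket"))

    for container in task_def.get("containerDefinitions", []):
        for mp in container.get("mountPoints", []):
            if mp["sourceVolume"] not in volumes:
                findings.append(("error", f"container '{container['name']}': unknown volume '{mp['sourceVolume']}'"))
            elif not mp.get("readOnly", False):
                findings.append(("info", f"container '{container['name']}': '{mp['sourceVolume']}' is mounted read-write"))
    return findings

# Constructed sample: what the compose file in the question translates to.
REJECTED = {
    "requiresCompatibilities": ["FARGATE"],
    "volumes": [{"name": "docker-sock", "host": {"sourcePath": "/var/run/docker.sock"}}],
    "containerDefinitions": [{
        "name": "nginx-proxy",
        "mountPoints": [{"sourceVolume": "docker-sock", "containerPath": "/tmp/docker.sock", "readOnly": True}],
    }],
}

# Constructed sample: a name-only volume shared by two containers in the same task,
# mounted read-only in the proxy. "config-writer" and "shared-conf" are hypothetical.
ACCEPTED = {
    "requiresCompatibilities": ["FARGATE"],
    "volumes": [{"name": "shared-conf"}],
    "containerDefinitions": [
        {"name": "config-writer",
         "mountPoints": [{"sourceVolume": "shared-conf", "containerPath": "/out"}]},
        {"name": "nginx-proxy",
         "mountPoints": [{"sourceVolume": "shared-conf", "containerPath": "/etc/nginx/conf.d", "readOnly": True}]},
    ],
}

if __name__ == "__main__":
    for label, td in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(label, lint_task_definition(td))
```

In the task definition, read-only access is set per container with `readOnly` on the mount point, not on the volume itself.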