c# - 为什么通过 API 在 Windows 容器/任务中获取 AWS 凭证会超时？

Question

根据文档，您应该能够使用以下 url 从正在运行的任务(容器)中获取分配给任务定义的角色的凭据:http://169.254.170.2 “AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”，其中 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 解析为 url 的一部分。

在我的例子中，在日志文件中我可以看到它解析为: http://169.254.170.2/v2/credentials/063b6cc6-0dc7-486e-ba0a-843a308b222d

但是调用 API 会导致超时。端点未监听的原因可能是什么？

容器正在运行 windows-server-2019 的 ECS_OPTIMIZED 镜像

private static async Task<string> GetCredentials(EnvironmentOptions opts)
{
    try
    {
        using (var httpClient = new HttpClient())
        {
                using (var request = new HttpRequestMessage(new HttpMethod("GET"), $"http://169.254.170.2{opts.CredentailsUrl}"))
                {
                    var response = await httpClient.SendAsync(request);
                    return await response.Content.ReadAsStringAsync();
                }
            }
        }
        catch (Exception ex)
        {
            return $"{ex.Message} {ex.StackTrace}";
        }
    }

例如 opts.CredentailsUrl = '/v2/credentials/063b6cc6-0dc7-486e-ba0a-843a308b222d' 并从环境变量 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 中获取

我得到的错误信息是:A connection attempt failed because the connected party didn't properly respond after a period time, or established connection failed because connected host has failed respond

我真的应该找回像这样的 json 类:

{
    "AccessKeyId": "ACCESS_KEY_ID",
    "Expiration": "EXPIRATION_DATE",
    "RoleArn": "TASK_ROLE_ARN",
    "SecretAccessKey": "SECRET_ACCESS_KEY",
    "Token": "SECURITY_TOKEN_STRING"
}

在容器实例中，我从 powershell 运行以下两个命令:

Import-Module ECSTools
Initialize-ECSAgent -Cluster 'txp-dev-windows' -EnableTaskIAMRole -Version "latest"

这导致最后一行实际上从未继续(= 挂起)

019-06-07T10:15:06Z - [INFO]:Runtime is already installed.
2019-06-07T10:15:06Z - [INFO]:Docker version 18.09.4, build c3516c43ef
2019-06-07T10:15:06Z - [INFO]:Configuring ECS Host...
2019-06-07T10:15:06Z - [INFO]:Checking Hyper-V Network adapter
2019-06-07T10:15:08Z - [INFO]:Default vEthernet adapter found for nat. Using this adapter.
2019-06-07T10:15:08Z - [INFO]:VMNetwork adapter found with mac: 00-15-5D-2B-E1-89
2019-06-07T10:15:08Z - [INFO]:Checking for network adatper with mac: 00-15-5D-2B-E1-89
2019-06-07T10:15:08Z - [INFO]:Network adapter found.
2019-06-07T10:15:08Z - [INFO]:Network adapter found with mac 00-15-5D-2B-E1-89 on interface 2
2019-06-07T10:15:08Z - [INFO]:Getting subnet info from docker...
2019-06-07T10:15:08Z - [INFO]:Docker subnet: 0.0.0.0/0
2019-06-07T10:15:08Z - [INFO]:Docker gateway:
WARNING: Waiting for service 'Docker Engine (docker)' to stop...
WARNING: Waiting for service 'Docker Engine (docker)' to stop...
WARNING: Waiting for service 'Docker Engine (docker)' to stop...
WARNING: Waiting for service 'Docker Engine (docker)' to stop...
WARNING: Waiting for service 'Docker Engine (docker)' to stop...
2019-06-07T10:15:22Z - [INFO]:Docker subnet: 172.31.16.0/20
2019-06-07T10:15:22Z - [INFO]:Docker gateway: 172.31.16.1
2019-06-07T10:15:24Z - [INFO]:Getting net ip address
2019-06-07T10:15:25Z - [INFO]:IP address not found.
Name                           Value
----                           -----
PrefixLength                   32
IPAddress                      169.254.170.2
InterfaceIndex                 2



2019-06-07T10:15:25Z - [INFO]:Creating new virtual network adapter ip...
New-NetIPAddress : Element not found.
At C:\Program Files\WindowsPowerShell\Modules\ECSTools\ECSTools.psm1:1370 char:28
+             $newIpOutput = New-NetIPAddress @IPAddrParams
+                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (MSFT_NetIPAddress:ROOT/StandardCimv2/MSFT_NetIPAddress) [New-NetIPAddress], CimException
    + FullyQualifiedErrorId : Windows System Error 1168,New-NetIPAddress

2019-06-07T10:15:25Z - [INFO]:Virtual network adapter ip created:
2019-06-07T10:15:25Z - [INFO]:Waiting for it to become available on the device...

然后我在 AWS 文档中找到了这个:任务容器引导脚本的 IAM 角色 在容器可以访问容器实例上的凭证代理以获取凭证之前，必须使用所需的网络命令引导容器。

所以我在容器程序启动时将引导脚本添加到容器程序中:

                string script = @"
$gateway = (Get-NetRoute | Where { $_.DestinationPrefix -eq '0.0.0.0/0' } | Sort-Object RouteMetric | Select NextHop).NextHop
$ifIndex = (Get-NetAdapter -InterfaceDescription 'Hyper-V Virtual Ethernet*' | Sort-Object | Select ifIndex).ifIndex
New-NetRoute -DestinationPrefix 169.254.170.2/32 -InterfaceIndex $ifIndex -NextHop $gateway
";
                using (PowerShell PowerShellInstance = PowerShell.Create())
                {
                    PowerShellInstance.AddScript(script);
                    PowerShellInstance.Invoke();
                }

但这并没有什么不同。

Answer 1

失败的确切原因尚不清楚。 EC2 实例没有为 ECS 集群正确配置，这肯定与此有关。它是手动创建的，初始化数据的 powershell 脚本将其连接到(空)集群。我不得不那样做，因为集群创建向导只允许使用 Server 2016 AMI。但今天令我惊讶的是，它还允许使用 Server 2019 AMI。与向导一起做。容器代码开始工作。