I'm having an issue creating an AWS ECS Fargate-type task that needs docker "--cap-add" runtime options. The AWS documentation seems to be either incomplete or ambiguous regarding this feature.
My container needs to mount a CIFS filesystem and when I run it in Docker I use the command:
    docker run --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH -it alpine-cifs-python sh
It works as expected. AWS docs seem to indicate that "capabilities" are supported in various documents. For example the following:
Says:
If you are using tasks that use the Fargate launch type, capabilities is supported but the add parameter described below is not supported.
So "capabilities" is supported but "add" is not. It's NOT clear what that means and I've tried any number of combinations of this in my CloudFormation YAML and none work without throwing an error.
I've been working with something like this:
    LinuxParameters:
      Capabilities:
        Add:
          - SYS_ADMIN
          - DAC_READ_SEARCH
      #KernelCapabilities:
      #  - 'SYS_ADMIN'
      #  - 'DAC_READ_SEARCH'
But this returns an error when I try to deploy:
    Fargate does not allow adding Linux Capabilities. (Service: AmazonECS; Status Code: 400; Error Code: ClientException; Request ID: f7368ec6-38a6-4a0b-b8ec-7eb078ea5367)
If I leave out the "Add" parameter, I get:
    Value of property Capabilities must be an object
I have not been successful in finding any example of how to implement "capabilities" in a Fargate ECS task.
What am I missing? Thanks!
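An added example, not from the question above and not AWS's own code: the object-shaped Capabilities block that the quoted documentation leaves open on Fargate. Since "add" is rejected, the only remaining KernelCapabilities field is Drop, so a Fargate task definition can only shrink the container's default capability set, never grant SYS_ADMIN or DAC_READ_SEARCH; the family name, image, role reference and sizes below are placeholders.

```yaml
# Added example, not from the original post. Family, image, role and sizes are placeholders.
Resources:
  CifsTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: alpine-cifs-python                 # placeholder family name
      RequiresCompatibilities:
        - FARGATE
      NetworkMode: awsvpc                        # required for Fargate tasks
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !Ref TaskExecutionRole   # placeholder; role defined elsewhere in the template
      ContainerDefinitions:
        - Name: app
          Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/alpine-cifs-python:latest  # placeholder
          Essential: true
          LinuxParameters:
            # Capabilities must be a KernelCapabilities object, which is why a bare
            # "Capabilities:" key fails with "must be an object". On Fargate only
            # Drop is accepted; an Add list fails with "Fargate does not allow
            # adding Linux Capabilities".
            Capabilities:
              Drop:
                - NET_RAW    # constructed least-privilege example: remove defaults the app does not need
                - MKNOD
```

Dropping capabilities tightens the task's privilege without changing the launch type; mounting CIFS from inside the container still requires SYS_ADMIN, which this form cannot provide.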