
HelpersTask1207_Debug_dind_and_sibling_container_issue_on_containerized_workflow#1208

Open
heanhsok wants to merge 2 commits intomasterfrom
HelpersTask1207_Debug_dind_and_sibling_container_issue_on_containerized_workflow

Conversation

@heanhsok
Contributor

Task #1207
Pre-commit checks:
All checks passed ✅

@heanhsok heanhsok self-assigned this Apr 22, 2026
@heanhsok heanhsok requested review from Shayawnn and gpsaggese April 22, 2026 08:30
@heanhsok
Contributor Author

Adding this check back (https://github.com/causify-ai/helpers/pull/1203/changes#r3113612752), as we need to ensure it does not cause issues when running on ECS Fargate through Airflow, since ECS Fargate does not support either DinD or sibling containers.

See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-security-considerations.html

  • No privileged containers or access - Features such as privileged containers or access are currently unavailable on Fargate. This will affect use cases such as running Docker in Docker.

  • Limited access to Linux capabilities - The environment in which containers run on Fargate is locked down. Additional Linux capabilities, such as CAP_SYS_ADMIN and CAP_NET_ADMIN, are restricted to prevent a privilege escalation. Fargate supports adding the CAP_SYS_PTRACE Linux capability to tasks to allow observability and security tools deployed within the task to monitor the containerized application.

  • No access to the underlying host - Neither customers nor AWS operators can connect to a host running customer workloads. You can use ECS exec to run commands in or get a shell to a container running on Fargate. You can use ECS exec to help collect diagnostic information for debugging. Fargate also prevents containers from accessing the underlying host’s resources, such as the file system, devices, networking, and container runtime.

  • Networking - You can use security groups and network ACLs to control inbound and outbound traffic. Fargate tasks receive an IP address from the configured subnet in your VPC.

FYI @PomazkinG @gpsaggese @Shayawnn

@heanhsok heanhsok requested a review from PomazkinG April 22, 2026 08:46
@heanhsok heanhsok added the PR for reviewers The PR needs to be reviewed by RPs label Apr 22, 2026
Contributor

@PomazkinG PomazkinG left a comment


Overall LG since it solves the problem at hand

Leaving a non-blocking comment

Comment thread helpers/hserver.py

```python
    """
    if not has_docker():
        return False
    # This check is required to ensure it does not cause issues when running on ECS
```
Contributor

@PomazkinG PomazkinG Apr 22, 2026


I think here we want to return False if we are inside Airflow.

This is a proxy for "if we are inside Airflow":

`if not has_dind_support() and not use_docker_sibling_containers():`

We used to use `is_inside_ecs_container()` previously for that. However, I am not sure if that would still work. Or maybe we can create a new function that detects if we are running something via Airflow.

Just leaving a TODO is fine.
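The guard discussed in this thread, written as an added example that is not code from the helpers repo: it refuses DinD and sibling containers when the process runs inside an Airflow task or on an ECS Fargate task, and fails closed when the ECS launch type cannot be determined. The function names, the use of the `AIRFLOW_CTX_*` and `ECS_CONTAINER_METADATA_URI_V4` environment variables as signals, and the constructed task metadata document are this example's own assumptions.

```python
import json
import os
from typing import Mapping, Optional, Tuple

# Assumed signals (not from the helpers repo): ECS exports the v4 task metadata
# endpoint to every container; Airflow exports AIRFLOW_CTX_* into task processes.
ECS_METADATA_ENV = "ECS_CONTAINER_METADATA_URI_V4"
AIRFLOW_CTX_PREFIX = "AIRFLOW_CTX_"
DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample of a v4 task metadata document (only the field we use).
SAMPLE_FARGATE_TASK_METADATA = '{"Cluster": "demo", "LaunchType": "FARGATE"}'


def ecs_launch_type(task_metadata_json: Optional[str]) -> Optional[str]:
    """Return the LaunchType ("FARGATE"/"EC2") from a v4 task metadata document."""
    if not task_metadata_json:
        return None
    try:
        doc = json.loads(task_metadata_json)
    except ValueError:
        return None
    launch_type = doc.get("LaunchType") if isinstance(doc, dict) else None
    return launch_type.upper() if isinstance(launch_type, str) else None

def is_inside_airflow_task(env: Mapping[str, str]) -> bool:
    """Proxy for 'running under Airflow': any AIRFLOW_CTX_* variable is set."""
    return any(name.startswith(AIRFLOW_CTX_PREFIX) for name in env)

def can_run_docker_containers(
    env: Mapping[str, str],
    docker_socket_present: bool,
    task_metadata_json: Optional[str] = None,
) -> Tuple[bool, str]:
    """Decide whether DinD or sibling containers may be used; fail closed."""
    if is_inside_airflow_task(env):
        return False, "inside an Airflow task: containers disabled"
    if ECS_METADATA_ENV in env:
        launch_type = ecs_launch_type(task_metadata_json)
        if launch_type != "EC2":
            # Fargate (or an undetermined launch type) gives no host runtime access.
            return False, f"ECS launch type {launch_type or 'unknown'}: no DinD/siblings"
    if not docker_socket_present:
        return False, "no Docker socket reachable"
    return True, "Docker socket available outside Airflow/Fargate"

if __name__ == "__main__":
    env = {ECS_METADATA_ENV: "http://169.254.170.2/v4/example"}
    print(can_run_docker_containers(env, os.path.exists(DOCKER_SOCKET), SAMPLE_FARGATE_TASK_METADATA))
```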

