Best way to install security updates on amazon ECS instances

amazon-web-services ansible ansible-playbook

We're using Ansible to roll out security updates on all our EC2 instances which are running stateful services such as databases, search engines etc. This works fine.

I'm wondering what is the best way to make security updates on the ECS instances (which are running stateless web applications in Docker containers). Due to automatic scaling there is a lot of dynamics in the number of instances and their IP addresses. Ansible uses a hardcoded list of IP addresses (the hosts file), so it seems to not really fit the purpose.

Is it even a good idea to update these instances or should we rather tear them down and spawn new ones every once in a while?

Any best practices from DevOps folks out there?

Update:

I found out that Ansible supports dynamic inventory. There is a script that fetches information about the hosts from AWS and generates a dynamic inventory for Ansible, this works fine.

However, one problem remains. Whenever there is a new host that I had not connected to before, the following message is displayed and must be confirmed manually. 

The authenticity of host '10.0.1.247 (10.0.1.247)' can't be established.
ECDSA key fingerprint is SHA256:GSogs6P6CzbOzLm9ByWsXkfz7/2A4qwj4PDvczApS/I.
Are you sure you want to continue connecting (yes/no)? yes

This is very annoying as I want to implement a fully automated update mechanism. Is there a solution for this problem?


Whenever there is a new host that I had not connected to before, the following message is displayed and must be confirmed manually. [ ] Is there a solution for this problem?

Modify the ssh_connection of the ansible.cfg, so that it contains -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null arguments.

For example:

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s

Upgrading a container in place is a complete anti-pattern. It is cumbersome, as you need to upgrade each one of them and possibly commit each one of them.

Instead, update the image used to spawn your containers. This is normally done by having a section on your Dockerfile to ensure the image is up to date, so the process of patching is basically rebuilding the image. As an example:

FROM centos:7.2.1511
MAINTAINER Jane Doe <[email protected]>

RUN yum update -y && \
    yum install -y \
      bar \
      foo && \
    yum clean all
# The rest of your Dockerfile

Rolling out the new image, though, is where I find ECS lacking. You need to build an strategy yourself to ensure no downtime.

It is also a best practice to have a service scanning the images in your registry for vulnerabilities.

Patching the host OS (which might require a reboot) without downtime, is yet another area where I found ECS lacking orchestration capabilities, as in, nothing out of the box is built into the product other than ELB balancing between nodes.

Other container platforms (such as OpenShift) have the ability of evacuating containers (pods,since this is kubernetes) from nodes, and scheduling them elsewhere. The load balancer is aware of this changes, ensuring zero downtime. Additionally,the OS typically used with OpenShift has an improved patching mechanism based on RPM OSTree that greatly reduces the complexity of patchingthe host operating system.

Related

Recover from Cisco ASA 5508-X internal flash failure?
Auto Scaling AWS Lightsail
CentOS/RHEL 7 LVM Partitioning in Kickstart?
How to map a domain name to a load balancer in google cloud platform?
ANAME / ALIAS records for BIND
Fix ZFS DEGRADED pool that had hot spare
Forwarding real remote IP to proxied server with nginx
OpenVPN reconnect after server restart
Study Tips and Techniques for Self-Oriented Students
Is 2018 special because of these properties?
If $f^2$ and $f^3$ are $C^{\infty}(\mathbb R)$ then $f$ is $C^{\infty}(\mathbb R)$
What's known about this combinatorial game?