Running the EC agent artifact within a docker image is not recommended due the dependancy of the underlying linux cgroup with docker.

The cgroup lives in the docker core which by design requires a sudoer permission from the guest system. Docker users who wish to level up the security by running a non-sudoer user inside the container should avoid the volume-sharing on the guest host.

Because of this, it is highly recommended to running this image as a rootless/unpriviliged container. Please refer to runc and linux cgroup man man cgroups for further study.

The open-source projects adoption flow- cgroup >> runc + nsenter >> moby >> docker

The root permission per se defeats the purpose of EC rootless-connectivity model and ultimately create several security leaks on the guest host. However, it is worth to note that running a standalone agent does NOT require a sudoer/root permission. Please refer to the agent source code repo for the standalone deployment. Users with restrict security environemnt one such as AWS GovCloud should consider using a self-build image based on the spec examples in this repo.

The EC Agent OCI image is currently maintained on public docker hub; the usage spec avaialble in several compute environments. Visit the EC usage examples or the wiki if new to EC.

OCI (Open Container Initiative) is a contionue trademark of the Open Container Initiative Community and currently governed by the community charters

docker pull enterpriseconnect/build:v1beta

• v1, latest
• v1beta
• v1.1beta

• v1 refers to the image to build agent #212+-relate releases.
• v1beta refers to the image to build agent #1724+-relate releases.
• v1.1beta refers to the image to build agent #2721+-relate releases.

docker pull enterpriseconnect/agent:v1beta

• v1, latest, v1-slim
• v1-python, v1-ci
• v1beta, v1beta-slim
• v1beta-python, v1beta-ci
• v1beta-build
• v1-build

• v1 refers to agent #212 release.
• v1beta include agent #1724 candidate release.
• <tag>-build include the series of tool to build out an agent release.

In this container spec example, the pre-defined agent image is launched by using docker. The agent flags in this example are converted into several environment variables that are required based on the <path/to/this/repo>/spec/<agent-mode>.yml for a EC usage. For instance, to launch a client-mode agent container, it is required to ingest env vars EC_AID, EC_TID, EC_HST, etc.

The env variables specified in --env-file will need to be replaced by a series of relevant flags as it is shown in the example yaml file.

docker run --env-file client.list \
  enterpriseconnect/agent:v1

For the usage of docker flag -e, please refer to this example

When deploy the agent in a k8s instance, the necessary environment variables as specified in the example /path/to/the/repo/k8s/agent-<object>.yml. k8s users may utilise any custom objects such as a configmap plugin to help in its configuration.