Amazon EC2 Container Service
Developer Guide (API Version 2014-11-13)

Manually Updating the Amazon ECS Container Agent (for Non-Amazon ECS-optimized AMIs)

To manually update the Amazon ECS container agent (for non-Amazon ECS-optimized AMIs)

  1. Log into your container instance via SSH.

  2. Check to see if your agent uses the ECS_DATADIR environment variable to save its state.

    [ec2-user ~]$ docker inspect ecs-agent | grep ECS_DATADIR




    If the previous command does not return the ECS_DATADIR environment variable, you must stop any tasks running on this container instance before updating your agent. Newer agents with the ECS_DATADIR environment variable save their state and you can update them while tasks are running without issues.

  3. Stop the Amazon ECS container agent.

    [ec2-user ~]$ docker stop ecs-agent
  4. Delete the agent container.

    [ec2-user ~]$ docker rm ecs-agent
  5. Run the following commands on your container instance to enable IAM roles for tasks. For more information, see IAM Roles for Tasks.

    [ec2-user ~]$ sysctl -w net.ipv4.conf.all.route_localnet=1 [ec2-user ~]$ iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination [ec2-user ~]$ iptables -t nat -A OUTPUT -d -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
  6. Pull the latest Amazon ECS container agent image from Docker Hub.

    [ec2-user ~]$ docker pull amazon/amazon-ecs-agent:latest


    Pulling repository amazon/amazon-ecs-agent
    a5a56a5e13dc: Download complete
    511136ea3c5a: Download complete
    9950b5d678a1: Download complete
    c48ddcf21b63: Download complete
    Status: Image is up to date for amazon/amazon-ecs-agent:latest
  7. Run the latest Amazon ECS container agent on your container instance.


    You should use Docker restart policies or a process manager (such as upstart or systemd) to treat the container agent as a service or a daemon and ensure that it is restarted if it exits. For more information, see Automatically start containers and Restart policies in the Docker documentation. The Amazon ECS-optimized AMI uses the ecs-init RPM for this purpose, and you can view the source code for this RPM on GitHub.

    The following example agent run command is broken into separate lines to show each option.

    • The --env=ECS_CLUSTER=cluster_name option is not required if you want to register into your default cluster.

    • You can optionally store your agent environment variables in a file (which can be downloaded to your container instances from Amazon S3 at launch time using EC2 user data) and pass them all at one time with the --env-file path_to_env_file option. This is recommended for sensitive information such as authentication credentials for private repositories. For more information, see Storing Container Instance Configuration in Amazon S3 and Private Registry Authentication.

    • If your task definitions specify log configuration options for a particular log driver, the Amazon ECS container agent running on your container instances must register the specified log driver with the ECS_AVAILABLE_LOGGING_DRIVERS environment variable. For example, to register a container instance with the json-file and awslogs logging drivers, add the --env=ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","awslogs"]' option to the docker run command below. For more information, see Amazon ECS Container Agent Configuration.

    • Operating systems with SELinux enabled require the --privileged option in your docker run command. In addition, for SELinux-enabled container instances, we recommend that you add the :Z option to the /log and /data volume mounts; however, the host mounts for these volumes must exist before you run the command or you will receive a no such file or directory error. Take the following action if you experience difficulty running the Amazon ECS agent on an SELinux-enabled container instance:

      • Create the host volume mount points on your container instance.

        $ sudo mkdir -p /var/log/ecs $ sudo mkdir -p /var/lib/ecs/data
      • Add the --privileged option to the docker run command below.

      • Append the :Z option to the /log and /data container volume mounts (for example, --volume=/var/log/ecs/:/log:Z) to the docker run command below.

    For more information about these and other agent runtime options, see Amazon ECS Container Agent Configuration.

    ubuntu:~$ sudo docker run --name ecs-agent \ --detach=true \ --restart=on-failure:10 \ --volume=/var/run/docker.sock:/var/run/docker.sock \ --volume=/var/log/ecs/:/log \ --volume=/var/lib/ecs/data:/data \ --net=host \ --env=ECS_LOGFILE=/log/ecs-agent.log \ --env=ECS_LOGLEVEL=info \ --env=ECS_DATADIR=/data \ --env=ECS_CLUSTER=cluster_name \ --env=ECS_ENABLE_TASK_IAM_ROLE=true \ --env=ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true \ amazon/amazon-ecs-agent:latest


    If you receive an Error response from daemon: Cannot start container message, you can delete the failed container with the sudo docker rm ecs-agent command and try running the agent again.