Updating the AWS Systems Manager agent and Amazon ECS container agent on an external instance
Your on-premises server or VM must run both the AWS Systems Manager Agent (SSM Agent) and the Amazon ECS container agent when running Amazon ECS workloads. AWS releases new versions of these agents when any capabilities are added or updated. If your external instances are using an earlier version of either agent, you can update them using the following procedures.
Updating the SSM Agent on an external instance
AWS Systems Manager recommends that you automate the process of updating the SSM Agent on your instances. They provide several methods to automate updates. For more information, see Automating updates to SSM Agent in the AWS Systems Manager User Guide.
Updating the Amazon ECS agent on an external instance
On your external instances, the Amazon ECS container agent is updated by upgrading the
ecs-init
package. Updating the Amazon ECS agent doesn't interrupt the
running tasks or services. Amazon ECS provides the ecs-init
package and
signature file in an Amazon S3 bucket in each Region. Beginning with ecs-init
version 1.52.1-1
, Amazon ECS provides separate ecs-init
packages
for use depending on the operating system and system architecture your external instance
uses.
Use the following table to determine the ecs-init
package that you should
download based on the operating system and system architecture your external instance
uses.
Note
You can determine which operating system and system architecture that your external instance uses by using the following commands.
cat /etc/os-release uname -m
Operating systems (architecture) | ecs-init package |
---|---|
CentOS 7 (x86_64) CentOS 8 (x86_64) CentOS Stream 9 (x86_64) SUSE Enterprise Server 15 (x86_64) RHEL 7 (x86_64) RHEL 8 (x86_64) |
|
CentOS 7 (aarch64) CentOS 8 (aarch64) CentOS Stream 9 (aarch64) RHEL 7 (aarch64) |
|
Debian 9 (x86_64) Debian 10 (x86_64) Debian 11 (x86_64) Debian 12 (x86_64) Ubuntu 18 (x86_64) Ubuntu 20 (x86_64) Ubuntu 22 (x86_64) Ubuntu 24 (x86_64) |
|
Debian 9 (aarch64) Debian 10 (aarch64) Debian 11 (aarch64) Debian 12 (aarch64) Ubuntu 18 (aarch64) Ubuntu 20 (aarch64) Ubuntu 22 (aarch64) Ubuntu 24 (aarch64) |
|
Follow these steps to update the Amazon ECS agent.
To update the Amazon ECS agent
-
Confirm the Amazon ECS agent version that you're running.
curl -s 127.0.0.1:51678/v1/metadata | python3 -mjson.tool
-
Download the
ecs-init
package for your operating system and system architecture. Amazon ECS provides theecs-init
package file in an Amazon S3 bucket in each Region. Make sure that you replace the<region>
identifier in the command with the Region name (for example,us-west-2
) that you're geographically closest to.amazon-ecs-init-latest.x86_64.rpm
curl -o amazon-ecs-init.rpm https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.x86_64.rpmamazon-ecs-init-latest.aarch64.rpm
curl -o amazon-ecs-init.rpm https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.aarch64.rpmamazon-ecs-init-latest.amd64.deb
curl -o amazon-ecs-init.deb https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.amd64.debamazon-ecs-init-latest.arm64.deb
curl -o amazon-ecs-init.deb https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.arm64.deb -
(Optional) Verify the validity of the
ecs-init
package file using the PGP signature.-
Download and install GnuPG. For more information about GNUpg, see the GnuPG website
. For Linux systems, install gpg
using the package manager on your flavor of Linux. -
Retrieve the Amazon ECS PGP public key.
gpg --keyserver hkp://keys.gnupg.net:80 --recv BCE9D9A42D51784F
-
Download the
ecs-init
package signature. The signature is an ASCII detached PGP signature that's stored in a file with the.asc
extension. Amazon ECS provides the signature file in an Amazon S3 bucket in each Region. Make sure that you replace the<region>
identifier in the command with the Region name (for example,us-west-2
) that you're geographically closest to.amazon-ecs-init-latest.x86_64.rpm
curl -o amazon-ecs-init.rpm.asc https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.x86_64.rpm.ascamazon-ecs-init-latest.aarch64.rpm
curl -o amazon-ecs-init.rpm.asc https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.aarch64.rpm.ascamazon-ecs-init-latest.amd64.deb
curl -o amazon-ecs-init.deb.asc https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.amd64.deb.ascamazon-ecs-init-latest.arm64.deb
curl -o amazon-ecs-init.deb.asc https://s3.
<region>
.amazonaws.com/amazon-ecs-agent-<region>
/amazon-ecs-init-latest.arm64.deb.asc -
Verify the
ecs-init
package file using the key.For the
rpm
packagesgpg --verify amazon-ecs-init.rpm.asc ./amazon-ecs-init.rpm
For the
deb
packagesgpg --verify amazon-ecs-init.deb.asc ./amazon-ecs-init.deb
The following is the expected output.
gpg: Signature made Fri 14 May 2021 09:31:36 PM UTC gpg: using RSA key 50DECCC4710E61AF gpg: Good signature from "Amazon ECS <ecs-security@amazon.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F34C 3DDA E729 26B0 79BE AEC6 BCE9 D9A4 2D51 784F Subkey fingerprint: D64B B6F9 0CF3 77E9 B5FB 346F 50DE CCC4 710E 61AF
-
-
Install the
ecs-init
package.For the
rpm
package on CentOS 7, CentOS 8, and RHEL 7sudo yum install -y ./amazon-ecs-init.rpm
For the
rpm
package on SUSE Enterprise Server 15sudo zypper install -y --allow-unsigned-rpm ./amazon-ecs-init.rpm
For the
deb
packagesudo dpkg -i ./amazon-ecs-init.deb
-
Restart the
ecs
service.sudo systemctl restart ecs
-
Verify the Amazon ECS agent version was updated.
curl -s 127.0.0.1:51678/v1/metadata | python3 -mjson.tool