Lacework
Kate_M
Community Manager
Article Id 334357
Description

When installing the Lacework Agent as a sidecar to a container application that passes a string as its entrypoint in ECS Fargate, it's necessary to change how the entrypoint is defined in the task definition so that the expected string is preserved. The installation script for the Lacework Agent sidecar is designed to run as the entrypoint and, after it executes, forwards any following values on to the application. To do so, it must be prepended to any existing value in the entrypoint field.
Solution

While it's possible to define a string as the entrypoint when no other arguments are present, when values are present for both the entrypoint and command fields, or when either field contains multiple entries, the values are interpolated into an array for execution. This is especially problematic when syntax-sensitive strings need to be preserved.


For example, when starting a Java application while passing debug options to the JVM:

The predefined ENTRYPOINT prior to Lacework Agent Sidecar introduction:

java -jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 server.jar

For those unfamiliar with debugging Java applications, the entire string:

"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"

...is passed to the JVM and allows a developer to remotely attach to the JVM process using JDWP over a socket. "server=y" indicates that the JVM is the server side of the debug connection, "suspend=n" tells the Java process not to wait during bootstrap for a debugger to attach, and "address=5005" is the debugging port the developer should open a socket to. In this example it's necessary to preserve this string exactly as shown; however, when it is prepended with the instruction to run the agent sidecar script, the string becomes malformed in the resulting JSON.


MALFORMED EXAMPLES

The examples shown below are not exhaustive of all possible combinations, but represent the most frequently tried. The workaround described below is the only known one for this problem because of the way Docker handles multiple arguments: they are interpolated into an array using commas as the delimiter, and attempts to escape the commas are also unsuccessful.

EXAMPLE 1

ENTRYPOINT:

/bin/bash, -c, /var/lib/lacework-backup/lacework-sidecar.sh, "java -jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 server.jar"

COMMAND:

[LEFT BLANK]

EXAMPLE 1 JSON RESULT

"entryPoint": [
  "/bin/bash",
  "-c",
  "/var/lib/lacework-backup/lacework-sidecar.sh",
  "java",
  "-jar",
  "-agentlib:jdwp=transport=dt_socket",
  "server=y",
  "suspend=n",
  "address=5005",
  "server.jar"
],


EXAMPLE 2

ENTRYPOINT:

/bin/bash, -c, /var/lib/lacework-backup/lacework-sidecar.sh

COMMAND:

java -jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 server.jar

EXAMPLE 2 JSON RESULT

"entryPoint": [
  "/var/lib/lacework-backup/lacework-sidecar.sh"
],
"command": [
  "java",
  "-jar",
  "-agentlib:jdwp=transport=dt_socket",
  "server=y",
  "suspend=n",
  "address=5005",
  "server.jar"
],


Workaround

Since the JVM arguments must be preserved as a single string, it's necessary to edit the JSON in the AWS ECS Task Definition to produce the following:

Step 1

ENTRYPOINT:

/var/lib/lacework-backup/lacework-sidecar.sh

COMMAND:

java -jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 server.jar

Step 2

Having saved the task definition, edit the JSON it produced from the AWS ECS console so that the JVM arguments are preserved correctly in the array:

"entryPoint": [
  "/bin/bash, -c, /var/lib/lacework-backup/lacework-sidecar.sh"
],
"command": [
  "java",
  "-jar",
  "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005",
  "server.jar"
],
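As an added example (not Lacework's code and not part of this article), the following Python models the splitting the ECS console exhibits in the examples above, flags JDWP sub-options that have been detached into separate array elements, and re-joins them into the form shown in Step 2 so a task definition can be checked before it is registered. The splitting rule (drop quotes, split on commas and whitespace) is inferred from the examples and is an assumption, and the container name is hypothetical.

```python
"""Added example (not Lacework's code): model the comma/whitespace splitting
the ECS console applies to entryPoint/command fields, flag a JDWP option that
was broken into separate array elements, and repair it in a task definition."""
import json
import re

# JDWP sub-options that only make sense inside a single -agentlib:jdwp=... value.
JDWP_SUBOPTS = ("transport", "server", "suspend", "address", "timeout", "launch")
ORPHAN_RE = re.compile(r"^(%s)=[^\s,]+$" % "|".join(JDWP_SUBOPTS))

def console_split(field: str) -> list[str]:
    """Assumption inferred from the article's examples: the console drops quotes
    and splits the field on commas and whitespace, so JDWP sub-options become
    separate elements."""
    return [tok for tok in re.split(r"[\s,]+", field.replace('"', "")) if tok]

def find_orphaned_jdwp_suboptions(argv: list[str]) -> list[int]:
    """Indices of elements that are detached JDWP sub-options such as 'server=y'."""
    return [i for i, arg in enumerate(argv) if ORPHAN_RE.match(arg)]

def repair_jdwp_args(argv: list[str]) -> list[str]:
    """Re-join orphaned sub-options onto the preceding -agentlib:jdwp=... element."""
    fixed: list[str] = []
    for arg in argv:
        if fixed and fixed[-1].startswith("-agentlib:jdwp=") and ORPHAN_RE.match(arg):
            fixed[-1] = fixed[-1] + "," + arg   # restore the comma the console ate
        else:
            fixed.append(arg)
    return fixed

def repair_container_definition(container: dict) -> dict:
    """Copy of an ECS container definition with entryPoint and command repaired."""
    fixed = dict(container)
    for key in ("entryPoint", "command"):
        if key in fixed:
            fixed[key] = repair_jdwp_args(list(fixed[key]))
    return fixed

# Constructed sample reproducing the article's malformed "Example 2" result.
MALFORMED = {
    "name": "app",  # hypothetical container name
    "entryPoint": ["/var/lib/lacework-backup/lacework-sidecar.sh"],
    "command": ["java", "-jar", "-agentlib:jdwp=transport=dt_socket",
                "server=y", "suspend=n", "address=5005", "server.jar"],
}

if __name__ == "__main__":
    print(json.dumps(repair_container_definition(MALFORMED), indent=2))
```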


Reference Links

You may have noticed the explicit call to the bash shell via /bin/bash rather than the default of /bin/sh recommended in our Lacework docs. This is intentional: Java applications use dot-notated variables such as server.url and server.port, and these may be defined as environment variables in your task definition. Most shells do not handle dot-notated variables, so to preserve them you will need to use /bin/bash. You can read more about this in the article “Lacework Sidecar Agent on ECS Fargate with Dot Notated Environment Variables”.
