
EKS k3s boot fix, SNS FIFO → standard SQS, RDS maintenance window

May 11, 2026 · v1.3.35

Three correctness fixes.

EKS CreateCluster — k3s now starts

The k3s server container was being launched with a granular cap_add list and unconfined seccomp/apparmor in an attempt to avoid privileged mode. k3s server mode remounts /sys/fs/cgroup, and no capability set short of --privileged permits that — so the container exited on boot with failed to evacuate root cgroup: mkdir /sys/fs/cgroup/init: read-only file system, breaking EKS cluster creation entirely.

The container is now launched with privileged=True. The cap_add list is retained as defence-in-depth for hardened Docker setups. This is a documented host-security trade-off: a privileged container runs with every capability, no seccomp or AppArmor confinement, and access to the host's devices, which in practice means root on the Docker host. Note that mounting the Docker socket into MiniStack is itself root-equivalent access to the host, so enabling k3s does not widen the trust boundary so much as make it explicit. Acceptable for local development against an emulator; weigh it before running MiniStack EKS on shared infrastructure. Omitting the Docker socket mount cleanly disables k3s and falls back to a static EKS mock, so hosts that cannot tolerate a privileged container can still use the rest of MiniStack. Reported by @zkoncir.

SNS FIFO topic → standard SQS queue

Subscribing a standard SQS queue to a FIFO SNS topic used to fail with InvalidParameterException: Topic with FIFO requires a subscription to a FIFO SQS Queue. That was the AWS rule — until 2023-09-14, when AWS added support for FIFO topics fanning out to standard SQS queues.

The stale validation is removed. The existing fanout path already attaches MessageGroupId and MessageDeduplicationId to delivered messages, and SQS standard queues ignore those fields — matching real AWS, where consumers of a standard queue subscribed to a FIFO topic "may receive messages out of order, and more than once." Contributed by @ellouzeskandercs.
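As an added example (not MiniStack's code), the following Python models the subscription-time rule before and after this fix and then shows the consumer-side consequence of fanning a FIFO topic out to a standard queue: deliveries can arrive out of order and more than once, so the consumer dedupes on the SNS envelope MessageId and applies a per-account sequence number. The `Topic`/`Queue` classes, the `legacy_rule` flag, the ARNs and the ledger payload shape are all constructed for illustration; the only thing taken from AWS is the `.fifo` suffix convention and the SNS notification envelope fields.

```python
import json
import uuid
from dataclasses import dataclass, field


class InvalidParameterException(Exception):
    """Stand-in for the SNS error the stale check used to raise."""


def is_fifo(arn: str) -> bool:
    # SNS FIFO topics and SQS FIFO queues both carry the ".fifo" name suffix.
    return arn.endswith(".fifo")


def check_sqs_subscription(topic_arn: str, queue_arn: str, *, legacy_rule: bool = False) -> None:
    """Subscription-time validation. legacy_rule=True reproduces the pre-2023-09-14
    rule that 1.3.35 removes; the default applies no topic/queue type restriction."""
    if legacy_rule and is_fifo(topic_arn) and not is_fifo(queue_arn):
        raise InvalidParameterException(
            "Topic with FIFO requires a subscription to a FIFO SQS Queue")


@dataclass
class Queue:  # constructed model of an SQS queue: a list of deliveries
    arn: str
    inbox: list = field(default_factory=list)


@dataclass
class Topic:  # constructed model of an SNS FIFO topic
    arn: str
    subscribers: list = field(default_factory=list)

    def subscribe(self, queue: Queue, *, legacy_rule: bool = False) -> None:
        check_sqs_subscription(self.arn, queue.arn, legacy_rule=legacy_rule)
        self.subscribers.append(queue)

    def publish(self, message: str, group_id: str, dedup_id: str) -> str:
        """Fan out one message. The FIFO attributes ride along to every subscriber;
        a standard queue stores them but attaches no ordering or dedup semantics."""
        envelope = {"Type": "Notification", "MessageId": str(uuid.uuid4()),
                    "TopicArn": self.arn, "Message": message}
        attrs = {"MessageGroupId": group_id, "MessageDeduplicationId": dedup_id}
        for q in self.subscribers:
            q.inbox.append({"Body": json.dumps(envelope), "Attributes": dict(attrs)})
        return envelope["MessageId"]


class IdempotentConsumer:
    """Consumer for a standard queue fed by a FIFO topic: deliveries may arrive out of
    order and more than once, so dedupe on the SNS MessageId and keep only the highest
    per-account sequence number carried in the (constructed) payload."""

    def __init__(self) -> None:
        self.seen = set()
        self.state = {}  # account -> (seq, balance)

    def handle(self, delivery: dict) -> bool:
        envelope = json.loads(delivery["Body"])
        if envelope["MessageId"] in self.seen:
            return False  # redelivery of a message already processed
        self.seen.add(envelope["MessageId"])
        payload = json.loads(envelope["Message"])
        account, seq = payload["account"], payload["seq"]
        if account not in self.state or seq > self.state[account][0]:
            self.state[account] = (seq, payload["balance"])
        return True


def demo() -> dict:
    topic = Topic("arn:aws:sns:us-east-1:000000000000:ledger.fifo")
    audit_q = Queue("arn:aws:sqs:us-east-1:000000000000:ledger-audit")  # standard queue
    fifo_q = Queue("arn:aws:sqs:us-east-1:000000000000:ledger.fifo")
    topic.subscribe(audit_q)  # would raise under legacy_rule=True
    topic.subscribe(fifo_q)
    for seq, balance in ((1, 100), (2, 80), (3, 95)):
        body = json.dumps({"account": "acct-1", "seq": seq, "balance": balance})
        topic.publish(body, group_id="acct-1", dedup_id=f"acct-1-{seq}")
    # Simulate what a standard queue is allowed to do: reorder and redeliver.
    d = audit_q.inbox
    scrambled = [d[2], d[0], d[1], d[2]]
    consumer = IdempotentConsumer()
    handled = [consumer.handle(x) for x in scrambled]
    return {"handled": handled, "state": consumer.state, "fifo_deliveries": len(fifo_q.inbox)}


if __name__ == "__main__":
    print(demo())
```

The consumer converges on the final balance whatever order the standard queue hands the three deliveries back in, and the fourth (duplicate) delivery is rejected; that is the property a consumer needs before relying on the newly permitted FIFO-to-standard subscription.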

RDS CreateDBInstance honors PreferredMaintenanceWindow

CreateDBInstance was hardcoding PreferredMaintenanceWindow to sun:05:00-sun:06:00 on the instance record, silently discarding any caller-supplied value. ModifyDBInstance and the cluster-level PreferredMaintenanceWindow already worked, so the divergence was per-instance and only on create. The create path now reads the user value and falls back to the default only when none is supplied.

Surfaced by Terraform aws_rds_cluster_instance.preferred_maintenance_window round-trip diffing against a real-AWS capture. Contributed by @jayjanssen.
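As an added example (not MiniStack's code), this Python shows the create-path logic the fix describes, with the validation a caller-supplied window should get before it is stored: the AWS `ddd:hh24:mi-ddd:hh24:mi` format, a 30-minute minimum, and windows that wrap past Sunday. The function names, the lowercase normalisation of day names (the default shown in the post is lowercase) and the `round_trip_diff` check are assumptions made here for illustration.

```python
import re

# Default the emulator applied to every instance before 1.3.35 (from the post).
DEFAULT_MAINTENANCE_WINDOW = "sun:05:00-sun:06:00"

# AWS format is ddd:hh24:mi-ddd:hh24:mi; day names are compared case-insensitively here.
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
_WINDOW_RE = re.compile(
    r"^(?P<d1>[a-z]{3}):(?P<h1>\d{2}):(?P<m1>\d{2})-"
    r"(?P<d2>[a-z]{3}):(?P<h2>\d{2}):(?P<m2>\d{2})$"
)
WEEK_MINUTES = 7 * 24 * 60
MIN_WINDOW_MINUTES = 30  # AWS rejects maintenance windows shorter than 30 minutes


def _minute_of_week(day: str, hour: int, minute: int) -> int:
    if day not in DAYS:
        raise ValueError(f"invalid day {day!r}")
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"invalid time {hour:02d}:{minute:02d}")
    return DAYS.index(day) * 24 * 60 + hour * 60 + minute


def validate_maintenance_window(window: str) -> str:
    """Validate a PreferredMaintenanceWindow and return it normalised to lowercase.
    Windows may wrap past Sunday: sat:23:30-sun:00:30 is a valid 60-minute window."""
    normalised = window.strip().lower()
    m = _WINDOW_RE.match(normalised)
    if m is None:
        raise ValueError(f"{window!r} is not in ddd:hh24:mi-ddd:hh24:mi format")
    start = _minute_of_week(m["d1"], int(m["h1"]), int(m["m1"]))
    end = _minute_of_week(m["d2"], int(m["h2"]), int(m["m2"]))
    duration = (end - start) % WEEK_MINUTES  # modulo handles the week wrap
    if duration < MIN_WINDOW_MINUTES:
        raise ValueError(f"{window!r} is shorter than {MIN_WINDOW_MINUTES} minutes")
    return normalised


def resolve_maintenance_window(params: dict) -> str:
    """Value to store on the instance record at create time.

    The pre-1.3.35 behaviour was the equivalent of always returning
    DEFAULT_MAINTENANCE_WINDOW, which is what Terraform's round-trip diff caught."""
    supplied = params.get("PreferredMaintenanceWindow")
    if not supplied:
        return DEFAULT_MAINTENANCE_WINDOW
    return validate_maintenance_window(supplied)


def round_trip_diff(requested: str) -> bool:
    """Terraform-style check: does the stored value match what CreateDBInstance was given?"""
    stored = resolve_maintenance_window({"PreferredMaintenanceWindow": requested})
    return stored == requested.strip().lower()


if __name__ == "__main__":
    print(resolve_maintenance_window({}))
    print(resolve_maintenance_window({"PreferredMaintenanceWindow": "wed:03:00-wed:04:00"}))
    print(round_trip_diff("Sat:23:30-Sun:00:30"))
```

The round-trip helper is the same test Terraform effectively performs: if `DescribeDBInstances` returns a window that differs from the one in the plan, every apply shows a diff, which is how the hardcoded default was noticed.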

Upgrade

docker pull ministackorg/ministack:1.3.35
docker run -d -p 4566:4566 ministackorg/ministack:1.3.35

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.35
    ports:
      - "4566:4566"

Ship together

Shipped by the MiniStack community. Contributions credited throughout. GitHub · r/ministack