[04] Task Definitions Flashcards

1
Q

What are the two options for logging stdout/stderr from containers?

A

A Docker logging driver (e.g. awslogs) or a sidecar container (e.g. AWS FireLens)

2
Q

What are Docker logging drivers?

A

Built into the Docker daemon

3
Q

What Docker logging drivers are supported on Fargate?

A

awslogs, splunk

4
Q

What Docker logging drivers are supported on EC2?

A

awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk

5
Q

What are the components of the logConfiguration object in a task definition?

A

logDriver, options and secretOptions

6
Q

What role is used to send logs to CloudWatch when using Docker logging drivers?

A

The execution role

7
Q

What is the default mode for awslogs Docker logging driver?

A

blocking

8
Q

What mode is recommended for awslogs Docker logging driver?

A

non-blocking

9
Q

What is a sidecar container?

A

A container that runs alongside the main application

10
Q

What port does the FireLens log router listen on?

A

24224

11
Q

What type of container dependency is recommended when using FireLens?

A

A container dependency to ensure the log router starts before the application container

12
Q

When is a container dependency required for FireLens?

A

For bridge networking mode

13
Q

What role is used by the sidecar container to send logs?

A

The task role

14
Q

What is the PROVISIONING state?

A

The state a task will be in while ECS is performing additional provisioning steps

15
Q

What options are available for passing secrets to containers in ECS?

A

Expose the secrets automatically as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager Parameter Store.
Update the application to pull secrets directly from Secrets Manager or SSM using the AWS SDK.
For logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM.
For private registry authentication, only Secrets Manager is supported.
On EC2, the ECS agent can be configured by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA.

16
Q

What role is used when automatically exposing secrets as environment variables?

A

The execution role

17
Q

What role is used when the application pulls secrets directly from Secrets Manager or SSM?

A

The task role

18
Q

How can you troubleshoot issues with secrets in ECS?

A

Check CloudTrail, as all operations which access secrets are recorded

19
Q

What CloudTrail events are recorded when accessing secrets from Secrets Manager?

A

The secretsmanager:GetSecretValue API call is recorded

20
Q

What CloudTrail events are recorded when accessing secrets from SSM?

A

Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM parameter store only stores a pointer)

21
Q

What other CloudTrail events may be recorded when accessing secrets?

A

There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK

22
Q

Are secrets injected as environment variables updated automatically?

A

No, secrets injected as environment variables are not updated automatically

23
Q

What Linux networking mode allocates an ENI to each task?

A

awsvpc

24
Q

What networking mode is recommended for both Linux and Windows tasks?

A

awsvpc

25
Q

What networking mode allows traffic to be audited using VPC Flow Logs?

A

awsvpc

26
Q

What networking mode allows containers in the same task to communicate using localhost without configuring links?

A

awsvpc

27
Q

What is the default networking mode for Linux tasks?

A

bridge

28
Q

What Linux networking mode binds a host port to a container port if hostPort is set?

A

bridge

29
Q

What is the default networking mode for Windows tasks?

A

default

30
Q

What Linux networking mode uses the host's network and requires hostPort?

A

host

31
Q

What Linux networking mode prevents external network connectivity?

A

none

32
Q

What load balancer type is not supported for awsvpc networking mode?

A

Classic load balancers

33
Q

What Linux parameter controls the maximum number of files allowed for networking?

A

The nofile ulimit

34
Q

What parameters control the size of the read and write buffers for networking performance tuning?

A

sysctl net settings

35
Q

What state will a task be in while ECS is performing additional steps for it?

A

PROVISIONING state

36
Q

What state is a task in while ECS is performing additional provisioning steps?

A

PROVISIONING

37
Q

What memory-related container settings can be configured for Linux-based EC2 instances?

A

maxSwap and swappiness

38
Q

What is maxSwap used for?

A

Controls the amount of swap memory a container can use

39
Q

What does swappiness control?

A

The aggressiveness with which the container utilises swap space

40
Q

What signal is sent to PID 1 when a container needs to stop?

A

SIGTERM

41
Q

What signal is sent if the application doesn't stop gracefully within the stopTimeout period?

A

SIGKILL

42
Q

What type of image tags are recommended for storing container images used with ECS?

A

Immutable image tags in ECR

43
Q

Why are immutable image tags recommended for ECS?

A

To ensure the same task definition always launches the same containers

44
Q

When it comes to resources, what is not supported for EC2 Windows instances?

A

Task-level CPU or memory settings

45
Q

What should be used instead of task-level CPU/memory settings for EC2 Windows?

A

Per-container limits

46
Q

What is the minimum memory that the Docker 20.10.0 or later daemon reserves for a container?

A

6 MiB

47
Q

What is required to use a GPU with ECS?

A

The GPU variant of the ECS-optimised AMI, setting ECS_ENABLE_GPU_SUPPORT to true, and setting the NVIDIA environment variables or using a pre-configured base image

48
Q

How are Neuron resource requirements defined for ECS tasks?

A

Using linuxParameters to assign a specific device to the task

49
Q

What is the PROVISIONING state?

A

The state a task will be in while ECS is performing additional steps

50
Q

What identifies a task definition?

A

Family name and sequential revision number

51
Q

What are the three possible states that a task definition may be in?

A

ACTIVE, INACTIVE, DELETE_IN_PROGRESS

52
Q

What is the ACTIVE state for a task definition?

A

The task definition can be used to run tasks and create services

53
Q

What is the INACTIVE state for a task definition?

A

New tasks can't be launched using the task definition, but existing services and tasks are unaffected

54
Q

What is the DELETE_IN_PROGRESS state?

A

The task definition has been marked for deletion

55
Q

What will block a task definition from being deleted?

A

Tasks, services and deployments which reference the task definition

56
Q

What types of data volumes can be used with ECS tasks?

A

Bind mounts, Docker volumes, EBS volumes, EFS volumes, FSx volumes.

57
Q

What is a bind mount?

A

A file or directory stored on the host that is referenced by the container.

58
Q

On what launch types are bind mounts supported?

A

EC2 & Fargate.

59
Q

What task definition parameters are relevant for bind mounts on Fargate?

A

ephemeralStorage

60
Q

How can data be pre-populated into a bind mount?

A

By using a VOLUME Dockerfile directive.

61
Q

What are Docker volumes?

A

Volumes managed by Docker and created on the host EC2 instance.

62
Q

What volume driver is supported for Windows tasks?

A

local

63
Q

On what launch types can EBS volumes be attached?

A

Linux tasks running on Fargate or EC2.

64
Q

How are EBS volumes created for tasks?

A

New volumes are either empty or launched from a snapshot. Existing volumes can't be used.

65
Q

What controls the deletion of EBS volumes attached to service tasks?

A

Volumes attached to service tasks are always deleted upon task termination.

66
Q

How does ECS authenticate to create and attach EBS volumes?

A

Using the infrastructure IAM role.

67
Q

What permissions are required for a container to write to a mounted EBS volume?

A

The container must run as the root user.

68
Q

Where is EBS volume configuration defined?

A

In the service definition. The task definition only includes a volume with 'configuredAtLaunch'.

69
Q

On what launch types can EFS volumes be attached?

A

Linux tasks running on Fargate or EC2.

70
Q

How is authentication handled for EFS volumes?

A

Authentication uses the task role, or security groups if no role is provided.

71
Q

What manages EFS volumes on EC2?

A

The ECS volume plugin.

72
Q

What manages EFS volumes on Fargate?

A

A supervisor container.

73
Q

What configuration is recommended for ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION when using EFS?

A

Set it lower than the default value.

74
Q

How can access to an EFS volume be restricted?

A

By using an EFS access point and restricting task role access.

75
Q

What additional requirements exist for using FSx volumes?

A

The EC2 container instance must be joined to an Active Directory domain.

76
Q

How should credentials for accessing an FSx volume be stored?

A

In Secrets Manager or SSM and referenced in the task definition.