[04] Task Definitions Flashcards by Marrick Lip

What are the two options for logging stdout/stderr from containers?

Docker logging driver e.g. awslogs, Sidecar container e.g. AWS Firelens

How well did you know this?

Not at all

Perfectly

What are Docker logging drivers?

Built into the Docker daemon

How well did you know this?

Not at all

Perfectly

What Docker logging drivers are supported on Fargate?

awslogs, splunk

How well did you know this?

Not at all

Perfectly

What Docker logging drivers are supported on EC2?

awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk

How well did you know this?

Not at all

Perfectly

What are the components of the logConfiguration object in a task definition?

logDriver, option and secretOptions

How well did you know this?

Not at all

Perfectly

What role is used to connect send logs to CloudWatch when using Docker logging drivers?

The execution role

How well did you know this?

Not at all

Perfectly

What is the default mode for awslogs Docker logging driver?

blocking

How well did you know this?

Not at all

Perfectly

What mode is recommended for awslogs Docker logging driver?

non-blocking

How well did you know this?

Not at all

Perfectly

What is a sidecar container?

A container that runs alongside the main application

How well did you know this?

Not at all

Perfectly

What port does the FireLens log router listen on?

24224

How well did you know this?

Not at all

Perfectly

What type of container dependency is recommended when using FireLens?

A container dependency to ensure the log router starts before the application container

How well did you know this?

Not at all

Perfectly

When is a container dependency required for FireLens?

For bridge networking mode

How well did you know this?

Not at all

Perfectly

What role is used by the sidecar container to send logs?

The task role

How well did you know this?

Not at all

Perfectly

What is the PROVISIONING state?

The state a task will be in while ECS is performing additional provisioning steps

How well did you know this?

Not at all

Perfectly

What options are available for passing secrets to containers in ECS?

Automatically expose the secrets as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager parameter store, update their application to directly pull secrets from Secrets Manager or SSM using the AWS SDK, in the case of logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM, for private registry authentication, only Secrets Manager is supported, or for EC2, the ECS agent can be configured by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA

How well did you know this?

Not at all

Perfectly

What role is used when automatically exposing secrets as environment variables?

The execution role

How well did you know this?

Not at all

Perfectly

What role is used when the application pulls secrets directly from Secrets Manager or SSM?

The task role

How well did you know this?

Not at all

Perfectly

How can you troubleshoot issues with secrets in ECS?

Check CloudTrail, as all operations which access secrets are recorded

How well did you know this?

Not at all

Perfectly

What CloudTrail events are recorded when accessing secrets from Secrets Manager?

The API secretsmanager:GetSecretValue is recorded

How well did you know this?

Not at all

Perfectly

What CloudTrail events are recorded when accessing secrets from SSM?

Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM parameter store only stores a pointer)

How well did you know this?

Not at all

Perfectly

What other CloudTrail events may be recorded when accessing secrets?

There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK

How well did you know this?

Not at all

Perfectly

Are secrets injected as environment variables updated automatically?

No, secrets injected as environment variables are not updated automatically

How well did you know this?

Not at all

Perfectly

What Linux networking mode allocates an ENI to each task?

awsvpc

How well did you know this?

Not at all

Perfectly

What networking mode is recommended for both Linux and Windows tasks?

awsvpc

How well did you know this?

Not at all

Perfectly

What networking mode allows traffic to be audited using VPC Flow Logs?

awsvpc

What networking mode allows containers in the same task to communicate using localhost without configuring links?

awsvpc

What is the default networking mode for Linux tasks?

bridge

What Linux networking mode binds a host port to a container port if hostPort is set?

bridge

What is the default networking mode for Windows tasks?

default

What Linux networking mode uses the host's network and requires hostPort?

host

What Linux networking mode prevents external network connectivity?

none

What load balancer type is not supported for awsvpc networking mode?

Classic load balancers

What Linux parameter controls the maximum number of files allowed for networking?

The nofile ulimit

What parameters control the size of the read and write buffers for networking performance tuning?

sysctl net settings

What state will a task be in while ECS is performing additional steps for it?

PROVISIONING state

What state is a task in while ECS is performing additional provisioning steps?

PROVISIONING

What memory-related container settings can be configured for Linux-based EC2 instances?

maxSwap and swappiness

What is maxSwap used for?

Controls the amount of swap memory a container can use

What does swappiness control?

The aggressiveness by which the container utilises swap space

What signal is sent to PID 1 when a container needs to stop?

SIGTERM

What signal is sent if the application doesn't stop gracefully within the stopTimeout period?

SIGKILL

What type of image tags are recommended for storing container images used with ECS?

Immutable image tags in ECR

Why are immutable image tags recommended for ECS?

To ensure the same task definition always launches the same containers

When it comes to resources, what is not supported for EC2 Windows instances?

Task-level CPU or memory settings

What should be used instead of task-level CPU/memory settings for EC2 Windows?

Per-container limits

What is the minimum memory that the Docker 20.10.0 or later daemon reserves for a container?

6MiB

What is required to use a GPU with ECS?

The GPU variant of the ECS-optimised AMI, setting ECS_ENABLE_GPU_SUPPORT to true, setting NVIDIA environment variables or using a pre-configured base image

How are Neuron resource requirements defined for ECS tasks?

Using linuxParameters to assign a specific device to the task

What is the PROVISIONING state?

The state a task will be in while ECS is performing additional steps

What identifies a task definition?

family name and sequential revision number

What are the three possible states that a task definition may be in?

ACTIVE, INACTIVE, DELETE_IN_PROGRESS

What is the ACTIVE state for a task definition?

the task definition can be used to run tasks and create services

What is the INACTIVE state for a task definition?

new tasks can't be launched using the task definition, but existing services and task are unaffected

What is the DELETE_IN_PROGRESS state?

the task has been marked for deletion

What will block a task definition from being deleted?

Tasks, services and deployments which reference a task definition

What types of data volumes can be used with ECS tasks?

Bind mounts, Docker volumes, EBS volumes, EFS volumes, FSx volumes.

What is a bind mount?

A file or directory stored on the host that is referenced by the container.

On what launch types are bind mounts supported?

EC2 & Fargate.

What task definition parameters are relevant for bind mounts on Fargate?

ephemeralStorage

How can data be pre-populated into a bind mount?

By using a VOLUME Dockerfile directive.

What are Docker volumes?

Volumes managed by Docker and created on the host EC2 instance.

What volume driver is supported for Windows tasks?

local

On what launch types can EBS volumes be attached?

Linux tasks running on Fargate or EC2.

How are EBS volumes created for tasks?

New volumes are either empty or launched from a snapshot. Existing volumes can't be used.

What controls the deletion of EBS volumes attached to service tasks?

Volumes attached to service tasks are always deleted upon task termination.

How does ECS authenticate to create and attach EBS volumes?

Using the infrastructure IAM role.

What permissions are required for a container to write to a mounted EBS volume?

The container must run as a root user.

Where is EBS volume configuration defined?

In the service definition. The task definition only includes a volume with 'configuredAtLaunch'.

On what launch types can EFS volumes be attached?

Linux tasks running on Fargate or EC2.

How is authentication handled for EFS volumes?

Authentication uses the task role, or security groups if no role is provided.

What manages EFS volumes on EC2?

The ECS volume plugin.

What manages EFS volumes on Fargate?

A supervisor container.

What configuration is recommended for the ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION when using EFS?

Set it lower than the default value.

How can access to an EFS volume be restricted?

By using an EFS access point and restricting task role access.

What additional requirements exist for using FSx volumes?

The EC2 container instance must be joined to an Active Directory domain.

How should credentials for accessing an FSx volume be stored?

In Secrets Manager or SSM and referenced in the task definition.