[04] Task Definitions Flashcards

1
Q

What are the two options for logging stdout/stderr from containers?

A

Docker logging driver (e.g. awslogs); sidecar container (e.g. AWS FireLens)

2
Q

What are Docker logging drivers?

A

Built into the Docker daemon

3
Q

What Docker logging drivers are supported on Fargate?

A

awslogs, splunk

4
Q

What Docker logging drivers are supported on EC2?

A

awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk

5
Q

What are the components of the logConfiguration object in a task definition?

A

logDriver, options and secretOptions

6
Q

What role is used to send logs to CloudWatch when using Docker logging drivers?

A

The execution role

7
Q

What is the default mode for awslogs Docker logging driver?

A

blocking

8
Q

What mode is recommended for awslogs Docker logging driver?

A

non-blocking

9
Q

What is a sidecar container?

A

A container that runs alongside the main application

10
Q

What port does the FireLens log router listen on?

A

24224

11
Q

What type of container dependency is recommended when using FireLens?

A

A container dependency to ensure the log router starts before the application container

12
Q

When is a container dependency required for FireLens?

A

For bridge networking mode

13
Q

What role is used by the sidecar container to send logs?

A

The task role

14
Q

What is the PROVISIONING state?

A

The state a task will be in while ECS is performing additional provisioning steps

15
Q

What options are available for passing secrets to containers in ECS?

A

- Automatically expose the secrets as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager Parameter Store
- Update the application to pull secrets directly from Secrets Manager or SSM using the AWS SDK
- For logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM
- For private registry authentication, only Secrets Manager is supported
- For EC2, the ECS agent can be configured by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA

16
Q

What role is used when automatically exposing secrets as environment variables?

A

The execution role

17
Q

What role is used when the application pulls secrets directly from Secrets Manager or SSM?

A

The task role

18
Q

How can you troubleshoot issues with secrets in ECS?

A

Check CloudTrail, as all operations which access secrets are recorded

19
Q

What CloudTrail events are recorded when accessing secrets from Secrets Manager?

A

The API secretsmanager:GetSecretValue is recorded

20
Q

What CloudTrail events are recorded when accessing secrets from SSM?

A

Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM parameter store only stores a pointer)

21
Q

What other CloudTrail events may be recorded when accessing secrets?

A

There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK

22
Q

Are secrets injected as environment variables updated automatically?

A

No, secrets injected as environment variables are not updated automatically

23
Q

What Linux networking mode allocates an ENI to each task?

A

awsvpc

24
Q

What networking mode is recommended for both Linux and Windows tasks?

A

awsvpc

25
Q

What networking mode allows traffic to be audited using VPC Flow Logs?

A

awsvpc

26
Q

What networking mode allows containers in the same task to communicate using localhost without configuring links?

A

awsvpc

27
Q

What is the default networking mode for Linux tasks?

A

bridge

28
Q

What Linux networking mode binds a host port to a container port if hostPort is set?

A

bridge

29
Q

What is the default networking mode for Windows tasks?

A

default

30
Q

What Linux networking mode uses the host’s network and requires hostPort?

A

host

31
Q

What Linux networking mode prevents external network connectivity?

A

none

32
Q

What load balancer type is not supported for awsvpc networking mode?

A

Classic load balancers

33
Q

What Linux parameter controls the maximum number of files allowed for networking?

A

The nofile ulimit

34
Q

What parameters control the size of the read and write buffers for networking performance tuning?

A

sysctl net settings

35
Q

What state will a task be in while ECS is performing additional steps for it?

A

PROVISIONING state

36
Q

What state is a task in while ECS is performing additional provisioning steps?

A

PROVISIONING

37
Q

What memory-related container settings can be configured for Linux-based EC2 instances?

A

maxSwap and swappiness

38
Q

What is maxSwap used for?

A

Controls the amount of swap memory a container can use

39
Q

What does swappiness control?

A

The aggressiveness by which the container utilises swap space

40
Q

What signal is sent to PID 1 when a container needs to stop?

A

SIGTERM

41
Q

What signal is sent if the application doesn’t stop gracefully within the stopTimeout period?

A

SIGKILL

42
Q

What type of image tags are recommended for storing container images used with ECS?

A

Immutable image tags in ECR

43
Q

Why are immutable image tags recommended for ECS?

A

To ensure the same task definition always launches the same containers

44
Q

When it comes to resources, what is not supported for EC2 Windows instances?

A

Task-level CPU or memory settings

45
Q

What should be used instead of task-level CPU/memory settings for EC2 Windows?

A

Per-container limits

46
Q

What is the minimum memory that the Docker 20.10.0 or later daemon reserves for a container?

A

6MiB

47
Q

What is required to use a GPU with ECS?

A

The GPU variant of the ECS-optimised AMI, setting ECS_ENABLE_GPU_SUPPORT to true, setting NVIDIA environment variables or using a pre-configured base image

48
Q

How are Neuron resource requirements defined for ECS tasks?

A

Using linuxParameters to assign a specific device to the task

49
Q

What is the PROVISIONING state?

A

The state a task will be in while ECS is performing additional steps

50
Q

What identifies a task definition?

A

family name and sequential revision number

51
Q

What are the three possible states that a task definition may be in?

A

ACTIVE, INACTIVE, DELETE_IN_PROGRESS

52
Q

What is the ACTIVE state for a task definition?

A

the task definition can be used to run tasks and create services

53
Q

What is the INACTIVE state for a task definition?

A

new tasks can’t be launched using the task definition, but existing services and tasks are unaffected

54
Q

What is the DELETE_IN_PROGRESS state?

A

the task definition has been marked for deletion

55
Q

What will block a task definition from being deleted?

A

Tasks, services and deployments which reference a task definition

56
Q

What types of data volumes can be used with ECS tasks?

A

Bind mounts, Docker volumes, EBS volumes, EFS volumes, FSx volumes.

57
Q

What is a bind mount?

A

A file or directory stored on the host that is referenced by the container.

58
Q

On what launch types are bind mounts supported?

A

EC2 & Fargate.

59
Q

What task definition parameters are relevant for bind mounts on Fargate?

A

ephemeralStorage

60
Q

How can data be pre-populated into a bind mount?

A

By using a VOLUME Dockerfile directive.

61
Q

What are Docker volumes?

A

Volumes managed by Docker and created on the host EC2 instance.

62
Q

What volume driver is supported for Windows tasks?

A

local

63
Q

On what launch types can EBS volumes be attached?

A

Linux tasks running on Fargate or EC2.

64
Q

How are EBS volumes created for tasks?

A

New volumes are either empty or launched from a snapshot. Existing volumes can’t be used.

65
Q

What controls the deletion of EBS volumes attached to service tasks?

A

Volumes attached to service tasks are always deleted upon task termination.

66
Q

How does ECS authenticate to create and attach EBS volumes?

A

Using the infrastructure IAM role.

67
Q

What permissions are required for a container to write to a mounted EBS volume?

A

The container must run as a root user.

68
Q

Where is EBS volume configuration defined?

A

In the service definition. The task definition only includes a volume with ‘configuredAtLaunch’.

69
Q

On what launch types can EFS volumes be attached?

A

Linux tasks running on Fargate or EC2.

70
Q

How is authentication handled for EFS volumes?

A

Authentication uses the task role, or security groups if no role is provided.

71
Q

What manages EFS volumes on EC2?

A

The ECS volume plugin.

72
Q

What manages EFS volumes on Fargate?

A

A supervisor container.

73
Q

What configuration is recommended for the ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION when using EFS?

A

Set it lower than the default value.

74
Q

How can access to an EFS volume be restricted?

A

By using an EFS access point and restricting task role access.

75
Q

What additional requirements exist for using FSx volumes?

A

The EC2 container instance must be joined to an Active Directory domain.

76
Q

How should credentials for accessing an FSx volume be stored?

A

In Secrets Manager or SSM and referenced in the task definition.