[04] Task Definitions Flashcards
What are the two options for logging stdout/stderr from containers?
Docker logging driver e.g. awslogs, Sidecar container e.g. AWS Firelens
What are Docker logging drivers?
Built into the Docker daemon
What Docker logging drivers are supported on Fargate?
awslogs, splunk
What Docker logging drivers are supported on EC2?
awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk
What are the components of the logConfiguration object in a task definition?
logDriver, option and secretOptions
What role is used to connect send logs to CloudWatch when using Docker logging drivers?
The execution role
What is the default mode for awslogs Docker logging driver?
blocking
What mode is recommended for awslogs Docker logging driver?
non-blocking
What is a sidecar container?
A container that runs alongside the main application
What port does the FireLens log router listen on?
24224
What type of container dependency is recommended when using FireLens?
A container dependency to ensure the log router starts before the application container
When is a container dependency required for FireLens?
For bridge networking mode
What role is used by the sidecar container to send logs?
The task role
What is the PROVISIONING state?
The state a task will be in while ECS is performing additional provisioning steps
What options are available for passing secrets to containers in ECS?
Automatically expose the secrets as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager parameter store, update their application to directly pull secrets from Secrets Manager or SSM using the AWS SDK, in the case of logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM, for private registry authentication, only Secrets Manager is supported, or for EC2, the ECS agent can be configured by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA
What role is used when automatically exposing secrets as environment variables?
The execution role
What role is used when the application pulls secrets directly from Secrets Manager or SSM?
The task role
How can you troubleshoot issues with secrets in ECS?
Check CloudTrail, as all operations which access secrets are recorded
What CloudTrail events are recorded when accessing secrets from Secrets Manager?
The API secretsmanager:GetSecretValue is recorded
What CloudTrail events are recorded when accessing secrets from SSM?
Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM parameter store only stores a pointer)
What other CloudTrail events may be recorded when accessing secrets?
There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK
Are secrets injected as environment variables updated automatically?
No, secrets injected as environment variables are not updated automatically
What Linux networking mode allocates an ENI to each task?
awsvpc
What networking mode is recommended for both Linux and Windows tasks?
awsvpc
What networking mode allows traffic to be audited using VPC Flow Logs?
awsvpc
What networking mode allows containers in the same task to communicate using localhost without configuring links?
awsvpc
What is the default networking mode for Linux tasks?
bridge
What Linux networking mode binds a host port to a container port if hostPort is set?
bridge
What is the default networking mode for Windows tasks?
default
What Linux networking mode uses the host’s network and requires hostPort?
host
What Linux networking mode prevents external network connectivity?
none
What load balancer type is not supported for awsvpc networking mode?
Classic load balancers
What Linux parameter controls the maximum number of files allowed for networking?
The nofile ulimit
What parameters control the size of the read and write buffers for networking performance tuning?
sysctl net settings
What state will a task be in while ECS is performing additional steps for it?
PROVISIONING state
What state is a task in while ECS is performing additional provisioning steps?
PROVISIONING
What memory-related container settings can be configured for Linux-based EC2 instances?
maxSwap and swappiness
What is maxSwap used for?
Controls the amount of swap memory a container can use
What does swappiness control?
The aggressiveness by which the container utilises swap space
What signal is sent to PID 1 when a container needs to stop?
SIGTERM
What signal is sent if the application doesn’t stop gracefully within the stopTimeout period?
SIGKILL
What type of image tags are recommended for storing container images used with ECS?
Immutable image tags in ECR
Why are immutable image tags recommended for ECS?
To ensure the same task definition always launches the same containers
When it comes to resources, what is not supported for EC2 Windows instances?
Task-level CPU or memory settings
What should be used instead of task-level CPU/memory settings for EC2 Windows?
Per-container limits
What is the minimum memory that the Docker 20.10.0 or later daemon reserves for a container?
6MiB
What is required to use a GPU with ECS?
The GPU variant of the ECS-optimised AMI, setting ECS_ENABLE_GPU_SUPPORT to true, setting NVIDIA environment variables or using a pre-configured base image
How are Neuron resource requirements defined for ECS tasks?
Using linuxParameters to assign a specific device to the task
What is the PROVISIONING state?
The state a task will be in while ECS is performing additional steps
What identifies a task definition?
family name and sequential revision number
What are the three possible states that a task definition may be in?
ACTIVE, INACTIVE, DELETE_IN_PROGRESS
What is the ACTIVE state for a task definition?
the task definition can be used to run tasks and create services
What is the INACTIVE state for a task definition?
new tasks can’t be launched using the task definition, but existing services and task are unaffected
What is the DELETE_IN_PROGRESS state?
the task has been marked for deletion
What will block a task definition from being deleted?
Tasks, services and deployments which reference a task definition
What types of data volumes can be used with ECS tasks?
Bind mounts, Docker volumes, EBS volumes, EFS volumes, FSx volumes.
What is a bind mount?
A file or directory stored on the host that is referenced by the container.
On what launch types are bind mounts supported?
EC2 & Fargate.
What task definition parameters are relevant for bind mounts on Fargate?
ephemeralStorage
How can data be pre-populated into a bind mount?
By using a VOLUME Dockerfile directive.
What are Docker volumes?
Volumes managed by Docker and created on the host EC2 instance.
What volume driver is supported for Windows tasks?
local
On what launch types can EBS volumes be attached?
Linux tasks running on Fargate or EC2.
How are EBS volumes created for tasks?
New volumes are either empty or launched from a snapshot. Existing volumes can’t be used.
What controls the deletion of EBS volumes attached to service tasks?
Volumes attached to service tasks are always deleted upon task termination.
How does ECS authenticate to create and attach EBS volumes?
Using the infrastructure IAM role.
What permissions are required for a container to write to a mounted EBS volume?
The container must run as a root user.
Where is EBS volume configuration defined?
In the service definition. The task definition only includes a volume with ‘configuredAtLaunch’.
On what launch types can EFS volumes be attached?
Linux tasks running on Fargate or EC2.
How is authentication handled for EFS volumes?
Authentication uses the task role, or security groups if no role is provided.
What manages EFS volumes on EC2?
The ECS volume plugin.
What manages EFS volumes on Fargate?
A supervisor container.
What configuration is recommended for the ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION when using EFS?
Set it lower than the default value.
How can access to an EFS volume be restricted?
By using an EFS access point and restricting task role access.
What additional requirements exist for using FSx volumes?
The EC2 container instance must be joined to an Active Directory domain.
How should credentials for accessing an FSx volume be stored?
In Secrets Manager or SSM and referenced in the task definition.
