ECS Flashcards
ECS summary
What is ECS used for?
What are the three related options, and what does each do?
ECS is used to run Docker containers on AWS.
- ECS Classic (EC2 launch type): you provision and manage the EC2 instances that run the containers.
- Fargate: ECS serverless. AWS runs the containers, no EC2 provisioning; the containers of one task share the task's vCPU and memory.
- EKS: managed Kubernetes by AWS (a separate service, not an ECS launch type).
ECS CLASSIC: what does it use, what configuration is needed and where, what program is required, how is it organized?
ECS classic (EC2 launch type) uses EC2 instances to run containers.
Each instance runs a program called the
ECS AGENT
which registers the instance with a cluster and starts/stops containers on it.
The agent is configured in the file
/etc/ecs/ecs.config, which holds the cluster name (ECS_CLUSTER=<cluster name>)
Requirements for running multiple containers of the same type on one instance:
A. DON'T SPECIFY A HOST PORT, JUST THE CONTAINER PORT (hostPort omitted or 0)
B. USE AN ALB WITH DYNAMIC PORT MAPPING
C. THE EC2 SECURITY GROUP MUST ALLOW INBOUND TRAFFIC FROM THE ALB'S SECURITY GROUP ON THE EPHEMERAL PORT RANGE
**Specify only the container port; each task then gets a random host port from the instance's ephemeral range. The ALB's target group registers each task's host port and routes to it (this is the "dynamic port mapping"). Because the host ports are not known in advance, the instance security group must allow the whole ephemeral range, but only from the ALB's security group, never from 0.0.0.0/0. This applies to bridge network mode; with awsvpc mode each task has its own ENI and the container port is used directly.**
ECS task IAM roles: a task role must be created for each AWS service access pattern a task needs, and it is referenced from the task definition (taskRoleArn). When different tasks access different services, create additional roles; best practice is one least-privilege role per type of task, never one shared role for the whole cluster.
NOTE: security groups are assigned at the instance level, NOT the task level (bridge/host network mode). Only awsvpc mode gives each task its own ENI with its own security group.
CONTAINER PORT - PortMapping
Dynamic port mapping
In ECS, "dynamic port mapping" means the host port is chosen at launch from the instance's ephemeral range and the ALB routes to whichever port each task got. It is not the same thing as SSH dynamic port forwarding (SOCKS), which proxies arbitrary destinations through one local port.
PortMapping (from the ECS documentation)
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. The hostPort can be left blank or it must be the same value as the containerPort. In bridge mode, a hostPort of 0 (or omitted) requests a dynamic host port.
After a task reaches the RUNNING status, manual and automatic host and container port assignments are visible in the networkBindings section of DescribeTasks API responses.
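The port-mapping rules and the networkBindings lookup above, as an added example (Python, not from the flashcards or from AWS): it checks a task definition's hostPort/containerPort per network mode, reads the host ports ECS assigned from a DescribeTasks response, and derives the ingress rule the container instances' security group needs for an ALB with dynamic port mapping. TASK_DEF and DESCRIBE_TASKS are constructed samples in the real API shape; the account id, ARNs, sg- id and the ephemeral range constant are assumptions.

```python
"""Added example (not from the flashcards or AWS): port-mapping checks for an ECS
task definition, host ports from DescribeTasks, and the security-group rule for
ALB dynamic port mapping. TASK_DEF / DESCRIBE_TASKS are constructed samples."""
import copy

# Assumption: default ephemeral range of the ECS-optimized AMI; verify with
# `cat /proc/sys/net/ipv4/ip_local_port_range` on your own instances.
EPHEMERAL_RANGE = (32768, 65535)

TASK_DEF = {  # constructed sample; placeholder account id and ARN
    "family": "web",
    "networkMode": "bridge",
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    "containerDefinitions": [{
        "name": "web",
        "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/web:1.0",
        "cpu": 128, "memory": 256,
        # no hostPort: Docker picks a random ephemeral host port per task
        "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "/ecs/web", "awslogs-region": "eu-west-1",
            "awslogs-stream-prefix": "web"}},
    }],
}

DESCRIBE_TASKS = {"tasks": [  # constructed sample of a DescribeTasks response
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/web/1111", "lastStatus": "RUNNING",
     "containers": [{"name": "web", "networkBindings": [
         {"bindIP": "0.0.0.0", "containerPort": 8080, "hostPort": 32774, "protocol": "tcp"}]}]},
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/web/2222", "lastStatus": "RUNNING",
     "containers": [{"name": "web", "networkBindings": [
         {"bindIP": "0.0.0.0", "containerPort": 8080, "hostPort": 32777, "protocol": "tcp"}]}]},
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/web/3333", "lastStatus": "PENDING",
     "containers": [{"name": "web"}]},  # no bindings until RUNNING
]}

def check_port_mappings(task_def):
    """Return findings (empty list = fine). awsvpc/host: hostPort absent, 0 or ==
    containerPort. bridge: a fixed hostPort allows only one copy per instance."""
    mode = task_def.get("networkMode", "bridge")
    findings = []
    for c in task_def["containerDefinitions"]:
        for pm in c.get("portMappings", []):
            cport, hport = pm["containerPort"], pm.get("hostPort", 0)
            if mode in ("awsvpc", "host") and hport not in (0, cport):
                findings.append(f"{c['name']}: in {mode} mode hostPort must be omitted "
                                f"or equal containerPort {cport}, got {hport}")
            elif mode == "bridge" and hport != 0:
                findings.append(f"{c['name']}: fixed hostPort {hport} allows only one copy "
                                f"per instance; omit it for dynamic port mapping")
    return findings

def variant(task_def, network_mode, host_port):
    """Deep copy of task_def with another networkMode and an explicit hostPort."""
    td = copy.deepcopy(task_def)
    td["networkMode"] = network_mode
    for c in td["containerDefinitions"]:
        for pm in c.get("portMappings", []):
            pm["hostPort"] = host_port
    return td

def assigned_host_ports(response):
    """(taskArn, container, containerPort) -> hostPort, from RUNNING tasks only."""
    ports = {}
    for task in response["tasks"]:
        if task["lastStatus"] != "RUNNING":
            continue
        for c in task["containers"]:
            for nb in c.get("networkBindings", []):
                ports[(task["taskArn"], c["name"], nb["containerPort"])] = nb["hostPort"]
    return ports

def alb_ingress_rule(alb_sg_id, host_ports):
    """Ingress the instances' security group needs, in IpPermissions shape:
    source = the ALB's security group (not 0.0.0.0/0); ports = the ephemeral
    range if any port is dynamic, otherwise exactly the fixed ports in use."""
    host_ports = list(host_ports)
    if not host_ports:
        raise ValueError("no host ports known yet; are the tasks RUNNING?")
    lo, hi = EPHEMERAL_RANGE
    if any(lo <= p <= hi for p in host_ports):
        frm, to = lo, hi
    else:
        frm, to = min(host_ports), max(host_ports)
    return {"IpProtocol": "tcp", "FromPort": frm, "ToPort": to,
            "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}

if __name__ == "__main__":
    print(check_port_mappings(TASK_DEF))
    print(alb_ingress_rule("sg-0a1b2c3d", assigned_host_ports(DESCRIBE_TASKS).values()))
```

The fixed-port variant is the one to recognise in a review: it passes ECS validation but silently limits the service to one copy of the container per instance, and the security-group rule it implies (a single port) stops working as soon as someone switches the mapping to dynamic.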
ECR
Store Docker images in AWS ECR
Tightly integrated with IAM (IAM policies on the caller plus repository policies)
AWS CLI V1
$(aws ecr get-login --no-include-email --region eu-west-1)
aws ecr get-login: generates a docker login command (the password is valid for 12 hours)
Execute the output of the ECR GET-LOGIN command (the $( ) does exactly that)
AWS CLI V2
1. aws ecr get-login-password --region eu-west-1
2. docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-west-1.amazonaws.com
* registry URL format: <account-id>.dkr.ecr.<region>.amazonaws.com *
**This version pipes step 1 into step 2: aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin <registry URL>. Docker reads the password from stdin, so it never appears on the command line (process list, shell history).**
PUSH AND PULL:
docker push: FULL URL INCLUDING ECR REPOSITORY (<registry URL>/<repository>:<tag>)
docker pull: FULL URL INCLUDING ECR REPOSITORY
If EC2 cannot pull or push, CHECK IAM PERMISSIONS (the instance profile on EC2, the task execution role on Fargate; ecr:GetAuthorizationToken must be allowed as well as the repository actions)
FARGATE
NO EC2 instances to manage
Every task runs in awsvpc network mode: AWS attaches an elastic network interface (ENI) with a private IP from your subnet to the task (a public IP can be assigned to it; it is not an Elastic IP that you allocate)
You provision and specify, per task
vCPU
MEMORY
- the containers of a task share them
IAM: for your tasks you specify a task role for each type of interaction with AWS services. Roles should follow a least-privilege model, so create multiple roles for different tasks. Because there is no instance profile on Fargate, the task execution role (executionRoleArn) is what pulls the image from ECR and sends logs to CloudWatch; the task role (taskRoleArn) is what the application code uses.
TO SCALE, INCREASE THE DESIRED TASK COUNT. No EC2 capacity to add.
ECS TASK DEFINITION
Metadata in JSON that tells ECS how to run the Docker container(s). INFORMATION: image name, port bindings for container and host, memory and CPU, environment variables, network mode, log configuration, task role and execution role, etc. The following are NOT task definition parameters but parameters of the service or of run-task:
"placementStrategy"
binpack
random
spread
task placement constraints:
distinctInstance (service / run-task only)
memberOf (also allowed in the task definition)
ECS SERVICE
Defines how many tasks to run (desired count) and how they should run. Maintains that count and coordinates the tasks of the service in the same cluster.
Can be linked to a load balancer:
ALB, NLB or Classic ELB
Ensures that the tasks keep running across the EC2 fleet (a task that stops is replaced).
ECS CloudWatch
ECS integrates with CloudWatch Logs through the awslogs log driver
Set up logging at the TASK DEFINITION level (logConfiguration of each container)
Each container gets a separate log stream
The EC2 instance profile (EC2 launch type) or the task execution role (Fargate) needs the CloudWatch Logs permissions (logs:CreateLogStream, logs:PutLogEvents)
EC2 instance profile
The ECS agent runs on each EC2 container instance and launches the containers.
The "EC2 instance profile" acts at the EC2 level; the ECS agent uses this role to:
- make API calls to the ECS service
- pull Docker images from ECR
- send logs to CloudWatch Logs
(The AWS managed policy AmazonEC2ContainerServiceforEC2Role covers these. Application code inside the containers should use its task role, not the instance profile, so the instance role stays limited to what the agent needs.)
Task placement:
ONLY FOR THE EC2 LAUNCH TYPE, NOT FARGATE
The ECS service must determine where to place tasks based on CPU / memory / available ports.
Scaling needs a decider for which instance to add a task to, and which task to terminate on scale-in.
To help with this we define:
TASK PLACEMENT STRATEGY
TASK PLACEMENT CONSTRAINTS
TASK PLACEMENT STRATEGY
Best-effort strategy to place tasks. ECS works through these steps:
- identify the instances that satisfy the CPU / memory / port requirements in the task definition (where it can go)
- identify the instances that satisfy the task placement constraints
- identify the instances that satisfy the task placement strategy
- select an instance for placement
Service / run-task parameter: *task placement strategy* binpack, random, spread
"placementStrategy" (a list; strategies are applied in the order listed)
binpack
random
spread
1. binpack: pack instances with as many tasks as possible until full, choosing the instance with the least available memory (or CPU) that still fits
   JSON "placementStrategy": [ { "type": "binpack", "field": "memory" } ]
   *fills one instance's memory before moving on to another; minimizes the number of instances in use
-----------------------------------
2. random: choose an instance randomly
   JSON "placementStrategy": [ { "type": "random" } ]
   *no logic, and no "field"
------------------------------------
3. spread: distribute evenly across the values of a field
   JSON "placementStrategy": [ { "type": "spread", "field": "attribute:ecs.availability-zone" } ]
   *spreads according to the field listed, in this case the availability zone; "instanceId" spreads across instances
====================
CAN BE MIXED!!!!
   JSON "placementStrategy": [
     { "type": "binpack", "field": "memory" },
     { "type": "random" }
   ]
   *the first strategy narrows the candidates, the next one decides among the remaining ties
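The placement steps and strategies above, together with the distinctInstance and memberOf constraints, as an added example (Python, not from the flashcards or from AWS): a small simulator that runs the documented order (resource fit, then constraints, then strategies in sequence) over a constructed fleet, so the effect of binpack, spread, random, distinctInstance and memberOf can be seen on concrete instances. The strategy and constraint dicts have the exact shape passed as placementStrategy / placementConstraints to create-service or run-task; the fleet is invented, only a subset of the cluster query language is parsed, and the selection logic is a simplification of the real scheduler.

```python
"""Added example (not from the flashcards or AWS): simulator of EC2 launch-type
task placement. The fleet is constructed data; expressions support ==, !=, =~
and 'in [..]' on two built-in attributes only."""
import random
import re
from collections import Counter

# Same shapes as the placementStrategy / placementConstraints API parameters
SPREAD_AZ = {"type": "spread", "field": "attribute:ecs.availability-zone"}
BINPACK_MEM = {"type": "binpack", "field": "memory"}
RANDOM = {"type": "random"}
DISTINCT = {"type": "distinctInstance"}
T3_ONLY = {"type": "memberOf", "expression": "attribute:ecs.instance-type =~ t3.*"}

def make_fleet():
    """Constructed container instances with their free resources (not real data)."""
    return [
        {"id": "i-a1", "az": "eu-west-1a", "type": "t3.small", "mem": 1024, "cpu": 1024, "ports": set()},
        {"id": "i-a2", "az": "eu-west-1a", "type": "m5.large", "mem": 4096, "cpu": 2048, "ports": set()},
        {"id": "i-b1", "az": "eu-west-1b", "type": "t3.small", "mem": 2048, "cpu": 1024, "ports": set()},
        {"id": "i-b2", "az": "eu-west-1b", "type": "t3.medium", "mem": 2048, "cpu": 2048, "ports": set()},
    ]

ATTRS = {"ecs.availability-zone": "az", "ecs.instance-type": "type"}
EXPR = re.compile(r"attribute:(\S+)\s+(==|!=|=~|in)\s+(.+)")

def member_of(inst, expression):
    """Evaluate a memberOf expression (subset of the cluster query language)."""
    m = EXPR.fullmatch(expression.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expression}")
    name, op, value = m.groups()
    actual = inst[ATTRS[name]]
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.fullmatch(value, actual) is not None
    return actual in [v.strip() for v in value.strip("[]").split(",")]

def fits(inst, task):
    """Step 1: enough CPU and memory, and no clash on fixed host ports."""
    return (inst["mem"] >= task["mem"] and inst["cpu"] >= task["cpu"]
            and not (task.get("host_ports", set()) & inst["ports"]))

def apply_constraint(cands, constraint, placed):
    """Step 2: constraints are hard filters."""
    if constraint["type"] == "distinctInstance":
        used = {i["id"] for i in placed}
        return [i for i in cands if i["id"] not in used]
    if constraint["type"] == "memberOf":
        return [i for i in cands if member_of(i, constraint["expression"])]
    raise ValueError(constraint["type"])

def apply_strategy(cands, strategy, placed, rng):
    """Step 3: each strategy narrows the candidates; ties go to the next one."""
    kind = strategy["type"]
    if kind == "random":
        return [rng.choice(cands)]
    if kind == "binpack":  # least free memory/cpu first: fill instances before using new ones
        field = {"memory": "mem", "cpu": "cpu"}[strategy["field"]]
        least = min(i[field] for i in cands)
        return [i for i in cands if i[field] == least]
    if kind == "spread":  # fewest tasks already placed per value of the field
        field = strategy["field"]
        group = ((lambda i: i["id"]) if field == "instanceId"
                 else (lambda i: i[ATTRS[field[len("attribute:"):]]]))
        counts = Counter(group(i) for i in placed)
        fewest = min(counts[group(i)] for i in cands)
        return [i for i in cands if counts[group(i)] == fewest]
    raise ValueError(kind)

def place(task, fleet, placed, constraints=(), strategies=(), rng=None):
    """Pick an instance for task (reserving its resources) or None if nothing fits."""
    rng = rng or random.Random(0)
    cands = [i for i in fleet if fits(i, task)]
    for c in constraints:
        cands = apply_constraint(cands, c, placed)
    for s in strategies:
        if cands:
            cands = apply_strategy(cands, s, placed, rng)
    if not cands:
        return None
    chosen = cands[0]
    chosen["mem"] -= task["mem"]
    chosen["cpu"] -= task["cpu"]
    chosen["ports"] |= task.get("host_ports", set())
    placed.append(chosen)
    return chosen

if __name__ == "__main__":
    fleet, placed = make_fleet(), []
    for _ in range(4):
        chosen = place({"mem": 512, "cpu": 256}, fleet, placed, strategies=[SPREAD_AZ, BINPACK_MEM])
        print(chosen["id"], chosen["az"])
```

Two things the simulation makes visible: order matters (spread then binpack alternates zones while still filling the smallest instance in each zone, whereas binpack alone fills i-a1 completely first), and a fixed host port is part of the "fit" check, which is why two copies of a container with a fixed hostPort can never land on the same instance.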
Service / run-task parameters:
ECS task placement constraints:
distinctInstance
memberOf
distinctInstance: each task on a different container instance
memberOf: place tasks only on instances that satisfy an expression in the cluster query language, e.g. attribute:ecs.instance-type =~ t2.* (memberOf may also be set in the task definition)
"placementConstraints": [ { "type": "distinctInstance" } ]
ECS auto scaling
Service CPU and memory utilization are tracked in CloudWatch at the ECS service level (ECSServiceAverageCPUUtilization, ECSServiceAverageMemoryUtilization); the scaling itself is done by Application Auto Scaling
Target tracking: keep an average metric at a target value
Step scaling: scale based on CloudWatch alarms
Scheduled scaling: based on predictable changes
ECS service scaling (TASK level: changes the desired count)
EC2 (INSTANCE level: the instances must be scaled too, via an Auto Scaling group / capacity provider, or new tasks will not fit)
Fargate (serverless: only task-level scaling is needed)