ECS Flashcards

1
Q

ECS clusters

A

are logical groupings of EC2 instances

2
Q

the EC2 instances we’re going to launch will run

A

the ECS agent = just a Docker container on each EC2 instance.

it registers our EC2 instance with the ECS cluster

3
Q

The EC2 instances are a little bit special

A

they don’t run the plain Amazon Linux 2 AMI.

They run the special ECS AMI

4
Q

task definitions

A

metadata in JSON form that tells ECS how to run a Docker container:

image name, the port binding for the container and the host, the memory and CPU required, the environment variables, networking information, etc.

5
Q

tasks and roles (exam)

A

the task can have an IAM role (task role)

if a task cannot do anything (it cannot pull an image from ECR, it cannot talk to S3, and so on), it is because it is missing a task role, so we assign one to it

6
Q

ECS services

A
  1. help define how many tasks should be run and how
  2. they ensure that the number of tasks desired is running across our fleet of EC2 instances
  3. can be linked to a load balancer (LB)
  4. are created inside the ECS cluster
7
Q

Replica type of ECS services

A

tries to run as many tasks as possible

8
Q

Daemon type of ECS services

A

tries to run only one task on each ECS instance in the cluster

(e.g. for monitoring and gathering metrics)

9
Q

you can run several identical containers using (exam)

A

dynamic port forwarding

you roll out as many containers as you want and each of them gets a dynamically assigned host port (the host port is left empty; 0 means random). To the outside they are all available on port 80, and the Load Balancer distributes requests across them

the DNS name of the Load Balancer is then used as the entry point

10
Q

EC2 Instance Profile

A

we have an EC2 instance and it is running the ECS agent. That is what makes this EC2 instance part of ECS. To make it work, we need to attach an EC2 Instance Profile (IAM role = ECS instance role).

the ECS agent uses that role to make API calls to the ECS service (to register the instance with its ECS cluster, for example), to send the container logs of any running task to CloudWatch Logs, and to pull images from ECR

so the ECS agent integrates with the ECS service, CloudWatch Logs, and ECR through the EC2 Instance Profile.

11
Q

on your EC2 instances you run tasks that may interact with other AWS services, so each task needs

A

an ECS Task Role (IAM role). This allows each task to have a specific role with the minimum permissions.

for example, we create an ECS Task Role A that we attach to Task A, and this task role may allow the task to write to an Amazon S3 bucket.

use different task roles for the different ECS services and tasks that you run.

12
Q

And where do you define the task role?

A

you define it in the task definition.

in the IAM console you can search for ECS and see all ECS-related roles. You can also create a new role -> scroll to ECS and select it -> select the use case, for example access to S3

13
Q

Which ECS config must you enable in /etc/ecs/ecs.config to allow your ECS tasks to assume IAM roles?

A

ECS_ENABLE_TASK_IAM_ROLE

14
Q

You are looking to push Docker images into ECR with your AWS CodePipeline and CodeBuild. The last step fails with an authorization issue. What is the issue?

A

any permissions issue against ECR is most likely due to IAM policies

double-check the IAM permissions for the CodeBuild service

15
Q

You are looking to run multiple instances of the same application on the same EC2 instance and expose it with a load balancer. The application is available as a Docker container. You should use

A

Application load balancer + ECS

Uses the dynamic port feature

16
Q

You are running a web application on ECS, the Docker image is stored on ECR, and trying to launch two containers of the same type on EC2. The first container starts, but the second one doesn’t. You have checked and there’s enough CPU and RAM available on the EC2 instance. What’s the problem?

A

the host port is fixed in the task definition, so the second container cannot bind the same host port on that instance

To enable a random host port, set host port = 0 (or leave it empty), which allows multiple containers of the same type to launch on the same instance

17
Q

You have started an EC2 instance and it’s not registered with the ECS cluster. What could be the reason

A
  1. the ECS agent is not running
  2. the AMI used isn't the AWS ECS AMI
  3. the EC2 instance is missing IAM permissions

cannot be the reason:

security groups on the EC2 instance are misconfigured
security groups do not matter when an instance registers with the ECS service

18
Q

Which commands must be used to pull an image from ECR? (CLI v1)

A

$(aws ecr get-login --no-include-email --region eu-west-1)

docker pull $ECR_IMAGE_URL

(the first line runs the docker login command that get-login prints; the second pulls the image by its ECR URL)

19
Q

You would like to run 4 ECS services on your ECS cluster, which need access to various services. What is the best practice?

A

create 4 ECS task roles and attach each one to the relevant ECS task definition

20
Q

Which task cluster placement is the MOST cost-efficient?

A

binpack

21
Q

when you create a task of type EC2 in a cluster, ECS must figure out where to place the task based on the available memory, CPU and ports on your target EC2 instances. Whenever the ECS service has a new task to place on your EC2 instances, it needs to determine where to put it, and whenever a service scales in, it needs to determine which ECS task to terminate

A

you can define a task placement strategy and task placement constraints. This only works when you use ECS launched on EC2 instances, not for Fargate, because with Fargate AWS figures out for you where to start the container and you don't manage any backend instances

when ECS places tasks, it will use the following

  1. identify instances that satisfy the CPU, memory and port requirements in the task definition.
  2. look at the task placement constraints
  3. try to identify the instance that best satisfies the task placement strategy.
22
Q

binpack task placement strategy

A

places tasks based on the least available amount of CPU or memory, to help you minimize the number of instances in use.

it tries to fill up one EC2 instance all the way with containers, and when it can't put any more containers on that EC2 instance, it places containers on another EC2 instance.

brings the most cost saving because it minimizes the number of EC2 instances in use and tries to maximize the utilization of one EC2 instance at a time.

23
Q

random task placement strategy

A

places the tasks randomly.

if we have two EC2 instances and tasks are being added, they will just be placed randomly; there is no logic to it.

24
Q

spread task placement strategy

A

spreads tasks based on the specified value (instance id, availability zone, and so on).

we have three EC2 instances in three different availability zones and we configure spread on AZ. That means the tasks will be spread evenly across AZs: my first task may go to AZ-A, then AZ-B, then AZ-C.

maximizes the high availability of our ECS service by spreading the tasks across the EC2 instances.

25
Q

task placement strategies can be mixed together.

A

we can have a spread on availability zone and then a spread on instance id. Or we can have a spread on availability zone and then a binpack on memory.

26
Q

distinctInstance task placement constraint

A

each task should be placed on a different container instance. So you will never have two tasks on the same instance.

27
Q

memberOf task placement constraint

A

we want to place tasks on instances that satisfy an expression defined using the Cluster Query Language

for example, we say that the instance type must be t2, meaning all these tasks should be placed only on t2 instances.

28
Q

in /etc/ecs/ecs.config you need to configure the following

A

ECS_CLUSTER=MyCluster
ECS_ENGINE_AUTH_DATA={}
ECS_AVAILABLE_LOGGING_DRIVERS=[]
ECS_ENABLE_TASK_IAM_ROLE=true

29
Q

ECS_ENGINE_AUTH_DATA in /etc/ecs/ecs.config

A

Example values: dockercfg | docker

The dockercfg format uses the authentication information stored in the configuration file that is created when you run the docker login command. You can create this file by running docker login on your local system and entering your registry user name, password, and email address. You can also log in to a container instance and run the command there. Depending on your Docker version, this file is saved as either ~/.dockercfg or ~/.docker/config.json.

The docker format uses a JSON representation of the registry server that the agent should authenticate with. It also includes the authentication parameters required by that registry (such as user name, password, and the email address for that account).

(for example, Docker Hub)

30
Q

ECS_AVAILABLE_LOGGING_DRIVERS

A

Example values: ["awslogs","fluentd","gelf","json-file","journald","splunk","logentries","syslog"]

for example, if you want to use CloudWatch logging, awslogs must be in this list

The logging drivers available on the container instance. The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS environment variable before containers placed on that instance can use log configuration options for those drivers in tasks.

31
Q

ECS_ENABLE_TASK_IAM_ROLE

A

Whether IAM roles for tasks should be enabled on the container instance for task containers with the bridge or default network modes.

32
Q

service auto scaling

A

CPU and RAM are tracked as metrics in CloudWatch at the ECS service level
we can define a service auto scaling based on these CloudWatch metrics.

  1. target tracking
  2. step scaling
  3. scheduled scaling

if you set up a Fargate ECS service with service auto scaling, it is serverless: the service can scale on its own and we don't need to worry about the infrastructure it relies on.

33
Q

service auto scaling - target tracking

A

you want to target a specific average of a CloudWatch metric, for example you say "CPU utilization should be at 60% across my ECS service."

34
Q

service auto scaling - step scaling

A

scale based on CloudWatch alarms (see auto scaling policies)

35
Q

scheduled scaling

A

to scale based on predictable changes (see auto scaling policies)

36
Q

the service scaling at the task level is not equal to the EC2 auto scaling at the instance level!!!

A

if you scale up or down your ECS service, that doesn’t mean that your EC2 auto scaling group at the instance level will scale up or down.

37
Q

Cluster Capacity Provider

A

is used in association with a cluster to determine the infrastructure that a task runs on

  1. for ECS on Fargate, the Fargate and Fargate_Spot capacity providers are added automatically, and they provision the Fargate infrastructure for us, even though we don't really see it
  2. for ECS on EC2 we can associate the capacity provider with an auto scaling group. The auto scaling group can automatically add EC2 instances when needed.
38
Q

Cluster Capacity Provider - how it works

A

when you run a task or a service, you define a capacity provider strategy to prioritize which provider to run in.

say we have two EC2 instances packed with ECS tasks; the average CPU utilization is less than 30%, but the EC2 instances have no more capacity. We create a new task, and if that task is assigned to a Cluster Capacity Provider, the Capacity Provider automatically launches a new ECS instance (a new EC2 instance running ECS) and places the task there.