ECS

 

Introduction

ECS Pricing

There is no additional charge for Amazon ECS. You pay for the AWS resources you use.

Model

  • Amazon EC2 Launch Type Model
  • AWS Fargate Launch Type Model

Notes

  • Both amazon-ecs-agent and the user's containers run as ec2-user.

Contents

  • Fargate vs. EC2
  • ECS Tutorials
  • Create an ECS application
  • Task Definition parameters
  • Tasks healthy
  • ECR
  • AWSVPC Trunking
  • Container Insights

Fargate vs. EC2

Fargate

You pay for the amount of vCPU and memory resources that your containerized application requests.

vCPU and memory resources are calculated from the time your container images are pulled until the Amazon ECS Task terminates

No EC2 instances to manage (OS upgrades / patches)

Fargate only supports container images hosted on Elastic Container Registry (ECR) or Docker Hub.

Task storage is ephemeral. After a Fargate task stops, the storage is deleted.

EC2

  • Data volumes that can be used: Docker volumes, Bind mounts
  • Private repositories

ECS Tutorials

Task Definition: think of it as a LaunchConfig for a Docker container

Settings Example:

  • exposed port,
  • docker image,
  • cpu shares,
  • memory requirement,
  • command to run and
  • environmental variables.

Each "Task Definition" can contain more than one container

Task

A running instantiation of a Task Definition (the configured container or containers)

Usually runs for a while once and then finishes

Service

Defines long running tasks of the Task Definition.

Scheduler Strategies

The service scheduler is responsible for placing tasks within your cluster.

REPLICA

places and maintains the desired number of tasks across your cluster

By default, the service scheduler spreads tasks across Availability Zones.

DAEMON

deploys exactly one task on each active container instance

----

Cluster

A logical group of EC2 instances. (Region-specific)

When using the EC2 launch type, your clusters are a group of container instances you manage.

These clusters can contain multiple different container instance types

Container Agent

ecs-agent is only supported on Amazon EC2 instances.

Container Instance

An EC2 instance that is part of an ECS cluster and runs the "ecs-agent".

e.g.

Amazon ECS-Optimized Amazon Linux 2 (AL2) x86_64 AMI

ECS Application type

"service" / "task"

"service"

  • Supports: Replica / Daemon settings
  • Supports: Load balancing

"task"

  • Runs once and finishes

Replica & Daemon

  • Replica - Place and maintain a desired number of tasks across your cluster.
  • Daemon - Place and maintain one copy of your task on each container instance.

Create an ECS application

Steps: Cluster > Container Instance > Task Definition > ECR > Task / Service

Step 1: Create a Cluster

# "clusterName": "default"

aws ecs create-cluster

* By default, your account receives a "default" cluster when you launch your first container instance.
If you do create your own, non-default, cluster, you must specify --cluster cluster_name for each command

aws ecs create-cluster --cluster-name MyCluster

Checking

aws ecs list-clusters

{
    "clusterArns": [
        "arn:aws:ecs:ap-east-1:ID:cluster/default"
    ]
}

Step 2: Launch an Instance with the Amazon ECS AMI

  • AMI

Amazon ECS-Optimized Amazon Linux 2 (AL2) x86_64 AMI

describe-images

  • user_data

By default, your container instance launches into your "default" cluster

To launch into a non-default cluster, choose the Advanced Details list.

#!/bin/bash
echo ECS_CLUSTER=your_cluster_name >> /etc/ecs/ecs.config

  • Container instances need access to communicate with the Amazon ECS service endpoint.

So the instance needs a public IP for internet access, or the VPC needs an ECS service endpoint.

  • IAM permissions

The container instance needs the ecsInstanceRole IAM permissions before it can join the cluster

Checking

aws ecs list-container-instances --cluster MyCluster

aws ecs describe-container-instances --cluster MyCluster --container-instances container_instance_ID

aws ec2 describe-instances --instance-id instance_id

Step 3: Register a Task Definition

 * Task Definitions are not scoped under a Cluster

sleep360.json

{
  "containerDefinitions": [
    {
      "name": "sleep",
      "image": "busybox",
      "command": [
        "sleep",
        "360"
      ],
      "essential": true
    }
  ],
  "family": "sleep360"
}

aws ecs register-task-definition --cli-input-json file://sleep360.json

aws ecs list-task-definitions

{
    "taskDefinitionArns": [
        "arn:aws:ecs:ap-east-1:AC_ID:task-definition/sleep360:1"
    ]
}

P.S.

aws ecs deregister-task-definition --task-definition sleep360

Step 4: Run a Task

aws ecs run-task --cluster MyCluster --task-definition sleep360 --count 1

--task-definition family:revision

If a revision isn't specified, the latest ACTIVE revision is used.

--count 1

The number of instantiations of the specified task to place on your cluster.

You can specify up to 10 tasks for each call.

Checking

aws ecs list-tasks --cluster MyCluster

aws ecs describe-tasks --cluster MyCluster --task task_ID
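As an added example tying Steps 3 and 4 together (this is not code from the page or from AWS tooling): the Python below reads `list-task-definitions` output, resolves a family to its latest ACTIVE revision the way a bare `--task-definition family` does, but compares revisions numerically so that revision 10 beats revision 2, and splits a larger placement into `run-task` calls that respect the 10-tasks-per-call limit while pinning `family:revision` on every call. The ARNs and account id in the sample output are constructed.

```python
import json
import shlex

# Constructed sample of `aws ecs list-task-definitions` output (ACTIVE is the
# default --status filter); revisions 1, 2 and 10 exist for family sleep360.
SAMPLE_LIST_OUTPUT = json.dumps({
    "taskDefinitionArns": [
        "arn:aws:ecs:ap-east-1:123456789012:task-definition/sleep360:1",
        "arn:aws:ecs:ap-east-1:123456789012:task-definition/sleep360:2",
        "arn:aws:ecs:ap-east-1:123456789012:task-definition/sleep360:10",
        "arn:aws:ecs:ap-east-1:123456789012:task-definition/other:3",
    ]
})

MAX_COUNT_PER_RUN_TASK = 10  # run-task places at most 10 tasks per call


def parse_task_definition_arn(arn):
    """Split '...:task-definition/<family>:<revision>' into (family, revision)."""
    resource = arn.rsplit("/", 1)[1]          # e.g. 'sleep360:10'
    family, revision = resource.rsplit(":", 1)
    return family, int(revision)


def latest_revision(list_output, family):
    """Return the highest revision number for `family`, compared numerically.

    A lexical max would pick '2' over '10'; ECS resolves a bare family name to
    the latest ACTIVE revision, so this makes that choice explicit and pinnable.
    """
    arns = json.loads(list_output)["taskDefinitionArns"]
    revisions = [rev for fam, rev in map(parse_task_definition_arn, arns)
                 if fam == family]
    if not revisions:
        raise LookupError(f"no ACTIVE task definition for family {family!r}")
    return max(revisions)


def run_task_commands(cluster, family, revision, total):
    """Build the `aws ecs run-task` invocations needed to place `total` tasks.

    Each call is capped at MAX_COUNT_PER_RUN_TASK and pins family:revision so
    every batch starts the same task definition even if a new revision is
    registered part-way through.
    """
    commands = []
    remaining = total
    while remaining > 0:
        count = min(remaining, MAX_COUNT_PER_RUN_TASK)
        commands.append([
            "aws", "ecs", "run-task",
            "--cluster", cluster,
            "--task-definition", f"{family}:{revision}",
            "--count", str(count),
        ])
        remaining -= count
    return commands


if __name__ == "__main__":
    rev = latest_revision(SAMPLE_LIST_OUTPUT, "sleep360")
    for argv in run_task_commands("MyCluster", "sleep360", rev, 23):
        print(shlex.join(argv))
```

Running the script prints three `run-task` commands (10, 10 and 3 tasks) against `sleep360:10`; pipe real `list-task-definitions` output into `latest_revision` to use it against an account.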

 


Task Definition parameters

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

Reasons to put more than one container in a task:

  • the containers share a common lifecycle
  • the containers must run on the same underlying host (localhost port)
  • the containers need to share resources (data volumes)

containerDefinitions

Describes the different containers that make up your task.

e.g.

"containerDefinitions": [
  {
    "name": "sample-app",
    "command": [
      "/bin/sh -c \"echo ... \""
    ],
    "entryPoint": [
      "sh",
      "-c"
    ],
    "essential": true,
    "image": "httpd:2.4",
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 80,
        "protocol": "tcp"
      }
    ]
  }
]

Optional settings

  • command
  • entryPoint
  • essential

image

By default, images in the Docker Hub registry are available.

Other repositories are specified with either repository-url/image:tag or repository-url/image@digest

Images in Amazon ECR repositories can be specified by either using

registry/repository:tag or registry/repository@digest

essential (Default: true)

If true and that container fails or stops for any reason,
all other containers that are part of the task are stopped.

All tasks must have at least one essential container.

logConfiguration

e.g.

    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/fargate-task-definition",
        "awslogs-region": "ap-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    },

cpu, memory

 * There is a distinction between the "task-level memory value" and the "container-level memory value".

Task-level memory: the amount (in MiB) of memory used by the task.

Task-level cpu: in CPU units, e.g. 256 (.25 vCPU).

If you use the EC2 launch type, these task-level fields are optional.

e.g.

{
  "containerDefinitions": [
    {
      "memoryReservation": 300,
      "cpu": 1024,
      ...      
    }
  ],
  "memory": "512",
  "cpu": "2048",
  ...
}

memory (hard limit)

If your container attempts to exceed the memory specified here, the container is killed.

memoryReservation (soft limit)

When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit.

If a task-level memory value is not specified,
you must specify a non-zero integer for one or both of memory or memoryReservation in a container definition.

NetworkMode

none, bridge(ec2 default), awsvpc, and host

Fargate requires awsvpc.

awsvpc

Because each task gets its own elastic network interface (ENI), you can use security groups and network monitoring tools per task.

portMappings

Port mappings allow containers to access ports on the host container instance to send or receive traffic.

In awsvpc / host network mode, you should only specify containerPort.

In bridge network mode, the container automatically receives a host port in the ephemeral port range.
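The rules above (at least one essential container, memory / memoryReservation, awsvpc for Fargate, containerPort only in awsvpc / host mode) can be checked locally before `register-task-definition`. The Python below is an added example, not code from the page or from AWS; it also applies two rules taken from the ECS documentation rather than from these notes, namely that memoryReservation must not exceed memory and that Fargate task definitions need task-level cpu and memory. The sample task definition is constructed to trip several rules at once.

```python
# Constructed sample: a task definition that breaks several of the rules
# above (family, names and values are made up for illustration).
SAMPLE_TASK_DEF = {
    "family": "web",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [
        {
            "name": "web1",
            "image": "httpd:2.4",
            "essential": False,
            "memory": 256,             # hard limit
            "memoryReservation": 512,  # soft limit, wrongly above the hard limit
            "portMappings": [
                {"containerPort": 80, "hostPort": 8080, "protocol": "tcp"},
            ],
        },
        {"name": "sidecar", "image": "busybox", "essential": False},
    ],
}


def validate_task_definition(td):
    """Return a list of rule violations (an empty list means the definition passes)."""
    problems = []
    containers = td.get("containerDefinitions", [])
    if not containers:
        problems.append("task has no containerDefinitions")

    # essential defaults to true when omitted; every task needs at least one
    if not any(c.get("essential", True) for c in containers):
        problems.append("at least one container must be essential")

    network_mode = td.get("networkMode", "bridge")  # bridge is the EC2 default
    fargate = "FARGATE" in td.get("requiresCompatibilities", [])
    if fargate and network_mode != "awsvpc":
        problems.append(f"Fargate requires networkMode awsvpc, got {network_mode!r}")
    # Task-level cpu/memory are optional for EC2 but mandatory for Fargate
    # (ECS documentation; a rule beyond the notes above).
    if fargate and ("memory" not in td or "cpu" not in td):
        problems.append("Fargate requires task-level cpu and memory")

    task_memory = td.get("memory")
    for c in containers:
        name = c.get("name", "<unnamed>")
        hard, soft = c.get("memory"), c.get("memoryReservation")
        if task_memory is None and not (hard or soft):
            problems.append(f"{name}: set memory or memoryReservation "
                            "when no task-level memory is given")
        # a soft limit above the hard limit is rejected by ECS (documentation)
        if hard is not None and soft is not None and soft > hard:
            problems.append(f"{name}: memoryReservation {soft} exceeds memory {hard}")
        for pm in c.get("portMappings", []):
            cport, hport = pm.get("containerPort"), pm.get("hostPort")
            if network_mode in ("awsvpc", "host") and hport not in (None, cport):
                problems.append(f"{name}: in {network_mode} mode specify only "
                                f"containerPort ({cport}); hostPort {hport} is invalid")
    return problems


if __name__ == "__main__":
    for line in validate_task_definition(SAMPLE_TASK_DEF):
        print("-", line)
```

Run it against the JSON you are about to register (`json.load` the file and pass the dict); the sample above reports five violations, and a definition that passes returns an empty list.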

Family

A family groups multiple versions of a task definition.

ECS gives sequential revision numbers to each task definition that you add.

Getting a shell in a container

aws ecs list-clusters

aws ecs execute-command --cluster cluster-web-ecs --task ID \
--container web-container --interactive --command "/bin/bash"

Service

Create

ALB='targetGroupArn=arn:aws:elasticloadbalancing:ap-east-1:AC_ID:targetgroup/Lab7-web-tg/TG_ID,containerName=web1,containerPort=80'
NET='awsvpcConfiguration={subnets=[subnet-a-ID,subnet-b-ID,subnet-c-ID],securityGroups=[sg-ID]}'

aws ecs create-service \
--cluster MyCluster \
--launch-type EC2 \
--service-name MyWebService \
--task-definition MyWebTask \
--desired-count 1 \
--network-configuration "$NET" \
--load-balancers "$ALB"

Opts

--service-name
--task-definition
--desired-count           # only used with "--scheduling-strategy REPLICA"
--launch-type             # EC2|FARGATE|EXTERNAL
--network-configuration   # awsvpcConfiguration={subnets=[string,string],securityGroups=[string,string],assignPublicIp=string}
--load-balancers          # targetGroupArn=string,loadBalancerName=string,containerName=string,containerPort=integer

List

aws ecs list-services --cluster MyCluster

{
    "serviceArns": [
        "arn:aws:ecs:ap-east-1:AC_ID:service/MyCluster/MyWebService"
    ]
}

Update

update-service

e.g.

aws ecs update-service --cluster MyCluster --service MyWebService --desired-count 0

 * Changing --desired-count does not affect the "Task definition: revision"

e.g.

When the container image is tagged latest, "--force-new-deployment" is what makes the service pick up the updated image behind the "Task definition"

aws ecs update-service --cluster MyCluster --service MyWebService --force-new-deployment

e.g.

aws ecs update-service --cluster MyCluster --service MyWebService --task-definition MyWebTask

--task-definition family[:revision]

If a revision is not specified, the latest ACTIVE revision is used.
If you modify the task definition with UpdateService,
ECS spawns a task with the new version of the task definition and
then stops an old task after the new version is running.

Delete

delete-service

e.g.

aws ecs delete-service --cluster MyCluster --service MyWebService

An error occurred (InvalidParameterException) when calling the DeleteService operation:
 The service cannot be stopped while it is scaled above 0.

aws ecs update-service --cluster MyCluster --service MyWebService --desired-count 0

aws ecs delete-service --cluster MyCluster --service MyWebService

Tasks healthy

healthy = task in the RUNNING state & the ALB reports it as healthy

ECS container agent only monitors and reports on the health checks specified in the task definition.

=> ECS does not monitor Docker health checks that are embedded in a container image and not specified in the container definition.

ECR

Private registry

A container image in a private registry outside of Amazon ECR.

You provide the credentials needed to authenticate to the private registry.

You must store the credentials as an AWS Secrets Manager secret.

The Private registry authentication option turns the feature on or off.

The Secrets Manager ARN or name is where you specify the Amazon Resource Name (ARN) of the secret.

This feature requires the use of the task execution IAM role

Upload an image to ECR

#1 Create the ECR repository

aws ecr create-repository --repository-name my-ecr-repo

aws ecr describe-repositories

#2 Login ECR

repositoryUri="ACCOUNT_ID.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo"

# podman logout

aws ecr get-login-password --region ap-east-1 | podman login --username AWS --password-stdin "$repositoryUri"

Login Succeeded!

#3 Build the image from the Dockerfile

podman build -t web:v1 .

# No tag is given here, so this is equivalent to my-ecr-repo:latest

podman tag web:v1 "$repositoryUri"

podman images

#4 Push the image to the ECR repository

podman push $repositoryUri

aws ecr list-images --repository-name my-ecr-repo

{
    "imageIds": [
        {
            "imageDigest": "sha256:...",
            "imageTag": "latest"
        }
    ]
}

Update Image

podman tag web:v2 $repositoryUri

podman push $repositoryUri

Getting image source signatures
Copying blob b365b46d1be3 skipped: already exists
...
Copying blob 2313381a5461 done
Writing manifest to image destination
Storing signatures

# The old image's tag becomes "-" (untagged); the new one is now "latest"

aws ecr list-images --repository-name my-ecr-repo

{
    "imageIds": [
        {
            "imageDigest": "sha256:..."
        },
        {
            "imageDigest": "sha256:...",
            "imageTag": "latest"
        }
    ]
}

Tag

retag without pulling or pushing the image

#1 Get the image's MANIFEST

MANIFEST=$(aws ecr batch-get-image --repository-name my-ecr-repo --image-ids imageTag=latest --output text --query 'images[].imageManifest')

# --image-ids accepts either "imageDigest" or "imageTag"

aws ecr put-image --repository-name my-ecr-repo --image-tag v1 --image-manifest "$MANIFEST"

Delete a tag

aws ecr batch-delete-image \
    --repository-name my-ecr-repo \
    --image-ids imageTag=v1 imageTag=v2

Delete an image

# Once an image has no tag left, the image itself is deleted

aws ecr batch-delete-image \
    --repository-name my-ecr-repo \
    --image-ids imageTag=v0
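The image field of a container definition accepts `repository-url/image:tag` or `@digest` forms, and the `list-images` output after the second push shows the earlier image left with no tag. The Python below is an added example (not code from the page or from AWS tooling): it parses image references into registry, repository, tag and digest, reports whether a reference is pinned to a digest (a tag such as `latest` moves on every push, as the output above shows, while a digest identifies one immutable image), and lists the untagged digests from `list-images` output to feed into `batch-delete-image`. The registry heuristic and the sample output (account id, digests) are constructed.

```python
import json
import re

# Constructed sample of `aws ecr list-images` output after a second push to
# the same tag: the earlier image lost its tag, the new one holds "latest".
SAMPLE_LIST_IMAGES = json.dumps({
    "imageIds": [
        {"imageDigest": "sha256:" + "a" * 64},
        {"imageDigest": "sha256:" + "b" * 64, "imageTag": "latest"},
    ]
})

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_reference(ref):
    """Split an image reference into registry, repository, tag and digest.

    Handles the forms used above: 'busybox', 'httpd:2.4',
    'repository-url/image:tag' and 'registry/repository@digest'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    registry = None
    parts = ref.split("/")
    # Heuristic (assumption): the first path component is a registry host when
    # it contains '.' or ':' or is 'localhost'; otherwise it's a Docker Hub path.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
        ref = "/".join(parts[1:])
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):          # a ':' after the last '/' starts the tag
        ref, tag = ref[:colon], ref[colon + 1:]
    if tag is None and digest is None:
        tag = "latest"                  # default when neither tag nor digest is given
    return {"registry": registry, "repository": ref, "tag": tag, "digest": digest}


def is_pinned(ref):
    """True only when the reference names an immutable digest."""
    return parse_image_reference(ref)["digest"] is not None


def untagged_digests(list_images_output):
    """Digests in `aws ecr list-images` output that no longer carry any tag.

    A re-push or retag of the same tag leaves these behind; deleting a digest
    that has no tags removes the image from the repository.
    """
    ids = json.loads(list_images_output)["imageIds"]
    return [i["imageDigest"] for i in ids if "imageTag" not in i]


def batch_delete_args(repository, digests):
    """Argument list for `aws ecr batch-delete-image` by digest, or None if nothing to delete."""
    if not digests:
        return None
    return (["aws", "ecr", "batch-delete-image", "--repository-name", repository, "--image-ids"]
            + [f"imageDigest={d}" for d in digests])


if __name__ == "__main__":
    for ref in ("busybox", "httpd:2.4",
                "123456789012.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo",
                "123456789012.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo@sha256:" + "b" * 64):
        print(ref, "->", parse_image_reference(ref), "pinned" if is_pinned(ref) else "mutable")
    print(batch_delete_args("my-ecr-repo", untagged_digests(SAMPLE_LIST_IMAGES)))
```

For a task definition that should always start the image you tested, reference it by `registry/repository@digest` (the `imageDigest` values that `list-images` prints) rather than by `latest`; `is_pinned` is the check to put in a CI step.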

 


AWSVPC Trunking

Amazon EC2 instance types

t3.micro

  • Maximum network interfaces: 2
  • Private IPv4 addresses per interface: 2

ENI trunking

This feature is only supported on specific Amazon EC2 instance types.

Enable

ECS Account Setting > AWSVPC Trunking

This setting only applies to new Linux instances that are launched after you change this setting.

ALB Settings

If your service's task definition uses the awsvpc network mode (required for the AWS Fargate launch type),
 you must choose IP as the target type.

Container Insights

Billable items

  1. CloudWatch metrics
  2. CloudWatch Logs

Metrics

  • Every cluster reports 8 metrics;
  • every task reports 6 metrics;
  • and every service reports 11 metrics.
  • All CloudWatch metrics are prorated on an hourly basis.