- Amazon EC2 Container Services
- 1.0: Container Architecture
- 1.1: Amazon EC2 Introduction
- 2.0: Creating an ECS User and Group
- 2.1: Logging into the Console
- 2.2: Create Instance Key-Pairs
- 2.3: Create a Cluster Virtual Private Cloud
- 2.4: Security Groups and ECS Clusters
- 2.5: Installing AWS CLI
- 3.0: Using the Wizard for Sample Cluster Creation
- 3.1: Exploring the Sample Cluster
- 3.2: Customizing the EC2 Cluster
- 3.3: Cluster Security Group Customization
- 3.4: Container Instance Scaling
- 3.5: ELB - Container Registration and Config
- 3.6: ECS - Creating a Custom Container
- 3.7: Creating a Custom Task Definition for our Containers in ECS
- 3.8: Running Multiple Container Types in the Cluster
- 4.0: Troubleshooting
Goals
- Create a User and Look at Security Settings
- Create a Role and Generate a Key Pair
- Create a VPC for our Cluster
- Create a Security Group for our Cluster
- Install and Configure the AWS CLI
Components and Usage
- Clusters
- Container instances (how to register too)
- The Agent
- Scheduling Tasks
- Repositories
- IAM Policies and Roles
Highly scalable and fast container management service. Easily can start, stop and manage containers on a cluster comprised of Amazon EC2 instances.
What makes up the ECS?
- Clusters - the grouping of container instances that we 'do stuff' on.
- Container instances - EC2 Instances running the ECS agent and registered in a cluster.
- Task Definitions - Description of an application with one or more container definitions.
- Scheduling - How we get our tasks on the container instances.
- Servies - An ECS service allows us to run or maintain a number of instances of a task definition.
- Tasks - an instance of a Task definition
- Containers - A Linux Container (Docker for example) created as part of a Task.
In the console, go to Identity and Access Management.
If you create the secret access key, make sure you download it and provide it for login.
Ensure that you also create a group for this that is specific to the EC2 Container service.
Normally we wouldn't recommend Admin access, but you want to assign a group security policy so future users added can get these group policies and we can manage it at a group level.
From the AWS IAM panel, we can just into the new ecsadmin
group and now we can create some sign in passwords from Security Credentials
.
Now with the alias link we have from the main dashboard, we can use that give other users a chance to log in.
It is very important that we want the alias used wherever possible instead of your account number.
Now, once the user signs in, they have a chance to see a new password.
THIS IS HOW WE MAINTAIN THE SECURITY WITH GRANUAL PERSMISSIONS FOR OTHERS TO USE
Head to EC2 Virtual Servers > Network and Security > Key Pairs
- you can import a key pair or create a key-pair. This is used to SSH in securely.
Create and save that file and store it somewhere securely.
If we use ssh-agent bash
, that will launch a shell where we can run ssh-add key-pair.pem
added to the key exchange, and now we can ssh -i key-pair.pem [email protected]
(ensure an instance is running).
ssh-agent bash
ssh-add key-pair.pem
ssh -i key-pair.pem [email protected]
In the VPC section of AWS, in the list of VPCs you can see a list of the VPCs and there can be allocated a default if you haven't named one.
Create a VPC, give is a name tag, the CIDR block is the network range eg. 10.17.0.0/16
(16 is as large as we can make our VPC) and we can choose the VPC to be Default
or Dedicated
.
Once the instance config is up, we can choose Actions > Edit DHCP Options
which will edit how those addresses/options are set. Currently the /16 address range will be 10.17.0.1
but the config will basically assign ranges between .2 and .253. We can change that range with DHCP Options Set
if we want to.
DHCP means Dynamic Host Configuration Protocol
.
We can also assign a DNS resolution if we didn't want them publicly available by name, we can say don't do it.
Now we can go back and apply a security group.
Back in the EC2 > Network and Security > Security Groups
, we can now create a security group.
As you create this, you will give it a name and choose the VPC associated! This will be where we select the ECS_VPC
we created.
As for the inbound and outbound rules, we add an inbound SSH rule for TCP, port 22, Anywhere which will allow in SSH connections.
As a second option, we choose HTTPS and a HTTP role as well.
For the Outbound
, we want SSH to anywhere and HTTP and HTTPS as well. After configuring our services, we may want to choose a more restricive kind of traffic.
Again, from here, we can edit the inbound and outbound rules too.
We recommend that you only open up SSH to a few IP ranges.
pip3 install awscli
which will give us access to using the command line.
aws configure
allows us to put in our id and secret key, and commands such as aws ec2 describe-regions
allow us to see available regions for instances.
In the ECS Wizard, let's click Get Started
.
This will deploy an EC2 Container Service in a particular region.
We want to add some information about Tasks
which is how we get things to run on ECS.
Give the task a definition name ecs-sample-web-app-static
as an example.
Container name we want to run could be ecs-sample-web
.
Image is the image format we want to run.
The ports can be configured depending on what ports we have exposed on the security settings.
If we look at the advanved settings, we can look at environment, network settings etc.
We can also mount additional volumes external from the container.
On the next step, we can edit the Service name and we can also have a multiple number of tasks running.
We can also do elastic load balancing too.
These containers also run in a cluster. We can choose what instance type we want, and a number of instances.
Key-Pairs are also region specific and you'll need a new key-pair for another cluster in a different region.
We need to make sure ecsinstanceRole
IAM policy is also currently allowed.
In the review, you will get an overview of what is being created and the cluster configuration.
If we now view this service in Clusters
, it will show us our cluster and the current task that is running.
If we look at Task Definition
we can use actions to do thingsl like run tasks.
When we launched the cluster, we had 2 instances running EC2 instances.
If we now go to EC2 > Instances
, we should be able to now see our running instances!
If we grab the IP, we can now use that pem file and AWS CLI. Again, run the ssh-agent
and ssh-add
etc.
At the IP itself, we can see that the website is now running, but the second instance isn't running the container... why? Because it is a cluster. Even though we have two INSTANCES running we only configured ONE service running ONE task with ONE task definition.
A lot of this is because we haven't set the ELB. Since we didn't add a ELB, we will only see the container on the first EC2 we launched.
What we can do for our security groups is edit the settings that need to be changed or deploy a cluster and do that manually.
In the previous lessons, we quickly went through the ECS Wizard.
Let's take a look at how we can set up a cluster with a basic web app.
If we head back to the EC2 container service, let's walk through how we can customize our cluster initially and can use it in a manner more enterprise ready.
Task Definition
- give a solid name about least definition to a task definition
- again, select the mappings etc that you want
Now, in the advaned options, we want to make some changes.
Handy inclusions will be our environment variables.
Now, when the host starts, the container will start this image.
In this case, we will also define a load balance on a particular port.
Since we still have a very restricive security group, we still cannot SSH in. Why is that? We can configure our security groups.
How can we connect using SSH even when we have a key pair already?
The reason we cannot, is that during the initial launch, we don't have a way to apply another security group to another instance.
So in the EC2 > Instances
, we can view the Security Group being used as the source. If we click onto it, it will take us to the container security group.
Now if we look at the inbound and outbound rules!
There is a ECSAllowedPorts
and the ELBAllowedPorts
, and we are allow to enter one if we allowed in the ELB security group. Effectively, the ELB permissions are imported directly to the ECS allowed ports.
So we can in fact now add in the SSH IP that we want to use. As soon as we save, it immediately applies to our instance!
If we now run ps aux | grep http
we can now see the shell script we have run to launch the container.
We have the ability in the EC2 instances live into our cluster.
In ECS > Clusters > ECS Instance > Scale ECS Instances
we can choose what we are scaling. If will load it with reference to the ELB but it won't be auto setup.
If we head to EC2 > Instances
is our new instane configured exactly the same way as the original one.
Once the EC2 is up, the container won't be showing up on the IP just yet. If we SSH into that address, we can see that it is running but no http
service is running.
Head back to ECS
and we can see in the clusters that we only have one running task.
Now, if we select Clusters > Task
, we run a new task and choose our task definition. We still only need to run 1 task, since we just ran 1 additional instance. It's a 1-to-1 relationship.
Something that is cool, is that just because we are running a new task, we don't have to choose the same definition eg. like how we are running a database to support the cluster.
Once that task is running, if we now check that IP, we can now see the website is actually running.
Now that we have two instances running, but the load balancer on has 1 of 1 instances.
What we have to do in EC2 > Load Balancers > Status
, we click on it and edit the instances. The the ELB has already registered that there is another container instance (as you'll be able to see) so we click on it and then we select save.
Now we have multiple nodes, and the ELB will now use round robin to choose the node to use.
Load balancers do not currently store session state by default, which can be a trouble if you are running with round robin. You need to turn on Stickiness on the Port Configuration in order to keep sessions.
We can enabled Load Balancer
generated cookies or appliation generated cookie stickiness. Application will look for a cookie you set.
Generally you just want 5 minutes or so or you could suffer from affinity overload
if one server gets overloaded.
What we can do for loading containers is run from Docker Hub.
If you are going to use a propriatary system, use a private Docker Hub repo.
This example is given from AWS Labs.
The Dockerfile will be used to get a base image we want it built on and then we can declare variables that we want associated with it.
In this example, we will run docker build -t username/name-of-repo
and it will work from the Dockerfile and line everything up.
After the build, it will now be another image we can run against.
docker run -p 80:80 latest123/amazon-ecs-sample:latest
We can run docker ps
to ensure it is running and then we should be able to check localhost and see it all running.
docker login
will sign us into our Docker account and the credentials will be saved.
Now if we docker push
, we can push that image.
We can now see that our repo has been pushed up to the account.
With the repo available for a docker pull, what we can now do is create a new task definition that will apply to a running task definition.
Creating the task definition
- Can be done by either console or CLI
Select ECS > Task Definitions > Create a new definition
.
Example console-task-def-latest-sampleweb
.
What we can do is now add a container! We can also do a configure via JSON.
How do we do that? We can add a config.json
file that has all of the details.
In the example config that we paste in here from the AWSLabs example, we just need to change the Image that we wish to change.
Once we have created that task definition, we can head back to Clusters and see the task there.
Now that the task definition is done, how can we use that in our cluster? As we've seen before, we can scale the cluster with the additional instances.
Before we can apply a task to, we need to scale the instances.
Once the new EC2 instance is up, we can again check that it isn't running if we check the Public IP.
Back in ECS > Clusters > ECS Instances
, we have two tasks running and we can now run a new task.
One thing to notice is that the task definition list cannot be removed.
Once the task has run, get the IP that is provisioned and see if you can head to it - which you can!
- Service Health is important to decide if it's with the cluster and not AWS.
- Another option is to check events.
- Check the instances, which also has deeper information
- Check the Load Balancer have the in service status. - Health checks here can be configured.
- We can check the cluster itself - Check primary service is
ACTIVE
- Check the instances and the tasks