Task #2377

open

Using CLI utilities to control containers in AWS

Added by Jan Kolařík over 4 years ago. Updated over 4 years ago.

Status: In Progress
Priority: Normal
Assignee: Jan Kolařík
Category: -
Target version: -
Start date: 07/08/2020
Due date:
% Done: 0%
Estimated time:
Owner:
#1

Updated by Jan Kolařík over 4 years ago

#installation of AWS CLI and AWS ECS CLI

#configure AWS credentials
aws configure

#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html
#Create the task execution role
aws iam --region eu-west-1 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json

#Attach the task execution role policy:
aws iam --region eu-west-1 attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

#Create a CLI profile using your access key and secret key
ecs-cli configure profile --profile-name prof_kolarik --access-key xxx --secret-key xxxx

#Create a cluster configuration, which defines the AWS region to use
ecs-cli configure --cluster cl-testovaci2 --default-launch-type FARGATE --config-name cl-testovaci2 --region eu-west-1

#create cluster, VPC will be created
ecs-cli up --cluster-config cl-testovaci2 --ecs-profile prof_kolarik
##VPC created: vpc-02f20958117ea93ae
##Subnet created: subnet-0ce5c6eb7e1553214
##Subnet created: subnet-0e96095df3272fad4
##Cluster creation succeeded.

#retrieve the default security group ID for the VPC
aws ec2 describe-security-groups --filters Name=vpc-id,Values=vpc-0d3b23afa21ef55fd --region eu-west-1

#add a security group rule to allow inbound
aws ec2 authorize-security-group-ingress --group-id sg-09e5b5e1048d77700 --region eu-west-1 --ip-permissions 'IpProtocol=tcp,FromPort=0,ToPort=65535,IpRanges=[{CidrIp=5.181.93.121/32}]'

#create docker-compose.yml + ecs-params.yml

#deploy and start
ecs-cli compose service up --create-log-groups --cluster-config cl-testovaci2 --ecs-profile prof_kolarik

#deploy and start with DNS
ecs-cli compose --project-name db service up --create-log-groups --cluster-config cl-testovaci2 --ecs-profile prof_kolarik --private-dns-namespace test1 --enable-service-discovery --vpc vpc-663ac41f

#display tasks in the cluster
ecs-cli compose service ps --cluster-config cl-testovaci2 --ecs-profile prof_kolarik

#stop task
ecs-cli compose --project-name db service down --cluster-config cl-testovaci2 --ecs-profile prof_kolarik &
ecs-cli compose --project-name app service down --cluster-config cl-testovaci2 --ecs-profile prof_kolarik &

#list namespaces
aws servicediscovery list-namespaces --region eu-west-1

#retrieve namespace
aws servicediscovery list-namespaces --no-paginate --output json| jq -r ".Namespaces[] |select ( .Name==\"test1\") |.Id"

#delete namespace
aws servicediscovery delete-namespace --id ns-cr5lkocge26azc3a --region eu-west-1

#destroy cluster
ecs-cli down --force --cluster-config cl-testovaci2 --ecs-profile prof_kolarik

#2

Updated by Jan Kolařík over 4 years ago

I did some tries with containers in ECS, remarks:
1) ECS cannot have 2 services with the same name in one cluster even though the namespace is different
2) It's not possible to delete an ECS cluster with running tasks (even with force)
3) It's not possible to use "compose stop" without the starting yaml file
4) It's not possible to use registered domains for services in the same namespace without namespace
5) Resources allocated by ecs-cli should be released by ecs-cli, combination with aws-cli can be used when ecs-cli fails.

##create cluster and services
time ecs-cli up --vpc vpc-663ac41f --subnets subnet-5afc8900 --cluster-config cl-testovaci2 
time ecs-cli compose --project-name db service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f
time ecs-cli compose --project-name app service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f

##destroy services and cluster
ecs-cli compose --project-name app service down --delete-namespace --cluster-config cl-testovaci2
ecs-cli compose --project-name db service down --delete-namespace --cluster-config cl-testovaci2
ecs-cli down --force --cluster cl-testovaci2

6) releasing resources by aws-cli:
#stop and delete services in the cluster
aws ecs list-services --cluster cl-testovaci2 --output text |awk -F/ '{print $NF}'|xargs -I xxxSRVxxx aws ecs delete-service --cluster cl-testovaci2 --service xxxSRVxxx --force >/dev/null

#delete resources used in the cluster created by CloudFormation (CloudFormation id uses by ECS)
for i in $(aws cloudformation list-stacks |jq -r ".StackSummaries[] |select (.StackStatus==\"CREATE_COMPLETE\" or .StackStatus==\"ROLLBACK_COMPLETE\") |.StackName" |grep -F -- -cl-testovaci2); do echo $i;aws cloudformation delete-stack --stack-name $i;done

#delete namespace
aws servicediscovery delete-namespace --id $(aws servicediscovery list-namespaces --no-paginate --output json| jq -r ".Namespaces[] |select ( .Name==\"test5\") |.Id")

#delete cluster
aws ecs delete-cluster --cluster cl-testovaci2 >/dev/null

Creating container from private repository:
1) using credentials:
create file creds_input.yml

version: '1'
registry_credentials:
  nexus.bcvsolutions.eu: 
    username: docker
    password: hovno123
    container_names:
      - mycont

run:
ecs-cli registry-creds up ./creds_input.yml --role-name secretsTaskExecutionRole

Starting containers (docker compose in ECS):
docker-compose-db.yml

version: '3'
services:
  mycont:
    image: nexus.bcvsolutions.eu:8445/postgresimage:9.6-r0 
    logging:
      driver: awslogs
      options: 
        awslogs-group: cltest2
        awslogs-region: eu-west-1
        awslogs-stream-prefix: db
    environment:
      - TZ=Europe/Prague
      - DB_NAME=czechidm
      - DB_USER=czechidm
      - DB_USERPASSWORD=xxx

Define resources in ECS, (cpu_limit: 256 is .25 vCPU):
ecs-params-db.yml
version: 1
task_definition:
  task_execution_role: ecsTaskExecutionRole
  ecs_network_mode: awsvpc
  task_size:
    mem_limit: 2GB
    cpu_limit: 256
run_params:
  network_configuration:
    awsvpc_configuration:
      subnets:
        - "subnet-5afc8900" 
      security_groups:
        - "sg-074d50b3d2674834f" 
      assign_public_ip: ENABLED

Then ECS container can be started/stopped:

time ecs-cli compose --project-name db --file docker-compose-db.yml --ecs-params ecs-params-db.yml service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f

time ecs-cli compose --project-name app --file docker-compose-app.yml --ecs-params ecs-params-app.yml service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f

ecs-cli compose --project-name app --file docker-compose-app.yml service down --delete-namespace --cluster-config cl-testovaci2

ecs-cli compose --project-name db --file docker-compose-db.yml service down --delete-namespace --cluster-config cl-testovaci2
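One way to check the ingress rule added in comment #1 (and the security group that ecs-params-db.yml attaches to the task) before a service is exposed: an added Python example, not part of this ticket, of ecs-cli or of the AWS CLI, that reads the JSON printed by `aws ec2 describe-security-groups` and reports rules that open a wide port range, are not limited to a protocol, or accept traffic from the whole internet. The sample JSON, the group IDs and the MAX_PORT_SPAN threshold are constructed for the example; the first sample group mirrors the 0-65535 rule from comment #1, the second is the narrowed form (only the PostgreSQL port, assumed to be 5432, from the same /32 source).

```python
"""Audit ingress rules from `aws ec2 describe-security-groups` JSON output.

Added example, not part of the ticket. The input shape is the JSON the AWS
CLI prints; the sample below, the group IDs and the threshold are constructed.
"""
import ipaddress
import json
import sys

# Hypothetical policy: flag any single rule that spans more than this many ports.
MAX_PORT_SPAN = 16

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0000000000000001",   # constructed id
            "GroupName": "default",
            "IpPermissions": [
                # same shape as the rule from comment #1: all TCP ports from one /32
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "5.181.93.121/32"}], "Ipv6Ranges": []},
                # constructed: every protocol, from anywhere
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0000000000000002",   # constructed id
            "GroupName": "db-only",
            "IpPermissions": [
                # narrowed form: only the PostgreSQL port (assumed 5432) from the same /32
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "5.181.93.121/32"}], "Ipv6Ranges": []},
            ],
        },
    ]
})


def describe_rule(perm):
    """Short protocol/port summary of one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return f"{proto} (all ports)"
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def rule_findings(perm):
    """Return the findings for one ingress rule; an empty list means nothing to report."""
    findings = []
    summary = describe_rule(perm)
    proto = perm.get("IpProtocol", "-1")
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto == "-1":
        findings.append(f"{summary}: rule is not limited to a protocol")
    elif lo is not None and hi is not None and hi - lo + 1 > MAX_PORT_SPAN:
        findings.append(f"{summary}: port range wider than {MAX_PORT_SPAN} ports")
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for cidr in sources:
        # prefix length 0 (0.0.0.0/0 or ::/0) means any source address
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"{summary}: source {cidr} is the whole internet")
    return findings


def audit_security_groups(describe_output):
    """Map GroupId -> findings, for every group that has at least one finding."""
    report = {}
    for sg in json.loads(describe_output).get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            for finding in rule_findings(perm):
                report.setdefault(sg["GroupId"], []).append(finding)
    return report


if __name__ == "__main__":
    # Pipe real CLI output in; with no pipe, the constructed sample is audited.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for group_id, items in audit_security_groups(text).items():
        for item in items:
            print(f"{group_id}: {item}")
```

To run it against a real VPC, pipe in the command from comment #1: `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> --region eu-west-1 --output json | python sg_audit.py` (the script name is an assumption). Only ingress rules are examined; egress rules and security-group-to-security-group references (UserIdGroupPairs) are left alone, since they describe a different trust relationship.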

#3

Updated by Jan Kolařík over 4 years ago

I got stuck at defining credentials for the Nexus docker repo. The documentation on the AWS web is not well arranged. It's useful to use the help command of the aws and ecs-cli utilities.

Scripts for starting images in ECS as services are at:
https://git.bcvsolutions.eu/czechidm/docker-test-environment/tree/develop/awsidmInServices

After discussion with Petr F. it was decided that we will use a simple approach at the beginning - no parallel tests. Also, all containers will run in one task. It can be done by these commands:

TASK start:
ecs-cli compose --project-name idm --registry-creds ecs-registry-creds.yml up --cluster cl-idmtest --launch-type FARGATE --create-log-groups
TASK stop:
ecs-cli compose --project-name idm down --cluster cl-idmtest

The docker compose file in AWS doesn't allow dependencies. The simplest solution is to create a new revision of the task with dependencies enabled in the AWS console and then start this task definition revision:
aws ecs run-task --cluster cl-idmtest --task-definition idm:13 --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=['subnet-5afc8900'],securityGroups=['sg-074d50b3d2674834f'],assignPublicIp='ENABLED'}" 
