Task #2377: Using CLI utilities to control containers in AWS
Status: open
Added by Jan Kolařík over 4 years ago. Updated over 4 years ago.
Updated by Jan Kolařík over 4 years ago
#installation of the AWS CLI and the AWS ECS CLI (ecs-cli)
#configure AWS credentials
aws configure
#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html
#Create the task execution role
aws iam --region eu-west-1 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json
#Attach the task execution role policy:
aws iam --region eu-west-1 attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
#Create a CLI profile using your access key and secret key
ecs-cli configure profile --profile-name prof_kolarik --access-key xxx --secret-key xxxx
#Create a cluster configuration, which defines the AWS region to use
ecs-cli configure --cluster cl-testovaci2 --default-launch-type FARGATE --config-name cl-testovaci2 --region eu-west-1
#create cluster, VPC will be created
ecs-cli up --cluster-config cl-testovaci2 --ecs-profile prof_kolarik
##VPC created: vpc-02f20958117ea93ae
##Subnet created: subnet-0ce5c6eb7e1553214
##Subnet created: subnet-0e96095df3272fad4
##Cluster creation succeeded.
#retrieve the default security group ID for the VPC
aws ec2 describe-security-groups --filters Name=vpc-id,Values=vpc-0d3b23afa21ef55fd --region eu-west-1
#add a security group rule to allow inbound
aws ec2 authorize-security-group-ingress --group-id sg-09e5b5e1048d77700 --region eu-west-1 --ip-permissions IpProtocol=tcp,FromPort=0,ToPort=65535,IpRanges=[{CidrIp=5.181.93.121/32}]
#create docker-compose.yml + ecs-params.yml
#deploy and start
ecs-cli compose service up --create-log-groups --cluster-config cl-testovaci2 --ecs-profile prof_kolarik
#deploy and start with DNS
ecs-cli compose --project-name db service up --create-log-groups --cluster-config cl-testovaci2 --ecs-profile prof_kolarik --private-dns-namespace test1 --enable-service-discovery --vpc vpc-663ac41f
#display tasks in the cluster
ecs-cli compose service ps --cluster-config cl-testovaci2 --ecs-profile prof_kolarik
#stop task
ecs-cli compose --project-name db service down --cluster-config cl-testovaci2 --ecs-profile prof_kolarik &
ecs-cli compose --project-name app service down --cluster-config cl-testovaci2 --ecs-profile prof_kolarik &
#list namespaces
aws servicediscovery list-namespaces --region eu-west-1
#retrieve namespace
aws servicediscovery list-namespaces --no-paginate --output json| jq -r ".Namespaces[] |select ( .Name==\"test1\") |.Id"
#delete namespace
aws servicediscovery delete-namespace --id ns-cr5lkocge26azc3a --region eu-west-1
#destroy cluster
ecs-cli down --force --cluster-config cl-testovaci2 --ecs-profile prof_kolarik
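Added example, not part of the ticket: the steps above retrieve the VPC's default security group and then open the whole TCP port range (0-65535) to one source address. The script below audits `describe-security-groups` output for exactly that kind of rule (full port range, all protocols, 0.0.0.0/0 or ::/0, sources wider than one host) and builds the narrow `--ip-permissions` shorthand for a single port from a single host instead. The JSON sample and the `sg-`/`vpc-` ids in it are constructed for the example; rules sourced from another security group are deliberately not reported.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group and VPC ids are made up for this example.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0example0000000001",
        "GroupName": "default",
        "VpcId": "vpc-0example0000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,   # one host, one port
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,    # one host, every TCP port
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",                                      # everything from anywhere
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "-1",                                      # members of this group only
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0example0000000001"}]},
        ],
    }]
})


def audit_ingress(describe_output: str):
    """Return (group_id, reason, rule) findings for over-broad CIDR-sourced rules.

    Rules whose only source is another security group (UserIdGroupPairs) are
    not reported: they are bounded by that group's membership, not by an
    address range.
    """
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # "-1" rules carry no FromPort/ToPort at all
            lo, hi = perm.get("FromPort", "any"), perm.get("ToPort", "any")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                rule = f"{proto} {lo}-{hi} from {cidr}"
                reasons = []
                if proto == "-1":
                    reasons.append("all protocols")
                elif (lo, hi) == (0, 65535):
                    reasons.append("full port range")
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reasons.append("open to the internet")
                elif net.num_addresses > 1:
                    reasons.append("source wider than one host")
                findings.extend((gid, r, rule) for r in reasons)
    return findings


def single_host_permission(port: int, cidr: str, proto: str = "tcp") -> str:
    """Build the --ip-permissions shorthand for one port from one host (/32 or /128)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"{cidr} is not a single host")
    key = "IpRanges" if net.version == 4 else "Ipv6Ranges"
    field = "CidrIp" if net.version == 4 else "CidrIpv6"
    return f"IpProtocol={proto},FromPort={port},ToPort={port},{key}=[{{{field}={cidr}}}]"


if __name__ == "__main__":
    for gid, reason, rule in audit_ingress(SAMPLE_DESCRIBE_SG):
        print(f"{gid}: {reason}: {rule}")
    print(single_host_permission(5432, "203.0.113.10/32"))
```

Feed it real output with `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> --output json` and pipe the file into `audit_ingress`; the string from `single_host_permission` is what to pass as `--ip-permissions` when the service only needs one port (5432 for the database task in this ticket).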
Updated by Jan Kolařík over 4 years ago
I did some trials with containers in ECS; remarks:
1) ECS cannot have 2 services with the same name in one cluster, even if the namespace is different
2) It's not possible to delete an ECS cluster with running tasks (even with force)
3) It's not possible to use "compose stop" without the starting yaml file
4) It's not possible to use registered domains for services in the same namespace without the namespace
5) Resources allocated by ecs-cli should be released by ecs-cli; a combination with aws-cli can be used when ecs-cli fails.
##create cluster and services
time ecs-cli up --vpc vpc-663ac41f --subnets subnet-5afc8900 --cluster-config cl-testovaci2
time ecs-cli compose --project-name db service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f
time ecs-cli compose --project-name app service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f
##destroy services and cluster
ecs-cli compose --project-name app service down --delete-namespace --cluster-config cl-testovaci2
ecs-cli compose --project-name db service down --delete-namespace --cluster-config cl-testovaci2
ecs-cli down --force --cluster cl-testovaci2
6) Releasing resources with aws-cli:
#stop and delete services in the cluster
aws ecs list-services --cluster cl-testovaci2 --output text |awk -F/ '{print $2}'|xargs -I xxxSRVxxx aws ecs delete-service --cluster cl-testovaci2 --service xxxSRVxxx --force >/dev/null
#delete resources used in the cluster created by CloudFormation (CloudFormation id used by ECS)
for i in `aws cloudformation list-stacks |jq -r ".StackSummaries[] |select (.StackStatus==\"CREATE_COMPLETE\" or .StackStatus==\"ROLLBACK_COMPLETE\") |.StackName" |fgrep -- -cl-testovaci2`; do echo $i;aws cloudformation delete-stack --stack-name $i;done
#delete namespace
aws servicediscovery delete-namespace --id `aws servicediscovery list-namespaces --no-paginate --output json| jq -r ".Namespaces[] |select ( .Name==\"test5\") |.Id"`
#delete cluster
aws ecs delete-cluster --cluster cl-testovaci2 >/dev/null
Creating container from private repository:
1) using credentials:
create the file creds_input.yml
version: '1'
registry_credentials:
  nexus.bcvsolutions.eu:
    username: docker
    password: hovno123
    container_names:
      - mycont
run:
ecs-cli registry-creds up ./creds_input.yml --role-name secretsTaskExecutionRole
Starting containers (docker compose in ECS):
docker-compose-db.yml
version: '3'
services:
  mycont:
    image: nexus.bcvsolutions.eu:8445/postgresimage:9.6-r0
    logging:
      driver: awslogs
      options:
        awslogs-group: cltest2
        awslogs-region: eu-west-1
        awslogs-stream-prefix: db
    environment:
      - TZ=Europe/Prague
      - DB_NAME=czechidm
      - DB_USER=czechidm
      - DB_USERPASSWORD=xxx
Define resources in ECS (cpu_limit: 256 is 0.25 vCPU):
ecs-params-db.yml
version: 1
task_definition:
  task_execution_role: ecsTaskExecutionRole
  ecs_network_mode: awsvpc
  task_size:
    mem_limit: 2GB
    cpu_limit: 256
run_params:
  network_configuration:
    awsvpc_configuration:
      subnets:
        - "subnet-5afc8900"
      security_groups:
        - "sg-074d50b3d2674834f"
      assign_public_ip: ENABLED
Then the ECS container can be started/stopped:
time ecs-cli compose --project-name db --file docker-compose-db.yml --ecs-params ecs-params-db.yml service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f
time ecs-cli compose --project-name app --file docker-compose-app.yml --ecs-params ecs-params-app.yml service up --create-log-groups --cluster-config cl-testovaci2 --private-dns-namespace test5 --enable-service-discovery --vpc vpc-663ac41f
ecs-cli compose --project-name app --file docker-compose-app.yml service down --delete-namespace --cluster-config cl-testovaci2
ecs-cli compose --project-name db --file docker-compose-db.yml service down --delete-namespace --cluster-config cl-testovaci2
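Added example, not part of the ticket: the `creds_input.yml` consumed by `ecs-cli registry-creds up` carries the registry password in clear text, and the ticket links a git repository that holds the deployment scripts, so the file is easy to commit by accident. The script below renders that version-1 input file from environment variables (so the password is never typed into a tracked file) and includes a small pre-commit style scan that flags lines with a literal `password:` or secret-key value while tolerating placeholders such as `xxx` or `${VAR}`. The registry host `registry.example.internal` and the variable names `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` are assumptions made for this example.

```python
import os
import re
from typing import Iterable, Mapping

# Hypothetical names used by this example (not from the ticket): the registry
# host and the environment variables the credentials are read from.
REGISTRY_HOST = "registry.example.internal"
USER_VAR = "REGISTRY_USERNAME"
PASS_VAR = "REGISTRY_PASSWORD"


def yaml_scalar(value: str) -> str:
    """Single-quote a YAML scalar so ':', '#' and quotes inside a password survive parsing."""
    return "'" + value.replace("'", "''") + "'"


def render_registry_creds(registry: str, username: str, password: str,
                          containers: Iterable[str]) -> str:
    """Render the version-1 input file for `ecs-cli registry-creds up`."""
    if not username or not password:
        raise ValueError("registry username and password must both be set")
    containers = list(containers)
    if not containers:
        raise ValueError("at least one container_names entry is required")
    lines = [
        "version: '1'",
        "registry_credentials:",
        f"  {registry}:",
        f"    username: {yaml_scalar(username)}",
        f"    password: {yaml_scalar(password)}",
        "    container_names:",
    ] + [f"      - {c}" for c in containers]
    return "\n".join(lines) + "\n"


def creds_from_env(registry: str, containers: Iterable[str],
                   env: Mapping[str, str] = os.environ) -> str:
    """Build the file from the environment so the secret never lands in a tracked file."""
    return render_registry_creds(registry, env.get(USER_VAR, ""),
                                 env.get(PASS_VAR, ""), containers)


# Keys whose literal value should never be committed; placeholders are tolerated.
SECRET_KEY = re.compile(
    r"^\s*(password|secret[_-]?key|aws_secret_access_key)\s*:\s*(\S+)", re.I)


def is_placeholder(value: str) -> bool:
    """True for xxx-style dummies, <angle> templates, empty values and ${VAR} references."""
    v = value.strip("'\"")
    return v == "" or set(v) <= {"x", "X"} or v.startswith("<") or v.startswith("${")


def find_plaintext_secrets(text: str):
    """Return (line_number, key) for every line that carries a real secret value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if m and not is_placeholder(m.group(2)):
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    # Write the rendered text to a temporary file for ecs-cli and delete it afterwards;
    # the scan shows why the file must not be committed.
    text = creds_from_env(REGISTRY_HOST, ["mycont"])
    print(text)
    for n, key in find_plaintext_secrets(text):
        print(f"line {n}: literal {key} value - do not commit this file")
```

Run `find_plaintext_secrets` over every `*.yml` in the scripts repository from a pre-commit hook; a non-empty result should fail the commit. Placeholders like the `xxx` values the ticket uses pass the check unchanged.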
Updated by Jan Kolařík over 4 years ago
I got stuck at defining credentials for the Nexus Docker repo. The documentation on the AWS website is not well arranged. It's useful to use the help command of the aws and ecs-cli utilities.
Scripts for starting images in ECS as services are at:
https://git.bcvsolutions.eu/czechidm/docker-test-environment/tree/develop/awsidmInServices
After discussion with Petr F. it was decided that we will use a simple approach at the beginning - no parallel tests. Also, all containers will run in one task. It can be done with these commands:
TASK start:
ecs-cli compose --project-name idm --registry-creds ecs-registry-creds.yml up --cluster cl-idmtest --launch-type FARGATE --create-log-groups
TASK stop:
ecs-cli compose --project-name idm down --cluster cl-idmtest
The docker compose file in AWS doesn't allow dependencies. The simplest solution is to create a new revision of the task with dependencies enabled in the AWS console and then start this task definition revision:
aws ecs run-task --cluster cl-idmtest --task-definition idm:13 --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=['subnet-5afc8900'],securityGroups=['sg-074d50b3d2674834f'],assignPublicIp='ENABLED'}"