[04] Task Definitions

Question 1

What are the two options for logging stdout/stderr from containers?

Answer 1

Docker logging driver e.g. awslogs, Sidecar container e.g. AWS Firelens

Question 2

What are Docker logging drivers?

Answer 2

Built into the Docker daemon

Question 3

What Docker logging drivers are supported on Fargate?

Answer 3

awslogs, splunk

Question 4

What Docker logging drivers are supported on EC2?

Answer 4

awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk

Question 5

What are the components of the logConfiguration object in a task definition?

Answer 5

logDriver, option and secretOptions

Question 6

What role is used to connect send logs to CloudWatch when using Docker logging drivers?

Answer 6

The execution role

Question 7

What is the default mode for awslogs Docker logging driver?

Answer 7

blocking

Question 8

What mode is recommended for awslogs Docker logging driver?

Answer 8

non-blocking

Question 9

What is a sidecar container?

Answer 9

A container that runs alongside the main application

Question 10

What port does the FireLens log router listen on?

Answer 10

24224

Question 11

What type of container dependency is recommended when using FireLens?

Answer 11

A container dependency to ensure the log router starts before the application container

Question 12

When is a container dependency required for FireLens?

Answer 12

For bridge networking mode

Question 13

What role is used by the sidecar container to send logs?

Answer 13

The task role

Question 14

What is the PROVISIONING state?

Answer 14

The state a task will be in while ECS is performing additional provisioning steps

Question 15

What options are available for passing secrets to containers in ECS?

Answer 15

Automatically expose the secrets as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager parameter store, update their application to directly pull secrets from Secrets Manager or SSM using the AWS SDK, in the case of logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM, for private registry authentication, only Secrets Manager is supported, or for EC2, the ECS agent can be configured by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA

Question 16

What role is used when automatically exposing secrets as environment variables?

Answer 16

The execution role

Question 17

What role is used when the application pulls secrets directly from Secrets Manager or SSM?

Answer 17

The task role

Question 18

How can you troubleshoot issues with secrets in ECS?

Answer 18

Check CloudTrail, as all operations which access secrets are recorded

Question 19

What CloudTrail events are recorded when accessing secrets from Secrets Manager?

Answer 19

The API secretsmanager:GetSecretValue is recorded

Question 20

What CloudTrail events are recorded when accessing secrets from SSM?

Answer 20

Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM parameter store only stores a pointer)

Question 21

What other CloudTrail events may be recorded when accessing secrets?

Answer 21

There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK

Question 22

Are secrets injected as environment variables updated automatically?

Answer 22

No, secrets injected as environment variables are not updated automatically

Question 23

What Linux networking mode allocates an ENI to each task?

Answer 23

awsvpc

Question 24

What networking mode is recommended for both Linux and Windows tasks?

Answer 24

awsvpc

Question 25

What networking mode allows traffic to be audited using VPC Flow Logs?

Answer 25

awsvpc

Question 26

What networking mode allows containers in the same task to communicate using localhost without configuring links?

Answer 26

awsvpc

Question 27

What is the default networking mode for Linux tasks?

Answer 27

bridge

Question 28

What Linux networking mode binds a host port to a container port if hostPort is set?

Answer 28

bridge

Question 29

What is the default networking mode for Windows tasks?

Answer 29

default

Question 30

What Linux networking mode uses the host’s network and requires hostPort?

Answer 30

host

Question 31

What Linux networking mode prevents external network connectivity?

Answer 31

none

Question 32

What load balancer type is not supported for awsvpc networking mode?

Answer 32

Classic load balancers

Question 33

What Linux parameter controls the maximum number of files allowed for networking?

Answer 33

The nofile ulimit

Question 34

What parameters control the size of the read and write buffers for networking performance tuning?

Answer 34

sysctl net settings

Question 35

What state will a task be in while ECS is performing additional steps for it?

Answer 35

PROVISIONING state

Question 36

What state is a task in while ECS is performing additional provisioning steps?

Answer 36

PROVISIONING

Question 37

What memory-related container settings can be configured for Linux-based EC2 instances?

Answer 37

maxSwap and swappiness

Question 38

What is maxSwap used for?

Answer 38

Controls the amount of swap memory a container can use

Question 39

What does swappiness control?

Answer 39

The aggressiveness by which the container utilises swap space

Question 40

What signal is sent to PID 1 when a container needs to stop?

Answer 40

SIGTERM

Question 41

What signal is sent if the application doesn’t stop gracefully within the stopTimeout period?

Answer 41

SIGKILL

Question 42

What type of image tags are recommended for storing container images used with ECS?

Answer 42

Immutable image tags in ECR

Question 43

Why are immutable image tags recommended for ECS?

Answer 43

To ensure the same task definition always launches the same containers

Question 44

When it comes to resources, what is not supported for EC2 Windows instances?

Answer 44

Task-level CPU or memory settings

Question 45

What should be used instead of task-level CPU/memory settings for EC2 Windows?

Answer 45

Per-container limits

Question 46

What is the minimum memory that the Docker 20.10.0 or later daemon reserves for a container?

Answer 46

6MiB

Question 47

What is required to use a GPU with ECS?

Answer 47

The GPU variant of the ECS-optimised AMI, setting ECS_ENABLE_GPU_SUPPORT to true, setting NVIDIA environment variables or using a pre-configured base image

Question 48

How are Neuron resource requirements defined for ECS tasks?

Answer 48

Using linuxParameters to assign a specific device to the task

Question 49

What is the PROVISIONING state?

Answer 49

The state a task will be in while ECS is performing additional steps

Question 50

What identifies a task definition?

Answer 50

family name and sequential revision number

Question 51

What are the three possible states that a task definition may be in?

Answer 51

ACTIVE, INACTIVE, DELETE_IN_PROGRESS

Question 52

What is the ACTIVE state for a task definition?

Answer 52

the task definition can be used to run tasks and create services

Question 53

What is the INACTIVE state for a task definition?

Answer 53

new tasks can’t be launched using the task definition, but existing services and task are unaffected

Question 54

What is the DELETE_IN_PROGRESS state?

Answer 54

the task has been marked for deletion

Question 55

What will block a task definition from being deleted?

Answer 55

Tasks, services and deployments which reference a task definition

Question 56

What types of data volumes can be used with ECS tasks?

Answer 56

Bind mounts, Docker volumes, EBS volumes, EFS volumes, FSx volumes.

Question 57

What is a bind mount?

Answer 57

A file or directory stored on the host that is referenced by the container.

Question 58

On what launch types are bind mounts supported?

Answer 58

EC2 & Fargate.

Question 59

What task definition parameters are relevant for bind mounts on Fargate?

Answer 59

ephemeralStorage

Question 60

How can data be pre-populated into a bind mount?

Answer 60

By using a VOLUME Dockerfile directive.

Question 61

What are Docker volumes?

Answer 61

Volumes managed by Docker and created on the host EC2 instance.

Question 62

What volume driver is supported for Windows tasks?

Answer 62

local

Question 63

On what launch types can EBS volumes be attached?

Answer 63

Linux tasks running on Fargate or EC2.

Question 64

How are EBS volumes created for tasks?

Answer 64

New volumes are either empty or launched from a snapshot. Existing volumes can’t be used.

Question 65

What controls the deletion of EBS volumes attached to service tasks?

Answer 65

Volumes attached to service tasks are always deleted upon task termination.

Question 66

How does ECS authenticate to create and attach EBS volumes?

Answer 66

Using the infrastructure IAM role.

Question 67

What permissions are required for a container to write to a mounted EBS volume?

Answer 67

The container must run as a root user.

Question 68

Where is EBS volume configuration defined?

Answer 68

In the service definition. The task definition only includes a volume with ‘configuredAtLaunch’.

Question 69

On what launch types can EFS volumes be attached?

Answer 69

Linux tasks running on Fargate or EC2.

Question 70

How is authentication handled for EFS volumes?

Answer 70

Authentication uses the task role, or security groups if no role is provided.

Question 71

What manages EFS volumes on EC2?

Answer 71

The ECS volume plugin.

Question 72

What manages EFS volumes on Fargate?

Answer 72

A supervisor container.

Question 73

What configuration is recommended for the ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION when using EFS?

Answer 73

Set it lower than the default value.

Question 74

How can access to an EFS volume be restricted?

Answer 74

By using an EFS access point and restricting task role access.

Question 75

What additional requirements exist for using FSx volumes?

Answer 75

The EC2 container instance must be joined to an Active Directory domain.

Question 76

How should credentials for accessing an FSx volume be stored?

Answer 76

In Secrets Manager or SSM and referenced in the task definition.