這個議題比我想像中麻煩了點,讓我回憶起 2009 年寫的 AWS 筆記,那時同事一開始還只在用 Firefox extension 管理 AWS EC2 呢 XD 我覺得這理論上要能都透過網頁搞定才對,先把目前研究的過程筆記一下。
總之,要能像 ssh 遠端(docker exec -it ContainerID bash)進去 AWS ECS container 的關鍵之處:
- 使用 awscli 做事
- AWS ECS 的 Task 定義,基礎設施需求 -> 任務角色,需要指定一下角色,例如 ecsTaskExecutionRole
- AWS IAM -> ecsTaskExecutionRole -> 添加 AmazonSSMManagedInstanceCore 權限
- AWS ECS -> Cluster -> Service ,需要用 awscli 啟動 enable-execute-command ,並且重新更新服務,使之生效
- 使用 aws 指令登入
首先,先下載 awscli 並且版本要夠新:
安裝後檢查版本,版本太低會無法完成任務:
% aws --versionaws-cli/2.24.5 Python/3.12.6 Darwin/24.3.0 exe/x86_64
接著還要安裝 Session Manager plugin,此例紀錄 Mac with Apple silicon 版:
% curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"% unzip sessionmanager-bundle.zip% sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
基本的環境已準備好了,下一刻是查看自己的 AWS ECS 的任務定義是否有把 任務角色 設定好,這部就維持用網頁吧:
若你的 AWS ECS 上定義的 Task 只有一個,也可以偷懶靠 awscli 操作(在此就不贅述 AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION 部分),會用到的指令:
aws ecs list-task-definition-families --status ACTIVEaws ecs list-task-definitions --family-prefix webappaws ecs describe-task-definition --task-definition webapp:3
連續技,快速檢查 taskRoleArn 跟 executionRoleArn:
% NamespaceID=$(aws ecs list-task-definition-families --status ACTIVE | jq -r '.families[0]') ; echo "Namespace: $NamespaceID" ; TaskID=$(aws ecs list-task-definitions --family-prefix "$NamespaceID" | jq -r '.taskDefinitionArns[0]') ; echo "Task: $TaskID" ; aws ecs describe-task-definition --task-definition "$TaskID" | jq ".taskDefinition | { taskRoleArn: .taskRoleArn, executionRoleArn: .executionRoleArn}"Namespace: myapp-taskTask: arn:aws:ecs:ap-northeast-1:####:task-definition/myapp-task:2{"taskRoleArn": "arn:aws:iam::####:role/ecsTaskExecutionRole","executionRoleArn": "arn:aws:iam::####:role/ecsTaskExecutionRole"}
接下來,若 AWS ECS Cluster 還沒有建立任何 Service,用指令查:
% aws ecs list-tasks --cluster myapp-cluster{"taskArns": []}
接著我們在 AWS ECS 網頁端起了一個 Service 名為 myapp-service ,在創建過程中沒看到啟用 enable-execute-command,這時在網頁上查看也是顯示 "ECS 執行: 關閉"
接下來用 aws cli 查詢:
% aws ecs list-tasks --cluster myapp-cluster{"taskArns": ["arn:aws:ecs:ap-northeast-1:####:task/myapp-cluster/#TASKID#"]}% TaskID=$(aws ecs list-tasks --cluster myapp-cluster | jq -r '.taskArns[0]') ; echo "TaskID: $TaskID" ; aws ecs describe-tasks --cluster myapp-cluster --tasks $TaskID | jq '.tasks[0] | { "clusterArn": .clusterArn, "taskArn": .taskArn, "taskDefinitionArn": .taskDefinitionArn, "group": .group, "healthStatus": .healthStatus, "desiredStatus": .desiredStatus, "enableExecuteCommand": .enableExecuteCommand, "containers-name": [.containers |.[] | { "name":.name, "runtimeId": .runtimeId} ] }'TaskID: arn:aws:ecs:ap-northeast-1:####:task/myapp-cluster/#TASKID#{"clusterArn": "arn:aws:ecs:ap-northeast-1:####:cluster/myapp-cluster","taskArn": "arn:aws:ecs:ap-northeast-1:####:task/myapp-cluster/#TASKID#","taskDefinitionArn": "arn:aws:ecs:ap-northeast-1:####:task-definition/myapp-task:2","group": "service:myapp-service","healthStatus": "HEALTHY","desiredStatus": "RUNNING","enableExecuteCommand": false,"containers-name": [{"name": "php-fpm-docker","runtimeId": "#TASKID#-#ContainerID#"},{"name": "web-docker","runtimeId": "#TASKID#-#ContainerID#"}]}
可以看到 enableExecuteCommand 為 false
這時候,如果透過 aws cli 來設法登入到 Container:
% aws ecs execute-command --cluster myapp-cluster --task #TASKID# --container #containers#name# --command "/bin/bash" --interactiveThe Session Manager plugin was installed successfully. Use the AWS CLI to start a session.An error occurred (InvalidParameterException) when calling the ExecuteCommand operation: Unable to start session because the container doesn’t exist. Specify a valid container and try again.
接著,使用 aws cli 來啟動 enableExecuteCommand 吧:
% aws ecs update-service --cluster myapp-cluster --service arn:aws:ecs:ap-northeast-1:####:service/myapp-cluster/myapp-service --enable-execute-command{"service": {..."enableExecuteCommand": true,...}}
可以看到 enableExecuteCommand 被標記成 true 了,這時還需要重新發布服務,可以重網頁去觸發,或是靠指令觸發:
% aws ecs update-service --cluster myapp-cluster --service arn:aws:ecs:ap-northeast-1:####:service/myapp-cluster/myapp-service --force-new-deployment
當服務發布完畢後,在網頁上就可以看到改變,或是用指令在查一次:
% TaskID=$(aws ecs list-tasks --cluster myapp-cluster | jq -r '.taskArns[0]') ; echo "TaskID: $TaskID" ; aws ecs describe-tasks --cluster myapp-cluster --tasks $TaskID | jq '.tasks[0] | { "clusterArn": .clusterArn, "taskArn": .taskArn, "taskDefinitionArn": .taskDefinitionArn, "group": .group, "healthStatus": .healthStatus, "desiredStatus": .desiredStatus, "enableExecuteCommand": .enableExecuteCommand, "containers-name": [.containers |.[] | { "name":.name, "runtimeId": .runtimeId} ] }'TaskID: arn:aws:ecs:ap-northeast-1:####:task/myapp-cluster/#TASKID#{"clusterArn": "arn:aws:ecs:ap-northeast-1:####:cluster/myapp-cluster","taskArn": "arn:aws:ecs:ap-northeast-1:####:task/myapp-cluster/#TASKID#","taskDefinitionArn": "arn:aws:ecs:ap-northeast-1:####:task-definition/myapp-task:2","group": "service:myapp-service","healthStatus": "HEALTHY","desiredStatus": "RUNNING","enableExecuteCommand": true,"containers-name": [{"name": "php-fpm-docker","runtimeId": "#TASKID#-#CONTAINERID#"},{"name": "web-docker","runtimeId": "#TASKID#-#CONTAINERID#"}]}
如此,就可以正式遠端進去一下:
% aws ecs execute-command --cluster myapp-cluster --task #TASKID# --container web-docker --command "/bin/bash" --interactiveThe Session Manager plugin was installed successfully. Use the AWS CLI to start a session.Starting session with SessionId: ecs-execute-command-################ip-123-45-6-123:/var/www/html#
收工
參考資料:
沒有留言:
張貼留言