Installation
WhaTap Amazon ECS Monitoring collects resource usage for each Docker container in real time via the META API and Cgroup directory. It retrieves and collects the status of Amazon ECS service, deployment, and container's instance through the WhaTap tasks linked with the Amazon ECS API.
To install the WhaTap agent, you need permission to access AWS resources. Please make sure you have the following permissions in advance.
Required Roles
-
Script Executor
- iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy
- ecs:RegisterTaskDefinition, ecs:CreateService
- ecs:Describe*, ecs:List*
- ec2:DescribeSubnets, ec2:DescribeSecurityGroups
-
ECS Task Role (WhatapEcsReadonly)
- ecs:Describe*, ecs:List*
To use the WhaTap monitoring service, you must first sign up and create a project. For more information on signing up, see this document.
Creating a project
Create a project before installing the agent.
-
Log in to the WhaTap Monitoring Service.
-
In the left side menu, click All Projects > + Project.
-
On the Select product screen, select the product you want to install.
-
Enter or select the following items:
-
Project name: Enter the project name.
-
Data server region: Select the data server region. A region is a group of data centers that provide cloud services. Your data will be stored in the selected region.
-
Time zone: Set the time zone to be used for alerts and report generation.
-
Notification language setting: Set the language for alert notifications. (Supports Korean and English)
-
Project groups: Group multiple projects for easier management. Select a group if applicable.
-
Project description: Add additional details or a description for your project.
-
-
After completing all settings, click the Creating a project button.
If you add a project while an organization is selected, you must set the Groups of organization field.
For more information about groups, see the related document.
Preliminary inspection
-
AWS CLI
For more information about installation, see the following.
-
Amazon ECS CLI
For more information about installation, see the following.
-
Python 2.x/3.x
For analysis of the json documents by the script, installation is required.
- After downloading the WhaTap image (whatap/ecs_mon) for installation, it is recommended to register it in the user registry.
- The 6600 port must be open to send data to the WhaTap server.
Supported Platforms & Products
Items are distinguished depending on the launch type of Amazon ECS. Monitoring targets are task, service, deployment, and container instance.
-
EC2 Launch Type: Task, Service, Deployment, Container Instance
-
Fargate Launch Type: Task, Service, Deployment
The following monitoring procedures are also divided into the procedure for EC2 Launch Type monitoring and the procedure for Fargate Launch Type monitoring.
For more information about the Amazon ECS launch types, see the following.
Monitoring procedure
-
By referencing the installation guide section
tab, release the WhaTap Amazon ECS agent through the dedicated task or sidecar. -
By referencing the installation guide section
tab, start the WhaTap monitoring service by enabling the monitoring service.
EC2 Launch Type
-
If you have created a project and then checked the Preliminary inspection, go to the installation guide section under Management > Agent Installation.
-
In the Create Task tab, select EC2 Launch Type.
-
Run the following script to create daemon type tasks. Add
CLUSTERandREGIONand then setACCESSKEYandWHATAP_HOSTto communicate with the collection server.Linux#!/usr/bin/env bash
export ACCESSKEY=x4u5j20mdbj98-x3btmtjfhffmrc-z6ogidu7vm3shg
export WHATAP_HOST=127.0.0.1
export CLUSTER=xxxx
export REGION=xxxx
export LAUNCH_TYPE=EC2
cat >whatap_ecs.json <<EOL
{ "containerDefinitions": [ {
"name": "whatap-node-agent",
"image": "whatap/ecs_mon",
"cpu": 100,
"memory": 50,
"essential": true,
"mountPoints": [{
"containerPath": "/var/run/docker.sock",
"sourceVolume": "docker_sock",
"readOnly": true},{
"containerPath": "/rootfs",
"sourceVolume": "rootfs",
"readOnly": true}],
"environment": [{
"name": "ACCESSKEY",
"value": "$ACCESSKEY"
},{
"name": "WHATAP_HOST",
"value": "$WHATAP_HOST"}
],
"linuxParameters": {
"capabilities": {
"add": [
"SYS_ADMIN",
"SYS_RESOURCE",
"SYS_PTRACE",
"NET_ADMIN",
"NET_BROADCAST",
"NET_RAW",
"IPC_LOCK",
"CHOWN"]
}}}],
"requiresCompatibilities": ["EC2"],
"volumes": [{
"host": {"sourcePath": "/var/run/docker.sock"},
"name": "docker_sock"},{
"host": {"sourcePath": "/"},
"name": "rootfs"}],
"family": "whatap-agent-task"}
EOL
aws ecs register-task-definition \
--cli-input-json file://$(pwd)/whatap_ecs.json \
--region $REGION
aws ecs create-service --cluster $CLUSTER \
--service-name whatap-node-agent \
--task-definition whatap-agent-task \
--scheduling-strategy DAEMON \
--launch-type $LAUNCH_TYPE \
--region $REGION-
The following are the items required to run the script.
-
ACCESSKEY(WhaTap project access key) -
WHATAP_HOST(WhaTap collection region IP) -
REGION(AWS Region) -
CLUSTER(ECS Cluster)
-
-
Fargate Launch Type
-
If you have created a project and then checked the Preliminary inspection, go to the installation guide section under Management > Agent Installation.
-
In the Create Task tab, select Fargate Launch Type.
-
Run the script to create the AWS ECS API Readonly IAM role.
NoteIt is required for the WhaTap task to query the ECS service and collect service status in real time.
-
The following are the items required to run the script.
ACCESSKEY(WhaTap project access key)WHATAP_HOST(WhaTap collection region IP; multiple IPs are connected with/)REGION(AWS Region)PROFILE(ECS Profile)CLUSTER(ECS Cluster)CLUSTER_CONFIG(ECS Cluster Config)TASK_EXECUTION_ROLE(Executing the WhaTap agent's ECS task)SUBNET_1(WhaTap agent's Task SUBNET#1)SUBNET_2(WhaTap agent's Task SUBNET#2)SGGRP(WhaTap agent's Task Security Group)
-
See the following example:
Linux#!/usr/bin/env bash
export REGION=xxxxx
export WHATAP_ECS_ROLE_READONLY=WhatapEcsReadonly
export WHATAP_ECS_POLICY_READONLY=WhatapEcsReadonly
cat >ecs_trust.json <<EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOL
aws iam create-role --role-name $WHATAP_ECS_ROLE_READONLY --assume-role-policy-document file://ecs_trust.json | python -c 'import json,sys;print(json.load(sys.stdin)["Role"]["Arn"])' > role_arn.txt
cat >ecs_readonly.json <<EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:Describe*",
"ecs:List*"
],
"Resource": [
"*"
]
}
]
}
EOL
aws iam --region $REGION create-policy --policy-name $WHATAP_ECS_POLICY_READONLY \
--policy-document file://ecs_readonly.json | python -c 'import json,sys;print(json.load(sys.stdin)["Policy"]["Arn"])' > policy_arn.txt
export POLICY_ARN=$(cat policy_arn.txt)
aws iam --region $REGION attach-role-policy --role-name $WHATAP_ECS_ROLE_READONLY \
--policy-arn $POLICY_ARN
-
-
Start the whatap-single agent with the created IAM ROLE. Service status is collected in real time by using the ECS API.
Linux#!/usr/bin/env bash
export ACCESSKEY=xxxx-xxxx-xxxx
export WHATAP_HOST=xxx.xxx.xxx
export PROFILE=xxxxx
export REGION=xxxxx
export CLUSTER=xxxxx
export CLUSTER_CONFIG=xxxx
export TASK_EXECUTION_ROLE=xxxx
export SUBNET_1=xxxx
export SUBNET_2=xxxx
export SGGRP=xxxx
export WHATAP_ECS_ROLE_READONLY=WhatapEcsReadonly
export PROJNAME=whatap-monitoring
export LAUNCH_TYPE=FARGATE
export WHATAP_ROLE_ARN=$(cat role_arn.txt)
cat >docker-compose.yml <<EOL
version: '3'
services:
whatap-ecs-agent:
image: whatap/ecs_mon
environment:
- ACCESSKEY=$ACCESSKEY
- WHATAP_HOST=$WHATAP_HOST
- FARGATE_HELPER=true
EOL
cat >ecs-params.yml <<EOL
version: 1
task_definition:
task_execution_role: $TASK_EXECUTION_ROLE
task_role_arn: "$WHATAP_ROLE_ARN"
ecs_network_mode: awsvpc
task_size:
mem_limit: 0.5GB
cpu_limit: 256
run_params:
network_configuration:
awsvpc_configuration:
subnets:
- "$SUBNET_1"
- "$SUBNET_2"
security_groups:
- "$SGGRP"
assign_public_ip: ENABLED
EOL
ecs-cli compose --project-name $PROJNAME service up \
--cluster-config $CLUSTER_CONFIG \
--ecs-profile $PROFILE --region $REGION -
Release the WhaTap sidecar agent to the end user task as follows. Add
ACCESSKEYandWHATAP_HOSTas environment variables to allow communication with the collection server.Linuxversion: '3'
services:
xxxxx:
image: xxxx
ports:
- "xx:xx"
...
whatap-ecs-agent:
image: whatap/ecs_mon
environment:
- ACCESSKEY=
- WHATAP_HOST=
Activate monitoring
In the Start Monitoring tab, select Activate monitoring to start the monitoring service.
-
Enabling the monitoring service
-
Disabling the monitoring service
Precautions upon removal
To completely avoid incurring costs, delete the following items:
-
ECS Service:
whatap-ecs-agent -
Task Sidecar:
whatap-ecs-agent -
Role:
WhatapEcsReadonly