Questions tagged with Containers

I want to deploy python flask app on aws lambda using lambda container. I tried using sam. It didn't work. It was expecting a lambda handler function. Is there a way of writing lambda handler to translate it to flask format?

We would like to migrate some workloads from Beanstalk to EKS. What is the best way to generate container image manifests from Beanstalk applications, is there any automation / script solultion for this?

Hi, I am trying to configure access to a private container registry from EKS (running on VPC with private subnets) Access to the container registry is done via authentication through cloudflared with mTLS certs, which makes it a bit complicated to configure on our EKS cluster as AWS guidelines only show support for configuring private registry authentication using dockercfg and docker formats. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth-container-instances.html I have tried using the dockercfg credentials stored in a secret (referencing it with imagePullSecrets in the pod manifest) but it does not work as cloudflared mTLS cert-based authentication is required in addition to pull the image. Is there anyway to configure this? Or it is maybe a better option to start using AWS ECR and just pull images from there directly?

Does Fargate always use a VPC? And if you don't specify a VPC, it uses the default VPC in the customer account? And if you don't have a default VPC, it creates it for you? The [ClusterProps definition in the CDK guide](https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ecs/ClusterProps.html) for Python say: > **vpc (Optional[IVpc])** – The VPC where your ECS instances will be running or your ENIs will be deployed. *Default: - creates a new VPC with two AZs* So it seems like, in this regard ECS Fargate is not like AWS Lambda, where you can either run functions without a VPC (the default for AWS Lambda, a VPC 100% transparent to the user), or select a VPC. If Fargate always uses a VPC, I suppose the reason is because container-technologies are tightly bound to IP-based private and public network, unlike AWS Lambda, which uses ARNs.

Hello, I am working with AWS ECS capacity providers to scale out instances for jobs we run. Those jobs have a large variation in the amount of memory that is needed per ECS task. Those memory needs are set at the task and container level. We have a capacity provider that is connected to an EC2 auto scaling group (asg). The asg has the instance selection so that we specify instance attributes. Here we gave it a large range for memory and cpu, and it shows hundreds of possible instances. When we run a small job (1GB of memory) it scales up a `m5.large` and `m6i.large` instance and the job runs. This is great because our task runs but the instance it selected is much larger than our needs. We then let the asg scale back down to 0. We then run a large job (16GB) and it begins scaling up. But it starts the same instance types as before. The instance types have 8GB of memory when our task needs double that on a single instance. In the case of the small job I would have expected the capacity provider to scale up only 1 instance that was closer in size to the memory needs to the job (1GB). And for the larger job I would have expected the capacity provider to scale up only 1 instance that had more than 16GB of memory to accommodate the job (16GB). Questions: * Is there a way to get capacity providers and autoscaling groups to be more responsive to the resource needs of the pending tasks? * Are there any configs I might have wrong? * Am I understanding something incorrectly? Are there any resources you would point me towards? * Is there a better approach to accomplish what I want with ECS? * Is the behavior I outlined actually to be expected? Thank you

Hello. I've an ECS cluster (EC2 based) attached to a CSP. The service scaling out is OK, but it isn't scaling IN. And I've already checked the scale in protection and it's disabled (Disable Scale In: false) Description of the environment: - 1 cluster (ec2-based), 2 services - Services are attached to an ALB (registering and deregistering fine) - Services are with autoscaling enabled, checking memory (above 90%), NO scale in protection,1 task minimum, 3 tasks max. - Services are using a Capacity Service provider, apparently working as intended: it's creating new EC2 instances when new tasks are provisioned and dropping when they're with 0 tasks running, registering and deregistering as expected. - The cloudwatch alarms are working fine, Alarming when expected (with Low and High usages) Description of the test and what's "not working": - Started with 1 task for each service and 1 instance for both services. - I've managed to enter one of the containers and run a memory test, increasing its usage to over 90% - The service detected it and asked for the provision of a new task. - There were no instances that could allocate the new task, so the ECS asked for the CSP/Auto Scaling Group a new ec2 instance - The new instance was provisioned, registered in the cluster and ran the new task. - The service's memory usage avg. decreased from ~93% to ~73% (average from the sum of both tasks) - All's fine, the memory stress ran for 20 minutes. - After the memory stress was over, the memory usage dropped to ~62% - The cloudwatch alarm was triggered (maybe even before, when it was with 73% usage, I didn't check it) - The service is still running 2 tasks right now (after 3 hours or more) and it's not decreasing the Desired Count from 2 to 1. Is there anything that I'm missing here? I've already done a couple of tests, trying to change the service auto scaling thresholds and other configurations, but nothing is changing this behaviour. Any help would be appreciated. Thanks in advance.

We are trying to launch and connect to an instance of Google Chrome within a custom Docker container Lambda runtime. It runs locally 100% fine using Runtime Interface Emulator. We think it may be due to a difference in the Docker config when running it on Lambda compared to locally, preventing our runtime from accessing `localhost`. We've tried many different suggestions instead of `localhost` and also tweaked the network settings on the Docker image, but with no luck. Code: https://bitbucket.org/rapidspike/workspace/snippets/KMMa9B On line 37 `remoteInterface()` can also take a host as well as a port, but it defaults to `localhost`. We have tried `0.0.0.0`, `http://host.docker.internal` and a bunch of other suggestions including using Lambda's env variables to get the IP of container at runtime. Has anyone had similar problems or know of anything we should look into?

I have a manifest file which looks like : ``` { "Platform": { "os": "all" }, "Lifecycle": { "Setenv": { "ENDPOINT": "Test_endpoint" }, "Run": "docker rm core -f && docker rm A -f && docker rm B -f && docker rm C -f && docker-compose -f {artifacts:path}/docker-compose.yml up -d" }, "Artifacts": [ { "URI": "docker:D" }, { "URI": "s3://bucket/docker-compose.yml" }, { "URI": "docker:C" }, { "URI": "docker:B" }, { "URI": "docker:A" } ] } ``` and in docker compose file ``` service: image: "XXXXX.dkr.ecr.us-east-1.amazonaws.com/service-1.0:latest" container_name: service network_mode: host environment: AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT: ${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT} SVCUID: ${SVCUID} AWS_CONTAINER_CREDENTIALS_FULL_URI: ${AWS_CONTAINER_CREDENTIALS_FULL_URI} AWS_CONTAINER_AUTHORIZATION_TOKEN: ${AWS_CONTAINER_AUTHORIZATION_TOKEN} AWS_REGION: ${AWS_REGION} AWS_IOT_THING_NAME: ${AWS_IOT_THING_NAME} ENDPOINT: ${ENDPOINT} depends_on: - core - ledservice - scannerservice volumes: - ${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT}:${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT} command: --uri localhost:4400 --port 9100 --name stow ``` But i am unable to retrieve the value of ENDPOINT in my docker container using System.getEnv("ENDPOINT") or print all the environment variable using printenv on SSH. Value being returned is 'ENDPOINT=' i.e. empty. What am i doing wrong here? because i could not find much references where Setenv is being used or how to use it using docker.

We are designing the architecture of a microservice solution where, 1. We will have tens of container-based microservices deployed in the EKS cluster. 2. Our microservices are java spring boot applications 3. There will be base infrastructure components such as VPC, Subnets, CloudFront, EKS, ALB, etc. 4. There will be infrastructure components shared across multiple microservices such as RDS, EFS, API Gateway, etc. 5. Each microservice could have its own dedicated cloud infrastructure (DynamoDB, SQS, etc.). 6. We will be using AWS CDK for deploying all the infrastructure components (3,4 and 5). 7. In addition to infrastructure components we will have Kubernetes configurations such as helm, configmap, policy as code (PoC) components related to OPA policies, Monitoring As code components etc. associated with each microservice. We are trying to figure out an appropriate Git repository structure here. A few things we already decided to do are the following. * Have CDK code for the base infra (3) and shared infra (4) in a single GitRepo and manage the deployment of it through some infra pipeline separately. * Each springboot microservice will have its own application Git Repositories which will be tied up with its own codepipeline CI process that builds the container and registers in ECR upon commits at the main branch (trunk-based model). The confusion we have here is where to store the infrastructure code that is associated with each microservice (items 5 and 7 in the above list). We thought of two options here and we find merits and demerits to both the options. **Option#1** : Keep the infra codes ( 5 & 7) related to the microservices in the application repository associated with the microservice. **Pros** * Easy to sync application and infra changes together as it's in a single repo. Infra and app changes can be deployed together and roll back together as well. **Cons** * Since app and infra codes are stored in the same repo, any infra change could trigger the app build pipeline. And similarly, an app code change could trigger automated infra deployment pipelines (if we have an automated CDK deployment pipeline). Considering app build is part of the CI process and infra deployment falls into the CD part, it would be tough to manage the CI/CD pipeline efficiently. * Typically CI jobs would initiate code scans, code coverage checks, container scans etc. we wouldn't want to trigger those CI stages for simple changes in the infra segment of the code such as a change in configuration item or change in monitoring as a code component etc. * In the standard CI/CD pipeline, after the docker container is built and registered in ECR repo, the container tag will be updated in the helm configuration (which is now stored in the app repository), this could trigger the CI flow again. * In CD pipeline we typically execute automated E2E test, API test etc. One wouldn't want them to be triggered for simple infra changes alone. **Option#2** : Each microservice will have two repositories. One for keeping the application code, and another one for keeping all the infrastructure code (5 & 7) associated with it. **Pros** * Isolation between infra and application codes enables us to segregate CI and CD processes without conflict. **Cons** * It would be challenging to sync application and infra changes as they are now in two different repositories. **Our question is** , * Looking at various articles, there are multiple ways to do it, but we would request advice from AWS community what is the best repo design that suits our unique case explained above. * Do you have any specific advice on how infra associated with a microservice (CDK) and app container deployment in EKS can be integrated in a single deployment pipeline Reference materials used https://devops.stackexchange.com/questions/12803/best-practices-for-app-and-infrastructure-code-repositories https://www.youtube.com/watch?v=MeU5_k9ssrs https://www.youtube.com/watch?v=f5EpcWp0THw

I have created a component using GreengrassV2 and running multiple containers inside this component. Now, my requirement is to call API Gateway and fetch some data into one of the docker containers running on the local device inside the component. I am using "import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;" for fetching the credentials but getting ``` 05:45:06.476 INFO - Calling API Gateway with request params com.amazon.spiderIoT.stowWorkcell.entities.ApiGatewayRequest@e958e637 Exception in thread "main" com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@7c36db44: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6c008c24: Failed to connect to service endpoint: ] at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1269) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:845) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:794) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715) at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561) at com.amazon.spiderIoT.stowWorkcell.client.ApiGatewayClient.execute(ApiGatewayClient.java:134) at com.amazon.spiderIoT.stowWorkcell.client.ApiGatewayClient.execute(ApiGatewayClient.java:79) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellService.startMQTTSubscriberForSortLocationEvents(StowWorkcellService.java:120) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellService.onInitialize(StowWorkcellService.java:65) at com.amazon.spideriot.sdk.service.Service.run(Service.java:79) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellServiceDriver.main(StowWorkcellServiceDriver.java:26) ``` My dependencyConfiguration looks like :- ``` { "aws.greengrass.TokenExchangeService": { "componentVersion": "2.0.3", "DependencyType": "HARD" }, "aws.greengrass.DockerApplicationManager": { "componentVersion": "2.0.4" }, "aws.greengrass.Cloudwatch": { "componentVersion": "3.0.0" }, "aws.greengrass.Nucleus": { "componentVersion": "2.4.0", "configurationUpdate": { "merge": "{\"logging\":{\"level\":\"INFO\"}, \"iotRoleAlias\": \"GreengrassV2TestCoreTokenExchangeRoleAlias\"}" } }, "aws.greengrass.LogManager": { "componentVersion": "2.2.3", "configurationUpdate": { "merge": "{\"logsUploaderConfiguration\":{\"systemLogsConfiguration\": {\"uploadToCloudWatch\": \"true\",\"minimumLogLevel\": \"INFO\",\"diskSpaceLimit\": \"10\",\"diskSpaceLimitUnit\": \"MB\",\"deleteLogFileAfterCloudUpload\": \"false\"},\"componentLogsConfigurationMap\": {\"LedService\": {\"minimumLogLevel\": \"INFO\",\"diskSpaceLimit\": \"20\",\"diskSpaceLimitUnit\": \"MB\",\"deleteLogFileAfterCloudUpload\": \"false\"}}},\"periodicUploadIntervalSec\": \"5\"}" } } } ``` Java code for using AWS credentials ``` public class APIGatewayModule extends AbstractModule { @Provides @Singleton public AWSCredentialsProvider getAWSCredentialProvider() { return new DefaultAWSCredentialsProviderChain(); } @Provides @Singleton public ApiGatewayClient getApiGatewayClient(final AWSCredentialsProvider awsCredentialsProvider) { System.out.println("Getting client configurations"); final com.amazonaws.ClientConfiguration clientConfiguration = new com.amazonaws.ClientConfiguration(); System.out.println("Got client configurations" + clientConfiguration); return new ApiGatewayClient(clientConfiguration, Region.getRegion(Regions.fromName("us-east-1")), awsCredentialsProvider, AmazonHttpClient.builder().clientConfiguration(clientConfiguration).build()); } } ``` I have been following this doc: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html My question is regarding everywhere in this document, it is mentioned that "AWS IoT Core credentials provider", what credentials provider should we use? Also, as mentioned in this doc we should use --provision true when "When you run the AWS IoT Greengrass Core software, you can choose to provision the AWS resources that the core device requires." But we started without this flag, how can this be tackled and is there any other document that provides reference to using credentials provider and calling API Gateway from AWS SDK Java. On SSH to docker, i could find that the variable is set ``` AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:38135/2016-11-01/credentialprovider/ ``` But unable to curl from docker to this URL, is this how this is suppose to work?

We have a fleet of EC2 instances that are used to run one Docker container per instance. These instances are pretty large and use AWS EBS as storage backend as storage io requirements are pretty high. The docker containers are run using basic docker-compose on the EC2 instances and these docker-compose files are managed by ansible globally. The workload requires quite a lot of cpu and iops so EBS as a storage is a requirement This is a legacy setup and at some point we need to move over away from docker compose to something more flexible and modern. The workload specifics where one huge container is used per host makes me think that this is not really a case for kubernetes or ECS, especially when EBS are in the mix too. At least not vanilla kubernetes in the sense I understand how kubernetes work. Could anyone point me to a right direction here?

can we run app2container directly on the source code instead of published files, usecase: we have a requirement to run app2container (.net framework 4.5.2) we do not have access to publish files but the source code and need to containerize the applications. (migration not in scope for now) so is it possible to run app2container directly on the source code.

I I have performed some AWS Glue version 3.0 jobs testing using Docker containers as detailed [here](https://aws.amazon.com/blogs/big-data/develop-and-test-aws-glue-version-3-0-jobs-locally-using-a-docker-container/). The following code outputs two lists, one per connection, with the names of the tables in a database: ```python import boto3 db_name_s3 = "s3_connection_db" db_name_mysql = "glue_catalog_mysql_connection_db" def retrieve_tables(database_name): session = boto3.session.Session() glue_client = session.client("glue") response_get_tables = glue_client.get_tables(DatabaseName=database_name) return response_get_tables s3_tables_list = [table_dict["Name"] for table_dict in retrieve_tables(db_name_s3)["TableList"]] mysql_tables_list = [table_dict["Name"] for table_dict in retrieve_tables(db_name_mysql)["TableList"]] print(f"These are the tables from {db_name_s3} db: {s3_tables_list}\n") print(f"These are the tables from {db_name_mysql} db {mysql_tables_list}") ``` Now, I try to create a dynamic dataframe with the *from_catalog* method in this way: ```python import sys from pyspark.context import SparkContext from awsglue.context import GlueContext from awsglue.job import Job from awsglue.dynamicframe import DynamicFrame source_activities = glueContext.create_dynamic_frame.from_catalog( database = db_name, table_name =table_name ) ``` When `database="s3_connection_db"`, everything works fine, however, when I set `database="glue_catalog_mysql_connection_db"`, I get the following error: ```python Py4JJavaError: An error occurred while calling o45.getDynamicFrame. : java.lang.ClassNotFoundException: com.mysql.cj.jdbc.Driver ``` I understand the issue is related to the fact that I am trying to fetch data from a mysql table but I am not sure how to solve this. By the way, the job runs fine on the Glue console. I would really appreciate some help, thanks!

I have this docker file that displays the wine version: ``` FROM electronuserland/builder:wine ENTRYPOINT [ "wine", "--version" ] ``` When running this on my local docker, it returns the version of wine. ``` >> docker build -t wine-version . >> docker run wine-version >> wine-7.0 ``` but when I uploaded it to AWS ECR and use it as my lambda function container, it printed `exited with error: signal: segmentation fault` Arch: x86_64 Expectation: wine version should be printed on the logs. ``` START RequestId: bc7b454b-22c9-4373-aaa3-091c8c4fa17c Version: $LATEST END RequestId: bc7b454b-22c9-4373-aaa3-091c8c4fa17c REPORT RequestId: bc7b454b-22c9-4373-aaa3-091c8c4fa17c Duration: 4.32 ms Billed Duration: 5 ms Memory Size: 128 MB Max Memory Used: 3 MB RequestId: bc7b454b-22c9-4373-aaa3-091c8c4fa17c Error: Runtime exited with error: signal: segmentation fault Runtime.ExitError ```

I have a django web app hosted via elastic beanstalk Due to the fact that ./platform/hooks/postdeploy migrate command seems to no longer be working ([https://repost.aws/questions/QUciLyPjuLThyZ-uLafausLg/elastic-beanstalk-database-migrations-no-longer-running]()) I have tried to use container commands in my django.config file instead ``` container_commands: 00_test_output: command: "echo 'testing.....'" 01_migrate: command: "source /var/app/venv/staging-LQM1lest/bin/activate && python manage.py migrate --noinput" leader_only: true ``` This, however, provokes the error on deployment: ``` 2022-05-25 08:03:36 WARN LoadBalancer awseb-e-g-AWSEBLoa-Q8MLS7VPZA00 could not be found. 2022-05-25 08:03:36 ERROR Failed to deploy application. ERROR: ServiceError - Failed to deploy application. ``` This error occurs even if only the `00_test_output` command is included. Does anyone have an idea as to why the loadbalancer cannot be found when container commands are added?

Hi, I have a WebSocket deployed in ECS with load balancers on top of that and use the VPC link to link the API gateway with the ECS. For some unknown reason, I was able to connect to the API Gateway WebSocket successfully but can't send the data to the ECS. I send the message with the action "sub" but nothing hit the Docker container in the ECS. Is that because it is not possible to have the API Gateway WebSocket with load balancer and ECS connected by the VPC link? Can that be achievable? Or is the API Gateway WebSocket can only talk with Lambda?

Trying to establish a connection from an AWS Fargate task in ECS to an external SFTP server. But the connection cannot be established despite providing the necessary Keys (required to build the connection) in the code. Objective is to connect to the SFTP server download files from there, process them and upload them to some other destination.

Hello, I have followed all of the tutorials on how to build an AWS Lambda function as a container image. I am also using the AWS SAM SDK as well. What I don't understand is how do I figure out my end-point URL mapping from within my image to the Lambda function? For example in my docker image that I am using the AWS Python 3.9 image where I install some other packages and my python requirements and my handler is defined as: summarizer_function_lambda.postHandler My python file being copied into the image is the same name as above but without the .postHandler My AWS SAM Template has: AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: AWS Lambda dist-bart-summarizer function # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: Function: Timeout: 3 Resources: DistBartSum: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: FunctionName: DistBartSum ImageUri: <my-image-url> PackageType: Image Events: SummarizerFunction: Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api Properties: Path: /postHandler Method: POST So what is my actual URI path to do my POST call either locally or once deployed on Lambda?? When I try and do a CURL command I get an "{"message": "Internal server error"}% " curl -XPOST "https://<my-aws-uri>/Prod/postHandler/" -d '{"content": "Test data.\r\n"}' So I guess my question is how do you "map" your handler definitions from within a container all the way to the end point URI?

When using Step Functions with a container service like EKS or ECS how does output work for those steps? From the below two linked questions it seems as if input is done by either passing the input to the command override or by passing it as an environment variable. How do these jobs return output to be consumed by the following step? Input questions: * https://repost.aws/questions/QUQqIMl4s6QFKWtGeABPhgVA/step-functions-pass-input-into-fargate-instance * https://repost.aws/questions/QUCWMj_HPIQi6nmpUrbS3UTQ/step-functions-lambda-and-ecs **EDIT** According to this blog there isn't a way to output from ECS or Fargate tasks. So the outputs need to be deterministic based on the previous inputs. Can anyone confirm this and does this go for EKS as well? https://nuvalence.io/blog/aws-step-function-integration-with-ecs-or-fargate-tasks-data-in-and-out

Hello, We encountered troubles with ECS on Docker on EC2. Some tasks stay a long time in provisionning state while an EC2 is available and others tasks with the same docker image and parameters succeed to start. Then, the status goes from PROVISIONNING to STOPPED with reason : "Task failed to start". I have no logs, or info on the containers in ECS console and Cloudwatch, and did not find any tips in the EC2 logs... Any idea on why we have this behaviour ? or a way to have more traces to investigate ? Thanks Valentin

I would like to deploy a multi tenant web application say `webapp.com` and I would like each customer to have their own subdomain like `app.customer1.webapp.com`, `api.customer1.webapp.com`, `app.customer2.webapp.com`, `api.customer2.webapp.com`, etc. This was each customer has their own API and Web App URL. I would like all web app urls to go to the same instance of the application but load a different configuration for each customer - each customer has their own cognito userpool. Similarly for API but I would need to authenticate based on Bearer Token and Domain used. For the backend I think I will have a dynamodb table to hold the details of each customer. The web app is NextJS app so I think I will use a fargate cluster for both the web app and api (I want to avoid API Gateway and lambda). I will also use CDK for all infrastructure so I might also use it to bootstrap each customer using a stack that consists of Route53 configs and other resources like userpool that is unique to each customer. What is the easiest way to achieve this (preferably with CDK) ?

Hello! I've just deployed my first container in lightsail. I'm getting some internal errors and some services and files inside the container need configuring. Problem is, for me to configure something and check if it works, I need to do it locally, then build the container, then push it to lightsail, which is a lengthy process. What I want to do is, like on my local docker machine, get a CLI inside the container. That'll help configure services, as well as check the logs, but I can't seem to find a way to do that. Is there a way to access a CLI and the files inside the container?

We are running EKS cluster with m5.12xlarge as worker nodes. Looking at cloudwatch logs we can see that "PLEG is not healthy: pleg was last seen active 3.xxm ago" error happens very frequently causing instability in our cluster. What could be the possible causes or any other underlying issue? Added details of our cluster below EKS version: v1.21.5-eks-9017834 Container Runtime: Docker Docker Version ``` Docker version 20.10.7, build f0df350 ``` Containerd Version ``` container d - 1.4.6 d71fcd7d8303cbf684402823e425e9dd2e99285d ``` runc version : ``` 1.0.0 commit: 84113eef6fc27af1b01b3181f31bbaf708715301 spec: 1.0.2-dev go: go1.15.14 libseccomp: 2.4.1 ```

I have a use case where i'd like a nodegroup to be zero and to scale up automatically when we deploy a workload. The kubectl deployment scales correctly if the desiredcount is 1 or above but its stuck on a loop when the initial count 0. I see this issue https://github.com/aws/containers-roadmap/issues/724 still open. Is this still a shortcoming? Are there any potential workarounds for this?

I'm following the helloworld tutorial in the Developer guide, I have added the Dockerfile and entrypoint.sh and runned all the terminal command, but when I run the command: > docker push $ecruri/$simapp the output I obtain is the following: > 50b01f0b27b7: Retrying in 1 second > 397a6b9fcc38: Retrying in 1 second >... > b97da005ff37: Waiting >... > EOF And the repository is empty. (The same goes for $robotapp) Any ideas?

Hi all, I don't know what I've done in the Console, but I am no longer able to update a service with FARGATE containers. Note this is the "classic" experience and not the New ECS Experience. Under "Step 1: Configure service", there is a section "Task Placement" with Placement Templates=Custom, zero Strategies, and 1 Constraint=DistinctInstance. I left it as Custom but **deleted the Constraint**. When I try to save the service, I get a red error "Failed updating Service : Placement constraints are not supported with FARGATE launch type. Funny enough, when I go back to "Step 1: Configure service", the "Task Placement" section is not there. Any ideas? Do I need to attack this problem from the CLI? Thanks!

I have an image that binds to port 80 as a **non-root** user. I can run it locally (macOS Monterey, Docker Desktop 4.7.1) absolutely fine. When I try and run it as part of an ECS service on Fargate it fails as so: **Failed to bind to 0.0.0.0/0.0.0.0:80** **caused by SocketException: Permission denied** Fargate means I have to run the task in network mode `awsvpc` - not sure if that's related? Any views on what I'm doing wrong? The [best practices document](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/bestpracticesguide.pdf) suggests that I should be running as non-root (p.83) and that under awsvpc it's reasonable to expose port 80 (diagram on p.23). FWIW here's a mildly cut down version the JSON from my task definition: ``` { "taskDefinitionArn": "arn:aws:ecs:us-east-1:<ID>:task-definition/mything:2", "containerDefinitions": [ { "name": "mything", "image": "mything:latest", "cpu": 0, "memory": 1024, "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ], "essential": true, "environment": [] } ], "family": "mything", "executionRoleArn": "arn:aws:iam::<ID>:role/ecsTaskExecutionRole", "networkMode": "awsvpc", "revision": 2, "volumes": [], "status": "ACTIVE", "requiresAttributes": [ { "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" }, { "name": "ecs.capability.execution-role-awslogs" }, { "name": "com.amazonaws.ecs.capability.ecr-auth" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" }, { "name": "ecs.capability.execution-role-ecr-pull" }, { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" }, { "name": "ecs.capability.task-eni" } ], "placementConstraints": [], "compatibilities": [ "EC2", "FARGATE" ], "runtimePlatform": { "operatingSystemFamily": "LINUX" }, "requiresCompatibilities": [ "FARGATE" ], "cpu": "256", "memory": "1024", "tags": [] } ```

I have a rails api running on AppRunner and I can't find a way to ssh into the container so I can run migrations or any other one off rake tasks that I anticipate.

TLDR: I inherited a Wordpress site that I now manage that had a DevOps deployment pipeline that worked when the site was low to medium traffic, but now the site consistently gets high-traffic and I'm trying to improve the deployment pipeline. The site I inherited uses Lightsail instances and a Lightsail load balancer in conjunction with one RDS database instance and an S3 bucket for hosted media. When I inherited the site, the deployment pipeline from the old developer was: *Scale site down to one instance, make changes to that one instance, once changes are complete, clone that updated instance as many times as you need* This worked fine when the site mostly ran with only one instance except during peak traffic times. However, now at all times we have 3-5 instances as even our "off-peak" traffic is really high requiring multiple instances. I'd like to improve the deployment pipeline to allow for deployment during peak-traffic times without issues. I'm worried about updating multiples instances behind the load balancer one by one sequentially because we have Session Persistence disabled to allow for more evenly distributed load balancing. And I'm worried a user hopping to different instances that have a different functions.php file will cause issues. Should I just enable session persistence when I want to make updates and sequentially updates instances behind the load balancer one by one? Or is there a better suited solution? Should I move to a containers setup? I'm admittedly a novice with AWS so any help is greatly appreciated. Really just looking for general advice and am confident I can figure out how to implement a suggested best-practice solution. Thanks!

We are developing a custom model monitoring container to be used to interact with Sagemaker's model monitoring API, as we require additional custom metrics. One of our requirements is for these metrics to populate and visualize appropriately in Studio visualization tabs, e.g. Data Quality, Model Quality, and Explainability. **None of the built-in containers are an option for us, and we are trying to interop with the Monitoring APIs as seamlessly as possible.** The docs specify the container contracts for output, specifically *statistics.json*, *constraints.json*, and *constraint_violations.json*. However, the docs are not clear on what JSON files to emit for specifically *custom Model Quality metrics*. There does not appear to be a provided schema. Things I have tried: - Emitting CloudWatch metrics to a different namespace, *sagemaker/Endpoint/model-quality-metrics* - Attempting to retrofit the statistics.json file to also include Model Quality metrics. Is there a separate JSON file I should write to */opt/ml/processing/resultdata* for our custom model quality metrics to populate the Studio visualization tab? Specifically, where do the base containers look for this JSON report: https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-metrics.html

Hello, I need to run my lightsail container service with privileged mode. How can I do that? This is because my container has mount to an S3 bucket where I used s3fs. But for this to be successful the container needs to run with --privileged mode. Thanks in advance!

I'm getting this error when I try to connect to my Fargate ECS container using ECS Exec feature: ``` An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation: The execute command failed due to an internal error. Try again later. ``` The task's role was missing the SSM permissions, I added them, but the error persists. Below is the output of the [amazon-ecs-exec-checker](https://github.com/aws-containers/amazon-ecs-exec-checker) tool: ``` Prerequisites for check-ecs-exec.sh v0.7 ------------------------------------------------------------- jq | OK (/usr/bin/jq) AWS CLI | OK (/usr/local/bin/aws) ------------------------------------------------------------- Prerequisites for the AWS CLI to use ECS Exec ------------------------------------------------------------- AWS CLI Version | OK (aws-cli/2.2.1 Python/3.8.8 Linux/5.13.0-39-generic exe/x86_64.ubuntu.20 prompt/off) Session Manager Plugin | OK (1.2.295.0) ------------------------------------------------------------- Checks on ECS task and other resources ------------------------------------------------------------- Region : us-west-2 Cluster: removed Task : removed ------------------------------------------------------------- Cluster Configuration | Audit Logging Not Configured Can I ExecuteCommand? | arn:aws:iam::removed ecs:ExecuteCommand: allowed ssm:StartSession denied?: allowed Task Status | RUNNING Launch Type | Fargate Platform Version | 1.4.0 Exec Enabled for Task | OK Container-Level Checks | ---------- Managed Agent Status ---------- 1. RUNNING for "api-staging" ---------- Init Process Enabled (api-staging:14) ---------- 1. Enabled - "api-staging" ---------- Read-Only Root Filesystem (api-staging:14) ---------- 1. Disabled - "api-staging" Task Role Permissions | arn:aws:iam::removed ssmmessages:CreateControlChannel: allowed ssmmessages:CreateDataChannel: allowed ssmmessages:OpenControlChannel: allowed ssmmessages:OpenDataChannel: allowed VPC Endpoints | Found existing endpoints for vpc-removed: - com.amazonaws.us-west-2.s3 SSM PrivateLink "com.amazonaws.us-west-2.ssmmessages" not found. You must ensure your task has proper outbound internet connectivity. Environment Variables | (api-staging:14) 1. container "api-staging" - AWS_ACCESS_KEY: not defined - AWS_ACCESS_KEY_ID: defined - AWS_SECRET_ACCESS_KEY: defined ``` The output has only green and yellow markers, no red ones, which means Exec should work. But it doesn't. Any ideas why?

I created ecs and service, and in the event tab, I could see the following phrase. (fargate) "service xxxx was unable to place a task because your account is currently blocked." It's the first time I've seen this phrase, and I'm not sure how to deal with it.

Hi, i'm trying to run postfix/dovcot containers using docker-compose on a new Linux AMI based vm i just created. docker daemon issues an error: "Error response from daemon: driver failed programming external connectivity on endpoint <XXXXXX Container name XXXXX> (582c7551d1c87e6131cb153b1dee9f9c1d0bd5ea1eaedfe070d7952276547569): Error starting userland proxy: listen tcp4 0.0.0.0:25: bind: address already in use" indeed ,running ``` sudo lsof -i:25 |grep LISTEN ``` shows that the port is used. this is the output : ``` master 3038 root 13u IPv4 17945 0t0 TCP localhost:smtp (LISTEN) ``` What am i missing here ? why is that port taken ? i read some comments on the net saying that Amazon prevent using port 25 by default - is that the case here ? Thanks in advance Sivan

I'd like my Linux docker container to have access to S3 as a bind mount. The only thing I'm finding so far is s3fs, for example, https://github.com/s3fs-fuse/docker-s3fs-client. Is that recommended, or is there some better way? Ideally I'd see something detailed on docs.aws.amazon.com, but I'm not seeing anything there on s3fs.

Can multiple developers use our same AWS Account. If so, what is the difference between Root access and Console Access? Where should I set the new developer up? He will need to create containers, configure servers and clients in macOS.

Hi I'd like to ask if anyone was able to successfully migrate their existing Multi-container Docker running on 64bit Amazon Linux which is about to be deprecated to the newer ECS running on 64bit Amazon Linux 2? I followed the steps outlined in this document: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/migrate-to-ec2-AL2-platform.html using the AWS CLI to upgrade our environment. It did upgrade it to the new platform however I'm getting a 502 Bad Gateway in my webpage. The document says no configuration needs to be changed on the source code as well as in the Dockerrun.aws.json v2 file. Is there any additional configuration I'm missing? When I rolled-back the platform to the previous one (Multi-container Docker running on 64bit Amazon Linux) - it went back to normal.

Hello! I wish to run some short lived tasks on AWS Lightsail Containers. The container boots, performs some work which may take anywhere from a handful of seconds to serveral hours, and then it exits once complete. Is AWS Lightsail Containers suitable for this workload? In the documentation I got the impression that it was intended for long-lived HTTP services that do not terminate. Thanks, Louis

Hello! I wish to run some "background workers" on AWS Lightsail Containers. The container boots, connects to a work queue system (such as AWS SQS or RabbitMQ) and continues running as it performs work from the queue. At no point does it start a HTTP interface, and due to limitations of the programming language and libraries used I am unable to add one. Is AWS Lightsail Containers suitable for this workload? It looks like a great service, but I could not determine if the HTTP interface was always required. Thanks, Louis

I am getting this error but I am not able to SSH into the instance. I have already restarted it but still can't ssh into the instance. What should I do? The steps to replicate this are: 1) We create an AMI 2) We create an instance based on that AMI 3) We get reachability failed, status impaired error 4) System log says: Failed to start LSB: Bring up/down networking and Started Crash recovery kernel arming . Thanks in advance

I am trying out GreenGrass v2 to see if it would fit our need to deploy our stack using docker-compose to our IoT devices. I have followed the steps [here](https://docs.aws.amazon.com/greengrass/v2/developerguide/run-docker-container.html) and setup a device with a deployment (i.e. 1.0.1). I am not exactly clear how components interact with docker-compose, it seems that even when I stop a container manually, it will reset on reboot. That is not a problem, but it also looks like when I publish a new deployment (i.e. 1.0.2), I still have containers from 1.0.1 still running, which ends up throwing errors because they are trying to access the same ressource. What is the correct approach to stop the docker-compose stack when I deploy a new update ?

Hi, I followed the wizard to create an ECS/fargate cluster and a basic step function state machine. I was able to run the state machine once (after working through a few permissions issues), though the container exited. I updated the task definition (specifically, all I changed was the container's entrypoint and command), and I'm now encountering a new IAM issue despite not (to my knowledge) changing anything related to the state machine or cluster's roles. ``` Error ECS.AccessDeniedException Cause User: arn:aws:sts::****:assumed-role/StepFunctions-hello-role-****/**** is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-west-2:****:task-definition/hello-task:2 because no identity-based policy allows the ecs:RunTask action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Proxy: null) ``` Is there a particular resource that needs to have this role/policy assigned that I'm missing? I don't know how to set or access permissions for "assumed roles" before or after the state machine runs. Thanks!

I'm running a single container setup on Elastic Beanstalk using the Amazon Linux 2 Docker platform. The container is running a third-party image that is fully functional only when its hostname matches an issued license file. With the previous iteration of Docker platform on Amazon Linux, it was possible (though never officially supported) to override the `docker run` command by using an `ebextension` to patch the `/opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh` script to inject `-h MY_HOST`. This does not seem to work on Amazon Linux 2. Is there any officially supported way to set the hostname of a container running on Elastic Beanstalk using the Amazon Linux 2 Docker platform? Thanks for any help you can provide.

I'm wanting to send UDP traffic to an EC2 host in the same VPC as an ECS instance and I can only get it to work by testing with allowing all source IPs in the security group for the EC2 instance. With RDS it's always worked fine to use the RDS instance's security group ID as source in the ECS container's security group, but that isn't working here, where I'd use the ECS container's SG as source for the UDP port in the EC2 instance's SG. I tried using something like 172.30.0.0/16 to allow all VPC traffic, but that doesn't work either. Are ECS instances in my VPC? Thanks for any help.

Afternoon all. We have a project that as the title said, the developers will do their magic, then push a docker image up to ECR. The initial test was all manual, ran a few containers on different ports, manually setup the listeners and all good. So the next step it to automate. I want to let them update the ECR/docker image and once done have that update the servers one at a time the way my current code-deploy works. I am trying to read and understand the difference or benefits to using a ECS cluster vs an Elastic Beanstalk as well as understand a bit more from the high level as I am going to need redundancy, autoscaling, etc. So, a brief answer on where to start with what would be great, but basically I need to create a service that starts X amount of docker containers per instance, then they get added to the target group / ELB. Thanks for the advice!

For a job, I run puppeteer in the headful mode in AWS Batch. I found a docker file that uses the image `node:16.5-slim`, then downloads Chrome, and then uses Xvfb. If I run it on an EC2 instance with GPU, Chrome still uses the integrated video card (llvmpipe) not taking advantage of the powerful Nvidia GPU. I found online a couple of attempts, one I heard they had to switch to Windows (not supported by AWS Batch). They also used an AMI only available on EC2: https://stackoverflow.com/questions/67813309/run-headful-chromium-with-nvidia-gpu-and-xvfb-on-ec2-instance-with-prime And the other solution also doesn't seem to be suitable because of its complexity to set up: https://boygiandi.medium.com/ch%E1%BA%A1y-chrome-v%E1%BB%9Bi-gpu-tr%C3%AAn-instance-ec2-aws-69369d73235a I wonder if there is a docker image I could use as a starting point where the Nvidia GPU is already set up and Chrome could take advantage of it with only a few extra configurations. Thanks!

I have had multiple builds set up in AWS CodeBuild that run terraform code. I am using Terraform version 1.0.11 with kreuzwerker/docker provider 2.16 and aws provider version 4.5.0. Yesterday, builds stopped working because when docker_image_registry deletes the old image I receive `Error: Got error getting registry image digest: Got bad response from registry: 405 Method Not Allowed`. I have not changed any code, I'm using the same `aws/codebuild/standard:4.0` build image. Note that I have another API in a different region (`us-west-1`) with the exact same code, and it still works. Here should be enough code to figure out what's going on: ``` locals { ecr_address = format("%v.dkr.ecr.%v.amazonaws.com", data.aws_caller_identity.current.account_id, var.region) environment = terraform.workspace name = "${local.environment}-${var.service}" os_check = data.external.os.result.os == "Windows" ? "Windows" : "Unix" } variable "region" { default = "us-east-2" } provider "aws" { region = var.region } provider "docker" { host = local.os_check == "Windows" ? "npipe:////.//pipe//docker_engine" : null registry_auth { address = local.ecr_address username = data.aws_ecr_authorization_token.token.user_name password = data.aws_ecr_authorization_token.token.password } } data "external" "git_hash" { program = local.os_check == "Windows" ? ["Powershell.exe", "./Scripts/get_sha.ps1"] : ["bash", "./Scripts/get_sha.sh"] } data "aws_caller_identity" "current" {} data "aws_ecr_authorization_token" "token" { registry_id = data.aws_caller_identity.current.id } resource "aws_ecr_repository" "repo" { name = lower(local.name) image_tag_mutability = "MUTABLE" image_scanning_configuration { scan_on_push = true } tags = merge(local.common_tags, tomap({ "Name" = local.name })) } resource "aws_ecr_lifecycle_policy" "policy" { repository = aws_ecr_repository.repo.name policy = <<EOF { "rules": [ { "rulePriority": 1, "description": "Keep only last 10 images, expire all others", "selection": { "tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10 }, "action": { "type": "expire" } } ] } EOF } resource "docker_registry_image" "image" { name = format("%v:%v", aws_ecr_repository.repo.repository_url, data.external.git_hash.result.sha) build { context = replace(trimsuffix("${path.cwd}", "/Terraform"), "/${var.company}.${var.service}", "") dockerfile = "./${var.company}.${var.service}/Dockerfile" } lifecycle { create_before_destroy = true } } ```

We plan to provide a machine learning algorithm via a [container image](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-byoc-containers.html) and are concerned about. Is it possible that other parties download the docker image for local inspection?

we created and manage our EKS cluster with eksctl for quite a while. Now we are faced with a use-case where we need multiple interfaces in a pod. EKS supports multus to do exactly this. All documentations I'm able to find start with a cloudformation script to setup new nodegroups. Im not exactly sure how to integrate this into our existsing workflow with eksctl. We already have running nodes. So I just skipped that step and installed the multus daemonset with the existing nodes and tried to assign a second interface to a container which didnt work. I checked the cloudformation script and it does multus spefic stuff (Im not familiar with cloudformation scripts) . Q: Can I somehow patch existing nodes in order to support Multus?

I am trying to run a simple TagUI flow as a Lambda function using container images. I have made a Dockerfile using the bootstrap and function.sh from [this tutorial](https://aripalo.com/blog/2020/aws-lambda-container-image-support/): ``` FROM amazon/aws-lambda-provided:al2 RUN yum install -y wget nano php java-1.8.0-openjdk unzip procps RUN curl https://intoli.com/install-google-chrome.sh | bash RUN wget https://github.com/kelaberetiv/TagUI/releases/download/v6.46.0/TagUI_Linux.zip \ && unzip TagUI_Linux.zip \ && rm TagUI_Linux.zip \ && ln -sf /var/task/tagui/src/tagui /usr/local/bin/tagui \ && tagui update RUN sed -i 's/no_sandbox_switch=""/no_sandbox_switch="--no-sandbox"/' /var/task/tagui/src/tagui ADD tr.tag /var/task/tagui/src/tr.tag WORKDIR /var/runtime/ COPY bootstrap bootstrap RUN chmod 755 bootstrap WORKDIR /var/task/ COPY function.sh function.sh RUN chmod 755 function.sh CMD [ "function.sh.handler" ] ``` My function.sh: ``` function handler () { cp -r /var/task/tagui/src/* /tmp; chmod 755 /tmp/tagui; OUTPUT=$(/tmp/tagui /tmp/tr.tag -h); echo "${OUTPUT}"; } ``` Notes: - the sed line is required to get TagUI running in docker images. - tr.tag is just a simple flow to do a password reset on a webapp so I can confirm the container has run. - everything has to be run in /tmp as that is the only folder Lambda can write to in the container and TagUI creates a load of temporary files during execution. When I run as a Lambda I get the error: ```./tmp/tagui/src/tagui: line 398: 56 Trace/breakpoint trap (core dumped) $chrome_command --user-data-dir="$TAGUI_DIR/chrome/tagui_user_profile" $chrome_switches $window_size $headless_switch $no_sandbox_switch > /dev/null 2>&1``` When I run the container from Docker it runs perfectly. I have tried increasing both the memory and timeout of the function. The end goal I am trying to achieve is to have a Lambda function triggered by an API gateway that can receive a TagUI RPA flow and run it.

Hi, we are experiencing a strange behavior in our pipeline flow. Step from source pulling e image building are correctly marked as succeeded in pipeline but the procedure fall in a "in progress" state for the deploy step. Anyway, when I check ECR panel, I can see the image correctly deployed to cluster. Nothing was changed in the last days about the pipeline setting up, just as usual new commits. Logs are clean and nothing can point me to resolve this issue. Is there something that I can check further to fix this situation? Thanks!

For processing genomics datasets in containers launched from AWS Batch, is it possible to stream the data directly from S3, using an approach similar to SageMaker [pipe mode](https://aws.amazon.com/blogs/machine-learning/using-pipe-input-mode-for-amazon-sagemaker-algorithms/) (or [fast file mode](https://aws.amazon.com/about-aws/whats-new/2021/10/amazon-sagemaker-fast-file-mode/))? Also, are there any hardware limitations that I should be aware of? For example, in [this article](https://aws.amazon.com/premiumsupport/knowledge-center/s3-maximum-transfer-speed-ec2/), the maximum transfer speed between EC2 and S3 is 100 Gbps (VPC endpoints and public IPs in the same region). In a 2018 article, the bandwidth between EC2 and S3 was [stated as 25 Gbps](https://aws.amazon.com/blogs/aws/the-floodgates-are-open-increased-network-bandwidth-for-ec2-instances/)

Hi There I am new to computer clouding and I have been asked if I could run a latency test on our system. Basically our hardware communicates via the internet to our application which is hosted on AWS Cloud using Fargate with AWS ECS to run containers (as detailed below). My question is, is it possible to run a latency test when our application is structured on the cloud and structured in such way? UI Hosting: AWS Fargate with AWS ECS to run containers, NLB, AWS Ireland region. Backend: AWS ECS with AWS EC2 to run containers, AWS ECS with AWS Fargate, AWS Ireland region.

I have utilised docker buildx and CodeBuild to build my docker image with multiple architectures. However if I try to use the parent manifest image, which should select the correct architecture based on the host OS, I cannot create my Lambda. I get the error stating **The image manifest or layer media type for the source image <imageECRdetailsHere> is not supported.** However, if I specifically chose the image created for said architecture it will work. I feel that this is a failing of Lambda Container images as one of the key points of having a manifest with multiple architectures is that I do not need to be specific about the image / platform when pulling the image. Am I missing something here, or is this currently completely unsupported by AWS Lambda? The image manifest matches the docker v2 specification, and works when pulling the image locally, and both work by forcing the --platform option. Is this a bug, a missing feature or just blatantly not supported? The Lambda documentation states images that meet the manifest specifications are supported, but it appears that does not extend to manifest lists which are supported by the Docker image manifest V2, schema 2, which is supposed to be supported.

Hello, I would like to connect to my **ElastiCache** (redis) from a **Lightsail container**, but I can't change the subnet group (**VPC**) settings for my container. Is it possible or not? Regards.

I am trying to run a public docker container (published by a 3rd party) on Lightsail, as opposed to on ECS. The issue I am having is that I need persistent storage, as the application is stateful. Having created a Lightsail block storage disk, I don't see a way to attache/mount it on the container. Is there such an option or are Lightsail containers only intended for stateless application use cases? Thanks!

Hello, I am setting up a Yellowfin [deployment](https://wiki.yellowfinbi.com/display/yfcurrent/Install+in+a+Container) using their stock app-only [image](https://hub.docker.com/r/yellowfinbi/yellowfin-app-only) on ECS Fargate. I was able to set up a test cluster for my team to experiment with. Yellowfin requires a license to use their software. To issue a license, Yellowfin needs to know the hostname of the underlying platform it runs on. Yellowfin can provide wildcard licenses that match on a standard prefix or suffix. Currently, we are using a development license that matches on the default hostname that our test environment's Fargate task is assigned. The default hostname seems to be of the form <32-character alphanumeric string>-<10-digit number> where the former is the running task's ID and the latter is an ID of some other related AWS resource (the task definition? the cluster?) that I could not identify. Although this 10-digit number stays constant if new tasks are run, it does not seem like a good strategy to base the real Yellowfin license off of it. I would like to override the hostname of a Fargate task when launching the container to include a common prefix (e.g., "myorg-yfbi-") to make it simple to request a wildcard license for actual use. If possible, I would like to avoid building my own image or migrating to use another AWS service. Is there a standard way to override the hostname for a Fargate service by solely updating the task definition? Would overriding the entrypoint be a viable option? Is there another way to set hostname in Fargate that I am not aware of? Thank you for any guidance you can provide. Happy to provide more information if it helps.

Hi I have been go through the documentation for update the "`AWS:AutoScaling:AutoSclaingGroup`" in my existing EB Environment. My current environment is setup using `Docker-compose.yml `file to refer to the default .env file. I decided to go with update environment setting through AWS CLI. But i keep getting the error as below. ``` aws elasticbeanstalk update-environment --environment-name Testenv-env --template-name v1 An error occurred (ConfigurationValidationException) when calling the UpdateEnvironment operation: Configuration validation exception: Invalid option specification (Namespace: 'aws:autoscaling:autoscalinggroup', OptionName: 'HealthCheckType'): Unknown configuration setting. ``` In my v1.json file, I have the setup in below ``` aws:autoscaling:autoscalinggroup: HealthCheckType: ELB ``` Then I researched online a bit, found ppl are discussing this is no longer working, and I checked the latest API documentation, which is conflicting from the instruction in below link. Apparent "HealthCheckType" is no longer in the Support field for EB. Then I turned to another solution mentioned in below link: [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environmentconfig-autoscaling-healthchecktype.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environmentconfig-autoscaling-healthchecktype.html) It suggested that I use the autoscaling.config in the .ebextensions folder. However I found quite not clear instruction to how to use the .ebextensions folder with my current environment setup where I use docer-compose to refer to the default .env file when deploying. Can someone help in pointing to me a clear instruction. Another thought is, since the environment already exist, if I directly go to the ASG group in my environment, and update from there, would new deployment (with upgrade version) into my EB environment override this ASG change each time I do upgrade? Or the change will be honored and kept in the ASG group as long as it was not deleted.

The "new" Amazon ECS Console, which is an opt-in experience, is missing important functionality. One such missing function is the ability to specify a custom entrypoint or command override for each container defined in an Amazon ECS Task Definition. This makes the usage of the "new" console almost impossible, and I have to fallback to using the old console. When is the "new" ECS console going to be usable?

Hi All, We are trying to migrate from EC2 to AWS ECS Fargate and this is a PCI complaint environment. We would like to get inputs on how we could be complaint for PCI with Fargate implementation. Particularly it would be helpful if I get some inputs on how everyone is dealing with the run-time security of Fargate containers. It would be nice to know as to how requirements like anti-virus, FIM which were in EC2 are covered with AWS Fargate. Regards, Karthik

I am new to AWS SageMaker and i am using this technology for building and training the machine learning models. I have now developed a docker image which contains our custom code for tensorflow. I would like to upload this custom docker image to AWS SageMaker and make use of it. I have searched various links but could not find proper information on how to upload our own custom docker image. Can you please suggest me the process of uploading our own docker image to AWS SageMaker?

This question is mostly for educational purposes, but the current SageMaker documentation does not describe whether these things are allowed or not. Lets suppose I have: * a `XGBoost_model_1` (that needs a `XGBoost container`) * a `KMeans_model_1` and a `KMeans_model_2` (both require a `KMeans container`) **1.** Here's the first question - can I do the following: * create a `Model` with `InferenceExecutionConfig.Mode=Direct` and specify two cointainers (`XGBoost` and `KMeans` with `Mode: MultiModel`) That would enable the client: * to call `invoke_endpoint(TargetContainer="XGBoost")` to access the `XGBoost_model_1` * to call `invoke_endpoint(TargetContainer="KMeans", TargetModel="KMeans_model_1")` to access the `KMeans_model_1` * to call `invoke_endpoint(TargetContainer="KMeans", TargetModel="KMeans_model_2")` to access the `KMeans_model_2` I don't see a straight answer in the documentation whether combining Multi-Model containers with Multi-container endpoint is possible. **2.** The second question - how does the above idea work with `ProductionVariants`. Can I create something like this: * `Variant1` with `XGBoost` serving `XGBoost_model_1` having a weight of `0.5` * `Variant2` with a Multi-container having both `XGBoost` and `KMeans` (with a `MultiModel` setup) having a weight of `0.5` So that the client could: * call `invoke_endpoint(TargetVariant="Variant2", TargetContainer="KMeans", TargetModel="KMeans_model_1")` to access the `KMeans_model_1` * call `invoke_endpoint(TargetVariant="Variant2", TargetContainer="KMeans", TargetModel="KMeans_model_2")` to access the `KMeans_model_2` * call `invoke_endpoint(TargetVariant="Variant1")` to access the `XGBoost_model_1` * call `invoke_endpoint(TargetVariant="Variant2", TargetContainer="XGBoost")` to access the `XGBoost_model_1` Is that combination even possible? If so, what happens when the client calls the `invoke_endpoint` without specifying the variant? For example: * would `invoke_endpoint(TargetContainer="KMeans", TargetModel="KMeans_model_2")` fail 50% of the time (if it hits the right variant then it works just fine, if it hits the wrong one it would most likely result with a 400/500 error ("incorrect payload")?

``` public class Example { public static void main(String[] args) { // print statement at the start of the program System.out.println("Start..."); System.out.print("Number of available processors are: "); System.out.println( Runtime.getRuntime().availableProcessors()); } } ``` Ref: https://www.tutorialspoint.com/get-number-of-available-processors-in-java When I compile and run this code on AWS ECS Fargate getting "1" as the output even though I have specified more than 1 cpu in task def(4098 for 4 vCPU). **Tested Java versions:** - Corretto-17.0.0.35.1 - Corretto-8.275.01.1 But when I do the same on AWS EC2 inside docker by allocating CPU with --cpus for "docker run" I get the exact number what I pass to --cpus. Same results with AWS EC2 with Containerd as well. Also tested this in EKS 1.18 by setting CPU limit. It returns the number of CPUs specified in the CPU limit. So, wondering why "1" only in AWS ECS.

Hi, We are having two microservices running in separate containers in ECS cluster, we are getting "connection reset" error in microservice when it tries to call another microservice over REST. We are using Elastic Load Balancer and we verified that idle timeout on ELB is sufficiently large. Does anyone faced this issue before? Any pointers will be helpful. Thank You in advance. Vishwas

I have been trying to find an answer in documentation, github, here and the old forums, but I fail to find the answer to my question. In my CDK v1 (python) I create a RDS instance of SQL Server and set credentials with aws_rds.Cerednetials.from_generated_secret(), but when I later on want to provide environment/sercrets values to the docker container I want to run in fargate I have the following environment variable that I need to be set: DB_CONNECTION_STRING, which has the following syntax: Server=<somehost.aws.com>,144;Database=<databasename>; User Id=<databaseuser>;Password=<databasepassword> All the examples I have seen uses multiple variables like DB_USER/DB_PASS/DB_HOST and then you can easily set those with help of secret_value, but there is no example on generating a connection string. How do you solve this? I took a look at aws glue, but it didn't feel like the right optionand I'm not too keen on making a dockerfile to try to pull the official docker image and then create a kind of a wrapper to have environment/sercret variables and then a script that builds up the connection string and sets it before calling the start script for the application (this has other downsides). The reason why I'm not using the CDK v2 is that the current version seems to be broken when you create a new project in WSL (seems to think it's pure ms-windows and fails to create a number of files needed). Thanks in advance for any reply.

I am trying to create an eks cluster using the eksctl command. However, an error occurs as below: AWS::EKS::Cluster/ControlPlane: CREATE_FAILED – "Resource handler returned message: \"Duplicate key <<cluster_name>/ControlPlane\" If you try to delete it using cloudformation, it fails because of ControlPlane. Currently, there is no EKS Cluster.

I need to run a container image in a lambda. For each run, I have to supply it a runtime application config file. How can I supply this runtime application config file? I do not want to rebuild the docker image for each run because there are no code changes; I just want to be able to run the same code, same lambda with a different application config-file. Thanks

Hello all, Our environment contains: - AWS EventBridge event to run an AWS Fargate task once an hour; - AWS ECS event and lambda to monitor task status changes Lately, we sometimes see that the AWS Fargate task fails to start due to the stopReason: > Rate limit exceeded while preparing network interface to be attached to instance I have checked our quotas, and we are very far (<50 ENIs out of 5000 per region). 1. What is the cause for this error? 2. Is a retry (the lambda to RunTask the task) a good workaround? Thank you in advance, Boris.

I have created an Image in ECR, also created Fargate cluster and when I am defining task using hypens (-) for pulling ECR image e.g. 0000-0000-00000..dkr.ecr.ap-south-1.amazonaws.com/liferay:latest, I am getting ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed. 2nd scenario while I am defining Task for pulling ECR Image without hypen (-) 0000000000000..dkr.ecr.apsouth1.amazonaws.com/liferay:latest, I am getting below error CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref "000000000000.dkr.ecr.ap.south.1.amazonaws.com/liferay:latest": failed to do request: Head https://000000000000.dkr.ecr.ap.south.1.amazonaws.com/v2/liferay/manife... Is Fargate not accepting hypens in Image name ?? or how to resolve, since Account Number and Regions contains hypen(s)

While trying to start a task of a ECS cluster using the aws API key with boto3 for my own account, the task container was created and immediately killed due to an error: *Unexpected EC2 error while attempting to Create Network Interface in subnet 'subnet-xxxxxxxxxxxxxxxxx': UnauthorizedOperation * However, I was able to start a task in a ECS cluster via web GUI using the same subnet. When the container was created, it is in the subnet I am expecting. The task launch type is FARGATE, platform version is 1.4.0. Task role has been defined and used in either manual or script launch mode. Network mode shows awsvpc. In case of failed script launch, the EIN id is 'unset'. Can someone help understand this issue? It will be nice to know how to enable the log for the launching of a container. At this moment, I only see the container logs after a container is successfully launched via web gui. Thank you!

I've a built a container image that I'm able to execute locally. The container works well with `aws-lambda-rie`. However, when trying to create lambda function in the console with it, I encounter: "Failed to create the function xxxxxx : MissingParentDirectory: Parent directory does not exist for file: ./usr/share/doc/ca-certificates/copyright" The folder exists on the container. What could be causing this error? Are there other undocumented requirements for containers to be lambda compatible?

I'm running a flask container on AWS Lightsail. The container runs fine when running locally. However, when I send a request to one of the endpoints, I get a 504 status code response from my client. When I checked the container logs on Lightsail, I can see that the request was successful (status code 200) like so: `[13/Jan/2022:13:02:29] 172.26.23.25 - - [13/Jan/2022 13:02:29] "POST /mosaicapi/v1/cubepdf/2 HTTP/1.1" 200 -` My container capacity is small (1GB RAM, 0.5vCPUs) with a scale of 1 @15USD/month. This is my first time deploying a container on AWS, so I don't know how to go about resolving the issue.

Hello We have a problem with the App runner service. Sometime after deployment, we get: ``` 19:32:05 0|kultr | SequelizeConnectionError: getaddrinfo EAI_AGAIN xxxxxxxxxx.xxxxxxx.us-east-2.rds.amazonaws.com 19:34:17 1|kultr | Error: getaddrinfo EAI_AGAIN logs.us-east-2.amazonaws.com ``` After a couple of redeploying this problem is gone. Following https://github.com/nodejs/docker-node/issues/1030 node:12.13.0-alpine was changed to node:12.13.0-stretch but the problem still exists. Something similar was mentioned on this topic https://forums.aws.amazon.com/thread.jspa?threadID=346652&tstart=0 Could somebody advise how we could fix this error and make the service more stable? Thank you!

Using ECR I created an ECS task and I created an IMGPROXY server and I bind to port 80. In security, I allowed all traffic anywhere for inbound and outbound. But when i am deploying the task it's showing this error that port is missing but i already opened all ports.

Hello All I am expanding the scope of the project, and wanted some suggestions/comments on if the right tech stack is being used. (Job - Pulling Leads and Activities from Marketo). Each job has a different query. **Scope**: We need 2 jobs to be run daily, however here is the catch. Each job should be created and queued first. Once done, we can poll to see if the job on Marketo side is completed and the file is downloaded. The file download can take more than 15 mins. THe file an be downloaded using the Job Id, using the 2 jobs that were created earlier. **Current/Implemented Solution**: I started with solving for Leads only and here is the stack that was worked out. The Event will be triggered, on a daily basis using event bridge. The task that is to be triggered is a step function. The Sfn, first calls a Lambda to create job, waits for 1 min, another lambda to queue the job, then wait for 10 mins and 3rd lambda to check status of file. If not ready, wait for 10 and poll again for file status(this is a loop with choice to keep checking file status). Once file is ready, call a container(fargate/ECS) and pass the Job Id as containerOverride to the container. Run the job on container to download the file and upload the file to S3. **Incorporate pulling activities into the above flow**: Since the queuing and Polling(for file status) lamba are similar, and the first lambda(creating the job) is different, I though of creating a parallel task where each branch does create, queue, poll and download the file(using the implemented solution, so 2 lambdas for job create and reuse the 2nd and 3rd lambdas). Once the complete chain(one for Leads and one for activities) is done, have a consolidation stage where the output from each container output is collected and an SNS message of job completion is send. I am looking forward to your suggestions to see if the suggested above workflow is how it should be done or is there any other technology that I should use. **Design Constraints**: I need to create and queue all the jobs first before starting the downloading since Marketo has a limit of 500mb for file download. Hence I the need to create and queue all the jobs first , and then only start the job to download of files. Thanks for your suggestions. Regards Tanmay

Hi, This is the first time I try to use AWS Lightsail. I use it in `us-east-1`. I setup a nano single instance and try to run two containers - one with a Go program which talks to a database and one with Nginx front-end serving a React application. For the sake of troubleshooting, I narrowed it down to just the Go program. The Docker image I created on my laptop runs fine on my laptop, it can even open the connection to the database (I made the database public while debugging). But when I push the image to Lightsail and try to deploy it, all I get is: ``` [1/Jan/2022:01:03:21] [deployment:8] Creating your deployment [1/Jan/2022:01:04:31] [deployment:8] Started 1 new node [1/Jan/2022:01:05:25] [deployment:8] Started 1 new node [1/Jan/2022:01:06:34] [deployment:8] Started 1 new node [1/Jan/2022:01:07:12] [deployment:8] Canceled ``` No matter what I try. The container's ENTRYPOINT script prints some output (for instance, it executes `env` to show the environment), but I don't see it in the logs and the Go code is verbose when it starts up but I don't see the expected output in the logs either. It also starts in about 5 seconds, including opening the connection to the database and running a few quick transactions on it, so I don't think it's a matter of slow start. I couldn't find any other output or logs from Lightsail. The container takes about 3Mb of RAM when it runs on my laptop, way less than the 512Mb available on the Nano instance. Similar issues happen with the container which runs Nginx. It's a custom container based on the official `nginx:alpine` image with my static files and extra config added to it. It runs fine on my laptop. What am I doing wrong? Where else can I look for hints on why my deployments fail? I've been banging my head over this for three days now.

I have a deployment with a private php:7.4-apache derivative image container and a database container. When I launch my deployment, it is failing, but I don't know why. For some reason, it appears to start multiple times: ``` [28/Dec/2021:16:16:15] [deployment:33] Creating your deployment [28/Dec/2021:16:17:05] > Wrote the baseURL ([REDACTED].us-east-1.cs.amazonlightsail.com) to .env [28/Dec/2021:16:17:05] [File\Write] Writing to /var/www/fairs/.env. [28/Dec/2021:16:18:11] [deployment:33] Started 1 new node [28/Dec/2021:16:19:18] [File\Write] Writing to /var/www/fairs/.env. [28/Dec/2021:16:19:18] > Wrote the baseURL ([REDACTED].us-east-1.cs.amazonlightsail.com) to .env [28/Dec/2021:16:20:21] [deployment:33] Started 1 new node [28/Dec/2021:16:20:49] [deployment:33] Took too long ``` I also have a mysql import in my launch command that fails whenever I try to import a database snapshot: ``` [28/Dec/2021:19:23:00] ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) ``` But when I look at the logs of my db container, it doesn't appear to be ready at that exact time.: ``` [28/Dec/2021:19:22:07] [deployment:35] Creating your deployment [28/Dec/2021:19:22:59] 2021-12-28 19:22:59+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.33-1debian10 started. [28/Dec/2021:19:22:59] 2021-12-28 19:22:59+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql' [28/Dec/2021:19:23:00] 2021-12-28 19:22:59+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.33-1debian10 started. [28/Dec/2021:19:23:00] 2021-12-28 19:23:00+00:00 [Note] [Entrypoint]: Initializing database files [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.385802Z 0 [Warning] Changed limits: max_open_files: 1024 (requested 5000) [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.385858Z 0 [Warning] Changed limits: table_open_cache: 431 (requested 2000) [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.385992Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details). [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.791276Z 0 [Warning] InnoDB: New log files created, LSN=45790 [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.843479Z 0 [Warning] InnoDB: Creating foreign key constraint system tables. [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.904067Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 9240f4d4-6813-11ec-af07-0a58a9feac02. [28/Dec/2021:19:23:00] 2021-12-28T19:23:00.906067Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened. [28/Dec/2021:19:23:02] 2021-12-28T19:23:02.285861Z 0 [Warning] CA certificate ca.pem is self signed. ... [28/Dec/2021:19:23:06] 2021-12-28T19:23:06.403308Z 0 [Note] mysqld: ready for connections. [28/Dec/2021:19:23:06] Version: '5.7.33' socket: '/var/run/mysqld/mysqld.sock' port: 0 MySQL Community Server (GPL) ``` When I take out the launch command in my container, it launches fine. Is the command supposed to return something to indicate that it's done and ok? I need the launch command to configure my app and import the database.

I want to deploy two containers which is "nginx" and "php-fpm(Laravel)". I already create and make it work on local using docker-compose. But by Lightsail it failed. Lightsail logs said php-fpm container not found which I set the name on container.yml. `nginx: [emerg] host not found in upstream "php" in /etc/nginx/conf.d/default.conf:24` The line 24 is`fastcgi_pass php:9000;`, indicating the name of php container not found. Like docker-compose, I thought it would be possible with specifying container name can communicate between each containers. So, my question is what is the right way to configure for communicate between two container. Here is the settings. nginx default.conf ``` server { listen 80 default_server; listen [::]:80 default_server; server_name _; root /app/public; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff"; index index.html index.htm index.php; charset utf-8; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass php:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; include fastcgi_params; fastcgi_buffer_size 32k; fastcgi_buffers 4 32k; fastcgi_read_timeout 1200s; fastcgi_send_timeout 1200s; } } ``` Lightsail container.yml ``` serviceName: ${SERVICE_NAME} containers: nginx: command: [] image: ${LATEST_NGINX_LIGHTSAIL_DOCKER_IMAGE} ports: '80': HTTP php: command: [] image: ${LATEST_PHP_LIGHTSAIL_DOCKER_IMAGE} publicEndpoint: containerName: nginx containerPort: 80 healthCheck: healthyThreshold: 2 intervalSeconds: 20 path: /api/healthcheck successCodes: 200-499 timeoutSeconds: 4 unhealthyThreshold: 2 ```

Following the [Public endpoints and default domains](https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-container-services#container-services-endpoints-domains) instructions, I'm trying to make my services chat to each other but having trouble with the private domain. I'm instructions but not having much luck. **This should not have to be guess work**. Please add the private domain for each running service in its section because currently one may not even know this is possible without reading the docs plus docs clearly aren't helping.

Following from earlier thread https://repost.aws/questions/QU6QlY_u2VQGW658S8wVb0Cw/should-ecs-service-task-start-be-triggered-by-asg-capacity-0-1 , I've now attached a proper Capacity Provider, an Auto Scale Group provider to my ECS Cluster. Question TL;DR: should scaling an ECS Service 0->1 desired tasks be able to wake-up a previously scaled-to-zero ASG and have it scale 0->1 desired/running? So I've started with an ECS Service with a single task definition and Desired=1, backed by the ASG with Capacity Provider scaling - also starting with 1 Desired/InService ASG instance. I can then set the ECS Service Desired tasks to 0, and it stops the single running task, then `CapacityProviderReservation` goes from 100 to 0, and 15 minutes/sample later the Alarm is triggered, and the ASG shuts-down it's only instance, 1->0 Desired/running. If I later change the ECS Service Desired back to 1 - nothing happens, other than ECS noting that it has no capacity to place the task. Should this work? I have previously seen something similar working - `CapacityProviderReservation` jumps to 200 and an instance gets created, but this is not working for me now - that metric is stuck at 100, and no scale-up-from-zero (to one) occurs in the ASG, and the task cannot be started. Should this be expected to work? Reference blog https://aws.amazon.com/blogs/containers/deep-dive-on-amazon-ecs-cluster-auto-scaling/ suggests that `CapacityProviderReservation` should move to 200 if `M > 0 and N = 0`, but this seems to rely on a task in "Provisioning" state - will that even happen here, or is the ECS Service/Cluster giving-up and not getting that far, due to zero capacity?

Hello, I pushed containers based on Red Hat UBI 8, which is a subset of RHEL 8. More than that, as stated by Red Hat: "UBI is RHEL. It’s not a downstream rebuild" (source: https://developers.redhat.com/blog/2019/10/09/what-is-red-hat-universal-base-image). Problem is: my containers are not scanned by Amazon Inspector. When I click on "See findings" in "Vulnerabilities" column I got "Scan status: UNSUPPORTED_IMAGE". The documentation mentions RHEL 8 as being supported though: https://docs.aws.amazon.com/inspector/latest/user/supported.html I don't know how Inspector determines the OS in use but it seems it does not properly recognize UBI as RHEL (content of '/etc/redhat-release' file on UBI is clear enough: "Red Hat Enterprise Linux release 8.5 (Ootpa)"). Any idea? Thanks

TL;DR: If an ECS cluster's ASG scales from 0->1 running instances, should a Service with Task Desired=1 and Running=0 automatically react and start a Task, or does it have to be prodded? I have an ECS EC2-backed cluster with an EC2 Auto Scale Group. The ASG can be scaled-to-zero, either manually or via some alarm. When the ASG scales to zero, ECS notices and stops the Task, so Desired=1, Running=0. All good. If I later scale the ASG to Desired>0 (e.g. Desired=1) and instances start, these appear in ECS, however it does not seem to trigger the ECS Service to attempt to start a Task, now having capacity to do so, and Desired=1, Running=0. Is this expected - does an ECS Service need to be prodded in some way so it notices that it now has capacity to deploy tasks, and if so, what is the best prod to do? **Edit**: I'm now finding that ECS will start a task, but after some considerable delay after the ASG has reached desired capacity and new instances have started and the ECS agent registered with ECS - >10 minutes on all occasions. Is this some sort of tuneable polling, or instance-warm-up safety?

I deploy many times a day to Lightsail via CI/CD. My container ends up accumulating a lot of old images which I will never use again. Also the UI for deleting old images requires deleting them one by one which means deleting them is really painful. So I want to know what happens if I don't delete these redundant images? Does AWS charge me for the storage? should I be deleting them?

Hi there, I'm an AWS Lightsail containers user. Except for a few rough edges, I generally like working with AWS Lightsail. One thing that's unclear is what's coming to AWS Lightsail. Updates to AWS Lightsail are very rare so I'm wondering is this service stagnating or is it thriving and worth investing more time and energy? Any information about the future of this service such as what new changes might be coming is very appreciated.

We are having lots of AWS Accounts. Is there a way to manage ECS clusters across these accounts without logging back and forth between the accounts? Especially, if there are any tools for ECS like Lens for K8S, that will be really great.

18 hours still pending. I created my first container service on US-East-1 yesterday while services were failing. Lucky me. It is on step 3 copying certificate. Can't delete, not sure where to find a log or force stop it. Can't create a new one until this one is out of the way. Most likely the same issue as AWS-User-1888013 "Delete pending LightSail container service" . We created around the same time during the AWS partial outage. Tried to delete, but error says can't delete in pending Here some of the details: ``` aws lightsail get-container-services --service-name=... ... "resourceType": "ContainerService", "tags": [], "power": "nano", "powerId": "nano-1", "state": "PENDING", "stateDetail": { "code": "PROVISIONING_CERTIFICATE", "message": "" ```

I try to deploy my node application with ecs fargate service using cdk and after I added some packages in my application, get this error during the build process (yarn install) of my dockerfile: ``` error An unexpected error occurred: "ENOSPC: no space left on device, copyfile..... ``` Do you have some idea? PS. in CDK I use: `ApplicationLoadBalancedFargateService`

I have a CUDA application that requires version 470.x.x of NVIDIA's CUDA drivers. The Amazon Linux 2 ECS-optimized GPU AMI was updated a few weeks ago to carry driver version 470.57.02 (updated from 460.73.01), which is great. However, I find that a new Batch compute environment configured for p3-family instances launches instances using the older AMI amzn2-ami-ecs-gpu-hvm-2.0.20210916-x86_64-ebs from September, which has the old 460.73.01 driver version. This indicates that Batch does not directly track the latest recommended ECS-optimized GPU AMI version. When can I expect Batch to be updated to use the new amzn2-ami-ecs-gpu-hvm-2.0.20211120-x86_64-ebs ECS-optimized GPU AMI with NVIDIA driver version 470.57.02? In general, does AWS have a policy (official or unofficial) for when the ECS-optimized GPU AMI should be updated to include new drivers from NVIDIA, or for when Batch will start using a new ECS-optimized GPU AMI by default? Knowing this would be very helpful for my planning in order to avoid driver version incompatibility issues in the future. Thanks.

I migrated my ECS Fargate workloads to Graviton2, however when I am using CodePipeline to release new code, it removes ``` "runtimePlatform": { "operatingSystemFamily": "LINUX", "cpuArchitecture": "ARM64" }, ``` from the task definition and then the task fails due to architecture mismatch. I am using Amazon ECS as the deploy provider, so it only suppose to update the imageUri in the task definition. If I manually add the removed part, it works just fine.

A new Amazon Linux version was released on 11/3, but the Docker Hub amazonlinux image has not been updated. The new version included upgrades to glibc which align with versions in Amazon's repos, but are incompatible with the versions included in previous releases. The end result is you can no longer install gcc on the currently published docker image; it fails due to dependency conflicts. Are there plans to build a new Docker image from the latest Amazon Linux release 2.0.20211103.0?