ufo 4.5.4 → 4.5.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -2
- data/docs/_docs/extras/ecs-network-mode.md +17 -3
- data/docs/_docs/ufo-env-extra.md +2 -0
- data/lib/template/.ufo/settings/cfn/default.yml.tt +3 -2
- data/lib/ufo/stack.rb +6 -2
- data/lib/ufo/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d86ea7d84ac2ec056ffd1993b8c83c01fe3c9caea66ec44204efbb70cffb25cb
|
|
4
|
+
data.tar.gz: 29aba82ec174765fe0d948b2fc5a313065416f9ea0178af90366b8dc769cd2f5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 016d61a18190e0daa866ed7bdf3613d6a0561c6a5221f20348e9dba34797f034882fb1b89af486d5c009068446aa512092596c73b611c88a0a9a3bf8552a8f13
|
|
7
|
+
data.tar.gz: a2f20498236dc2c205fef1d071a4e766e04e14aa0f2b5f8ac7a76c1676e4b299e70eaae8b3d1e55c83ecc6a5d60ae84213d9449915d773e6850ddb83baa6910b
|
data/CHANGELOG.md
CHANGED
|
@@ -3,9 +3,13 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [4.5.5]
|
|
7
|
+
- adjust default health check thresholds in skeleton
|
|
8
|
+
- improve error handling for UPDATE\_ROLLBACK\_FAILED state
|
|
9
|
+
|
|
6
10
|
## [4.5.4]
|
|
7
|
-
-
|
|
8
|
-
-
|
|
11
|
+
- #85 `ufo docker compile` command. ability to compile Dockerfile from Dockerfile.erb w/o building
|
|
12
|
+
- #86 slight improvement to `ufo docker compile`
|
|
9
13
|
|
|
10
14
|
## [4.5.3]
|
|
11
15
|
- fix error exit code when unable to find task definition
|
|
@@ -3,15 +3,25 @@ title: ECS Network Mode
|
|
|
3
3
|
nav_order: 26
|
|
4
4
|
---
|
|
5
5
|
|
|
6
|
-
## Pros and Cons:
|
|
6
|
+
## Pros and Cons: bridge network mode
|
|
7
7
|
|
|
8
8
|
With network bridge mode, the Docker containers of multiple services share the EC2 container instance's security group. So you have less granular control over opening ports for specific services only. For example, let’s say service A and B both are configured use bridge network mode. If you open up port 3000 for service A, it will also open up port 3000 for service B because they use the same security group at the EC2 instance level.
|
|
9
9
|
|
|
10
10
|
One advantage of bridge mode is you can use dynamic port mapping and do not have to worry about network card limits.
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
## Pros and Cons: awsvpc mode
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
With awsvpc network mode, you must consider the limit of ethernet cards for the instance type. If the instance supports ENI Trunking, then this is limit is decently large. However, if the instance does not support ENI Trunking, then the ENI limit is rather small.
|
|
15
|
+
|
|
16
|
+
For ENI Trunking Task limits per instance: [Elastic Network Interface Trunking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-eni.html)
|
|
17
|
+
|
|
18
|
+
For example, a m5.large instance has a limit of 10 tasks per instance.
|
|
19
|
+
For EC2 instances that do not support ENI Trunking,
|
|
20
|
+
the table that lists the limits are under section the aws EC2 docs under [IP Addresses Per Network Interface Per Instance Type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html)
|
|
21
|
+
|
|
22
|
+
For example, a t3.small instance has a limit of 3 ethernet cards. This means, at most, you can run 2 ECS tasks on that instance in awsvpc network mode, since one network card is already used by the host.
|
|
23
|
+
|
|
24
|
+
In awsvpc mode, each ECS task gets its own network card. The advantage is there’s more granular control of the permissions per ECS service. For example, when service A and B are using awsvpc mode, they can have different security groups associated with them. In this mode, ufo creates a security group and sets up the permissions so the load balancer can talk to the containers. You can also add additional security groups to the `.ufo/settings/network/default.yml` config.
|
|
15
25
|
|
|
16
26
|
The following table summarizes the pros and cons:
|
|
17
27
|
|
|
@@ -20,4 +30,8 @@ Network mode | Pros | Cons
|
|
|
20
30
|
bridge | The numbers of containers you can run will not be limited due to EC2 instance network cards limits. | Less fine grain security control over security group permissions with multiple ECS services.
|
|
21
31
|
awsvpc | Fine grain security group permissions for each ECS service. | The number of containers can be limited by the number of network cards the EC2 instance type supports.
|
|
22
32
|
|
|
33
|
+
## Recommendation
|
|
34
|
+
|
|
35
|
+
It is generally recommended to use awsvpc mode with ENI trunking supported instances. You get the best of both worlds in this situation: a strong security posture as well as container density.
|
|
36
|
+
|
|
23
37
|
{% include prev_next.md %}
|
data/docs/_docs/ufo-env-extra.md
CHANGED
|
@@ -3,6 +3,8 @@ title: UFO_ENV_EXTRA
|
|
|
3
3
|
nav_order: 21
|
|
4
4
|
---
|
|
5
5
|
|
|
6
|
+
<div class="video-box"><div class="video-container"><iframe src="https://www.youtube.com/embed/UVQuwQGToYE" frameborder="0" allowfullscreen=""></iframe></div></div>
|
|
7
|
+
|
|
6
8
|
Ufo has an concept of extra environments. This is controlled by the `UFO_ENV_EXTRA` variable. By setting `UFO_ENV_EXTRA` you can create additional identical ECS services or environments.
|
|
7
9
|
|
|
8
10
|
ufo ship demo-web # creates a demo-web ecs service
|
|
@@ -19,10 +19,11 @@ target_group:
|
|
|
19
19
|
# so we can keep this commented out, unless we need HTTPS at the app level
|
|
20
20
|
# Health check settings are supported by application load balancer only:
|
|
21
21
|
# health_check_path: /upcheck
|
|
22
|
-
#
|
|
22
|
+
health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
|
|
23
|
+
healthy_threshold_count: 2
|
|
24
|
+
unhealthy_threshold_count: 2 # default: 10
|
|
23
25
|
# health_check_protocol: HTTP # HTTP or HTTPS
|
|
24
26
|
# health_check_port: traffic-port
|
|
25
|
-
# unhealthy_threshold_count: 10
|
|
26
27
|
target_group_attributes:
|
|
27
28
|
- key: deregistration_delay.timeout_seconds
|
|
28
29
|
value: 10
|
data/lib/ufo/stack.rb
CHANGED
|
@@ -185,7 +185,11 @@ module Ufo
|
|
|
185
185
|
def handle_stack_error(e)
|
|
186
186
|
case e.message
|
|
187
187
|
when /state and can not be updated/
|
|
188
|
-
puts "The #{@stack_name} stack is in
|
|
188
|
+
puts "The #{@stack_name} stack is in a state that cannot be updated. Deleted the stack and try again."
|
|
189
|
+
puts "ERROR: #{e.message}"
|
|
190
|
+
if message.include?('UPDATE_ROLLBACK_FAILED')
|
|
191
|
+
puts "You might be able to do a 'Continue Update Rollback' and skip some resources to get the stack back into a good state."
|
|
192
|
+
end
|
|
189
193
|
region = `aws configure get region`.strip rescue 'us-east-1'
|
|
190
194
|
url = "https://console.aws.amazon.com/cloudformation/home?region=#{region}"
|
|
191
195
|
puts "Here's the CloudFormation console url: #{url}"
|
|
@@ -203,7 +207,7 @@ module Ufo
|
|
|
203
207
|
end
|
|
204
208
|
|
|
205
209
|
def updatable?(stack)
|
|
206
|
-
stack.stack_status =~ /_COMPLETE$/
|
|
210
|
+
stack.stack_status =~ /_COMPLETE$/ || stack.stack_status == 'UPDATE_ROLLBACK_FAILED'
|
|
207
211
|
end
|
|
208
212
|
end
|
|
209
213
|
end
|
data/lib/ufo/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ufo
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.5.
|
|
4
|
+
version: 4.5.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-08-
|
|
11
|
+
date: 2019-08-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-cloudformation
|