To make Weave Net and Weave Scope easier to use with Amazon ECS, a set of Amazon Machine Images (AMIs) is provided. These AMIs are fully compatible with the ECS-Optimized Amazon Linux AMI.
These are the latest supported Weave AMIs for each region:
Region | AMI |
---|---|
us-east-1 | ami-7b692804 |
us-east-2 | ami-6a0b350f |
us-west-1 | ami-a4db3fc7 |
us-west-2 | ami-12c98a6a |
eu-west-1 | ami-b3bab7ca |
eu-west-2 | ami-47846a20 |
eu-central-1 | ami-7f211294 |
ap-northeast-1 | ami-2a8c4355 |
ap-southeast-1 | ami-b00304cc |
ap-southeast-2 | ami-c7c41ba5 |
ca-central-1 | ami-41028125 |
For more information about Weave AMIs and running them see:
- What’s in the Weave ECS AMIs?
- Deployment Requirements
- Required Open Ports
- Additional IAM Action Permissions
- Requirements for Peer Discovery
- Peer Discovery with Weave Net
- How to Run Weave Scope
- Standalone mode
- In Weave Cloud
- Upgrading Weave Scope and Weave Net
- Creating Your Own Customized Weave ECS AMI
What’s in the Weave ECS AMIs?
The latest Weave ECS AMIs are based on Amazon’s ECS-Optimized Amazon Linux AMI, version 2017.03.f, and also include:
Deployment Requirements
Required Open Ports
For Weave Net to function properly, ensure that the Amazon ECS container instances can communicate over these ports: TCP 6783, as well as UDP 6783 and UDP 6784.
In addition to those open ports, launching Weave Scope in standalone mode requires that all instances are able to communicate over TCP port 4040. More information about this can be found in How to Run Weave Scope.
See the relevant section of the setup.sh script from Service Discovery and Load Balancing with Weave on Amazon ECS for an example.
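The port requirements above, expressed as security group rules whose source is the group itself, so the Weave ports are reachable only between member instances. This is an added example, not taken from setup.sh; it assumes all container instances share one security group, and the function name and the group ID in the usage comment are made up for illustration.

```sh
#!/bin/sh
# Added example: open the Weave ports between members of one security group.

# allow_weave_ports <security-group-id> [yes|no]
#   second argument "yes" also opens TCP 4040 for Weave Scope standalone mode
allow_weave_ports() {
    sg="$1"
    # protocol:port-range pairs required by Weave Net (from the text above)
    rules="tcp:6783 udp:6783-6784"
    if [ "${2:-no}" = "yes" ]; then
        rules="$rules tcp:4040"
    fi
    for rule in $rules; do
        # --source-group set to the group itself: only instances that are
        # members of this group may connect, instead of a CIDR range.
        aws ec2 authorize-security-group-ingress \
            --group-id "$sg" \
            --protocol "${rule%%:*}" \
            --port "${rule#*:}" \
            --source-group "$sg" || return 1
    done
}

# Usage (constructed group ID):
#   allow_weave_ports sg-0123456789abcdef0 yes
```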
Additional IAM Action Permissions
Besides the customary Amazon ECS API actions required by all container instances (see the AmazonEC2ContainerServiceforEC2Role managed policy), any instances using the Weaveworks ECS AMI must also be allowed to perform the following actions:
1. ec2:DescribeInstances
2. ec2:DescribeTags
3. autoscaling:DescribeAutoScalingInstances
4. ecs:ListServices
5. ecs:DescribeTasks
6. ecs:DescribeServices
These extra actions are needed for discovering instance peers (1, 2, 3) and creating the ECS views in Weave Scope (4, 5, 6). weave-ecs-policy.json (from the Weaveworks ECS guide) describes the minimal policy definition.
For more information on IAM policies see IAM Policies for Amazon EC2.
Requirements for Peer Discovery
To form a Weave network, the Amazon ECS container instances must either:
- be a member of an Auto Scaling Group, or
- have a tag with key weave:peerGroupName.
Peer Discovery with Weave Net
At boot time, an instance running the ECS Weave AMI will try to join other instances to form a Weave network.
- If the instance has a tag with key weave:peerGroupName, it will join other instances with the same tag key and value. For instance, if the tag key is weave:peerGroupName and the value is foo, it will try to join other instances with tag key weave:peerGroupName and tag value foo. Note that for this to work, the instances need to be tagged at creation time so that the tag is available by the time Weave is launched.
- Otherwise it will join all the other instances in the same Auto Scaling Group.
When running Weave Scope in Standalone mode, probes discover apps with the same mechanism.
How to Run Weave Scope
There are two methods for running Weave Scope within the Weave ECS AMIs:
You can prevent Weave Scope from automatically starting at boot time by removing /etc/init/scope.conf. This can be done at instance initialization time by adding the following line to the User Data of the instance:
rm /etc/init/scope.conf
Running Weave Scope in Standalone Mode
Running Weave Scope in standalone mode is the default mode.
The following occurs on all Amazon ECS container instances:
- A Weave Scope probe is launched that collects instance information.
- A Weave Scope app runs that enables cluster visualization.
Since all instances run an app and show the same information, you don’t have to worry about placing the app, thereby eliminating a Leader election problem.
However, running the app on all instances impacts performance, resulting in N * N = N^2 connections in an Auto Scaling Group with N instances (i.e. all N probes talk to all N apps, one on every instance).
To avoid this problem, it is recommended that you run Weave Scope in Weave Cloud.
The Weave Scope app runs a web-based application, which listens on TCP port 4040 where you can connect with your browser. Weave Scope probes also forward information to the apps on TCP port 4040. Ensure that your Amazon ECS container instances can talk to each other on that port before running Weave Scope in standalone mode (see Required Open Ports for more details).
Running Weave Scope in Weave Cloud
In Weave Cloud, you can visualize Amazon ECS containers as well as monitor Tasks and Services, all from within Weave Cloud at https://cloud.weave.works.
In this case, Amazon ECS container instances run a Weave Scope probe that reports data from the container instances to Weave Cloud.
To configure your ECS container instances to communicate with Weave Cloud, store the Weave Scope cloud token in the /etc/weave/scope.config file.
Note: The Weave Scope cloud token can be found in your Weave Cloud account at http://cloud.weave.works.
For example, this command configures the instance to communicate with Weave Cloud using token 3hud3h6ys3jhg9bq66n8xxa4b147dt5z:
echo SERVICE_TOKEN=3hud3h6ys3jhg9bq66n8xxa4b147dt5z >> /etc/weave/scope.config
You can do this at instance-initialization time using User Data, which is similar to how ECS Cluster Mapping is configured.
Upgrading Weave Scope and Weave Net
The AMIs are updated regularly (~monthly) to include the latest versions of Weave Net and Weave Scope. However, it is possible to upgrade Weave Net and Weave Scope in your running EC2 instances without waiting for a new AMI release or rebuilding your cluster.
In order to upgrade Scope to the latest released version, run the following commands in each of your instances:
sudo curl -L git.io/scope -o /usr/local/bin/scope
sudo chmod a+x /usr/local/bin/scope
sudo stop scope
sudo start scope
Upgrade Weave Net to the latest version by running the following commands in each of your instances:
sudo curl -L git.io/weave -o /usr/local/bin/weave
sudo chmod a+x /usr/local/bin/weave
sudo stop weave
sudo start weave
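The upgrade commands above install whatever the download returns, as root, with no integrity check; curl also defaults to plain HTTP when the URL has no scheme. The following added example (not part of the Weave AMIs or scripts) swaps the binary in only when its SHA-256 matches a digest you pinned beforehand. The function names are made up for illustration, and the digest is assumed to be one you recorded yourself from a copy you vetted, so it has to be updated for each release you adopt.

```sh
#!/bin/sh
# Added example: replace a binary only after its SHA-256 matches a pinned digest.

# install_verified <downloaded-file> <expected-sha256> <destination>
install_verified() {
    src="$1"; expected="$2"; dest="$3"
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src (got ${actual:-none}); $dest left untouched" >&2
        return 1
    fi
    # Stage beside the destination and rename, so the swap is atomic and a
    # failed copy never leaves a half-written executable in place.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod 0755 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 1; }
}

# upgrade_tool <scope|weave> <https-url> <expected-sha256>   (run as root)
upgrade_tool() {
    name="$1"; url="$2"; expected="$3"
    dl=$(mktemp) || return 1
    # --fail turns HTTP errors into failures; --proto/--proto-redir refuse
    # any non-HTTPS hop, including redirects from a URL shortener.
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$dl" "$url" \
       && install_verified "$dl" "$expected" "/usr/local/bin/$name"; then
        rm -f "$dl"
        stop "$name" || true   # Upstart job; not fatal if it was not running
        start "$name"
    else
        rm -f "$dl"
        return 1
    fi
}

# Usage (digest is a placeholder for one you recorded from a vetted copy):
#   upgrade_tool scope https://git.io/scope <sha256-of-vetted-scope-binary>
```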
Creating Your Own Customized Weave ECS AMI
Clone the integrations repository and then change to the packer directory.
git clone https://github.com/weaveworks/integrations
cd integrations/aws/ecs/packer
Download and install Packer version >=0.9 to build the AMI.
Finally, invoke ./build-all-amis.sh to build the Weave ECS images for all regions. This step installs (in the image) AWS-CLI, jq, Weave Net, Weave Scope and init scripts for Weave, and it also updates the ECS agent to use the Weave Docker API Proxy.
Customize the image by modifying template.json to match your requirements.
AWS_ACCESS_KEY_ID=XXXX AWS_SECRET_ACCESS_KEY=YYYY ./build-all-amis.sh
(If your account has MFA enabled you should follow this process and also set AWS_SESSION_TOKEN.)
If building an AMI for a particular region, set the ONLY_REGION variable to that region when invoking the script:
ONLY_REGION=us-east-1 AWS_ACCESS_KEY_ID=XXXX AWS_SECRET_ACCESS_KEY=YYYY ./build-all-amis.sh
To make an AMI public:
aws ec2 modify-image-attribute --region=us-east-2 --image-id ami-6a0b350f --launch-permission "{\"Add\": [{\"Group\":\"all\"}]}"
Further Reading
Read the Service Discovery and Load Balancing with Weave on Amazon ECS guide for more information about the AMIs.