compose/docs/ecs-compose-features.md

7.5 KiB

Compose - Amazon ECS mapping

This document outlines the conversion of an application defined in a Compose file to AWS resources. Each service is mapped to an ECS service in the project's cluster.

Compose fields mapping

The table below lists supported Compose file fields and their AWS counterparts.

Legend:

  • ✓: Implemented
  • n: Not yet implemented
  • x: Not applicable / no available conversion
Keys Map Notes
Service
service.service.build x Ignored. No image build support on AWS.
service.cap_add, cap_drop Supported with Fargate limitations
service.command
service.configs x
service.cgroup_parent x
service.container_name x
service.credential_spec x
service.deploy
service.deploy.endpoint_mode x
service.deploy.mode x
service.deploy.replicas Set service initial scale. Auto-scaling, when enabled, will make this dynamic
service.deploy.placement Used with EC2 support to select a machine type and AMI
service.deploy.update_config
service.deploy.resources Fargate resource is selected with the lowest instance type for configured memory and cpu
service.deploy.restart_policy
service.deploy.labels
service.devices x
service.depends_on Implemented using CloudFormation Depends_on
service.dns x
service.dns_search x
service.domainname x
service.tmpfs x Not supported on Fargate, see https://github.com/docker/compose-cli/issues/839
service.entrypoint
service.env_file
service.environment
service.expose x
service.extends
service.external_links x
service.extra_hosts x
service.group_add x
service.healthcheck This configures container level health check as reported on ECS console. Application Load Balancer will also check for HTTP service health by accessing / and expect a HTTP 200 status code.
service.hostname x
service.image Private images will be accessible by passing x-aws-pull_policy with ARN of a username+password secret
service.isolation x
service.labels x
service.links x
service.logging Can be used to customize CloudWatch Logs configuration
service.network_mode x
service.networks x Communication between services is implemented by SecurityGroups within the application VPC.
service.pid x
service.ports Only symetrical port mapping is supported in ECS. See Exposing ports.
service.secrets See Secrets.
service.security_opt x
service.stop_grace_period x
service.stop_signal x
service.sysctls x
service.ulimits Only support nofile ulimit due to Fargate limitations
service.userns_mode x
service.volumes Mapped to EFS File Systems. See Persistent volumes.
service.restart x Replaced by service.deployment.restart_policy
Volume x
driver See Persistent volumes.
driver_opts
external name must be an EFS filesystem ID
labels x
Secret x
external name must be set to secret's ARN
file file content will be uploaded into AWS Secret Manager
Config x

Logs

Application logs can be obtained container with docker compose logs. The Docker ECS integration relies on AWS CloudWatch Logs to collect logs from all containers. CloudWatch can be customized by setting service logging.driver_opts by passing configuration attributes prefixed with awslogs-.

  test:
    image: mycompany/webapp
    logging:
      driver-opts:
        awslogs-datetime-pattern: "some-pattern"

Exposing ports

When one or more services expose ports, a Load Balancer is created for the application. As all services are expose through the same Load Balancer, only one service can expose a given port number. The source and target ports defined in the Compose file MUST be the same, as service-to-service communication don't go trought the Load Balancer and could not benefit from Listeners abstraction to assign a distinct published port.

If services in the Compose file only expose ports 80 or 443, an Application Load Balancer is created, otherwise ECS integration will provision a Network Load Balancer. HTTP services using distinct ports can force use of an ALB by claiming the http protocol with x-aws-protocol custom extension within the port declaration:

  test:
    image: mycompany/webapp
    ports:
      - target: 8080
        x-aws-protocol: http

Persistent volumes

Docker volumes are mapped to EFS file systems. Volumes can be external (name must then be set to filesystem ID) or will be created when the application is first deployed. docker compose down will NOT delete the filesystem, and it will be re-attached to the application on future runs. driver_opts can be used to tweak the EFS filsystem.

Volume mount can be customized to workaround Posix filesystem permission issues by setting user and group IDs to be used to write to filesystem, whatever user is configured to run the container.

services:
    myservice:
        image: mycompany/webapp
        volumes:
        - mydata:/mount/testvolumes

volumes:
  mydata:
    driver_opts:
      performance-mode: maxIO 
      throughput-mode: bursting
      uid: 0
      gid: 0

Secrets

Secrets can be defined in compose files, and will need secret files available at deploy time next to the compose file. The content of the secret file will be made available inside selected containers, by default under /run/secrets/<SECRET_NAME>. External secrets are also supported, name must then be set to secret's ARN

services:
    nginx:
        image: mycompany/webapp
        secrets:
          - mysecret

secrets:
  mysecret:
    file: ./my_secret1.txt

Container Resources

CPU and memory limits can be set in compose. Those are used to select the minimal Fargate size that will match those limits.

services:
    nginx:
        image: mycompany/webapp
        deploy:
          resources:
            limits:
              cpu: 0.5
              memory: 2Gb