mirror of
				https://github.com/docker/compose.git
				synced 2025-10-24 16:53:52 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			177 lines
		
	
	
		
			7.5 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			177 lines
		
	
	
		
			7.5 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Compose - Amazon ECS mapping
 | |
| 
 | |
| This document outlines the conversion of an application defined in a Compose file to AWS resources.
 | |
| Each service is mapped to an ECS service in the project's cluster.
 | |
| 
 | |
| ## Compose fields mapping
 | |
| 
 | |
| The table below lists supported Compose file fields and their AWS counterparts.
 | |
| 
 | |
| __Legend:__
 | |
| 
 | |
| - __✓:__ Implemented
 | |
| - __n:__ Not yet implemented
 | |
| - __x:__ Not applicable / no available conversion
 | |
| 
 | |
| | Keys                           |Map|  Notes                                                       |
 | |
| |--------------------------------|---|--------------------------------------------------------------|
 | |
| | __Service__                    | ✓ |
 | |
| | service.service.build          | x |  Ignored. No image build support on AWS.
 | |
| | service.cap_add, cap_drop      | ✓ |  Supported with [Fargate limitations](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_KernelCapabilities.html)
 | |
| | service.command                | ✓ |  
 | |
| | service.configs                | x |
 | |
| | service.cgroup_parent          | x |
 | |
| | service.container_name         | x |  
 | |
| | service.credential_spec        | x |
 | |
| | service.deploy                 | ✓ |
 | |
| | service.deploy.endpoint_mode   | x |
 | |
| | service.deploy.mode            | x |
 | |
| | service.deploy.replicas        | ✓ |  Set service initial scale. Auto-scaling, when enabled, will make this dynamic
 | |
| | service.deploy.placement       | ✓ |  Used with EC2 support to select a machine type and AMI
 | |
| | service.deploy.update_config   | ✓ |
 | |
| | service.deploy.resources       | ✓ |  Fargate resource is selected with the lowest instance type for configured memory and cpu
 | |
| | service.deploy.restart_policy  | ✓ |  
 | |
| | service.deploy.labels          | ✓ |  
 | |
| | service.devices                | x |
 | |
| | service.depends_on             | ✓ |  Implemented using CloudFormation Depends_on
 | |
| | service.dns                    | x |
 | |
| | service.dns_search             | x |
 | |
| | service.domainname             | x |  
 | |
| | service.tmpfs                  | x |  Not supported on Fargate, see https://github.com/docker/compose-cli/issues/839
 | |
| | service.entrypoint             | ✓ | 
 | |
| | service.env_file               | ✓ |
 | |
| | service.environment            | ✓ |
 | |
| | service.expose                 | x |
 | |
| | service.extends                | ✓ |
 | |
| | service.external_links         | x |
 | |
| | service.extra_hosts            | x |
 | |
| | service.group_add              | x |
 | |
| | service.healthcheck            | ✓ |  This configures container level health check as reported on ECS console. Application Load Balancer will also check for HTTP service health by accessing `/` and expect a HTTP 200 status code.
 | |
| | service.hostname               | x |
 | |
| | service.image                  | ✓ |  Private images will be accessible by passing x-aws-pull_policy with ARN of a username+password secret
 | |
| | service.isolation              | x |
 | |
| | service.labels                 | x |  
 | |
| | service.links                  | x |
 | |
| | service.logging                | ✓ |  Can be used to customize CloudWatch Logs configuration
 | |
| | service.network_mode           | x |
 | |
| | service.networks               | x |  Communication between services is implemented by SecurityGroups within the application VPC.
 | |
| | service.pid                    | x |
 | |
| | service.ports                  | ✓ |  Only symetrical port mapping is supported in ECS. See [Exposing ports](#exposing-ports).
 | |
| | service.secrets                | ✓ |  See [Secrets](#secrets).
 | |
| | service.security_opt           | x |
 | |
| | service.stop_grace_period      | x |
 | |
| | service.stop_signal            | x |
 | |
| | service.sysctls                | x |
 | |
| | service.ulimits                | ✓ |  Only support `nofile` ulimit due to Fargate limitations
 | |
| | service.userns_mode            | x |
 | |
| | service.volumes                | ✓ |  Mapped to EFS File Systems. See [Persistent volumes](#persistent-volumes).
 | |
| | service.restart                | x |  Replaced by service.deployment.restart_policy
 | |
| |                                |   |
 | |
| | __Volume__                     | x |
 | |
| | driver                         | ✓ |  See [Persistent volumes](#persistent-volumes).
 | |
| | driver_opts                    | ✓ |
 | |
| | external                       | ✓ |  `name` must be an EFS filesystem ID
 | |
| | labels                         | x |
 | |
| |                                |   |
 | |
| | __Secret__                     | x |
 | |
| | external                       | ✓ |  `name` must be set to secret's ARN
 | |
| | file                           | ✓ |  file content will be uploaded into AWS Secret Manager
 | |
| |                                |   |
 | |
| | __Config__                     | x |
 | |
| |                                |   |
 | |
| 
 | |
| 
 | |
| ## Logs
 | |
| 
 | |
| Application logs can be obtained container with `docker compose logs`.
 | |
| The Docker ECS integration relies on AWS CloudWatch Logs to collect logs from all containers. CloudWatch can be customized by setting service `logging.driver_opts`
 | |
| by passing configuration attributes prefixed with `awslogs-`.
 | |
| 
 | |
| ```yaml
 | |
|   test:
 | |
|     image: mycompany/webapp
 | |
|     logging:
 | |
|       driver-opts:
 | |
|         awslogs-datetime-pattern: "some-pattern"
 | |
| ```
 | |
| 
 | |
| 
 | |
| ## Exposing ports
 | |
| 
 | |
| When one or more services expose ports, a Load Balancer is created for the application.
 | |
| As all services are expose through the same Load Balancer, only one service can expose a given port number.
 | |
| The source and target ports defined in the Compose file MUST be the same, as service-to-service communication don't go trought the Load Balancer and could not
 | |
| benefit from Listeners abstraction to assign a distinct published port. 
 | |
| 
 | |
| If services in the Compose file only expose ports 80 or 443, an Application Load Balancer is created, otherwise ECS integration will provision a Network Load Balancer.
 | |
| HTTP services using distinct ports can force use of an ALB by claiming the http protocol with `x-aws-protocol` custom extension within the port declaration:
 | |
| 
 | |
| ```yaml
 | |
|   test:
 | |
|     image: mycompany/webapp
 | |
|     ports:
 | |
|       - target: 8080
 | |
|         x-aws-protocol: http
 | |
| 
 | |
| ```
 | |
| 
 | |
| ## Persistent volumes
 | |
| 
 | |
| Docker volumes are mapped to EFS file systems. Volumes can be external (`name` must then be set to filesystem ID) or will be created when the application is
 | |
| first deployed. `docker compose down` will NOT delete the filesystem, and it will be re-attached to the application on future runs.
 | |
| `driver_opts` can be used to tweak the EFS filsystem.
 | |
| 
 | |
| Volume mount can be customized to workaround Posix filesystem permission issues by setting user and group IDs to be used to write to filesystem, whatever user
 | |
| is configured to run the container.
 | |
| 
 | |
| ```yaml
 | |
| services:
 | |
|     myservice:
 | |
|         image: mycompany/webapp
 | |
|         volumes:
 | |
|         - mydata:/mount/testvolumes
 | |
| 
 | |
| volumes:
 | |
|   mydata:
 | |
|     driver_opts:
 | |
|       performance-mode: maxIO 
 | |
|       throughput-mode: bursting
 | |
|       uid: 0
 | |
|       gid: 0
 | |
| ```
 | |
| 
 | |
| 
 | |
| ## Secrets
 | |
| 
 | |
| Secrets can be defined in compose files, and will need secret files available at deploy time next to the compose file.
 | |
| The content of the secret file will be made available inside selected containers, by default under `/run/secrets/<SECRET_NAME>`.
 | |
| External secrets are also supported, `name` must then be set to secret's ARN
 | |
| 
 | |
| ```yaml
 | |
| services:
 | |
|     nginx:
 | |
|         image: mycompany/webapp
 | |
|         secrets:
 | |
|           - mysecret
 | |
| 
 | |
| secrets:
 | |
|   mysecret:
 | |
|     file: ./my_secret1.txt
 | |
| ```
 | |
| 
 | |
| 
 | |
| ## Container Resources
 | |
| 
 | |
| CPU and memory limits can be set in compose. Those are used to select the minimal [Fargate size](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html) that will match those limits.
 | |
| 
 | |
| ```yaml
 | |
| services:
 | |
|     nginx:
 | |
|         image: mycompany/webapp
 | |
|         deploy:
 | |
|           resources:
 | |
|             limits:
 | |
|               cpu: 0.5
 | |
|               memory: 2Gb
 | |
| ```          
 |