(ecs): default to stable fluentbit image instead of latest #16403
Comments
Hey @ayozemr, to help me fully understand your problem, can you share the relevant
Sure, there we go. I redacted some possible sensitive values. The thing is the "log-router" container auto created has an image linked to a param out of my control, that checking ECS taskdefinition json, translates to So the idea is if there is any possibility that "log-router" image is any other tag instead of "latest" until they fix the bug, so I can make that "log-router" container uses

Relevant code:

CDK:

```typescript
const taskdefFamily = `${buildConfig.App}-${buildConfig.Environment}-dbmigrations`;
const migrationTaskDef = new ecs.TaskDefinition(this, 'MigrationsTaskDef', {
  family: taskdefFamily,
  compatibility: ecs.Compatibility.FARGATE,
  cpu: '256',
  memoryMiB: '512',
  networkMode: ecs.NetworkMode.AWS_VPC,
  taskRole: taskdefRole,
  executionRole: taskExecutionRole,
});
migrationTaskDef.addContainer('FlywayContainer', {
  image: ecs.RepositoryImage.fromEcrRepository(ecrRepository, 'latest'),
  memoryLimitMiB: 512,
  environment: {
    ENV: buildConfig.Environment,
    FLYWAY_URL: `jdbc:postgresql://${dbcredentials
      .secretValueFromJson('host')
      .toString()}:${dbcredentials
      .secretValueFromJson('port')
      .toString()}/db`,
  },
  logging: ecs.LogDrivers.firelens({
    options: {
      Name: 'datadog',
      provider: 'ecs',
      TLS: 'on',
      dd_message_key: 'log',
      dd_service: `${buildConfig.App}-Migrations`,
      dd_source: 'java',
      dd_tags: `env:${buildConfig.Environment}`,
    },
    secretOptions: {
      apikey: ecs.Secret.fromSsmParameter(
        ssm.StringParameter.fromStringParameterName(
          this,
          'DatadogApiKey',
          '/datadog/APIKEY'
        )
      ),
    },
  }),
});
// -----------------------------
```

```yaml
MigrationsTaskDef1F4C395A:
  Type: AWS::ECS::TaskDefinition
  Properties:
    ContainerDefinitions:
      - Environment:
          - Name: ENV
            Value: stage
          - Name: FLYWAY_URL
            Value: REDACTED
        Essential: true
        Image:
          Fn::Join:
            - ""
            - - Fn::Select:
                  - 4
                  - Fn::Split:
                      - ":"
                      - Fn::GetAtt:
                          - MigrationsServiceDECCB9A7
                          - Arn
              - .dkr.ecr.
              - Fn::Select:
                  - 3
                  - Fn::Split:
                      - ":"
                      - Fn::GetAtt:
                          - MigrationsServiceDECCB9A7
                          - Arn
              - "."
              - Ref: AWS::URLSuffix
              - /
              - Ref: MigrationsServiceDECCB9A7
              - :latest
        LogConfiguration:
          LogDriver: awsfirelens
          Options:
            Name: datadog
            provider: ecs
            TLS: "on"
            dd_message_key: log
            dd_service: svc-Migrations
            dd_source: java
            dd_tags: env:stage
          SecretOptions:
            - Name: apikey
              ValueFrom: REDACTED-PARAM
        Memory: 512
        Name: app
      - Essential: true
        FirelensConfiguration:
          Type: fluentbit
        Image:
          Ref: SsmParameterValueawsserviceawsforfluentbitlatestC96584B6F00A464EAD1953AFF4B05118Parameter
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group:
              Ref: MigrationsTaskDeflogrouterLogGroupAFD29B37
            awslogs-stream-prefix: firelens
            awslogs-region: us-east-1
        MemoryReservation: 50
        Name: log-router
    Cpu: "256"
    ExecutionRoleArn:
      Fn::GetAtt:
        - TaskExecRoleA2BBB60C
        - Arn
    Family: REDACTED
    Memory: "512"
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    Tags:
      - Key: app
        Value: appname
      - Key: environment
        Value: stage
      - Key: stack
        Value: stackname
    TaskRoleArn:
      Fn::GetAtt:
        - TaskRole30FC0FBB
        - Arn
  Metadata:
    aws:cdk:path: stackname/MigrationsTaskDef/Resource
```
This is where the image is set: aws-cdk/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts Lines 679 to 696 in 026cb8f
The aws-cdk/packages/@aws-cdk/aws-ecs/lib/firelens-log-router.ts Lines 179 to 184 in 026cb8f
Unfortunately, the use of escape hatches won't work here because |
Hey @ayozemr, I think you can use the public

```typescript
migrationTaskDef.addFirelensLogRouter('log-router', {
  image: your-image-here,
  firelensConfig: {
    type: FirelensLogRouterType.FLUENTBIT,
  },
  logging: new AwsLogDriver({ streamPrefix: 'firelens' }),
  memoryReservationMiB: 50,
});
```

Thanks,
BTW, I think this should morph into a feature request to be able to more easily customize the image for the
Thanks @peterwoodworth for your time. @skinny85 I have tried that but ended up having a problem when pulling the non-latest image 🤷. Had to use fromRepositoryArn because fromRepositoryName was adding my account ID by default, ending in an incorrect image URI. It's weird but:

Reading the official repo, it seems there is a public image, but looking at its URI I don't know how I can build its ARN to be able to use: So your solution works to build using another image, but I had no luck with the pull process in Fargate...

Code used:

```typescript
const awsFluentRepo = ecr.Repository.fromRepositoryArn(
  this,
  'AwsFluentRepo',
  'arn:aws:ecr:us-east-1:906394416424:/aws-for-fluent-bit'
  // '906394416424.dkr.ecr.us-east-1.amazonaws.com/aws-for-fluent-bit:2.19.0'
);
migrationTaskDef.addFirelensLogRouter('log-router', {
  image: ecs.ContainerImage.fromEcrRepository(awsFluentRepo, '2.19.0'),
  firelensConfig: {
    type: ecs.FirelensLogRouterType.FLUENTBIT,
  },
  logging: new ecs.AwsLogDriver({ streamPrefix: 'firelens' }),
  memoryReservationMiB: 50,
});
```

Something to override the firelens image would be useful, especially in cases like this related to a bug. Maybe also something to use a container image using its URI instead of its ARN, which would let me use that public ECR image.

Thanks for your time all!!
@ayozemr I think what you're looking for here is the So something like:

```typescript
migrationTaskDef.addFirelensLogRouter('log-router', {
  image: ecs.ContainerImage.fromRegistry('public.ecr.aws/aws-observability/aws-for-fluent-bit:2.19.0'),
  // ...
});
```
Oh yes! That did it 👏 Much appreciated!! Thanks for your time! About changing the issue to a feature request, I don't know how to do it. I can close this one and create another referencing this if it's OK with you
I just ran into this problem and opened #16439 to default to the
Great, I've converted this into a feature request. Changing the image to default to stable seems like a fine solution to me
Closing this issue, since the upstream issue with fluentbit has been resolved. And we are no longer planning to implement this change in the default.
I know this is closed as wontfix, but I figured I'd post anyway since the AWS for Fluent Bit image broke again: aws/aws-for-fluent-bit#491 This caused an outage for us that would have been avoided by using Is using bleeding-edge Fluent Bit, at increased risk of instability, really worth it?
Per the comment visibility warning, cc @madeline-k and @peterwoodworth RE: @paulrosania's comment above. My PR was closed because changing from
We can possibly implement this behind a feature flag to avoid the breakage. Should be a fairly simple contribution if someone wants to take a crack at it.
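A check for the situation this thread describes, as an added example that is not part of the issue or of the aws-cdk code base: it scans a synthesized CloudFormation template for ECS containers whose image floats on `latest`, including a log router that references an SSM `/latest` parameter. The template is a constructed sample; `findFloatingImages`, `render`, `FluentBitLatestParam`, `Repo` and the parameter's `Default` path are assumptions.

```typescript
// Added example: list ECS containers whose image floats on "latest".
type Json = any;
interface Finding { taskDef: string; container: string; reason: string }

// Flatten an Image value to text. A Ref to a template Parameter becomes
// "ssm:<Default>"; other intrinsics cannot be resolved from the template.
function render(node: Json, params: Json): string {
  if (typeof node === 'string') return node;
  const ref = node?.Ref, join = node?.['Fn::Join'];
  if (typeof ref === 'string') {
    const def = params[ref]?.Default;
    return typeof def === 'string' ? `ssm:${def}` : '{ref}';
  }
  if (Array.isArray(join)) return join[1].map((n: Json) => render(n, params)).join(join[0]);
  return '{intrinsic}';
}

function findFloatingImages(template: Json): Finding[] {
  const params = template.Parameters ?? {};
  const resources = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const taskDef of Object.keys(resources)) {
    if (resources[taskDef].Type !== 'AWS::ECS::TaskDefinition') continue;
    for (const c of resources[taskDef].Properties?.ContainerDefinitions ?? []) {
      const image = render(c.Image, params);
      let reason = '';
      if (/^ssm:.*\/latest$/.test(image)) reason = image;
      else if (/:latest$/.test(image)) reason = 'tag :latest';
      else if (typeof c.Image === 'string' && !/[:@][^/]+$/.test(image)) reason = 'no tag';
      if (reason) findings.push({ taskDef, container: c.Name, reason });
    }
  }
  return findings;
}

// Constructed sample, trimmed to the shape of the template posted in the thread.
// Assumption: the Default is the SSM path implied by the parameter's logical ID.
const sampleTemplate: Json = {
  Parameters: { FluentBitLatestParam: { Type: 'AWS::SSM::Parameter::Value<String>',
    Default: '/aws/service/aws-for-fluent-bit/latest' } },
  Resources: {
    MigrationsTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: { ContainerDefinitions: [
      { Name: 'app', Image: { 'Fn::Join': ['', [{ Ref: 'Repo' }, ':latest']] } },
      { Name: 'log-router', Image: { Ref: 'FluentBitLatestParam' } } ] } },
    PinnedTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: { ContainerDefinitions: [
      { Name: 'log-router', Image: 'public.ecr.aws/aws-observability/aws-for-fluent-bit:2.19.0' } ] } },
  },
};
const findings = findFloatingImages(sampleTemplate); // both MigrationsTaskDef containers
```

Run against the JSON template that `cdk synth` writes, a check like this can fail a build when a task definition still depends on a moving image reference.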
❓ General Issue
The Question
I am affected by a bug in Fluentbit that causes DNS problems when using the firelens log driver, almost with datadog (aws/aws-for-fluent-bit#233). As of now, the working solution is to not use the latest image and use 2.19.0, which I have tested working.
My problem is that using CDK I don't see how I can set a fixed fluentbit version in the "log-router" container, as that container definition is created by CloudFormation when we specify the log router in CDK/CFN in the app container taskdef; the system adds that log-router sidecar container with the version set to latest automatically.
Is it possible to change that sidecar container image from latest to 2.19.0?
Environment
Other information
Thanks for your time!!