QOTO on AWS

Bring up container (aws-cli)

aws ecs register-task-definition --family load-balancer --network-mode bridge --container-definitions "$(cat container-def.json)" --volumes "$(cat volumes-def.json)"

# Launch ECS task, when above command ran once X == 1, for every update X increases by one.
#  will have too double check docs how to get latest
aws ecs run-task --cluster default --task-definition load-balancer:X --count 1

Bring up container (ecs-cli)

#Another way to bring up a cluster, uses cloud formation
ecs up --capability-iam

#or with some options
ecs-cli up --keypair aws-key --capability-iam --size 1

#or make it empty
ecs-cli up --keypair aws-key --capability-iam --empty

#or specify user data
ecs-cli up \
  --capability-iam \
  --extra-user-data my-shellscript \
  --extra-user-data my-cloud-boot-hook \
  --extra-user-data my-mime-multipart-archive \
  --launch-type EC2
  
#bring up docker-compose container
ecs compose up

container-def.json

[{
    "name": "nginx-proxy",
    "image": "jwilder/nginx-proxy",
    "portMappings": [{
        "containerPort": 80,
        "hostPort": 80
    },{
        "containerPort": 443,
        "hostPort": 443
    }],
    "memory": 128,
    "mountPoints": [{
        "sourceVolume": "nginx-certs",
        "containerPath": "/etc/nginx/certs",
        "readOnly": false
    }, {
        "sourceVolume": "nginx-vhosts",
        "containerPath": "/etc/nginx/vhost.d",
        "readOnly": false
    }, {
        "sourceVolume": "nginx-default",
        "containerPath": "/usr/share/nginx/html",
        "readOnly": false
    }, {
        "sourceVolume": "docker-socket",
        "containerPath": "/tmp/docker.sock",
        "readOnly": true
    }, {
        "sourceVolume": "proxy-log",
        "containerPath": "/var/log",
        "readOnly": false
    }],
    "environment": [{
        "name": "DEBUG",
        "value": "true"
    }]
}, {
    "name": "nginx-proxy-letsencrypt",
    "image": "jrcs/letsencrypt-nginx-proxy-companion",
    "memory": 128,
    "volumesFrom": [{
        "sourceContainer": "nginx-proxy",
        "readOnly": false
    }],
    "mountPoints": [{
        "sourceVolume": "docker-socket",
        "containerPath": "/var/run/docker.sock",
        "readOnly": true
    }, {
        "sourceVolume": "letsencrypt-log",
        "containerPath": "/var/log",
        "readOnly": false
    }],
    "environment": [{
        "name": "DEFAULT_EMAIL",
        "value": "[email protected]"
    },{
        "name": "DEBUG",
        "value": "true"
    }]
}]

Create Security Group

#create security group
aws ec2 create-security-group --group-name qoto-sg --description "My security group" --vpc-id vpc-073bf00a5b8e5f714
#name it
aws ec2 create-tags --resources securityGroupId --tags "Key=Name,Value=qoto-security-group-open"

#add all outbound, probably not needed
aws ec2 authorize-security-group-egress --group-id sg-04baf687640554cf7 --cidr 0.0.0.0/0 --protocol all

#enable all input
aws ec2 authorize-security-group-ingress --group-id sg-04baf687640554cf7 --cidr 0.0.0.0/0 --protocol all

##
## Make sure you create an EFS mount point mounted via user data.
##

#must base64 encode the file locally. The keyname matches the name in AWS
aws ec2 run-instances --image-id ami-0c09d65d2051ada93 --count 1 --instance-type r5a.xlarge --user-data file://userdata.sh --iam-instance-profile "Name=ecsInstanceRole" --key-name aws-key --security-group-ids sg-00240092cb8166df4 --subnet-id subnet-0a43db1988ad60343 --block-device-mappings 'DeviceName=/dev/xvdcz,Ebs={VolumeSize=128}'

#just view some info
aws ec2 describe-security-groups --group-ids sg-xxxxxxxx

Create VPC

# Create a VPC of the given subnet block.
aws ec2 create-vpc --cidr-block 10.0.0.0/16
# Apply a name to the vpc we just created
aws ec2 create-tags --resources VpcIDHere --tags "Key=Name,Value=MyNewNameHere"

#enable some needed features on the vpc
aws ec2 modify-vpc-attribute --vpc-id VpcIDHere --enable-dns-support "{\"Value\":true}"
aws ec2 modify-vpc-attribute --vpc-id VpcIDHere --enable-dns-hostnames "{\"Value\":true}"

# Create a subnet within the VPC
aws ec2 create-subnet --vpc-id VpcIDHere --cidr-block 10.0.0.0/24
# Name the subnet
aws ec2 create-tags --resources SubnetIDHere --tags "Key=Name,Value=MyNewNameHere"

# Lets create a gateway to allow internet access
aws ec2 create-internet-gateway
# Name gw
aws ec2 create-tags --resources GatewayIDHere --tags "Key=Name,Value=MyNewNameHere"

# Attach the new gateway to our earlier subnet
aws ec2 attach-internet-gateway --vpc-id VpcIDHere --internet-gateway-id GatewayIDHere

# Create empty routing table
aws ec2 create-route-table --vpc-id VpcIDHere
# Name the new routing table
aws ec2 create-tags --resources RouteTableIDHere --tags "Key=Name,Value=MyNewNameHere"
# Create the default route in the routing table to our gateway
aws ec2 create-route --route-table-id RouteTableIDHere --destination-cidr-block 0.0.0.0/0 --gateway-id GatewayIDHere

# Optionally we can view the new route table to confirm it worked
aws ec2 describe-route-tables --route-table-id RouteTableIDHere

# Associate earlier subnet with the route table
aws ec2 associate-route-table  --subnet-id SubnetIDHere --route-table-id RouteTableIDHere

# Ensure any insance launched into the subnet is automatically given a public IP
aws ec2 modify-subnet-attribute --subnet-id SubnetIDHere --map-public-ip-on-launch

docker-compose.yml

version: '2'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    volumes:
    - "/data/proxy/etc/nginx/certs:/etc/nginx/certs"
    - "/data/proxy/etc/nginx/vhost.d:/etc/nginx/vhost.d"
    - "/data/proxy//usr/share/nginx/html:/usr/share/nginx/html"
    - "/var/run/docker.sock:/tmp/docker.sock:ro"
    ports:
     - "80:80"
     - "443:443"
  nginx-proxy-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"
    volumes_from:
      - nginx-proxy:rw
    environment:
    - "[email protected]"

Script

aws ecs register-task-definition --family load-balancer --network-mode bridge --container-definitions "$(cat container-def.json)" --volumes "$(cat volumes-def.json)"

# Launch ECS task, when above command ran once X == 1, for every update X increases by one.
#  will have too double check docs how to get latest
aws ecs run-task --cluster default --task-definition load-balancer:X --count 1

UserData.sh

#!/bin/bash
echo ECS_CLUSTER=default >> /etc/ecs/ecs.config
echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config
echo ECS_ENABLE_TASK_CPU_MEM_LIMIT=false >> /etc/ecs/ecs.config
echo 'ECS_RESERVED_PORTS=[2375, 2376, 51678]' >> /etc/ecs/ecs.config
sudo mkdir /data
sudo echo 'fs-105c7858:/ /data efs defaults,nofail 0 2' >> /etc/fstab;
sudo yum install -y amazon-efs-utils && sudo mount /data
sudo sed -i 's/OPTIONS=\"/OPTIONS=\"-H tcp:\/\/127\.0\.0\.1:2375 -H unix:\/\/\/var\/run\/docker.sock /g' /etc/init.d/docker
sudo etc/init.d/docker restart
sudo sed -i 's/#Port 22/Port 2222 /g' /etc/ssh/sshd_config
sudo /etc/init.d/sshd restart

volume-def.json

[{
    "name": "nginx-certs",
    "host": {
        "sourcePath": "/data/proxy/etc/nginx/certs"
    }
}, {
    "name": "nginx-vhosts",
    "host": {
        "sourcePath": "/data/proxy/etc/nginx/vhost.d"
    }
}, {
    "name": "nginx-default",
    "host": {
        "sourcePath": "/data/proxy//usr/share/nginx/html"
    }
}, {
    "name": "docker-socket",
    "host": {
        "sourcePath": "/var/run/docker.sock"
    }
}, {
    "name": "proxy-log",
    "host": {
        "sourcePath": "/data/proxy/var/log"
    }
}, {
    "name": "letsencrypt-log",
    "host": {
        "sourcePath": "/data/letsencrypt/var/log"
    }
}]