ERROR: AlreadyExistsError - Cannot exceed quota for PoliciesPerRole: 10

I'm using awsebcli (pip install awsebcli --upgrade --user)
to build an NLB (Network Load Balancer) on Elastic Beanstalk with awsebcli (https://pypi.python.org/pypi/awsebcli/3.0.3).
But I have a problem now...
$ eb create
Enter Environment Name
(default is ko-dev-dev):
Enter DNS CNAME prefix
(default is ko-dev-dev):
and then
Select a load balancer type
1) classic
2) application
3) network
(default is 1): 3
**ERROR: AlreadyExistsError - Cannot exceed quota for PoliciesPerRole: 10**
I wonder what is causing this problem now...
requirements.txt
awscli==1.14.31
awsebcli==3.12.1
blessed==1.14.2
botocore==1.8.35
cement==2.8.2
colorama==0.3.7
docker-py==1.7.2
dockerpty==0.4.1
docopt==0.6.2
docutils==0.14
jmespath==0.9.3
pathspec==0.5.0
pyasn1==0.4.2
python-dateutil==2.6.1
PyYAML==3.12
requests==2.9.1
rsa==3.4.2
s3transfer==0.1.12
semantic-version==2.5.0
six==1.11.0
tabulate==0.7.5
termcolor==1.1.0
wcwidth==0.1.7
websocket-client==0.46.0

There are limits for resources in AWS.
So if you want to increase that limit,
just go to
Service Quotas --> AWS Services --> IAM --> Raise a ticket
Note: for IAM quotas to be increased, you need to select the region US East (N. Virginia).
For more details: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html

Flask + MongoDB: An "Azure Web App For Dummies" guide

After spending many hours reading dozens of guides, I finally got into a working setup, and decided to publish the instructions here.
The problem: I have a working flask app running in my machine. How do I launch it as a web app using Microsoft Azure platform?
So here is my guide. I hope it will help others!
Steps for launching a new web app under Azure:
0. Login to Azure
Go to the Azure portal https://portal.azure.com/ and sign in using your Microsoft account.
1. Create a resource group:
Home > create a resource > Resource group
fill in: subscription(Free Trial), name (something with _resgrp), Region (e.g. West Europe)
2. DB:
Home > create a resource > create Azure Cosmos DB > Azure Cosmos DB for MongoDB
fill in: subscription(Free Trial), resource group (see above), account name (something with _db), Region (West Europe), [create]
Go to Home > db account > connection strings, copy the line marked "PRIMARY CONNECTION STRING" and keep it aside.
3. App:
Home > create a resource > create Web App
fill in: subscription(Free Trial), resource group (see above), name (will appear in the site url!),
publish: code, runtime stack: python 3.9, region: West Europe, plan: Basic B1 ($13/mon), [create]
Home > our-web-app > configuration > Application settings > Connection strings
click "New Connection strings" and set MYDB with the connection string from step 2.
4. Code:
We will use a nice "to-do list" minimalist app published by Prashant Shahi. Thank you Prashant!
Clone code from https://github.com/prashant-shahi/ToDo-List-using-Flask-and-MongoDB into some local folder.
Delete everything but app.py, static, templates, requirements.txt
Edit requirements.txt so that Flask appears without "==version", because an older version is there by default.
Create wsgi.py with:
from app import app
if __name__ == '__main__':
    app.run()
Create go.sh with the following code. These commands will set up the environment and then start gunicorn to respond to web requests. Some of these commands are used for debugging only.
# azure webapp: called under sh from /opt/startup/startup.sh
set -x
ls -la
pip install -r /home/site/wwwroot/requirements.txt
echo "$(pwd) $(date)"
ps aux
gunicorn --bind=0.0.0.0 --log-level=debug --timeout 600 wsgi:app
Edit app.py:
replace the first 3 lines about the db connection with the following (btw, MYDB comes from step 3):
import os                          # needed for os.environ (skip if already imported)
from pymongo import MongoClient    # skip if already imported
CON_STR = os.environ['CUSTOMCONNSTR_MYDB']  # App Service exposes a custom connection string as CUSTOMCONNSTR_<name>
client = MongoClient(CON_STR)  # Configure the connection to the database
After app = Flask(__name__) add these lines for logging (they need import logging at the top of app.py):
if __name__ != '__main__':
    # Under gunicorn, forward Flask's logger to gunicorn's error log so messages show up in the container logs
    gunicorn_logger = logging.getLogger('gunicorn.error')
    app.logger.handlers = gunicorn_logger.handlers
    app.logger.setLevel(gunicorn_logger.level)
Add this as the first line under def about(): (clicking [about] in the app will dump environment vars to the logs)
    app.logger.debug('\n'.join([f'{k}={os.environ[k]}' for k in os.environ.keys()]))
5. Ftp:
Home > our-web-app > Deployment Center > FTPS Credentials
Open FileZilla, top-left icon, [new site]
copy paste from web to FileZilla: FTPS endpoint into host, user to username, password to password, [connect]
upload the content (not the parent!) of the folder from step 4 to the remote path /site/wwwroot
6. Launch:
Home > our-web-app > configuration > General settings > Startup Command
paste this: sh -c "cp go.sh go_.sh && . go_.sh"
7. Test:
Browse to https://[our-web-app].azurewebsites.net
8. Logging / debugging:
Install Azure CLI (command line interface) from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
Open cmd and run
az login
# turn on container logging (run once):
az webapp log config --name [our-web-app] --resource-group [our-step1-group] --docker-container-logging filesystem
# tail the logs:
az webapp log tail --name [our-web-app] --resource-group [our-step1-group]
9. Kudu SCM management for the app
(must be logged into Azure for these to work):
Show file/dir: https://[our-web-app].scm.azurewebsites.net/api/vfs/site/[path]
Downloads full site: https://[our-web-app].scm.azurewebsites.net/api/zip/site/wwwroot
Status: https://[our-web-app].scm.azurewebsites.net/Env
SSH: https://[our-web-app].scm.azurewebsites.net/webssh/host
Bash: https://[our-web-app].scm.azurewebsites.net/DebugConsole
More on REST API here: https://github.com/projectkudu/kudu/wiki/REST-API
10. Notes:
I don't recommend using automatic deployment from GitHub / BitBucket, unless you have Azure's support available. We encountered many difficulties with that.
Any comments are most welcome.
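The about() hook in the guide above logs every environment variable, including CUSTOMCONNSTR_MYDB, so the database credentials end up in the container logs. An added example (not part of the original post) that produces the same k=v dump but masks values of sensitive-looking keys; the key-name patterns are an assumption:

```python
"""Masked environment dump for the about() debug hook in the guide above."""
import re

# Key-name markers treated as sensitive. App Service exposes connection
# strings as CUSTOMCONNSTR_*/SQLCONNSTR_*/MYSQLCONNSTR_*; the remaining
# markers are an assumed, illustrative list that can be extended.
SENSITIVE_KEY_RE = re.compile(
    r"CONNSTR|SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY", re.IGNORECASE)


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a value is still recognisable in the logs."""
    if len(value) <= keep:
        return "***"
    return value[:keep] + "***"


def env_dump(env) -> str:
    """Same k=v listing as the post's about() line, with secrets masked."""
    lines = []
    for key in sorted(env):
        value = env[key]
        if SENSITIVE_KEY_RE.search(key):
            value = redact(value)
        lines.append(f"{key}={value}")
    return "\n".join(lines)


# Constructed sample resembling an App Service container's environment.
SAMPLE_ENV = {
    "CUSTOMCONNSTR_MYDB": "mongodb://acct:hunter2@acct.mongo.cosmos.azure.com:10255/",
    "WEBSITE_SITE_NAME": "our-web-app",
    "PORT": "8000",
}

if __name__ == "__main__":
    # In app.py the about() line would become: app.logger.debug(env_dump(os.environ))
    print(env_dump(SAMPLE_ENV))
```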

How do I solve "ResourceInitializationError" error for Task execution in ECS on Fargate?

What I want to do
I want to create Node.js (built with Nest.js) server in the infrastructure as follows:
GitHub repo is here.
Notice:
ECS is settled in a private subnet.
I want to use a private link to connect with AWS services (ECR and S3 in my case) rather than a NAT gateway in a public subnet.
The infrastructure is built from a CloudFormation stack with the AWS CDK Toolkit.
The Node.js server is a simple app that responds with 'Hello World!'.
Current behavior
When I deploy the AWS CloudFormation stack with cdk deploy, it gets stuck in the ECS service creation at the CREATE_IN_PROGRESS state. I can see ECS task execution error logs in the ECS management console as follows:
STOPPED (ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr.ap-northeast-1.amazonaws.com/: dial tcp 99.77.62.61:443: i/o timeout)
If I don't delete the stack or set the minimum number of tasks to 0, the ECS service continuously tries to execute tasks for hours and finally gets a timeout error.
I have already checked some points based on this official article.
Create VPC endpoints (com.amazonaws.region.ecr.dkr, com.amazonaws.region.ecr.api, S3)
Configure VPC endpoints (security group, subnets to settle in, IAM policy)
Add permissions to ECS task execution role so that ECS can pull image from ECR
Check if the image exists in ECR
And I have checked 'hello world' with this docker image in local machine.
Reproduction Steps
A minimal GitHub repo is here.
$ git clone https://github.com/Fanta335/cdk-ecs-nest-app
$ cd cdk-ecs-nest-app
$ npm install
The AWS CDK toolkit is used in this project, so you need to run npm install -g aws-cdk if you have not installed the AWS CDK toolkit on your local machine.
And if you have not set a default IAM user configuration in the aws cli, you need to run aws configure in order to pass environment variables to the CloudFormation stack.
$ cdk deploy
Then the deployment should be stuck.
Versions
MacOS Monterey 12.6
AWS CDK cli 2.43.1 (build c1ebb85)
AWS cli aws-cli/2.7.28 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off
Docker version 20.10.17, build 100c701
Nest cli 9.1.3
The problem was that DNS resolution had not been enabled on the ECR VPC endpoints. I should have set privateDnsEnabled: true manually on the InterfaceVpcEndpoint instances in the cdk-ecs-nest-app-stack.ts file as follows:
const ECSPrivateLinkAPI = new ec2.InterfaceVpcEndpoint(this, "ECSPrivateLinkAPI", {
  vpc,
  service: new ec2.InterfaceVpcEndpointService(`com.amazonaws.${REGION}.ecr.api`),
  securityGroups: [securityGroupPrivateLink],
  privateDnsEnabled: true, // HERE
});
const ECSPrivateLinkDKR = new ec2.InterfaceVpcEndpoint(this, "ECSPrivateLinkDKR", {
  vpc,
  service: new ec2.InterfaceVpcEndpointService(`com.amazonaws.${REGION}.ecr.dkr`),
  securityGroups: [securityGroupPrivateLink],
  privateDnsEnabled: true, // HERE
});
According to the CDK docs, the default value of privateDnsEnabled is defined by the service which uses this VPC endpoint.
privateDnsEnabled?
Type: boolean (optional, default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService)
I didn't check the default privateDnsEnabled values of com.amazonaws.${REGION}.ecr.api and com.amazonaws.${REGION}.ecr.dkr, but we have to set it to true manually in the CDK Toolkit.
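An added example (not from the question's repository) that checks an ec2 describe_vpc_endpoints() result for the misconfiguration diagnosed above: the ECR endpoints must exist as Interface endpoints with private DNS on, otherwise the ECR hostname still resolves to the public IP that a private subnet cannot reach. The SAMPLE data is constructed.

```python
"""Audit ECR VPC interface endpoints for the private-DNS problem above."""

# Interface endpoints an ECS task in a private subnet needs to pull from ECR.
REQUIRED_SERVICES = ("ecr.api", "ecr.dkr")


def audit_ecr_endpoints(endpoints, region):
    """Return findings for a describe_vpc_endpoints() "VpcEndpoints" list.

    Keys used (ServiceName, VpcEndpointType, PrivateDnsEnabled, VpcEndpointId)
    are the ones boto3's ec2.describe_vpc_endpoints() returns. An empty list
    means both ECR endpoints exist as Interface endpoints with private DNS on.
    """
    prefix = f"com.amazonaws.{region}."
    findings, seen = [], set()
    for ep in endpoints:
        name = ep.get("ServiceName", "")
        if not name.startswith(prefix):
            continue
        svc = name[len(prefix):]
        if svc not in REQUIRED_SERVICES:
            continue  # e.g. the S3 gateway endpoint, which has no private DNS flag
        seen.add(svc)
        eid = ep.get("VpcEndpointId", "?")
        if ep.get("VpcEndpointType") != "Interface":
            findings.append(f"{eid} ({svc}) is not an Interface endpoint")
        elif not ep.get("PrivateDnsEnabled", False):
            # api.ecr.<region>.amazonaws.com keeps resolving to the public IP,
            # which is the i/o timeout seen in the question.
            findings.append(f"{eid} ({svc}) has PrivateDnsEnabled=false")
    for svc in REQUIRED_SERVICES:
        if svc not in seen:
            findings.append(f"no Interface endpoint for {svc} in {region}")
    return findings


# Constructed sample mirroring the stack in the question before the fix:
# both ECR endpoints exist but private DNS was left off.
SAMPLE = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.ap-northeast-1.ecr.api", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.ap-northeast-1.ecr.dkr", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.ap-northeast-1.s3"},
]

if __name__ == "__main__":
    # Live use: boto3.client("ec2").describe_vpc_endpoints()["VpcEndpoints"]
    for finding in audit_ecr_endpoints(SAMPLE, "ap-northeast-1"):
        print(finding)
```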

gcloud app deploy is failing with Failed to create cloud build: Permission denied on 'locations/xyz' (or it may not exist)

I have a 2.x Python app and some 3.x Python apps which are running on Google App Engine.
Recently, I updated the 2.x app without any issue. Now, when I'm trying to deploy an update for a 3.x Python app, I'm getting the error "Error Response: [7] Failed to create cloud build: Permission denied on"
Services to deploy:
descriptor: [C:\Users\artha\Documents\gae billApp\CbicNtfnAndAutoMailer\app.yaml]
source: [C:\Users\artha\Documents\gae billApp\CbicNtfnAndAutoMailer]
target project: [cbicntfnandautomailer]
target service: [default]
target version: [1]
target url: [https://cbicntfnandautomailer.appspot.com]
target service account: [App Engine default service account]
Do you want to continue (Y/n)? Y
Beginning deployment of service [default]...
#============================================================#
#= Uploading 0 files to Google Cloud Storage =#
#============================================================#
File upload done.
Updating service [default]...failed.
ERROR: (gcloud.app.deploy) Error Response: [7] Failed to create cloud build: Permission denied on 'locations/asia-south1' (or it may not exist)..
Previously, I did not face any issue.
gcloud app describe shows me
authDomain: gmail.com
codeBucket: staging.cbicntfnandautomailer.appspot.com
databaseType: CLOUD_DATASTORE_COMPATIBILITY
defaultBucket: cbicntfnandautomailer.appspot.com
defaultHostname: cbicntfnandautomailer.appspot.com
featureSettings:
splitHealthChecks: true
useContainerOptimizedOs: true
gcrDomain: asia.gcr.io
id: cbicntfnandautomailer
locationId: asia-south1
name: apps/cbicntfnandautomailer
serviceAccount: cbicntfnandautomailer#appspot.gserviceaccount.com
servingStatus: SERVING
I have also tried disabling and re-enabling cloud build, but to no avail...
Can you please advise how to resolve the issue, thanks!!!
EDIT: As a workaround, I created a separate project and deployed there to resolve the issue, but the root cause still remains unknown!!
Check if you reached the limit of build triggers allowed per region:
Cloud Build limits

Azure VM extension update failure

I tried to add a custom script to a VM through extensions. I observed that when the VM is created, a Microsoft.Azure.Extensions.CustomScript type is created with the name "cse-agent" by default. So I tried to update the extension by encoding the file into the script property:
az vm extension set \
--resource-group test_RG \
--vm-name aks-agentpool \
--name CustomScript \
--subscription ${SUBSCRIPTION_ID} \
--publisher Microsoft.Azure.Extensions \
--settings '{"script": "'"$value"'"}'
$value represents the script file encoded in base64.
Doing that gives me an error:
Deployment failed. Correlation ID: xxxx-xxxx-xxx-xxxxx.
VM has reported a failure when processing extension 'cse-agent'.
Error message: "Enable failed: failed to get configuration: invalid configuration:
'commandToExecute' and 'script' were both specified, but only one is validate at a time"
The documentation mentions that when the script attribute is present,
there is no need for commandToExecute. As you can see above, I haven't specified commandToExecute; it's somehow taking it from the previous extension. Is there a way to update it without deleting it? Also, it would be interesting to know what impact deleting the cse-agent extension will have.
FYI: I have tried deleting 'cse-agent' extension from VM and added my extension. It worked.
The CSE-AGENT VM extension is crucial and manages all of the post-install steps needed to configure the nodes so that they are considered valid Kubernetes nodes. Removing this CSE will break the VMs and will render your cluster inoperable.
If you are interested in applying changes to nodes in an existing cluster, while not officially supported, you could leverage the following project:
https://github.com/juan-lee/knode
This allows you to configure the nodes using a DaemonSet, which helps when your node pools have the auto-scaling feature enabled.
For simple alteration of a node's filesystem, a privileged pod with a host path will also work:
https://dev.to/dannypsnl/privileged-pod-debug-kubernetes-node-5129

SSH on console google cloud permission denied (publickey) with google-cloud-sdk file error

I'm new to cloud computing and I'm trying to use SSH to control my VM instance, but when I use the command (with debug)
gcloud compute ssh my-instance-name --verbosity=debug
it shows this error:
DEBUG: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
Traceback (most recent call last):
  File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 983, in Execute
    resources = calliope_command.Run(cli=self, args=args)
  File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 784, in Run
    resources = command_instance.Run(args)
  File "/google/google-cloud-sdk/lib/surface/compute/ssh.py", line 262, in Run
    return_code = cmd.Run(ssh_helper.env, force_connect=True)
  File "/google/google-cloud-sdk/lib/googlecloudsdk/command_lib/util/ssh/ssh.py", line 1256, in Run
    raise CommandError(args[0], return_code=status)
CommandError: [/usr/bin/ssh] exited with return code [255].
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
I tried to solve the problem with this link, but it didn't work:
https://groups.google.com/forum/#!topic/gce-discussion/O-c10TM4ZLM
SSH error code 255 is a general error returned by GCP. You can try one of the following options.
1. Wait a few minutes and try again. It is possible that:
The instance has not finished starting up.
Metadata for SSH keys has not finished being propagated to the project or instance.
The Guest Environment has not yet read the SSH keys metadata.
2. Verify that SSH access to the instance is not blocked by a firewall.
gcloud compute firewall-rules list | grep "tcp:22"
If necessary, create a firewall rule to allow TCP 22 for a given VPC network, subnet, or instance tag.
gcloud compute firewall-rules create ssh-allow-incoming --priority=0 --allow=tcp:22 --network=[VPC-Network]
3. Make sure that the root volume is not out of disk space. Messages like the following will be visible in the console log when it is out of disk space:
...No space left on device...
...google-accounts: ERROR Exception calling the response handler.
[Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp',
'/usr/tmp', '/']...
4. Make sure that the instance has not run out of memory.
5. Verify that temporary SSH Keys metadata is set for either the project or instance.
Finally, you could follow any of their supported or third-party methods.
Assuming you have the correct IAM permissions, it is much easier and preferred by GCP to use OS Login to ssh into an instance, rather than manage ssh keys.
In Cloud Shell, enter this:
gcloud compute --project PROJECTID project-info add-metadata --metadata enable-oslogin=TRUE
This enables OS Login on all instances in a project; instead of using ssh keys, GCP will check your IAM permissions and authenticate based on those.
If you are not the project owner, make sure you have the compute.osloginviewer or admin permissions in Cloud IAM.
Once enabled, try SSHing into the instance again using the command you posted.
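An added example (not from the answer above) that evaluates step 2 offline from the JSON form of gcloud compute firewall-rules list (--format=json): which ingress rules admit TCP 22 into a given network, and which of those are open to 0.0.0.0/0. The rule set and network names are constructed; target tags and higher-priority deny rules are not evaluated.

```python
"""Find firewall rules that admit TCP 22 into a VPC network (step 2 above)."""


def port_in_spec(port, spec):
    """gcloud port specs are single ports ("22") or ranges ("20-30")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ssh_ingress_rules(rules, network):
    """Return (rule names allowing TCP 22 into `network`, those open to the world).

    `rules` has the shape of `gcloud compute firewall-rules list --format=json`
    (Compute API Firewall resources). Disabled and non-INGRESS rules are
    skipped; targetTags and deny rules are not evaluated, so a listed rule
    may still not apply to one particular instance.
    """
    allowing, world_open = [], []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if rule["network"].rsplit("/", 1)[-1] != network:  # network is a URL
            continue
        for allowed in rule.get("allowed", []):
            if allowed["IPProtocol"] not in ("tcp", "all"):
                continue
            ports = allowed.get("ports")  # absent means every port
            if ports is None or any(port_in_spec(22, p) for p in ports):
                allowing.append(rule["name"])
                if "0.0.0.0/0" in rule.get("sourceRanges", []):
                    world_open.append(rule["name"])
                break
    return allowing, world_open


# Constructed sample: the stock default-allow-ssh rule plus a "prod" network
# that only admits SSH from the IAP TCP-forwarding range 35.235.240.0/20.
NET = "https://www.googleapis.com/compute/v1/projects/p/global/networks/"
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "corp-ssh", "network": NET + "prod", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]},
    {"name": "web", "network": NET + "prod", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]

if __name__ == "__main__":
    print(ssh_ingress_rules(SAMPLE_RULES, "default"))
    print(ssh_ingress_rules(SAMPLE_RULES, "prod"))
```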
This is not a concrete answer, but I think you should first set your project with:
gcloud config set project PROJECT_ID
Then
gcloud compute ssh my-instance-name --verbosity=debug
This link would be useful:
https://cloud.google.com/sdk/gcloud/reference/compute/ssh
