From 155587dde6ca5c37ff41e976152e4607a3f41c63 Mon Sep 17 00:00:00 2001 From: Michael Barrett Date: Sun, 11 Oct 2015 17:23:57 -0700 Subject: [PATCH 1/6] Fixes ECS Agent stats for Empire --- stacker/blueprints/empire/policies.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stacker/blueprints/empire/policies.py b/stacker/blueprints/empire/policies.py index 7f2ec5db7..32cd136c1 100644 --- a/stacker/blueprints/empire/policies.py +++ b/stacker/blueprints/empire/policies.py @@ -17,7 +17,7 @@ def ecs_agent_policy(): Action=[ecs.CreateCluster, ecs.RegisterContainerInstance, ecs.DeregisterContainerInstance, ecs.DiscoverPollEndpoint, ecs.ECSAction("Submit*"), - ecs.Poll] + ecs.Poll, ecs.ECSAction("StartTelemetrySession")] ) ] ) From 77ec37d61148f187b4c43f2cedd22e89e472d356 Mon Sep 17 00:00:00 2001 From: Michael Barrett Date: Mon, 12 Oct 2015 10:39:58 -0700 Subject: [PATCH 2/6] Add policies for streaming logs --- stacker/blueprints/empire/empire_minion.py | 46 +++++++++++++++++----- stacker/blueprints/empire/policies.py | 19 ++++++++- 2 files changed, 54 insertions(+), 11 deletions(-) diff --git a/stacker/blueprints/empire/empire_minion.py b/stacker/blueprints/empire/empire_minion.py index 824e11e4c..30338a699 100644 --- a/stacker/blueprints/empire/empire_minion.py +++ b/stacker/blueprints/empire/empire_minion.py @@ -1,8 +1,9 @@ import logging +import copy logger = logging.getLogger(__name__) -from troposphere import Ref, Output, GetAtt, Tags, FindInMap +from troposphere import Ref, Output, GetAtt, Tags, FindInMap, If, Not, Equals from troposphere import ec2, autoscaling, ecs from troposphere.autoscaling import Tag as ASTag from troposphere.iam import Role, InstanceProfile, Policy @@ -11,7 +12,7 @@ from .empire_base import EmpireBase -from .policies import ecs_agent_policy +from .policies import ecs_agent_policy, logstream_policy CLUSTER_SG_NAME = "EmpireMinionSecurityGroup" 
@@ -74,8 +75,21 @@ class EmpireMinion(EmpireBase): "DockerRegistryEmail": { "type": "String", "description": "Email for authentication with docker registry."}, + "DisableStreamingLogs": { + "type": "String", + "description": "Disables streaming logging if set to anything." + "Note: Without this Empire creates a kinesis " + "stream per app that you deploy in Empire.", + "default": "", + }, } + def create_conditions(self): + t = self.template + t.add_condition( + "EnableStreamingLogs", + Not(Equals(Ref("DisableStreamingLogs"), ""))) + def create_security_groups(self): t = self.template t.add_resource( @@ -144,22 +158,32 @@ def build_block_device(self): return [docker_volume, swap_volume] + def generate_iam_policies(self): + ns = self.context.namespace + base_policies = [ + Policy( + PolicyName="%s-ecs-agent" % ns, + PolicyDocument=ecs_agent_policy()), + ] + with_logging = copy.deepcopy(base_policies) + with_logging.append( + Policy( + PolicyName="%s-kinesis-logging" % ns, + PolicyDocument=logstream_policy() + ) + ) + policies = If("EnableStreamingLogs", with_logging, base_policies) + return policies + def create_iam_profile(self): t = self.template - ns = self.context.namespace - # Create the EmpireMinionRole - this has all the permissions - # that the ECS Agent needs. ec2_role_policy = get_default_assumerole_policy() t.add_resource( Role( "EmpireMinionRole", AssumeRolePolicyDocument=ec2_role_policy, Path="/", - Policies=[ - Policy( - PolicyName="%s-ecs-agent" % ns, - PolicyDocument=ecs_agent_policy()), - ])) + Policies=self.generate_iam_policies())) t.add_resource( InstanceProfile( "EmpireMinionProfile", @@ -180,6 +204,8 @@ def generate_seed_contents(self): "DOCKER_USER=", Ref("DockerRegistryUser"), "\n", "DOCKER_PASS=", Ref("DockerRegistryPassword"), "\n", "DOCKER_EMAIL=", Ref("DockerRegistryEmail"), "\n", + "ENABLE_STREAMING_LOGS=", If(Ref("DisableStreamingLogs"), + "false", "true"), "\n" ] return seed 
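Review bot: The "description" of the new DisableStreamingLogs parameter is built by implicit string concatenation with no separator, so the rendered text reads "…if set to anything.Note: Without this…"; the first fragment needs a trailing space, `"Disables streaming logging if set to anything. "`. The controller copy of this parameter in PATCH 4/6 (empire_controller.py, `@@ -127,6 +127,12`) has the same joined text and needs the same fix. The EmpireMinion class body continues outside this hunk.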
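Review bot: generate_iam_policies has no docstring, and the comment removed from create_iam_profile ("this has all the permissions that the ECS Agent needs") was the only explanation of what the role is for; the new method would carry it well, e.g. `"""Return the EmpireMinionRole policies: the ECS-agent policy, plus the Kinesis log-stream policy when the EnableStreamingLogs condition holds."""`. The `copy.deepcopy(base_policies)` is also unnecessary, since base_policies is never mutated afterwards: `with_logging = base_policies + [Policy(PolicyName="%s-kinesis-logging" % ns, PolicyDocument=logstream_policy())]` gives the same two lists without the copy import. The `If(...)` is returned into the Role's Policies property, so both branches must remain full policy lists, which they do here.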
diff --git a/stacker/blueprints/empire/policies.py b/stacker/blueprints/empire/policies.py index 32cd136c1..96781bf73 100644 --- a/stacker/blueprints/empire/policies.py +++ b/stacker/blueprints/empire/policies.py @@ -4,7 +4,7 @@ from awacs.aws import Statement, Allow, Policy, Action -from awacs import ecs, ec2, iam, route53 +from awacs import ecs, ec2, iam, route53, kinesis from awacs import elasticloadbalancing as elb @@ -82,3 +82,20 @@ def empire_policy(): ] ) return p + + +def logstream_policy(): + """Policy needed for logspout -> kinesis log streaming.""" + p = Policy( + Statement=[ + Statement( + Effect=Allow, + Resource=["*"], + Action=[ + kinesis.CreateStream, kinesis.DescribeStream, + Action(kinesis.prefix, "AddTagsToStream"), + Action(kinesis.prefix, "PutRecords") + ]) + ] + ) + return p From e6c4f1c2c2dbe25fcb92b20db9b953f55836385e Mon Sep 17 00:00:00 2001 From: Michael Barrett Date: Mon, 12 Oct 2015 13:52:23 -0700 Subject: [PATCH 3/6] Add controller kinesis permissions --- stacker/blueprints/empire/policies.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/stacker/blueprints/empire/policies.py b/stacker/blueprints/empire/policies.py index 96781bf73..b836dc796 100644 --- a/stacker/blueprints/empire/policies.py +++ b/stacker/blueprints/empire/policies.py @@ -78,7 +78,15 @@ def empire_policy(): route53.ListHostedZones, route53.GetHostedZone ], # TODO: Limit to specific zones - Resource=["*"]) + Resource=["*"]), + Statement( + Effect=Allow, + Action=[ + kinesis.DescribeStream, + Action(kinesis.prefix, "Get*"), + Action(kinesis.prefix, "List*") + ], + Resource=["*"]), ] ) return p From 50f3649e8c6abe9db31d7a51777d4827241845e3 Mon Sep 17 00:00:00 2001 
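Review bot: logstream_policy grants kinesis CreateStream, AddTagsToStream and PutRecords with `Resource=["*"]`, i.e. on every stream in the account rather than the per-app streams Empire creates; the same file already marks the equivalent route53 wildcard with `# TODO: Limit to specific zones`, and this statement deserves at least the same marker, `# TODO: Limit to Empire-created streams`. If the stream naming scheme is known, the resource can be narrowed to a Kinesis stream ARN pattern such as `arn:aws:kinesis:<REGION>:<ACCOUNT_ID>:stream/<EMPIRE_PREFIX>*` (placeholders). The controller Statement added in PATCH 3/6 of this series (kinesis DescribeStream, Get*, List* with `Resource=["*"]`) has the same breadth and would take the same TODO.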
From: Michael Barrett Date: Mon, 12 Oct 2015 16:32:30 -0700 Subject: [PATCH 4/6] Some cleanup, final AMIs --- conf/empire/empire.yaml | 8 +++++--- conf/empire/example.env | 3 +++ stacker/blueprints/empire/empire_controller.py | 11 +++++++++++ stacker/blueprints/empire/empire_minion.py | 8 ++++---- 4 files changed, 23 insertions(+), 7 deletions(-) diff --git a/conf/empire/empire.yaml b/conf/empire/empire.yaml index c6e3df447..f05dbeb9e 100644 --- a/conf/empire/empire.yaml +++ b/conf/empire/empire.yaml @@ -39,15 +39,15 @@ mappings: us-east-1: NAT: ami-c02b04a8 ubuntu1404: ami-c135f3aa - empire: ami-1963c872 + empire: ami-8fbaf1ea us-west-1: NAT: ami-67a54423 ubuntu1404: ami-bf3dccfb - empire: ami-25d02e61 + empire: ami-6b57962f us-west-2: NAT: ami-2dae821d ubuntu1404: ami-f15b5dc1 - empire: ami-85ede7b5 + empire: ami-4628ce75 # Many stacks need these settings, or a subset of them, from the VPC - # this makes it easy to pass them around. Stacker will drop unused Parameters @@ -134,6 +134,7 @@ stacks: MaxSize: ${empire_minion_max_instance_count} SshKeyName: ${ssh_key_name} ImageName: empire + DisableStreamingLogs: ${empire_disable_streaming_logs} - name: empireController class_path: stacker.blueprints.empire.empire_controller.EmpireController parameters: @@ -160,3 +161,4 @@ stacks: EmpireGithubClientSecret: ${empire_controller_github_client_secret} EmpireGithubOrganization: ${empire_controller_github_organization} EmpireTokenSecret: ${empire_controller_token_secret} + DisableStreamingLogs: ${empire_disable_streaming_logs} diff --git a/conf/empire/example.env b/conf/empire/example.env index de1c404d2..8e730c131 100644 --- a/conf/empire/example.env +++ b/conf/empire/example.env @@ -40,6 +40,9 @@ empiredb_instance_type: db.m3.large empiredb_user: empiredb_password: +# Set to anything to disable streaming logs +empire_disable_streaming_logs: "''" + empire_minion_min_instance_count: 3 empire_minion_max_instance_count: 10 empire_minion_instance_type: c4.xlarge 
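Review bot: The example value `empire_disable_streaming_logs: "''"` does not look blank: if stacker substitutes it verbatim, the stack config becomes `DisableStreamingLogs: "''"`, CloudFormation receives the two-character string `''`, and the `Equals(Ref("DisableStreamingLogs"), "")` condition added elsewhere in this patch is false — streaming logs would be disabled by default, the opposite of what the accompanying comment says. Whether the env parser strips those quotes is not visible here, so this is inferred and worth confirming against a rendered template. A value that is unambiguously empty, such as leaving the line as `empire_disable_streaming_logs:` with no value if the parser allows it, would avoid the question.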
diff --git a/stacker/blueprints/empire/empire_controller.py b/stacker/blueprints/empire/empire_controller.py index 49044840d..718eb0590 100644 --- a/stacker/blueprints/empire/empire_controller.py +++ b/stacker/blueprints/empire/empire_controller.py @@ -127,6 +127,12 @@ class EmpireController(EmpireBase): "DockerRegistryEmail": { "type": "String", "description": "Email for authentication with docker registry."}, + "DisableStreamingLogs": { + "type": "String", + "description": "Disables streaming logging if set to anything." + "Note: Without this Empire creates a kinesis " + "stream per app that you deploy in Empire.", + "default": ""}, } def create_conditions(self): @@ -136,6 +142,9 @@ def create_conditions(self): self.template.add_condition( "UseDNS", Not(Equals(Ref("ExternalDomain"), ""))) + self.template.add_condition( + "EnableStreamingLogs", + Equals(Ref("DisableStreamingLogs"), "")) def create_security_groups(self): t = self.template @@ -286,6 +295,8 @@ def generate_seed_contents(self): "DOCKER_USER=", Ref("DockerRegistryUser"), "\n", "DOCKER_PASS=", Ref("DockerRegistryPassword"), "\n", "DOCKER_EMAIL=", Ref("DockerRegistryEmail"), "\n", + "ENABLE_STREAMING_LOGS=", If("EnableStreamingLogs", + "true", "false"), "\n" ] return seed diff --git a/stacker/blueprints/empire/empire_minion.py b/stacker/blueprints/empire/empire_minion.py index 30338a699..e40a93626 100644 --- a/stacker/blueprints/empire/empire_minion.py +++ b/stacker/blueprints/empire/empire_minion.py @@ -3,7 +3,7 @@ logger = logging.getLogger(__name__) -from troposphere import Ref, Output, GetAtt, Tags, FindInMap, If, Not, Equals +from troposphere import Ref, Output, GetAtt, Tags, FindInMap, If, Equals from troposphere import ec2, autoscaling, ecs from troposphere.autoscaling import Tag as ASTag from troposphere.iam import Role, InstanceProfile, Policy 
@@ -88,7 +88,7 @@ def create_conditions(self): t = self.template t.add_condition( "EnableStreamingLogs", - Not(Equals(Ref("DisableStreamingLogs"), ""))) + Equals(Ref("DisableStreamingLogs"), "")) def create_security_groups(self): t = self.template @@ -204,8 +204,8 @@ def generate_seed_contents(self): "DOCKER_USER=", Ref("DockerRegistryUser"), "\n", "DOCKER_PASS=", Ref("DockerRegistryPassword"), "\n", "DOCKER_EMAIL=", Ref("DockerRegistryEmail"), "\n", - "ENABLE_STREAMING_LOGS=", If(Ref("DisableStreamingLogs"), - "false", "true"), "\n" + "ENABLE_STREAMING_LOGS=", If("EnableStreamingLogs", + "true", "false"), "\n" ] return seed From a1bb2bffe7c8948c137989d6397316c6dc73a702 Mon Sep 17 00:00:00 2001 From: Michael Barrett Date: Mon, 12 Oct 2015 16:34:11 -0700 Subject: [PATCH 5/6] Clean up docstring --- conf/empire/example.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/empire/example.env b/conf/empire/example.env index 8e730c131..d26895cbc 100644 --- a/conf/empire/example.env +++ b/conf/empire/example.env @@ -40,7 +40,7 @@ empiredb_instance_type: db.m3.large empiredb_user: empiredb_password: -# Set to anything to disable streaming logs +# Change to anything non-blank to disable streaming logs (enabled by default) empire_disable_streaming_logs: "''" empire_minion_min_instance_count: 3 From be062e37f1762ccd64e2d175945d4f9b04dafcf1 Mon Sep 17 00:00:00 2001 From: Michael Barrett Date: Mon, 12 Oct 2015 16:38:45 -0700 Subject: [PATCH 6/6] Add circle-ci url for empire ami --- conf/empire/empire.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/empire/empire.yaml b/conf/empire/empire.yaml index f05dbeb9e..5d9433fea 100644 --- a/conf/empire/empire.yaml +++ b/conf/empire/empire.yaml 
@@ -39,15 +39,15 @@ mappings: us-east-1: NAT: ami-c02b04a8 ubuntu1404: ami-c135f3aa - empire: ami-8fbaf1ea + empire: ami-8fbaf1ea # https://circleci.com/gh/remind101/empire_ami/43 us-west-1: NAT: ami-67a54423 ubuntu1404: ami-bf3dccfb - empire: ami-6b57962f + empire: ami-6b57962f # https://circleci.com/gh/remind101/empire_ami/43 us-west-2: NAT: ami-2dae821d ubuntu1404: ami-f15b5dc1 - empire: ami-4628ce75 + empire: ami-4628ce75 # https://circleci.com/gh/remind101/empire_ami/43 # Many stacks need these settings, or a subset of them, from the VPC - # this makes it easy to pass them around. Stacker will drop unused Parameters