Install on Amazon ECS

Last updated 4 months ago

The Steadybit Agent can be installed on Amazon Elastic Container Service.

Amazon ECS with EC2

Compatibility

extension-host and extension-container need to run in privileged mode, and network mode host is required for the extensions.

Installation

Pre-requisites

  • You need to have an ECS cluster running with at least one EC2 instance.

  • You need to know the (private) Subnet-IDs where you want to place the agent and extension tasks.

  • The security group used by the EC2 instances needs to allow inbound traffic to extension-host and extension-container (ports 8085 and 8086), as they run as daemon services using the host network.

Step-By-Step Guide

  1. Copy the required files:

    • steadybit-agent.json

    • steadybit-agent-role-trust-policy.json

    • steadybit-agent-role-permissions.json

    • steadybit-extension-host.json

    • steadybit-extension-container.json

    • steadybit-extension-http.json

    • steadybit-extension-aws.json

    • steadybit-extension-aws-role-permissions.json

  2. The agent needs some permissions to be able to look up extensions running in the cluster. Create an IAM role for the agent task with the following permissions:

    aws iam create-role --role-name steadybit-agent-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
    aws iam put-role-policy --role-name steadybit-agent-task-role --policy-name steadybit-agent-extension-lookup --policy-document file://steadybit-agent-role-permissions.json
  3. If you would like to install extension-aws, you need to create a new IAM role with the following permissions. Please have a look at the extension documentation for the latest list of required permissions.

    aws iam create-role --role-name steadybit-extension-aws-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
    aws iam put-role-policy --role-name steadybit-extension-aws-task-role --policy-name steadybit-extension-aws --policy-document file://steadybit-extension-aws-role-permissions.json
  4. Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care: the placeholders are used multiple times in the JSON files.

    • MY-AGENT-KEY: Your agent key

    • MY-CLUSTER-NAME: The name of your ECS cluster

    • MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com

    • MY-REGION: The AWS region where your ECS cluster is running

    • MY-ACCOUNT: The AWS account ID

  5. Register the Task Definitions

    aws ecs register-task-definition --cli-input-json file://steadybit-agent.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-host.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-container.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-http.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-aws.json
  6. Create the Services

    • Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-agent \
     --task-definition steadybit-agent \
     --propagate-tags TASK_DEFINITION \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'
    • Extension Host - please replace the cluster-name. The extension will use the host network strategy and use the security group and subnets of your EC2 instances.

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-host \
     --task-definition steadybit-extension-host \
     --propagate-tags TASK_DEFINITION \
     --launch-type EC2 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --scheduling-strategy DAEMON
    • Extension Container - please replace the cluster-name. The extension will use the host network strategy and use the security group and subnets of your EC2 instances.

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-container \
     --task-definition steadybit-extension-container \
     --propagate-tags TASK_DEFINITION \
     --launch-type EC2 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --scheduling-strategy DAEMON
    • Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports and destinations you want to reach with the HTTP checks implemented in the extension.

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-http \
     --task-definition steadybit-extension-http \
     --propagate-tags TASK_DEFINITION \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'    
    • Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085).

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-aws \
     --task-definition steadybit-extension-aws \
     --propagate-tags TASK_DEFINITION \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'    
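
For the "Replace all placeholders" step, which is the same for EC2 and Fargate, the following added example (not part of the Steadybit documentation) fills the five MY- placeholders and then checks that no MY- token is left in any JSON file before the task definitions are registered. The environment variable names, the function names and the sample JSON are assumptions made for this example.

```shell
# Assumed environment variables (names chosen for this example): AGENT_KEY,
# CLUSTER_NAME, PLATFORM_URL, REGION, ACCOUNT.

# Escape a value for the replacement side of a sed 's|..|..|' command.
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# fill_placeholders DIR: substitute the five placeholders in DIR/*.json.
# The rules are written to a private temp file (mktemp creates it mode 0600)
# so the agent key never appears in a process argument list.
fill_placeholders() {
  script=$(mktemp) || return 1
  {
    printf 's|MY-AGENT-KEY|%s|g\n'    "$(sed_escape "$AGENT_KEY")"
    printf 's|MY-CLUSTER-NAME|%s|g\n' "$(sed_escape "$CLUSTER_NAME")"
    printf 's|MY-PLATFORM-URL|%s|g\n' "$(sed_escape "$PLATFORM_URL")"
    printf 's|MY-REGION|%s|g\n'       "$(sed_escape "$REGION")"
    printf 's|MY-ACCOUNT|%s|g\n'      "$(sed_escape "$ACCOUNT")"
  } > "$script"
  for f in "$1"/*.json; do
    [ -f "$f" ] || continue
    # The result holds the agent key, so restrict it to the current user.
    sed -f "$script" "$f" > "$f.tmp" && mv "$f.tmp" "$f" && chmod 600 "$f" ||
      { rm -f "$script" "$f.tmp"; return 1; }
  done
  rm -f "$script"
}

# unreplaced_placeholders DIR: print file:line:token for every MY-* token still
# present in DIR/*.json; return 1 if any is left, 0 if the files are clean.
unreplaced_placeholders() {
  found=$(grep -nHoE 'MY-[A-Z0-9]+(-[A-Z0-9]+)*' "$1"/*.json 2>/dev/null || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed sample (not one of the project's files): every placeholder once,
# MY-ACCOUNT twice, since the page warns that placeholders repeat.
make_sample() {
  cat > "$1/sample-task.json" <<'EOF'
{"family": "sample-task",
 "taskRoleArn": "arn:aws:iam::MY-ACCOUNT:role/steadybit-agent-task-role",
 "environment": [{"name": "EXAMPLE_KEY", "value": "MY-AGENT-KEY"},
                 {"name": "EXAMPLE_URL", "value": "MY-PLATFORM-URL"},
                 {"name": "EXAMPLE_CLUSTER", "value": "MY-CLUSTER-NAME"}],
 "logGroupArn": "arn:aws:logs:MY-REGION:MY-ACCOUNT:log-group:example"}
EOF
}

# Usage: fill_placeholders . && unreplaced_placeholders . && echo "ready to register"
```

The files contain the agent key after substitution, so keep them out of version control and shared directories.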

Amazon ECS with Fargate

Compatibility

The agent and most of the extensions can be run as an ECS service in Fargate.

However, extension-host and extension-container are not compatible with AWS Fargate because they require access to the underlying compute instance, which is not possible with Fargate.

extension-aws can also be used with Fargate and offers some alternative actions to discover and attack ECS resources.

Installation

  1. Copy the required files:

    • steadybit-agent-fargate.json

    • steadybit-agent-role-trust-policy.json

    • steadybit-agent-role-permissions.json

    • steadybit-extension-http-fargate.json

    • steadybit-extension-aws-fargate.json

    • steadybit-extension-aws-role-permissions.json

  2. The agent needs some permissions to be able to look up extensions running in the cluster. Create an IAM role for the agent task with the following permissions:

    aws iam create-role --role-name steadybit-agent-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
    aws iam put-role-policy --role-name steadybit-agent-task-role --policy-name steadybit-agent-extension-lookup --policy-document file://steadybit-agent-role-permissions.json
  3. Fargate tasks need a task execution role to be able to write logs. If you don't already have an existing role, you can create one via:

    aws iam create-role --role-name steadybit-agent-task-execution-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
    aws iam attach-role-policy --role-name steadybit-agent-task-execution-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
  4. If you would like to install extension-aws, you need to create a new IAM role with the following permissions. Please have a look at the extension documentation for the latest list of required permissions.

    aws iam create-role --role-name steadybit-extension-aws-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
    aws iam put-role-policy --role-name steadybit-extension-aws-task-role --policy-name steadybit-extension-aws --policy-document file://steadybit-extension-aws-role-permissions.json
  5. Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care: the placeholders are used multiple times in the JSON files.

    • MY-AGENT-KEY: Your agent key

    • MY-CLUSTER-NAME: The name of your ECS cluster

    • MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com

    • MY-REGION: The AWS region where your ECS cluster is running

    • MY-ACCOUNT: The AWS account ID

  6. Register the Task Definitions

    aws ecs register-task-definition --cli-input-json file://steadybit-agent-fargate.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-http-fargate.json
    aws ecs register-task-definition --cli-input-json file://steadybit-extension-aws-fargate.json
  7. Create the Services

    • Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-agent \
     --task-definition steadybit-agent \
     --propagate-tags TASK_DEFINITION \
     --launch-type FARGATE \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'
    • Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports and destinations you want to reach with the HTTP checks implemented in the extension.

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-http \
     --task-definition steadybit-extension-http \
     --propagate-tags TASK_DEFINITION \
     --launch-type FARGATE \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'
    • Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085).

    aws ecs create-service \
     --cluster MY-CLUSTER \
     --service-name steadybit-extension-aws \
     --task-definition steadybit-extension-aws \
     --propagate-tags TASK_DEFINITION \
     --launch-type FARGATE \
     --desired-count 1 \
     --deployment-configuration maximumPercent=101,minimumHealthyPercent=0 \
     --tags key=steadybit.com/discovery-disabled,value=true \
     --network-configuration '{"awsvpcConfiguration": {"subnets": ["MY-SUBNET-1", "MY-SUBNET-2", "MY-SUBNET-3"], "securityGroups": ["MY-SECURITY-GROUP-ID"], "assignPublicIp": "DISABLED"}}'

FAQ

  • Q: How can I update the agent/extensions and force pulling a new image version when using latest?

    • A: aws ecs update-service --cluster <your-cluster> --service <your-service> --force-new-deployment

  • Q: Can I shell into the agent/extension tasks?

    • A: Yes, with ECS Exec; details can be found here, short summary below:

      • You need to update your service to allow it, e.g.: aws ecs update-service --service steadybit-agent --cluster <your-cluster> --enable-execute-command

      • The task role needs the following permissions:

        • ssmmessages:CreateControlChannel

        • ssmmessages:CreateDataChannel

        • ssmmessages:OpenControlChannel

        • ssmmessages:OpenDataChannel

      • The task definition needs to include initProcessEnabled in the linuxParameters, e.g.:

        {
          "containerDefinitions": [
            {
              "name": "steadybit-agent",
              ...
              "linuxParameters": {
                "initProcessEnabled": true
              }
            }
          ]
        }
      • After that, you can shell into the agent task with aws ecs execute-command --cluster <your-cluster> --task <your-task-id> --container <container-name> --interactive --command "/bin/bash"