This Job is a tool to manage ECS through terraform. There is not a proper place to move this. A possible solution is to create a nice makefile and with Terraform should be enough.

https://fsi-build.pdx.vm.datanerd.us/view/all/job/ecs-manage-clusters/

Description

Supporting ARM architecture (Graviton)

Acceptance Criteria

Building all the images that nri-ecs depends on with ARM and rebuilding the nri-ecs for ARM

Describe Alternatives

I don't think there are any alternatives to make the amd x86 image work with an ARM architecture

Dependencies

newrelic/infrastructure-bundle

Additional context

I'd like to use the newrelic nri-ecs with AWS Graviton2 Fargate as far as I'm concerned there is no image for nri-ecs build for ARM based architecture

Estimates

M

Currently ecsLaunchType metadata is being set depending on the fagate env variable.

This cause that task running on External instances are reported as EC2 LaunchTypes.

Since the LaunchType is on the v4 endpoint task response. This metadata can be extracted from there.

We should run unit tests on PR creation and when pushing to main or master.

There is already a target available make test

Hi Team,
I started my POC's in New relic and completed the setup both logs and metrices are streaming properly but i need to replace my host IP addresses with proper naming it was very difficult to check the logs with the IP address need anyone advise to change the IP into name
please find the attached images

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update golang version to v1.23.1 (go, golang)
• chore(deps): update actions/github-script action to v7

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Feature Description

When using AWS Metric Stream, the ECS Tasks status are not in New Relic. So there is no way to know the running and pending tasks. The request is to have New Relic infra daemon to collect the status tasks out of the box.
There is maybe opportunity to collect more than the Tasks status (containers, services details).
https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListTasks.html

Describe Alternatives

When doing the AWS Pull integration, we get the tasks status in the ComputeSample event. But the AWS Metric Stream is the recommended way to get the AWS metrics in New Relic.

Priority

Really Want.

Bump bundle version on manifest to include the fix newrelic/infrastructure-agent#339 (comment)

Improve the pipeline in order to populate a var with the integrationVersion (replacing this) from the Released Tag.

Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-starts-with-community-plus-header
  • ✅ readme-contains-link-to-security-policy
  • ✅ readme-contains-discuss-topic
  • ✅ code-of-conduct-should-not-exist-here
  • ✅ third-party-notices-file-exists

Passed #

Currently we are enabling support for arm and arm64 for all integrations and ecs is missing.
We should modify the pipeline to support arm as well

Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-starts-with-community-plus-header
  • ✅ readme-contains-link-to-security-policy
  • ✅ readme-contains-forum-topic
  • ✅ code-of-conduct-should-not-exist-here
  • ✅ third-party-notices-file-exists

Passed #

I notice the three ecsClusterName, ecsLaunchType and ecsClusterArn disappearing. Before->After

I believe that this is not expected.
I guess it is related to #30 and the NRIA_IS_FORWARD_ONLY change.
The solution should be manually add those attributes to the ContainerSamples if the env is Fargate

Suppport is asking for enablement for:

• Monitoring services on ECS: https://docs.newrelic.com/docs/integrations/host-integrations/host-integrations-list/monitor-services-running-amazon-ecs/.
• ECS integration which can be deployed through a Fargate or EC2 launch type: https://docs.newrelic.com/docs/integrations/elastic-container-service-integration/installation/install-ecs-integration/

We should create some documentation (maybe a PPT) to train support.

CAOS wants to collaborate with us, they need to know if they need to collaborate/contribute because the agent.
We need to update them (José Moré) whenever we have the first version.

Is your feature request related to a problem? Please describe.

No

Feature Description

It would be helpful to have a documented chart of data that is gathered from ECS Hosts/Fargate in order to know exactly what data is exported.

Additional context

Might be advantageous to also document here: https://docs.newrelic.com/docs/integrations/elastic-container-service-integration/understand-use-data/ecs-integration-understand-use-data

Priority

Please help us better understand this feature request by choosing a priority from the following options:
[Nice to Have, Really Want, Must Have, Blocker]

Nice to Have

##Description
Currently there are not many unit/integration tests, we should improve them.

Note that there is an image amazon/amazon-ecs-local-container-endpoints that (maybe) can be used to have a local metadata endpoint

Priority

Nice to Have

Summary

Fargate platform 1.4.0 has been recently released and supports a new range of network related metrics. It would be great to see these included in the New Relic solution for Fargate container monitoring.

Desired Behaviour

This integration, when running on Fargate as a sidecar container, should send all metrics available on Fargate platform 1.4.0

Possible Solution

Add support for the Task Metadata Endpoint v4 for deployments running on Fargate platform 1.4.0

Additional context

We heavily use Fargate for our application deployments, and we use New Relic as our primary monitoring tool. However, it has been difficult to get detailed container-level metrics for things we care about. The v4 metadata endpoint for Fargate provides additional detail, such as network traffic statistics for containers. This would be really helpful to us.

Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Fail
  • ❌ readme-starts-with-community-plus-header
• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-contains-link-to-security-policy
  • ✅ readme-contains-discuss-topic
  • ✅ code-of-conduct-should-not-exist-here
  • ✅ third-party-notices-file-exists

Fail #

❌ readme-starts-with-community-plus-header #

The README of a community plus project should have a community plus header at the start of the README. If you already have a community plus header and this rule is failing, your header may be out of date, and you should update your header with the suggested one below. For more information please visit https://opensource.newrelic.com/oss-category/. Below is a list of files or patterns that failed:

• README.md: The first 5 lines do not contain the pattern(s): Open source Community Plus header (see https://opensource.newrelic.com/oss-category).
  • 🔨 Suggested Fix: prepend the latest code snippet found at https://github.com/newrelic/opensource-website/wiki/Open-Source-Category-Snippets#code-snippet-2 to file

Passed #

ECS anywhere allows to use on-premise machines as ECS workers to schedule ECS workloads.

Our ECS solution is mostly the infrastructure agent + nri-docker, but it does use nri-ecs to get metadata. It is unclear whether this metadata is available on self-hosted workers.

Description

Currently, cloudformation yamls point to infrastructure-bundle version 1.6.0, which is a couple months old already.

it would be good to update these manifests to the latest version of infrastructure-bundle.

Problem:
After the release of the integration , the new version needs to be added to the infra bundle image , once the bundle is released the release of the manifest is needed in this repo. This is procedure is manual and often forgotten.

Solution proposals:

• Dispatch the manifest release workflow from infra bundle ci
• Create the ecs image based on the bundle image like k8s integration. (chosen)
  • Unify all code and context related to the integration in the same repo (nri-ecs)
  • Do a single step deployment ( pushing image and templates installation manifests )

^^ Provide a general summary of the issue in the title above. ^^

Description

I'm reading the releases (https://github.com/newrelic/nri-ecs/releases), and then follow the links to the updates of the infrastructure bundle.

Expected Behavior

Browser shows infrastructure bundle changelog.

Troubleshooting or NR Diag results

N/A

Steps to Reproduce

Open https://github.com/newrelic/nri-ecs/releases, find infrastructure-bundle changelog links, click on them.

Your Environment

A browser. :)

Additional context

The links point to https://github.com/newrelic/infrastructure-bundle/releases/tag/3.2.13 (no "v"), they should point to https://github.com/newrelic/infrastructure-bundle/releases/tag/v3.2.13 ("v" before the version).

For Maintainers Only or Hero Triaging this bug

Suggested Priority (P1,P2,P3,P4,P5):
Suggested T-Shirt size (S, M, L, XL, Unknown):

Currently the integration only supports v3 endpoint.
Supporting v4 endpoint will be required to implement #43 .

https://fsi-build.pdx.vm.datanerd.us/view/all/job/nri-ecs-release-binary

https://fsi-build.pdx.vm.datanerd.us/view/all/job/nri-ecs-release-manifests

Commands are already grouped in makefile targets that can be called

Description

I want to fetch data from a specific cluster in ECS, although I have attached a role to meet my requirements, the new relic can't fetch the data

Acceptance Criteria

checking the logs from your side to find out the root cause of this issue

Estimates

S

Description

Using the readOnlyRootFilesystem: true is a recommended best practice. The EKS sidecar has documentation for the sidecar and which volumes need to be mounted for the sidecar to work, but the ECS docs makes no mention of the flag our the required volumes.

Acceptance Criteria

Document which volumes need to be mounted with write access in order for the sidecar to work with ECS.

Estimates

S

When launching as sidecar with my single-container service, I get the following error in the logs:

time="2021-01-15T20:01:10Z" level=info msg="Starting agent process: /usr/bin/newrelic-infra"
time="2021-01-15T20:01:10Z" level=info msg="Creating service..."
time="2021-01-15T20:01:10Z" level=info msg="runtime configuration" agentUser=root component="New Relic Infrastructure Agent" executablePath= maxProcs=1 pluginDir="[/etc/newrelic-infra/integrations.d /var/db/newrelic-infra/integrations.d]"
time="2021-01-15T20:01:10Z" level=info msg="Checking network connectivity..." component=AgentService service=newrelic-infra
time="2021-01-15T20:01:10Z" level=info msg="service is stopping. waiting for agent process to terminate..."
time="2021-01-15T20:01:10Z" level=info msg=Initializing component=AgentService elapsedTime=470.403006ms service=newrelic-infra version=1.14.2
time="2021-01-15T20:01:13Z" level=info msg="New Relic infrastructure agent is running." component=AgentService elapsedTime=3.47403056s service=newrelic-infra
time="2021-01-15T20:01:13Z" level=info msg="Starting up agent..." component=Agent
time="2021-01-15T20:01:13Z" level=warning msg="failed to connect to DBus. make sure systemd is present." component=NotificationHandler
time="2021-01-15T20:01:13Z" level=warning msg="failed to init shutdown monitor" component=NotificationHandler error="no systemd found"
time="2021-01-15T20:01:13Z" level=info msg="Integration health check finished with success" component=integrations.runner.Runner integration_name=nri-ecs
time="2021-01-15T20:01:20Z" level=warning msg="Service run exit." error="graceful stop time exceeded... forcing stop"

Any idea what is going on?

I followed the instructions here: https://docs.newrelic.com/docs/integrations/elastic-container-service-integration/installation/install-ecs-integration and have the required containers, IAM roles, SSM parameter, Policies etc all in place.

ECS on Fargate v1.4.0

Feature request to include the new ClockDrift metadata block which is part of the new v4 ${ECS_CONTAINER_METADATA_URI_V4}/task endpoint

ClockDrift information is useful to determining if there's an time drift which can cause problems with time sensitive token/authorization flows.

Context: https://aws.amazon.com/about-aws/whats-new/2021/09/monitoring-clock-aws-fargate-amazon-ecs/

Priority: Nice to have. Currently trying to troubleshoot an intermittent issue which may be due to clock drift.

Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Fail
  • ❌ readme-starts-with-community-plus-header
  • ❌ code-of-conduct-file-does-not-exist
• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-contains-link-to-security-policy
  • ✅ readme-contains-discuss-topic
  • ✅ third-party-notices-file-exists

Fail #

❌ readme-starts-with-community-plus-header #

The README of a community plus project should have a community plus header at the start of the README. If you already have a community plus header and this rule is failing, your header may be out of date, and you should update your header with the suggested one below. For more information please visit https://opensource.newrelic.com/oss-category/. Below is a list of files or patterns that failed:

• README.md: The first 5 lines do not contain the pattern(s): Open source Community Plus header (see https://opensource.newrelic.com/oss-category).
  • 🔨 Suggested Fix: prepend [![Community Plus header](https://github.com/newrelic/opensource-website/raw/master/src/images/categories/Community_Plus.png)](https://opensource.newrelic.com/oss-category/#community-plus) to file

❌ code-of-conduct-file-does-not-exist #

New Relic has moved the CODE_OF_CONDUCT file to a centralized location where it is referenced automatically by every repository in the New Relic organization. Because of this change, any other CODE_OF_CONDUCT file in a repository is now redundant and should be removed. For more information please visit https://docs.google.com/document/d/1y644Pwi82kasNP5VPVjDV8rsmkBKclQVHFkz8pwRUtE/view. Found files. Below is a list of files or patterns that failed:

• CODE_OF_CONDUCT.md
  • 🔨 Suggested Fix: Remove file

Passed #

Context

Previous to nri-docker 1.3.3, the fargate sidecar was running with the agent in NRIA_IS_SECURE_FORWARD_ONLY mode. This allowed the agent to send custom attributes as entity tags, which then infra platform used to decorate container samples. However, this mode has the side-effect of also creating an entity for the host, which is not something desired in Fargate.

With nri-docker 1.3.3 we switched to the NRIA_IS_FORWARD_ONLY mode, that does not report anything about the host. However, this also has the side-effect of the agent not decorating samples with almost anything.

There is no clear solution for this.

Description

When browsing the ContainerSample event data that results from this integration, the tags attached to the ECS tasks are not propagated to NR.

Expected Behaviour

Task tags are exported to and queryable in NR.

Your Environment

Fargate containers running latest nri-ecs sidecar.

Additional context

I believe that the ${ECS_CONTAINER_METADATA_URI_V4}/taskWithTags endpoint should be used to achieve this.

The goal is to investigate how we can enable service monitoring in ECS Fargate by improving the current configuration experience proposed.

@gsanchezgavier worked on a POC that made possible to monitor services by creating a EFS volume in ECS and then configuring the infrastructure agent to grab the configuration file.

Here are some options than can be considered.

We need to evaluate if this approach can be improved or enable other strategies to easily inject the configuration in the infrastructure agent.

CAOS and CoreInt will work together on this spike.

cc @davidgit @josemore

The update_service function in the script "newrelic-infra-ecs-installer.sh" calls "aws ecs update-service" with the flag "--launch-type" which makes the update failing because in the AWS CLI v2 such a flag for "update-service" doesn't exist.

Description

Unable to update the existing NR service

Expected Behavior

The update should happen without errors

Troubleshooting or NR Diag results

Output of the failure:

Service newrelic-infra in cluster _redacted_ already exists. Updating to latest task definition of newrelic-infra.

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

Unknown options: --launch-type, EC2

Error: couldn't update the newrelic-infra service.

Steps to Reproduce

Run the script a first time to install the ECS integration then re run the script on the same cluster to launch an update
TIP: # ( Link a sample application that demonstrates the issue. )

Your Environment

Base Amazon Linux 2022 - Linux Kernel 5.15 (amd64 / arm64)

Additional context

Is your feature request related to a problem? Please describe.

Recently we started integrating nri-ecs image in ECS cluster as per the how-to's document and we were successful. However during initial integration in lower environments it's been found that the image contains multiple security vulnerabilities which is blocking us to proceed further. NewRelic Support suggested to open issue over here to track it.

nri-ecs version: 1.8.0

Feature Description

Can we have this vulnerabilities addressed which will unblock us to take it further.

Priority

Please help us better understand this feature request by choosing a priority from the following options:
Blocker

Attaching the list of vulnerabilities:
nri-ecs-image-vulnerabilities.csv

I tried this feature(implemeted by cloud formation) however a error occurred below when I started task ...

Fetching secret data from SSM Parameter Store in ap-northeast-1: AccessDeniedException: 
User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/NewRelicECSIntegration-Ne-NewRelicECSTaskExecution-xxxxxxxxxxxx/xxxxxxxxxxxx 
is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:ap-northeast-1:xxxxxxxxxxxx:parameter/aws/reference/secretsmanager/NewRelicLicenseKeySecret-xxxxxxxxxxxx 
status code: 400, request id: xxxxxxxxxxxxxx

Description

Same above.

Expected Behavior

Task is started and collect container's data to New Relic.

Troubleshooting or NR Diag results

Troubleshooting

• I tried to add IAM policy of "AmazonSSMReadOnlyAccess" to task execution role created by Cloud formation manually.
• Got it what I expect behavior as above.

How to resolve this issue is below.

• Add "AmazonSSMReadOnlyAccess" and so on to execution-role.yaml such as below.

      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
        - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
        - "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess" # Add this line.
        - !Ref NewRelicLicenseKeySecretReadAccess

Steps to Reproduce

Your Environment

I think resolve It regardless of what type of environment.

Additional context

nothing.