Amazon Elastic Container Service (ECS)

Crawler

Overview

Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service for Docker containers running on EC2 instances.

This page covers AWS ECS setup with Datadog Container Agent v6. For other setups, see:

Setup

To monitor your ECS containers and tasks with Datadog, run the Agent as a container on every EC2 instance in your ECS cluster. As detailed below, there are a few setup steps:

Add an ECS Task
Create or Modify your IAM Policy
Schedule the Datadog Agent as a Daemon Service

If you don’t have a working EC2 Container Service cluster configured, review the Getting Started section in the ECS documentation.

Metric collection

Create an ECS Task

This task launches the Datadog container. When you need to modify the configuration, update this task definition as described further down in this guide. If you’re using APM, DogStatsD, or logs, set the appropriate flags in the task definition:

If you are using APM, set portMappings so your downstream containers can ship traces to the Agent service. APM uses port 8126 and TCP to receive traces, so set this as a hostPort in the task’s definition. Note that in order to enable trace collection from other containers, you must ensure that the DD_APM_NON_LOCAL_TRAFFIC environment variable is set to true. Learn more about APM with containers.
If you are using DogStatsD, set a hostPort of 8125 as UDP in the task’s definition. Note that in order to enable DogStatsD metrics collection from other containers, you must ensure the DD_DOGSTATSD_NON_LOCAL_TRAFFIC environment variable is set to true.
If you are using logs, refer to the dedicated Log collection documentation.

Double check the security group settings on your EC2 instances. Make sure these ports are not open to the public. Datadog uses the private IP to route to the Agent from the containers.

You may either configure the task using the AWS CLI tools or using the Amazon Web Console.

Dropdown

Download datadog-agent-ecs.json (datadog-agent-ecs1.json if you are using an original Amazon Linux AMI).
Edit datadog-agent-ecs.json and set <YOUR_DATADOG_API_KEY> with the Datadog API key for your account.
Optionally - Add an Agent health check.
Optionally - If you are in Datadog EU site, edit datadog-agent-ecs.json and set DD_SITE to DD_SITE:datadoghq.eu.
Optionally - See log collection to activate log collection.
Optionally - See process collection to activate process collection.
Optionally - See trace collection (APM) to activate trace collection.

Execute the following command:

aws ecs register-task-definition --cli-input-json file://path/to/datadog-agent-ecs.json

Agent health check

Add the following to your ECS task definition to create an Agent health check:

"healthCheck": {
  "retries": 3,
  "command": ["CMD-SHELL","agent health"],
  "timeout": 5,
  "interval": 30,
  "startPeriod": 15
}

Log in to your AWS Console and navigate to the EC2 Container Service section.
Click on the cluster you wish to add Datadog to.
Click on Task Definitions on the left side and click the button Create new Task Definition.
Enter a Task Definition Name, such as datadog-agent-task.
Click on the Add volume link.
For Name enter docker_sock. For Source Path, enter /var/run/docker.sock. Click Add.
Add another volume with the name proc and source path of /proc/.
Add another volume with the name cgroup and source path of /sys/fs/cgroup/ (or /cgroup/ if you are using an original Amazon Linux AMI).
Click the large Add container button.
For Container name enter datadog-agent.
For Image enter datadog/agent:latest.
For Maximum memory enter 256. Note: For high resource usage, you may need a higher memory limit.
Scroll down to the Advanced container configuration section and enter 10 in CPU units.
For Env Variables, add a Key of DD_API_KEY and enter your Datadog API Key in the value. If you feel more comfortable storing secrets like this in s3, take a look at the ECS Configuration guide.
Add another Environment Variable for any tags you want to add using the key DD_TAGS.
Scroll down to the Storage and Logging section.
In Mount points select the docker_sock source volume and enter /var/run/docker.sock in the Container path. Check the Read only checkbox.
Add another mount point for proc and enter /host/proc/ in the Container path. Check the Read only checkbox.
Add a third mount point for cgroup and enter /host/sys/fs/cgroup in the Container path. Check the Read only checkbox (use /host/cgroup/ if you are using an original Amazon Linux AMI).

Note: Setting the Datadog task definition to use 10 CPU units can cause the aws.ecs.cpuutilization for service:datadog-agent to display as running at 1000%. This is a peculiarity of how AWS displays CPU utilization. You can add more CPU units to avoid skewing your graph.

Create or Modify your IAM Policy

Add the following permissions to your Datadog IAM policy to collect Amazon ECS metrics. For more information on ECS policies, review the documentation on the AWS website.

AWS Permission	Description
`ecs:ListClusters`	Returns a list of existing clusters.
`ecs:ListContainerInstances`	Returns a list of container instances in a specified cluster.
`ecs:ListServices`	Lists the services that are running in a specified cluster.
`ecs:DescribeContainerInstances`	Describes Amazon ECS container instances.

Run the Agent as a Daemon Service

Ideally you want the Datadog Agent to load on one container on each EC2 instance. The easiest way to achieve this is to run the Datadog Agent as a Daemon Service.

Schedule a Daemon Service in AWS using Datadog’s ECS Task

Log in to the AWS console and navigate to the ECS Clusters section. Click into your cluster you run the Agent on.
Create a new service by clicking the Create button under Services.
For launch type, select EC2 then the task definition created previously.
For service type, select DAEMON, and enter a Service name. Click Next.
Since the Service runs once on each instance, you won’t need a load balancer. Select None. Click Next.
Daemon services don’t need Auto Scaling, so click Next Step, and then Create Service.

Dynamic detection and monitoring of running services

Datadog’s Autodiscovery can be used in conjunction with ECS and Docker to automatically discovery and monitor running tasks in your environment.

AWSVPC Mode

For Agent v6.10+, awsvpc mode is supported for both applicative containers and the Agent container, provided:

For the apps and the Agent in awsvpc mode, security groups must be set to allow:
- The Agent’s security group to reach the applicative containers on relevant ports.
- The Agent’s security group to reach the host instances on TCP port 51678. The ECS Agent container must either run in host network mode (default) or have a port binding on the host.
For apps in awsvpc mode and the Agent in bridge mode, security groups must be set to allow the host instances security group to reach the applicative containers on relevant ports.

Resource tag collection

To collect ECS resource tags:

Verify your Amazon ECS container instances are associated to an IAM role. This can be done when creating a new cluster with the ECS cluster creation wizard or in the launch configuration used by an autoscaling group.
Update the IAM role used by your Amazon ECS container instances with: ecs:ListTagsForResource.
Update your datadog-agent-ecs.json file (datadog-agent-ecs1.json if you are using an original Amazon Linux AMI) to enable resource tag collection by adding the following environment variable:
```
{
  "name": "DD_ECS_COLLECT_RESOURCE_TAGS_EC2",
  "value": "true"
}
```

Notes

Ensure your the IAM role is associated with your Amazon ECS container instances and not the underlying EC2 instance.
ECS resource tags can be collected from EC2 instances, but not from AWS Fargate.
This feature requires Datadog Agent v6.17+ or v7.17+.
The Agent supports ECS tag collection from the tasks, services, and container instances ECS resources.

Log collection

To collect all logs written by running applications in your ECS containers and send it to your Datadog application:

Follow the above instructions to install the Datadog Agent.

Update your datadog-agent-ecs.json file (datadog-agent-ecs1.json if you are using an original Amazon Linux AMI) with the following configuration:

{
    "containerDefinitions": [
    (...)
      "mountPoints": [
        (...)
        {
          "containerPath": "/opt/datadog-agent/run",
          "sourceVolume": "pointdir",
          "readOnly": false
        },
        (...)
      ],
      "environment": [
        (...)
        {
          "name": "DD_LOGS_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL",
          "value": "true"
        },
        (...)
      ]
    }
  ],
  "volumes": [
    (...)
    {
      "host": {
        "sourcePath": "/opt/datadog-agent/run"
      },
      "name": "pointdir"
    },
    (...)
  ],
  "family": "datadog-agent-task"
}

Make sure your container definition doesn’t contain a logConfiguration.logDriver parameter, so that the logs are written to stdout/stderr and collected by the Agent. If this parameter is set to awslogs, collect your Amazon ECS logs without the Agent by using AWS Lambda to collect ECS logs from CloudWatch.

Activate Log integrations

The source attribute is used to identify the integration to use for each container. Override it directly in your containers labels to start using log integrations. Read Datadog’s Autodiscovery guide for logs in order to learn more about this process.

Process collection

To collect processes information for all your containers and send it to Datadog:

Follow the above instructions to install the Datadog Agent.

Update your datadog-agent-ecs.json file (datadog-agent-ecs1.json if you are using an original Amazon Linux AMI) with the following configuration:

{
"containerDefinitions": [
(...)
  "mountPoints": [
    (...)
    {
      "containerPath": "/etc/passwd",
      "sourceVolume": "passwd",
      "readOnly": true
    },
    (...)
  ],
  "environment": [
    (...)
    {
      "name": "DD_PROCESS_AGENT_ENABLED",
      "value": "true"
    }
  ]
}
],
"volumes": [
(...)
{
  "host": {
    "sourcePath": "/etc/passwd"
  },
  "name": "passwd"
},
(...)
],
"family": "datadog-agent-task"
}

Trace collection

After installing the Datadog Agent, enable trace collection (optional):

Set the following parameters in the task definition for the datadog/agent container:

Port mapping: host / container port 8126, Protocol tcp:

containerDefinitions": [
{
"name": "datadog-agent",
"image": "datadog/agent:latest",
"cpu": 10,
"memory": 256,
"essential": true,
"portMappings": [
{
  "hostPort": 8126,
  "protocol": "tcp",
  "containerPort": 8126
}
],
...

For Agent v7.17 or lower, add the following environment variables:

...
  "environment": [
    ...
  {
    "name": "DD_APM_ENABLED",
    "value": "true"      
  },
  {
    "name": "DD_APM_NON_LOCAL_TRAFFIC",
    "value": "true"      
  },
  ...
  ]
...

See all environment variables available for Agent trace collection.

Assign the private IP address for each underlying instance your containers are running on in your application container to the DD_AGENT_HOST environment variable. This allows your application traces to be shipped to the Agent. The Amazon’s EC2 metadata endpoint allows discovery of the private IP address. To get the private IP address for each host, curl the following URL:
```
curl http://169.254.169.254/latest/meta-data/local-ipv4
```
and set the result as your Trace Agent Hostname environment variable for each application container shipping to APM:
```
os.environ['DD_AGENT_HOST'] = <EC2_PRIVATE_IP>
```
In cases where variables on your ECS application are set at launch time, you must set the hostname as an environment variable with DD_AGENT_HOST. Otherwise, you can set the hostname in your application’s source code for Python, Javascript, or Ruby. For Java and .NET you can set the hostname in the ECS task. For example:
- Dropdown
import requests from ddtrace import tracer def get_aws_ip(): r = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4') return r.text tracer.configure(hostname=get_aws_ip())
For more examples of how to set the Agent hostname in other languages, refer to the change agent hostname documentation.
const tracer = require('dd-trace'); const request = require('request'); request('http://169.254.169.254/latest/meta-data/local-ipv4', function( error, resp, body ) { tracer.init({ hostname: body }); });
For more examples of how to set the Agent hostname in other languages, refer to the change agent hostname documentation.
require 'ddtrace' require 'net/http' Datadog.configure do |c| c.tracer hostname: Net::HTTP.get(URI('http://169.254.169.254/latest/meta-data/local-ipv4')) end
Copy this script into the entryPoint field of your ECS task definition, updating the values with your application jar and argument flags.
"entryPoint": [ "sh", "-c", "export DD_AGENT_HOST=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); java -javaagent:/app/dd-java-agent.jar <APPLICATION_ARG_FLAGS> -jar <APPLICATION_JAR_FILE/WAR_FILE>" ]
For more examples of how to set the Agent hostname in other languages, refer to the change agent hostname documentation.
"entryPoint": [ "sh", "-c", "export DD_AGENT_HOST=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); dotnet ${APP_PATH}" ]

Data Collected

Metrics

aws.ecs.cpuutilization (gauge)	Average percentage of CPU units that are used in the cluster or service. Shown as percent
aws.ecs.cpuutilization.minimum (gauge)	Minimum percentage of CPU units that are used in the cluster or service. Shown as percent
aws.ecs.cpuutilization.maximum (gauge)	Maximum percentage of CPU units that are used in the cluster or service. Shown as percent
aws.ecs.memory_utilization (gauge)	Average percentage of memory that is used in the cluster or service. Shown as fraction
aws.ecs.memory_utilization.minimum (gauge)	Minimum percentage of memory that is used in the cluster or service. Shown as fraction
aws.ecs.memory_utilization.maximum (gauge)	Maximum percentage of memory that is used in the cluster or service. Shown as fraction
aws.ecs.service.cpuutilization (gauge)	Average percentage of CPU units that are used in the service. Shown as percent
aws.ecs.service.cpuutilization.minimum (gauge)	Minimum percentage of CPU units that are used in the service. Shown as percent
aws.ecs.service.cpuutilization.maximum (gauge)	Maximum percentage of CPU units that are used in the service. Shown as percent
aws.ecs.service.memory_utilization (gauge)	Average percentage of memory that is used in the service. Shown as fraction
aws.ecs.service.memory_utilization.minimum (gauge)	Minimum percentage of memory that is used in the service. Shown as fraction
aws.ecs.service.memory_utilization.maximum (gauge)	Maximum percentage of memory that is used in the service. Shown as fraction
aws.ecs.cluster.cpuutilization (gauge)	Average percentage of CPU units that are used in the cluster. Shown as percent
aws.ecs.cluster.cpuutilization.minimum (gauge)	Minimum percentage of CPU units that are used in the cluster. Shown as percent
aws.ecs.cluster.cpuutilization.maximum (gauge)	Maximum percentage of CPU units that are used in the cluster. Shown as percent
aws.ecs.cluster.memory_utilization (gauge)	Average percentage of memory that is used in the cluster. Shown as fraction
aws.ecs.cluster.memory_utilization.minimum (gauge)	Minimum percentage of memory that is used in the cluster. Shown as fraction
aws.ecs.cluster.memory_utilization.maximum (gauge)	Maximum percentage of memory that is used in the cluster. Shown as fraction
aws.ecs.cpureservation (gauge)	Average percentage of CPU units that are reserved by running tasks in the cluster. Shown as percent
aws.ecs.cpureservation.maximum (gauge)	Maximum percentage of CPU units that are reserved by running tasks in the cluster. Shown as percent
aws.ecs.cpureservation.minimum (gauge)	Minimum percentage of CPU units that are reserved by running tasks in the cluster. Shown as percent
aws.ecs.memory_reservation (gauge)	Average percentage of memory that is reserved by running tasks in the cluster. Shown as percent
aws.ecs.memory_reservation.minimum (gauge)	Minimum percentage of memory that is reserved by running tasks in the cluster. Shown as percent
aws.ecs.memory_reservation.maximum (gauge)	Maximum percentage of memory that is reserved by running tasks in the cluster. Shown as percent
aws.ecs.running_tasks_count (gauge)	The number of tasks on the container instance that are in the RUNNING status.
aws.ecs.pending_tasks_count (gauge)	The number of tasks on the container instance that are in the PENDING status.
aws.ecs.registered_cpu (gauge)	The number of CPU units registered on the container instance
aws.ecs.remaining_cpu (gauge)	The number of CPU units remaining on the container instance
aws.ecs.registered_memory (gauge)	The number of Memory units registered on the container instance
aws.ecs.remaining_memory (gauge)	The number of Memory units remaining on the container instance
aws.ecs.services (gauge)	The number of services running per cluster
aws.ecs.service.pending (gauge)	The number of tasks in the cluster that are in the pending state
aws.ecs.service.desired (gauge)	The number of tasks in the cluster that are in the desired state
aws.ecs.service.running (gauge)	The number of tasks in the cluster that are in the running state

Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including but not limited to host name, security-groups, and more.

Events

To reduce noise, the AWS ECS integration is automatically whitelisted to include only events that contain the following words: drain, error, fail, insufficient memory, pending, reboot, terminate. See example events below: