https://prefect.io logo
Powered by
Title
d

Darragh

06/03/2020, 8:22 PM
Hey guys, having trouble with running a flow on FargateTaskEnvironment. Configuration for the Environment is below.. 
flow.environment = FargateTaskEnvironment(
        launch_type="FARGATE",
        region="eu-west-1",
        cpu="256",
        memory="512",
        networkConfiguration={
            "awsvpcConfiguration": {
                "assignPublicIp": "ENABLED",
                "subnets": ["subnet-X"],
                "securityGroups": ["sg-Y"],
            }
        },
        family="my_flow",
        taskRoleArn="arn:aws:iam::X:role/CommonSuperRole",
        executionRoleArn="arn:aws:iam::X:role/CommonSuperRole",
        containerDefinitions={
            "name": "my-flow",
            "image": "my-flow",
            "command": [],
            "environment": [],
            "essential": True,
        }
    )
I keep getting this error: 
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support log driver awslogs
So my questions : • I’m using the same Uber Role for both the taskRoleArn and the executionRoleArn, probably not best practice but should work? • I’ve thrown every possible log and cloudwatch related policy/permission at it that I can think of, but nothing is taking. I can provide a dump of the permissions if need be? Any help massively appreciated, fairly stumped on it. Is there any way to get more debug info out of it?
j

Joe Schmid

06/03/2020, 8:27 PM
hi @Darragh We run the Fargate agent for a bunch of production Prefect Flows. Usually task role and execution role are different, with execution role almost always being the standard one named: 
ecsTaskExecutionRole
It looks like yours are set to the same role. See this in AWS docs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
:upvote: 1
(FWIW, I find the AWS naming of these two roles to be a disaster. Specifically, execution role (not task role) is almost always set to something (
ecsTaskExecutionRole
) that has both of those words in the name!?)
d

Darragh

06/03/2020, 8:34 PM
AWS roles and policies are a wild west all unto themselves 🙂 I followed that guide but no joy. One interesting line in it though, 
The task execution role is supported by Amazon ECS container agent version 1.16.0 and later
No idea if there’s any correlation or not.
Is there any way to get more debug info out of it?
j

Joe Schmid

06/03/2020, 8:37 PM
@Darragh could you try these 2 things (should be quick): 1. Confirm that your AWS account has a role for 
ecsTaskExecutionRole
2. Update your FargateTaskEnvironment to use the 
ecsTaskExecutionRole
for execution role and your own role for task role, like this: 
task_role_arn="arn:aws:iam::<your-aws-account-number>:role/<your-aws-iam-role-name>",
    execution_role_arn="arn:aws:iam::<your-aws-account-number>:role/ecsTaskExecutionRole",
d

Darragh

06/03/2020, 8:45 PM
Testing now…
Same error
python snippet from the flow: 
flow.environment = FargateTaskEnvironment(
        launch_type="FARGATE",
        region="eu-west-1",
        cpu="256",
        memory="512",
        networkConfiguration={
            "awsvpcConfiguration": {
                "assignPublicIp": "ENABLED",
                "subnets": ["subnet-RANDOM"],
                "securityGroups": ["sg-RANDOM"],
            }
        },
        family="my_flow",
        taskRoleArn="arn:aws:iam::RANDOM:role/Orchestration-PrefectRole1E6EFC48-1J7FK5V772G96",
        executionRoleArn="arn:aws:iam::RANDOM:role/ecsTaskExecutionRole",
        containerDefinitions={
            "name": "batch-universe",
            "image": "batch-universe",
            "command": [],
            "environment": [],
            "essential": True,
        }
    )
Im now wondering is it possible to turn the logging and roles off just to get past this issue 😂
Or even how to turn on verbose logging for the agent
j

Joe Schmid

06/03/2020, 9:07 PM
@Darragh I'm surprised that you're getting an error complaining about 
"log driver awslogs"
-- we specifically add that to our containerDefinitions but you don't have that in your config. Here's ours: 
containerDefinitions=[
        {
            "command": [],
            "environment": [
                {"name": "PREFECT__LOGGING__LOG_TO_CLOUD", "value": "true"},
                {"name": "AWS_DEFAULT_REGION", "value": REGION_NAME},
            ],
            "essential": True,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "blah-blah",
                    "awslogs-region": "our region",
                    "awslogs-stream-prefix": "blah blah",
                },
            },
        }
    ],
d

Darragh

06/03/2020, 9:12 PM
@Joe Schmid We might be looking at different definitions here - mine is for the flow definition, and i think yours is for the agent, is that right?
Agent definition here..
j

Joe Schmid

06/03/2020, 9:46 PM
@Darragh that makes sense now. I'd recommend getting a Flow that uses a simple RemoteEnvironment() to work first. (If you haven't already.)
I don't see where your agent is getting execution role ARN and task role ARN. Is that coming from environment variables? You can try the same configuration I mentioned above using 
ecsTaskExecutionRole
for execution role and your 
CommonSuperRole
for task role with the agent. (Ignore me if your Fargate Agent is already working fine.)
d

Darragh

06/03/2020, 9:50 PM
@Joe Schmid Yeah i have a basic one working for remote, but our major use case is on fargate, im going to test the roles tomorrow on a manual fargate task deploy and see if they work at al!
Are the roles suppsed to be set on the agent? I thoight they were only on the flow?
j

Joe Schmid

06/03/2020, 9:50 PM
Those roles definitely need to be set for the agent.
d

Darragh

06/03/2020, 9:52 PM
Ah, from what i read i thought they were on the flow only! Ok ill test that, thanks joe
j

Joe Schmid

06/03/2020, 9:52 PM
No problem, post here with what you find and we'll get you up and running soon!
(Fargate Agent and FargateTaskEnvironment both register task definitions with ECS and run ECS tasks. The Fargate Agent will make a new ECS task -- and corresponding task definition -- for each Flow run. The FargateTaskEnvironment would make an additional ECS task.)
For us, we run Flows with the Fargate Agent that either: 1. Just uses a simple RemoteEnvironment() with no parameters so that the Flow run occurs in the ECS task that the Fargate Agent creates 2. Uses DaskCloudProviderEnvironment to create a truly distributed Dask cluster with ECS, i.e. Dask scheduler and Dask workers run as independent ECS tasks I would encourage anyone NOT to start with DaskCloudProviderEnvironment as it adds complexity. Just get #1 working successfully first then scale up if needed.
d

Darragh

06/03/2020, 9:58 PM
Thanks joe! So i might not actually need the fargate task envrionmwnt at all, is that right?
Added the ARNs to both the flow and the agent, and hey presto, a new error!! 
An error occurred (ClusterNotFoundException) when calling the RunTask operation: Cluster not found
j

Joe Schmid

06/04/2020, 12:16 AM
So i might not actually need the fargate task envrionmwnt at all, is that right?
That’s correct. There’s certainly no requirement to use it if you’re using the Fargate Agent.
a new error!!
An error occurred (ClusterNotFoundException) when calling the RunTask operation: Cluster not found
That’s definitely progress! Since the error is in RunTask, your Fargate Agent was able to successfully register a task definition. (And is now trying to run it.) Since your 
launch_type
is 
FARGATE
I think it should use the default cluster in ECS if you don’t specify one, but maybe try specifying a cluster ARN for your Fargate Agent. You also mentioned “Added ARNs to both the flow and the agent” — if the Flow is still using FargateTaskEnvironment, I would switch that to RemoteEnvironment().
l

Leonard Marcq

09/12/2020, 9:12 PM
For people who get the 
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support log driver awslogs
error message and might be searching for help in the channel later. Make sure that you spelled 
taskRoleArn
and 
executionRoleArn
in camelCase and not in snake_case. Just spent a good billion hours looking for the source of the problem everywhere else but in my spelling lol
m

Maikel Penz

10/13/2020, 8:41 AM
@Darragh did you get around the 
Cluster not found
error? I am facing the same
d

Darragh

10/13/2020, 9:16 AM
Hi Maikel, we actually moved away from it for a while due to other problems 🙂 Hoping to get back to it soon and fixing up our remaining problems
m

Maikel Penz

10/13/2020, 7:05 PM
Thanks Darragh. If anyone here has seen this error before (and fixed it) can you please share the solution ? 🙂 
An error occurred (ClusterNotFoundException) when calling the RunTask operation: Cluster not found
#prefect-communityJoin Slack
Powered by