AWS ECS Installation
Deploy Telegen on Amazon Elastic Container Service (ECS).
Prerequisites
AWS CLI configured
ECS cluster (EC2 launch type)
IAM permissions for ECS task creation
EC2 instances with Linux kernel 4.18+
Note
Telegen requires EC2 launch type due to eBPF requirements. Fargate is not supported.
Agent Mode (Daemon Service)
Step 1: Create IAM Role
# Create trust policy
cat > trust-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
# Create role
aws iam create-role \
--role-name telegen-task-role \
--assume-role-policy-document file://trust-policy.json
# Attach policies
aws iam attach-role-policy \
--role-name telegen-task-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
aws iam attach-role-policy \
--role-name telegen-task-role \
--policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
Step 2: Create Task Definition
cat > telegen-task-definition.json <<EOF
{
"family": "telegen-agent",
"networkMode": "host",
"pidMode": "host",
"requiresCompatibilities": ["EC2"],
"executionRoleArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/telegen-task-role",
"taskRoleArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/telegen-task-role",
"containerDefinitions": [
{
"name": "telegen-agent",
"image": "ghcr.io/mirastacklabs-ai/telegen:latest",
"essential": true,
"privileged": true,
"command": ["--mode=agent", "--config=/etc/telegen/config.yaml"],
"environment": [
{
"name": "TELEGEN_OTLP_ENDPOINT",
"value": "otel-collector.internal:4317"
},
{
"name": "TELEGEN_LOG_LEVEL",
"value": "info"
}
],
"mountPoints": [
{
"sourceVolume": "sys",
"containerPath": "/sys",
"readOnly": true
},
{
"sourceVolume": "proc",
"containerPath": "/host/proc",
"readOnly": true
},
{
"sourceVolume": "debugfs",
"containerPath": "/sys/kernel/debug",
"readOnly": false
},
{
"sourceVolume": "bpf",
"containerPath": "/sys/fs/bpf",
"readOnly": false
}
],
"portMappings": [
{
"containerPort": 19090,
"hostPort": 19090,
"protocol": "tcp"
},
{
"containerPort": 8080,
"hostPort": 8080,
"protocol": "tcp"
}
],
"healthCheck": {
"command": ["CMD-SHELL", "wget -q -O- http://localhost:8080/healthz || exit 1"],
"interval": 30,
"timeout": 5,
"retries": 3,
"startPeriod": 10
},
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/telegen",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "telegen"
}
},
"cpu": 256,
"memory": 512,
"memoryReservation": 256
}
],
"volumes": [
{
"name": "sys",
"host": {
"sourcePath": "/sys"
}
},
{
"name": "proc",
"host": {
"sourcePath": "/proc"
}
},
{
"name": "debugfs",
"host": {
"sourcePath": "/sys/kernel/debug"
}
},
{
"name": "bpf",
"host": {
"sourcePath": "/sys/fs/bpf"
}
}
]
}
EOF
# Register task definition
aws ecs register-task-definition --cli-input-json file://telegen-task-definition.json
Step 3: Create CloudWatch Log Group
aws logs create-log-group --log-group-name /ecs/telegen
Step 4: Create Daemon Service
cat > telegen-service.json <<EOF
{
"cluster": "your-cluster-name",
"serviceName": "telegen-agent",
"taskDefinition": "telegen-agent",
"schedulingStrategy": "DAEMON",
"deploymentConfiguration": {
"maximumPercent": 100,
"minimumHealthyPercent": 0
},
"placementConstraints": [],
"enableECSManagedTags": true,
"tags": [
{
"key": "Service",
"value": "telegen"
}
]
}
EOF
aws ecs create-service --cli-input-json file://telegen-service.json
Collector Mode
For SNMP and storage array monitoring:
Task Definition
cat > telegen-collector-task.json <<EOF
{
"family": "telegen-collector",
"networkMode": "awsvpc",
"requiresCompatibilities": ["EC2", "FARGATE"],
"cpu": "512",
"memory": "1024",
"executionRoleArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/telegen-task-role",
"taskRoleArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/telegen-task-role",
"containerDefinitions": [
{
"name": "telegen-collector",
"image": "ghcr.io/mirastacklabs-ai/telegen:latest",
"essential": true,
"command": ["--mode=collector", "--config=/etc/telegen/config.yaml"],
"environment": [
{
"name": "TELEGEN_OTLP_ENDPOINT",
"value": "otel-collector.internal:4317"
}
],
"secrets": [
{
"name": "DELL_PASSWORD",
"valueFrom": "arn:aws:secretsmanager:us-east-1:YOUR_ACCOUNT_ID:secret:telegen/dell-password"
},
{
"name": "SNMP_AUTH_PASSWORD",
"valueFrom": "arn:aws:secretsmanager:us-east-1:YOUR_ACCOUNT_ID:secret:telegen/snmp-auth"
}
],
"portMappings": [
{
"containerPort": 162,
"protocol": "udp"
},
{
"containerPort": 19090,
"protocol": "tcp"
},
{
"containerPort": 8080,
"protocol": "tcp"
}
],
"healthCheck": {
"command": ["CMD-SHELL", "wget -q -O- http://localhost:8080/healthz || exit 1"],
"interval": 30,
"timeout": 5,
"retries": 3
},
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/telegen-collector",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "telegen"
}
}
}
]
}
EOF
aws ecs register-task-definition --cli-input-json file://telegen-collector-task.json
Create Secrets
# Create secrets in Secrets Manager
aws secretsmanager create-secret \
--name telegen/dell-password \
--secret-string "your-dell-password"
aws secretsmanager create-secret \
--name telegen/snmp-auth \
--secret-string "your-snmp-password"
Create Service
aws ecs create-service \
--cluster your-cluster-name \
--service-name telegen-collector \
--task-definition telegen-collector \
--desired-count 2 \
--launch-type EC2 \
--network-configuration "awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx]}"
Using SSM Parameter Store
Alternative to Secrets Manager:
# Create parameters
aws ssm put-parameter \
--name "/telegen/otlp-endpoint" \
--value "otel-collector:4317" \
--type String
aws ssm put-parameter \
--name "/telegen/dell-password" \
--value "your-password" \
--type SecureString
Update task definition to use SSM:
{
"secrets": [
{
"name": "DELL_PASSWORD",
"valueFrom": "arn:aws:ssm:us-east-1:YOUR_ACCOUNT_ID:parameter/telegen/dell-password"
}
]
}
IAM Policies
Secrets Manager Access
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:YOUR_ACCOUNT_ID:secret:telegen/*"
]
}
]
}
SSM Parameter Store Access
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:us-east-1:YOUR_ACCOUNT_ID:parameter/telegen/*"
]
}
]
}
Verification
Check Service Status
aws ecs describe-services \
--cluster your-cluster-name \
--services telegen-agent
Check Tasks
aws ecs list-tasks \
--cluster your-cluster-name \
--service-name telegen-agent
Check Logs
aws logs tail /ecs/telegen --follow
Terraform Example
resource "aws_ecs_task_definition" "telegen" {
family = "telegen-agent"
network_mode = "host"
pid_mode = "host"
requires_compatibilities = ["EC2"]
execution_role_arn = aws_iam_role.telegen_execution.arn
task_role_arn = aws_iam_role.telegen_task.arn
container_definitions = jsonencode([
{
name = "telegen-agent"
image = "ghcr.io/mirastacklabs-ai/telegen:latest"
essential = true
privileged = true
command = ["--mode=agent"]
environment = [
{
name = "TELEGEN_OTLP_ENDPOINT"
value = var.otlp_endpoint
}
]
mountPoints = [
{
sourceVolume = "sys"
containerPath = "/sys"
readOnly = true
},
{
sourceVolume = "proc"
containerPath = "/host/proc"
readOnly = true
},
{
sourceVolume = "debugfs"
containerPath = "/sys/kernel/debug"
},
{
sourceVolume = "bpf"
containerPath = "/sys/fs/bpf"
}
]
logConfiguration = {
logDriver = "awslogs"
options = {
"awslogs-group" = aws_cloudwatch_log_group.telegen.name
"awslogs-region" = var.region
"awslogs-stream-prefix" = "telegen"
}
}
}
])
volume {
name = "sys"
host_path = "/sys"
}
volume {
name = "proc"
host_path = "/proc"
}
volume {
name = "debugfs"
host_path = "/sys/kernel/debug"
}
volume {
name = "bpf"
host_path = "/sys/fs/bpf"
}
}
resource "aws_ecs_service" "telegen" {
name = "telegen-agent"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.telegen.arn
scheduling_strategy = "DAEMON"
}
Troubleshooting
Task Not Starting
# Check stopped tasks
aws ecs list-tasks --cluster your-cluster --desired-status STOPPED
# Describe task
aws ecs describe-tasks --cluster your-cluster --tasks TASK_ARN
Permission Issues
Ensure EC2 instances have the ECS agent with correct permissions
Verify IAM roles have necessary policies
Check security groups allow outbound traffic to OTLP endpoint
eBPF Errors
ECS instances must be EC2 (not Fargate)
Kernel must be 4.18+ (5.8+ recommended)
Instance must have
/sys/fs/bpfmounted
Next Steps
Configuration - Configuration reference
Features - Feature guides