Amazon EC2 Container Service (ECS) && Amazon EC2 Container Registry (ECR) - Dive Deep(?)
김기완, Solutions Architect, Amazon Web Services Korea, Dec 14, 2015
Some Facts on Docker (sample of 7,000 companies)
Fivefold growth in ONE year
Sep 2014: 1.8% → Sep 2015: 8.3%
[Diagram: one Server running a Guest OS, Bins/Libs, and App1 / App2]
Managing one resource is straightforward
$ docker run myimage
[Diagram: the same Server / Guest OS stack repeated across dozens of machines]
Managing a cluster is hard!
Cluster Management Made Easy
• No cluster software to install and manage
• Manages cluster state
• Manages containers
• Control and monitoring
• Scale from one to tens of thousands of containers
Designed for use with other AWS services:
• Elastic Load Balancing
• Amazon Elastic Block Store
• Amazon Virtual Private Cloud
• AWS Identity and Access Management
• AWS CloudTrail
Components
• Container Instance
• Cluster
• Task Definitions
• Tasks
• Service
[Diagram: a Cluster made of Container Instances; a Task definition is instantiated as Tasks, and a Service keeps a set of Tasks running]
Overall Steps
• Create Cluster in ECS Console or CLI
• Prepare Cluster Instances
• Prepare Task Definitions
• Configure the scheduler (services, …)
Container Instances
• Use the 'ecs-optimized' AMI
• One line in the user data section registers the instance with the cluster:
#!/bin/bash
echo ECS_CLUSTER=containerday >> /etc/ecs/ecs.config
Task Definitions (the container definitions shown in the deck)
[{
  "name": "simple-demo",
  "image": "my-demo",
  "cpu": 10,
  "memory": 500,
  "environment": [],
  "portMappings": [
    {"containerPort": 80, "hostPort": 80}
  ],
  "mountPoints": [
    {"sourceVolume": "my-vol", "containerPath": "/var/www/my-vol"}
  ],
  "entryPoint": ["/usr/sbin/apache2", "-D", "FOREGROUND"],
  "essential": true
},
{
  "name": "db",
  "image": "mysql",
  "cpu": 10,
  "memory": 500,
  "essential": true,
  "entryPoint": ["/entrypoint.sh"],
  "environment": [
    {"name": "MYSQL_ROOT_PASSWORD", "value": "pass"}
  ],
  "portMappings": []
}]
Annotations:
• "essential": true – essential to our task; if this container stops, the whole task stops
• "mountPoints" – create and mount volumes
• "portMappings" – expose port 80 in the container as port 80 on the host
• "cpu": 10, "memory": 500 – 10 CPU units (1024 is a full CPU), 500 megabytes of memory
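The checks below are an added example, not code from the deck or from AWS. They run against a constructed copy of the deck's two container definitions and flag what a reviewer would want to catch before registering the task definition: images with no tag or digest (which resolve to a mutable ':latest'), a host port claimed twice inside one task, and a credential such as the deck's MYSQL_ROOT_PASSWORD sitting in plain text in the environment block, where anyone allowed ecs:DescribeTaskDefinition can read it. The secret-name pattern is a heuristic of this example, and the resource totals assume the deck's 1024-units-per-CPU convention.

```python
"""Static checks on ECS container definitions (added example, not AWS code)."""
import re
from typing import Dict, List

# Constructed sample: the two container definitions shown in the deck.
SAMPLE_CONTAINER_DEFINITIONS: List[Dict] = [
    {
        "name": "simple-demo",
        "image": "my-demo",
        "cpu": 10,
        "memory": 500,
        "environment": [],
        "portMappings": [{"containerPort": 80, "hostPort": 80}],
        "mountPoints": [{"sourceVolume": "my-vol", "containerPath": "/var/www/my-vol"}],
        "entryPoint": ["/usr/sbin/apache2", "-D", "FOREGROUND"],
        "essential": True,
    },
    {
        "name": "db",
        "image": "mysql",
        "cpu": 10,
        "memory": 500,
        "essential": True,
        "entryPoint": ["/entrypoint.sh"],
        "environment": [{"name": "MYSQL_ROOT_PASSWORD", "value": "pass"}],
        "portMappings": [],
    },
]

# Heuristic (assumption of this example): variable names that usually carry credentials.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)
FULL_CPU = 1024  # CPU units for one full CPU, as the deck states


def image_is_pinned(image: str) -> bool:
    """True if the image reference carries a tag or a digest.

    Without one, Docker pulls ':latest', so the running task silently changes
    whenever someone pushes a new image under that name.
    """
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may contain ':port'
    return ":" in last


def task_resources(defs: List[Dict]) -> Dict[str, int]:
    """Sum of CPU units and memory (MiB) reserved by all containers in the task."""
    return {
        "cpu": sum(c.get("cpu", 0) for c in defs),
        "memory": sum(c.get("memory", 0) for c in defs),
    }


def lint_container_definitions(defs: List[Dict]) -> List[str]:
    """Return one finding per problem; an empty list means the definitions are clean."""
    findings: List[str] = []
    if not any(c.get("essential", True) for c in defs):  # ECS defaults essential to true
        findings.append("task: no essential container, so ECS could never mark the task healthy")
    host_ports: Dict[int, str] = {}
    for c in defs:
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not image_is_pinned(image):
            findings.append(f"{name}: image '{image}' has no tag or digest, pulls resolve to mutable :latest")
        if c.get("memory", 0) <= 0:
            findings.append(f"{name}: no memory limit, container can starve the instance")
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")) and env.get("value"):
                findings.append(
                    f"{name}: {env['name']} holds a secret in plain text; anyone allowed "
                    "ecs:DescribeTaskDefinition can read it"
                )
        for pm in c.get("portMappings", []):
            hp = pm.get("hostPort")
            if hp:  # 0 or absent means a dynamic host port, which cannot collide
                if hp in host_ports:
                    findings.append(f"{name}: hostPort {hp} already claimed by {host_ports[hp]} in the same task")
                host_ports[hp] = name
    return findings


if __name__ == "__main__":
    for finding in lint_container_definitions(SAMPLE_CONTAINER_DEFINITIONS):
        print("FINDING:", finding)
    print("reserved:", task_resources(SAMPLE_CONTAINER_DEFINITIONS))
```

Run against the deck's definitions the linter reports three findings: both images are unpinned and the database password is in plain text. Pinning to a digest and moving the password out of the task definition are the two changes a reviewer would ask for.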
Tasks
[Diagram: the scheduler places tasks (a PHP App and a Time of day App sharing a data volume) onto container instances]
Scheduling Amazon ECS Tasks
• The Amazon ECS schedulers use the cluster state information provided by the Amazon ECS API to make placement decisions.
• Services (service scheduler)
  – Long-running stateless services and applications
  – Ensures that the specified number of tasks is constantly running and reschedules when a task fails
  – ELB integration
  – Can be changed dynamically (new task definition, number of desired tasks, …)
• Running Tasks (RunTask)
  – Batch jobs
  – Distributes tasks randomly across the cluster, with an attempt to balance them
• The StartTask API
  – Write or use your own scheduler
  – AWS CLI, AWS SDK, and the Amazon ECS API
  – Use List/Describe calls to read the state of your cluster, then StartTask to place tasks on the container instance you choose
Services (Service Scheduler)
• If a task in a service becomes unhealthy or unresponsive, the task is killed and restarted. This process continues until your service reaches the number of desired running tasks.
• You can optionally run your service behind a load balancer
• When the service scheduler launches new tasks, it attempts to balance them across the Availability Zones in your cluster with the following logic (AZ-aware scheduling):
– Determine which of the container instances in your cluster can support your service's task definition (for example, they have the required CPU, memory, ports, and container instance attributes).
– Sort the valid container instances by the fewest number of running tasks for this service in the same Availability Zone as the instance. For example, if zone A has one running service task and zones B and C each have zero, valid container instances in either zone B or C are considered optimal for placement.
– Place the new service task on a valid container instance in an optimal Availability Zone (based on the previous steps), favoring container instances with the fewest number of running tasks for this service.
Service Load Balancer
• One load balancer per service.
• One load balancer can serve multiple ports if the containers in the task definition require multiple ports for the service. For example, if a task definition runs Elasticsearch on port 3030 of the container instance and Logstash/Kibana on port 4040, the same load balancer can route traffic to Elasticsearch and Kibana through two listeners.
• The load balancer's subnet configuration must include every subnet that your container instances reside in.
• If a service's task fails the load balancer's health check, the task is killed and restarted. This continues until the service reaches the desired number of running tasks.
Updating a Service
• Change the number of tasks maintained by a service.
• Scale up or down, as long as container instances with free capacity are available.
• If the Docker image is updated, create a new task definition revision with that image and deploy it to the service.
• The service scheduler starts a task with the new task definition (provided there is a container instance with room for it); once that task reaches the RUNNING state, a task using the old task definition is drained and stopped. This repeats until all desired tasks in the service use the new task definition.
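The model below is an added example, not AWS code: it re-implements, in memory, the three placement steps the deck lists for the service scheduler (filter instances by CPU, memory and ports; prefer the Availability Zone with the fewest of the service's tasks; then the instance with the fewest) and the update loop from this section (start one task on the new task definition, wait for RUNNING, drain one old task, repeat). The cluster, instance IDs i-a/i-b/i-c and AZ names are constructed; a real scheduler would read this state from ListContainerInstances / DescribeContainerInstances. It also shows the edge case a practitioner hits with static host ports: an update can only proceed when some instance does not already hold the service's host port, otherwise it stalls with the old tasks still serving.

```python
"""AZ-aware placement and rolling update of an ECS service (added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Task:
    service: str
    task_def: str               # e.g. "web:1"
    cpu: int
    mem: int
    host_ports: FrozenSet[int]


@dataclass
class Instance:
    id: str
    az: str
    cpu_free: int
    mem_free: int
    ports_in_use: set = field(default_factory=set)
    tasks: List[Task] = field(default_factory=list)


@dataclass(frozen=True)
class TaskSpec:
    cpu: int
    mem: int
    host_ports: FrozenSet[int]  # static host ports block co-location on one instance


def fits(inst: Instance, spec: TaskSpec) -> bool:
    """Step 1: can this instance support the task definition (CPU, memory, ports)?"""
    return (inst.cpu_free >= spec.cpu and inst.mem_free >= spec.mem
            and not (spec.host_ports & inst.ports_in_use))


def service_tasks_in_az(instances: List[Instance], service: str, az: str) -> int:
    return sum(1 for i in instances if i.az == az for t in i.tasks if t.service == service)


def place(instances: List[Instance], service: str, spec: TaskSpec) -> Optional[Instance]:
    """Steps 2-3: fewest service tasks in the AZ, then fewest on the instance; None if no capacity."""
    valid = [i for i in instances if fits(i, spec)]
    valid.sort(key=lambda i: (service_tasks_in_az(instances, service, i.az),
                              sum(1 for t in i.tasks if t.service == service)))
    return valid[0] if valid else None


def start_task(inst: Instance, service: str, task_def: str, spec: TaskSpec) -> Task:
    t = Task(service, task_def, spec.cpu, spec.mem, spec.host_ports)
    inst.tasks.append(t)
    inst.cpu_free -= t.cpu
    inst.mem_free -= t.mem
    inst.ports_in_use |= t.host_ports
    return t


def stop_task(inst: Instance, t: Task) -> None:
    inst.tasks.remove(t)
    inst.cpu_free += t.cpu
    inst.mem_free += t.mem
    inst.ports_in_use -= t.host_ports


def rolling_update(instances: List[Instance], service: str, new_def: str, spec: TaskSpec) -> List[str]:
    """Replace old tasks one at a time: start a new one, then drain one old one.

    If no instance can take the new task (typically every instance already holds the
    service's static host port), the update stalls and the old tasks keep serving.
    """
    events: List[str] = []
    while True:
        old = [(i, t) for i in instances for t in i.tasks if t.service == service and t.task_def != new_def]
        if not old:
            return events
        target = place(instances, service, spec)
        if target is None:
            events.append("no capacity for the new task definition; update stalls")
            return events
        start_task(target, service, new_def, spec)  # assume it reaches RUNNING
        events.append(f"started {new_def} on {target.id} ({target.az})")
        inst, t = old[0]
        stop_task(inst, t)
        events.append(f"drained and stopped {t.task_def} on {inst.id}")


def demo() -> Tuple[List[str], List[str]]:
    """Constructed cluster: one instance per AZ; service 'web' wants 2 tasks on host port 80."""
    instances = [Instance(f"i-{z}", f"az-{z}", cpu_free=1024, mem_free=2048) for z in "abc"]
    spec = TaskSpec(cpu=256, mem=512, host_ports=frozenset({80}))
    placements = []
    for _ in range(2):
        inst = place(instances, "web", spec)
        start_task(inst, "web", "web:1", spec)
        placements.append(inst.id)
    return placements, rolling_update(instances, "web", "web:2", spec)


if __name__ == "__main__":
    placed, log = demo()
    print("initial placement:", placed)
    for line in log:
        print(line)
```

With three instances in three AZs the two initial tasks land in az-a and az-b, and the update needs the idle instance in az-c to start the first web:2 task before anything old is drained. With only as many instances as tasks, the same update never starts, which is why services with a fixed hostPort need headroom or dynamic host ports before a deploy.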
Services
• Load balance traffic across containers
• Automatically recover unhealthy containers
• Discover services
[Diagram: three tasks (PHP App + Time of day App sharing a data volume) on container instances behind Elastic Load Balancing]
Update Service
• Scale up
• Scale down
[Diagram: the same service scaled to four tasks behind Elastic Load Balancing]
Update Service
• Deploy new version
• Drain connections
[Diagram: Elastic Load Balancing draining connections from old tasks while new-version tasks start]
Running Tasks (RunTask)
• One-time or periodic batch jobs.
• If you want a specified number of tasks to always remain running or if you want to place your tasks behind a load balancer, you should use the Amazon ECS service scheduler.
Auto Scaling in ECS?
https://aws.amazon.com/blogs/compute/scaling-amazon-ecs-services-automatically-using-amazon-cloudwatch-and-aws-lambda/
Remaining Pain-points
• “We don’t want to be in the business of hosting our own infrastructure for a container registry”
• “Need a service that has better uptime and can handle hundreds of image pulls at once”
• “Need to keep images private with fine-grained access control without managing certificates or credentials”
Overview
• Security
  – IAM resource-based policies
  – Images encrypted in transit and at rest
• Easily manage and deploy images
  – Tight integration with ECS
  – Standalone service
  – Integration with the Docker toolset
  – Management Console and AWS CLI
• Reliability and performance
  – S3-backed
  – Regional endpoints
  – Expected to handle hundreds of concurrent pulls
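The "IAM resource-based policies" bullet is what makes "private images with fine-grained access control" possible: the repository itself carries a policy naming who may pull. The block below is an added example, not from the deck or AWS: it builds a pull-only repository policy for a list of principal ARNs (the role ARN and account ID are placeholders) using the three ECR actions an image pull needs, and checks an arbitrary repository policy for the two mistakes that undo the privacy goal, a wildcard principal and an action grant that permits pushes. The policy language version 2008-10-17 is the one ECR repository policies use.

```python
"""Pull-only Amazon ECR repository policy and a check for over-broad grants (added example)."""
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# ECR API actions an image pull needs.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]
# ECR API actions that write to a repository; none of these belong in a pull-only policy.
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def pull_only_policy(principal_arns: List[str]) -> Dict:
    """Repository policy that lets only the named principals pull images."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": list(PULL_ACTIONS),
        }],
    }


def _as_list(value) -> List[str]:
    """IAM lets Principal/Action be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: Dict) -> List[str]:
    """Flag Allow statements that open the repository to everyone or permit pushes."""
    findings: List[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS"))
        if "*" in arns:
            findings.append(f"{sid}: Principal '*' grants access to every AWS account")
        for pattern in _as_list(st.get("Action")):
            # IAM action names are case-insensitive and may use '*' wildcards (e.g. "ecr:*").
            if any(fnmatchcase(a.lower(), pattern.lower()) for a in PUSH_ACTIONS):
                findings.append(f"{sid}: action '{pattern}' allows pushing images, not just pulling")
    return findings


if __name__ == "__main__":
    # Placeholder ARN (assumption): the instance role of the ECS container instances.
    policy = pull_only_policy(["arn:aws:iam::123456789012:role/ecsInstanceRole"])
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

The generated document is what you would pass to the repository's policy text; the checker is the review step, and it also catches the common "ecr:*" shortcut, which quietly turns a read-only consumer into a publisher.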
Pricing
• $0.10 per GB-month of Docker image storage
• Data transfer pass-through pricing (customary AWS rates)
  – Free data in
  – Charged for data out to the internet and data out from one region to another
• 12-month free tier for 500 MB of image storage
Amazon ECR Default Service Limits
Resource                             Default Limit
Number of repositories per account   10
Number of images per repository      50
Number of layers per image           127 (current Docker limit)
Layer size                           1 GiB