Amazon EC2 Container Service Deep Dive
Pierre Steckmeyer, Solutions Architect
Feb. 23, 2016
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
Containers and Amazon ECS Benefits
ECS Clusters
ECS Tasks
ECS Services
Solutions Built on Amazon ECS
Why Containers?
Container Benefits
Portable
Flexible
Fast
Efficient
[Diagram: container stack on one server: Guest OS, then Bins/Libs and App1 / App2 packaged per container]
Why Amazon ECS?
Amazon ECS Benefits
Easily Manage Clusters for Any Scale
Flexible Container Placement
Designed for Use with Other AWS Services
Extensible
Clusters
Regional Resource Pool
Grouping of Container Instances
Start Empty, Dynamically Scalable
Tasks
Unit of Work
Grouping of Related Containers
Run on Container Instances
Services
Good for Long-Running Applications
Load Balance Traffic across Containers
Automatically Recover Unhealthy Containers
Discover Services
ECS Clusters
ECS Clusters
Setup
IAM Roles
Monitoring
Logging
Autoscaling
Amazon EC2 Simple Systems Manager (SSM)
Provisioning with CloudFormation
Setup ECS Cluster with AutoScaling
Create LaunchConfiguration
Pick instance type depending on resource requirements, e.g. memory or CPU
Use latest Amazon Linux ECS-optimized AMI; other distros available
Create AutoScaling Group and set to cluster initial size
ECS IAM Policies and Roles
The ECS agent calls the ECS APIs on your behalf, so container instances require an IAM policy and role that allows these calls.
The ECS service scheduler calls the EC2 and ELB APIs on your behalf to register and deregister container instances with your load balancers.
Use AmazonEC2ContainerServiceforEC2Role and AmazonEC2ContainerServiceRole managed policies (respectively)
Monitoring with Amazon CloudWatch
Metric data sent to CloudWatch in 1-minute periods and recorded for a period of two weeks
Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space:
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron
Logging with Amazon CloudWatch Logs
Logging container with syslogd and CloudWatch Logs Agent
Attach /var/log Volume to Logging container
Link other containers to syslogd
[Diagram: container instance in the ECS cluster; the other containers link to syslogd in the logging container, whose CloudWatch Logs Agent forwards to CloudWatch Logs; ECS Agent Logs and Docker Logs are also shipped]
AutoScaling your Amazon ECS Cluster
Create CloudWatch alarm on a metric, e.g. MemoryReservation
Configure scaling policies to increase and decrease the size of your cluster
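Added example, not from the deck: Python that derives the cluster MemoryReservation metric the alarm above watches from a constructed snapshot of three container instances, applies a pair of assumed scale-out/scale-in thresholds, and shows two things the single cluster-wide number hides: whether a task of a given size can still be placed, and which instances are safe to remove when scaling in. Instance ids, memory figures and thresholds are made up.

```python
# Constructed snapshot of a three-instance cluster (values made up for the example).
# In a real cluster the registered and remaining memory come from the ECS
# DescribeContainerInstances API; CloudWatch derives MemoryReservation the same way.
INSTANCES = [
    {"id": "i-aaa", "registered_mib": 3951, "remaining_mib": 951},   # three 1000 MiB tasks
    {"id": "i-bbb", "registered_mib": 3951, "remaining_mib": 1951},  # two 1000 MiB tasks
    {"id": "i-ccc", "registered_mib": 3951, "remaining_mib": 3951},  # idle
]

def memory_reservation(instances):
    """Cluster MemoryReservation in percent: memory reserved by running tasks
    divided by memory registered by all container instances."""
    registered = sum(i["registered_mib"] for i in instances)
    reserved = sum(i["registered_mib"] - i["remaining_mib"] for i in instances)
    return 100.0 * reserved / registered

def scaling_decision(reservation_pct, scale_out_above=75.0, scale_in_below=25.0):
    """Mimic two CloudWatch alarms driving simple scaling policies on the
    AutoScaling group: +1 instance on high reservation, -1 on low, else hold.
    The thresholds are assumed values, not a recommendation from the deck."""
    if reservation_pct > scale_out_above:
        return 1
    if reservation_pct < scale_in_below:
        return -1
    return 0

def can_place(instances, task_mib):
    """Whether the scheduler can still place a task needing task_mib: headroom is
    per instance, so a cluster can look under-reserved and still reject a task."""
    return any(i["remaining_mib"] >= task_mib for i in instances)

def scale_in_candidates(instances):
    """Instances with nothing reserved, the only ones a scale-in can remove
    without killing running tasks."""
    return [i["id"] for i in instances if i["remaining_mib"] == i["registered_mib"]]

if __name__ == "__main__":
    pct = memory_reservation(INSTANCES)
    print("MemoryReservation %.1f%% -> scaling action %+d" % (pct, scaling_decision(pct)))
    print("can place 4000 MiB task:", can_place(INSTANCES, 4000))
    print("safe to scale in:", scale_in_candidates(INSTANCES))
```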
Amazon EC2 Simple Systems Manager (SSM)
Use Amazon EC2 SSM to execute commands on container instances, e.g. yum update
Add AmazonEC2RoleForSSM to the container instances' IAM role so they can process Run Commands
Install SSM Agent
Create SSM document
Cluster Setup with AWS CloudFormation
CloudFormation supports ECS cluster, service and task definition resources
Use AWS::IAM::Role to create ECS service role and container instances role
Launch container instances using AWS::AutoScaling::LaunchConfiguration and AWS::AutoScaling::AutoScalingGroup
Provision Clusters with AWS CloudFormation
"Resources" : {
  "ECSCluster": {
    "Type": "AWS::ECS::Cluster"
  },
  "ECSAutoScalingGroup" : {
    "Type" : "AWS::AutoScaling::AutoScalingGroup",
    "Properties" : {
      "VPCZoneIdentifier" : { "Ref" : "SubnetID" },
      "LaunchConfigurationName" : { "Ref" : "ContainerInstances" },
      "MinSize" : "1",
      "MaxSize" : { "Ref" : "MaxSize" },
      "DesiredCapacity" : { "Ref" : "DesiredCapacity" }
    },
    […]
  },
  "ContainerInstances": {
    "Type": "AWS::AutoScaling::LaunchConfiguration",
    "Metadata" : {
      "AWS::CloudFormation::Init" : {
        "config" : {
          "commands" : {
            "01_add_instance_to_cluster" : {
              "command" : {
                "Fn::Join": [ "", [ "#!/bin/bash\n", "echo ECS_CLUSTER=", { "Ref": "ECSCluster" }, " >> /etc/ecs/ecs.config" ] ]
              }
            }
          },
          […]
        }
      }
    }
ECS Tasks
ECS Tasks
Task Definition Amazon EC2 Container Registry
ECS Tasks
Group containers used for a common purpose in a single task definition
Separate different components into multiple task definitions
Create services from Task Definition to maintain availability
Task Definitions
[Diagram: a task definition is made up of Volume Definitions and Container Definitions]
Task Definition
{
  "containerDefinitions": [
    {
      "name": "wordpress",
      "links": [ "mysql" ],
      "image": "wordpress",
      "essential": true,
      "portMappings": [
        { "containerPort": 80, "hostPort": 80 }
      ],
      "memory": 500,
      "cpu": 10
    },
    {
      "environment": [
        { "name": "MYSQL_ROOT_PASSWORD", "value": "password" }
      ],
      "name": "mysql",
      "image": "mysql",
      "cpu": 10,
      "memory": 500,
      "essential": true
    }
  ],
  "family": "hello_world"
}
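Added example, not part of the deck: a small Python linter for task definitions like the one above. It checks the things the scheduler or operator only finds out at run time: links that point at a container outside the task, a task with no essential container, two containers in one task claiming the same hostPort, and environment variables that carry a secret as a literal value (the heuristic name list is an assumption). It also sums the memory and CPU the task reserves on one container instance. The embedded JSON is constructed for the example, modelled on the wordpress/mysql definition.

```python
import json

# Constructed task definition for the example, modelled on the wordpress/mysql
# definition above (not the deck's exact JSON).
TASK_DEF_JSON = """
{"family": "hello_world",
 "containerDefinitions": [
  {"name": "wordpress", "image": "wordpress", "links": ["mysql"], "essential": true,
   "portMappings": [{"containerPort": 80, "hostPort": 80}], "memory": 500, "cpu": 10},
  {"name": "mysql", "image": "mysql", "essential": true, "memory": 500, "cpu": 10,
   "environment": [{"name": "MYSQL_ROOT_PASSWORD", "value": "password"}]}
 ]}
"""

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # heuristic, assumed for the example

def load_task_definition(text):
    return json.loads(text)

def lint_task_definition(task_def):
    """Return findings for one task definition: broken links between containers,
    no essential container, host port collisions (two containers in one task
    cannot bind the same hostPort on one instance) and plaintext secrets."""
    containers = task_def.get("containerDefinitions", [])
    names = {c["name"] for c in containers}
    findings = []
    if not any(c.get("essential", True) for c in containers):  # essential defaults to true
        findings.append("no essential container: a failed task would never be detected")
    host_ports = {}
    for c in containers:
        for link in c.get("links", []):
            target = link.split(":")[0]  # links may be written "name:alias"
            if target not in names:
                findings.append(f"{c['name']}: link to unknown container '{target}'")
        for pm in c.get("portMappings", []):
            hp = pm.get("hostPort")
            if hp in host_ports:
                findings.append(f"{c['name']}: hostPort {hp} already used by {host_ports[hp]}")
            elif hp:  # 0 or absent means a dynamic host port, nothing to collide with
                host_ports[hp] = c["name"]
        for env in c.get("environment", []):
            if env.get("value") and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{c['name']}: {env['name']} is a plaintext value in the task definition")
    return findings

def task_resources(task_def):
    """Memory (MiB) and CPU units the scheduler must find on one container instance."""
    cs = task_def.get("containerDefinitions", [])
    return sum(c.get("memory", 0) for c in cs), sum(c.get("cpu", 0) for c in cs)

if __name__ == "__main__":
    td = load_task_definition(TASK_DEF_JSON)
    print("reserves %d MiB, %d CPU units" % task_resources(td))
    for finding in lint_task_definition(td):
        print("-", finding)
```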
Tasks
[Diagram: the scheduler places a task's containers, sharing a data volume, on a container instance; the Volume Definitions and Container Definitions in the task definition describe them]
Amazon ECR Setup
You have read and write access to the repositories you create in your default registry, i.e. <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
Repository names can support namespaces, e.g. team-a/web-app.
Repositories can be controlled with both IAM user access policies and repository policies.
Amazon ECR Setup
# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo
# Build or tag an image
# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1
ECR IAM Policies and Roles
ECR uses resource-based permissions to control access. By default, only the repository owner has access to a repository. You can apply a policy document that allows others to access your repository.
Use managed policies for IAM users or roles that allow differing levels of control: AmazonEC2ContainerRegistryFullAccess, AmazonEC2ContainerRegistryPowerUser or AmazonEC2ContainerRegistryReadOnly
ECS Services
ECS Services
Monitoring
Logging
Scaling
Service discovery
Deployment
Monitoring ECS Services with CloudWatch
Configuring Logging in Task Definition
logConfiguration task definition parameter
Requires version 1.18 or greater of the Docker Remote API
Maps to docker run --log-driver option
Log drivers: json-file, syslog, journald, gelf, fluentd
Scaling ECS Services with AWS Lambda
Service Discovery with Services & Route 53
[Diagram: tasks behind an ECS Service; an application router, e.g. nginx; an internal ELB with a CNAME, e.g. api.example.com; a Route 53 private zone, e.g. example.com]
Deploying ECS Services
Optionally run your service behind a load balancer. One load balancer per service.
ELB currently supports a fixed relationship between the load balancer port and the container instance port.
If a task fails the ELB health check, the task is killed and restarted (until the service reaches desired capacity).
Deploying ECS Services
Update service’s task definition (rolling update)
Specify a deployment configuration for your service:
minimumHealthyPercent: lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running in a service during a deployment.
maximumPercent: upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment.
Deploying ECS Services
Deploy using the least space: minimumHealthyPercent = 50%, maximumPercent = 100%
Deploy quickly without reducing service capacity: minimumHealthyPercent = 100%, maximumPercent = 200%
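Added example, not from the deck: Python that turns desiredCount, minimumHealthyPercent and maximumPercent into the running-task bounds a rolling update must stay within, classifies the two configurations above, and flags the 100% / 100% combination that can neither stop nor start a task. The rounding (lower bound rounded up, upper bound rounded down) is an assumption about scheduler behaviour, not something the deck states.

```python
import math

def deployment_bounds(desired_count, minimum_healthy_percent, maximum_percent):
    """(min_running, max_running) tasks the scheduler keeps between during a
    rolling update. Assumption: lower bound rounds up, upper bound rounds down."""
    lo = math.ceil(desired_count * minimum_healthy_percent / 100)
    hi = math.floor(desired_count * maximum_percent / 100)
    return lo, hi

def first_step(desired_count, minimum_healthy_percent, maximum_percent):
    """How many old tasks may stop and how many new tasks may start before
    anything else has changed. This decides whether the update needs spare
    cluster capacity or can reuse the space freed by stopped tasks."""
    lo, hi = deployment_bounds(desired_count, minimum_healthy_percent, maximum_percent)
    return desired_count - lo, hi - desired_count

def deployment_mode(desired_count, minimum_healthy_percent, maximum_percent):
    """Classify a deployment configuration:
    'least-space' : old tasks stop first; capacity dips, no spare capacity needed
    'no-dip'      : new tasks start first; needs room for the extra tasks
    'stuck'       : may neither stop nor start a task, so the update never proceeds
    'mixed'       : may do both at once"""
    can_stop, can_start = first_step(desired_count, minimum_healthy_percent, maximum_percent)
    if can_stop == 0 and can_start == 0:
        return "stuck"
    if can_stop > 0 and can_start == 0:
        return "least-space"
    if can_stop == 0 and can_start > 0:
        return "no-dip"
    return "mixed"

if __name__ == "__main__":
    for cfg in [(4, 50, 100), (4, 100, 200), (4, 100, 100)]:
        print(cfg, deployment_bounds(*cfg), deployment_mode(*cfg))
```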
Deploying ECS Services
Blue-Green deployments:
Define two ECS services (Blue and Green)
Each service is associated with an ELB
Both ELBs in a Route 53 record set with weighted routing policy, 100% Primary, 0% Secondary
Deploy to the Blue or Green service and switch weights
Deploying ECS Services
[Diagram: Route 53 record set with weighted routing policy, 100% to the primary service's ELB and 0% to the secondary's, each ELB fronting its service's tasks]
Deploying ECS Services with Jenkins
Build image
Push image
Update service
ECS CI/CD Partners
Solutions Built on ECS
Solutions Built on ECS
AWS Elastic Beanstalk
Convox
Remind Empire
AWS Elastic Beanstalk
Uses Amazon ECS to coordinate deployments to multicontainer Docker environments
Takes care of tasks including cluster creation, task definition and execution
AWS Elastic Beanstalk
Elastic Beanstalk uses a Dockerrun.aws.json file that describes how to deploy containers.
The Dockerrun.aws.json file includes three sections:
AWSEBDockerrunVersion: Set to "2" for multicontainer Docker environments.
containerDefinitions: An array of container definitions.
volumes: Creates mount points in the container instance that a container can use.
Convox
Convox
# Initialize your app and create default manifest
> convox init
# Locally build and run your app as declared in the manifest
> convox start
# Create app
> convox apps create my_app
# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com
Remind Empire
Control layer on top of Amazon ECS that provides a familiar PaaS workflow
Any tagged Docker image can be deployed to Empire as an app
When you deploy a Docker image to Empire, it will extract a Procfile from the WORKDIR
Each process type in the Procfile maps directly to an ECS Service
Remind Empire
Routing Layer Backed by Internal ELBs
An application that specifies a web process will get an internal ELB attached to its ECS Service
When a new internal ELB is created, an associated CNAME record is created in Route53 under the internal TLD, enabling service discovery via DNS
Thank you!
Additional Resources
ECS CloudFormation Template - http://amzn.to/1KH51m5
ECS CloudWatch Metrics - http://amzn.to/1PUR7OU
Scaling Container Instances with CloudWatch Alarms - http://amzn.to/1ORt06b
Service Discovery with Consul - http://amzn.to/1JZL5gz
Continuous Delivery to ECS with Jenkins - http://amzn.to/1GbheTp
Elastic Beanstalk Multicontainer Docker Environment - http://amzn.to/1bAkjxG
AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
Details: April 18-19, 2016, Chicago, Illinois, at McCormick Place
Featuring: new product launches; 50+ sessions, labs, and bootcamps; executive and partner networking
Register now: go to aws.amazon.com/summits, click on The AWS Summit - Chicago, then register. Come and see what AWS and the cloud can do for you.