ECS & ECR Deep Dive - 김기완, Solutions Architect :: AWS Container Day

Amazon EC2 Container Service (ECS) && Amazon EC2 Container Registry (ECR) - Dive Deep(?) 김기완, Solutions Architect, Amazon Web Services Korea, Dec 14, 2015

Upload: amazon-web-services-korea

Post on 06-Jan-2017


TRANSCRIPT


Some Facts on Docker (Sample of 7,000 companies)

5x growth in ONE year

2014.9: 1.8% → 2015.9: 8.3%

Some Facts on Docker (Sample of 7,000 companies)

0% → 6% in ONE year!

Some Facts on Docker (Sample of 7,000 companies)

Larger Companies Are the Early Adopters

[Diagram: one Server running a Guest OS with Bins/Libs for App1 and App2]

Managing one resource is straightforward

[Diagram: the same single Server / Guest OS / Bins/Libs / App1, App2]

Managing one resource is straightforward

$ docker run myimage

[Diagram: a fleet of many Servers, each running its own Guest OS]

Managing a cluster is hard!!

Fleet management

• Monitor utilization

• Grow capacity

• Security

State Management

Availability Zone 1 Availability Zone 2

Amazon EC2 Container Service (ECS)

Architecture

Cluster Management Made Easy

• No cluster software to install and manage

• Manages cluster state

• Manages containers

• Control and monitoring

• Scale from one to tens of thousands of containers

Flexible Container Placement

Applications

Batch jobs

Multiple schedulers

Designed for use with other AWS services

Elastic Load Balancing

Amazon Elastic Block Store

Amazon Virtual Private Cloud

AWS Identity and Access Management

AWS CloudTrail

Extensible

Comprehensive APIs

Open source agent

Custom schedulers

Components

• Container Instance

• Cluster

• Task Definitions

• Tasks

• Service

[Diagram: a Cluster of three Container Instances; a Task definition is instantiated as Tasks, which a Service keeps running]

Overall Steps

• Create Cluster in ECS Console or CLI

• Prepare Cluster Instances

• Prepare Task Definitions

• Configure the scheduler (services, …)

Container Instances

• Use ‘ecs-optimized’ AMI

• One line in the user data section (the agent reads ECS_CLUSTER from /etc/ecs/ecs.config to know which cluster to join):

#!/bin/bash
echo ECS_CLUSTER=containerday >> /etc/ecs/ecs.config

Container Instances

Task Definitions

[
  {
    "environment": [],
    "name": "simple-demo",
    "image": "my-demo",
    "cpu": 10,
    "memory": 500,
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 80
      }
    ],
    "mountPoints": [
      {
        "sourceVolume": "my-vol",
        "containerPath": "/var/www/my-vol"
      }
    ],
    "entryPoint": [
      "/usr/sbin/apache2",
      "-D",
      "FOREGROUND"
    ],
    "essential": true
  },
  {
    "image": "mysql",
    "name": "db",
    "cpu": 10,
    "memory": 500,
    "essential": true,
    "entryPoint": ["/entrypoint.sh"],
    "environment": [
      {
        "name": "MYSQL_ROOT_PASSWORD",
        "value": "pass"
      }
    ],
    "portMappings": []
  }
]

Callouts on the slide:

Essential to our Task ("essential": true)

Create and mount volumes ("mountPoints")

Expose port 80 in container to port 80 on host ("portMappings")

10 CPU Units (1024 is a full CPU), 500 Megabytes of Memory ("cpu", "memory")

Tasks

[Diagram: tasks (PHP App + Time of day App sharing a Shared Data Volume) scheduled onto a Container Instance]

Scheduling Amazon ECS Tasks

• The Amazon ECS schedulers leverage cluster state information provided by the Amazon ECS API to make an appropriate placement decision.

• Services (Service Scheduler)

– Long running stateless services and applications

– Ensures that the specified number of tasks are constantly running and reschedules when a task fails

– ELB

– Can be dynamically changed (new task definition, # of desired tasks, …)

• Running Tasks (RunTask)

– Batch jobs

– Randomly distributes tasks across the cluster, but tries to balance them

• The StartTask API

– Write or use your own schedulers

– AWS CLI, AWS SDK, and the Amazon ECS API

– List/Describe to get the state of your cluster, then use StartTask to place tasks on the appropriate container instance

Services (Service Scheduler)

• If a task in a service becomes unhealthy or unresponsive, the task is killed and restarted. This process continues until your service reaches the number of desired running tasks.

• You can optionally run your service behind a load balancer

• When the service scheduler launches new tasks, it attempts to balance them across the Availability Zones in your cluster with the following logic (AZ-aware scheduling):

– Determine which of the container instances in your cluster can support your service's task definition (for example, they have the required CPU, memory, ports, and container instance attributes).

– Sort the valid container instances by the fewest number of running tasks for this service in the same Availability Zone as the instance. For example, if zone A has one running service task and zones B and C each have zero, valid container instances in either zone B or C are considered optimal for placement.

– Place the new service task on a valid container instance in an optimal Availability Zone (based on the previous steps), favoring container instances with the fewest number of running tasks for this service.
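The three placement steps above, as an added example that is not from the talk: a small Python model of the AZ-aware service scheduler. The Instance fields, the sample cluster and the "web" task are constructed assumptions, not ECS API objects; port 80 is bound on the host, so each instance can hold only one such task.

```python
from dataclasses import dataclass, field

@dataclass
class Instance:
    instance_id: str
    az: str
    free_cpu: int                 # unreserved CPU units (1024 = one full CPU)
    free_memory: int              # unreserved memory in MiB
    used_ports: set = field(default_factory=set)    # host ports already bound
    attributes: set = field(default_factory=set)    # instance attributes, e.g. "ecs.os-type=linux"
    running: list = field(default_factory=list)     # service name of each running task

def can_support(inst, task):
    # Step 1: the instance needs the CPU, memory, free host ports and attributes the task asks for.
    return (inst.free_cpu >= task["cpu"]
            and inst.free_memory >= task["memory"]
            and not (set(task["host_ports"]) & inst.used_ports)
            and set(task["attributes"]) <= inst.attributes)

def place(service, task, instances):
    """Pick the instance for one new task of `service`; None if no instance can support it."""
    valid = [i for i in instances if can_support(i, task)]
    if not valid:
        return None
    # Step 2: count this service's running tasks per Availability Zone.
    per_az = {}
    for i in instances:
        per_az[i.az] = per_az.get(i.az, 0) + i.running.count(service)
    # Step 3: the AZ with the fewest tasks wins; inside it, the instance with the fewest tasks.
    best = min(valid, key=lambda i: (per_az[i.az], i.running.count(service)))
    # Reserve the resources so the next placement decision sees the new cluster state.
    best.free_cpu -= task["cpu"]
    best.free_memory -= task["memory"]
    best.used_ports |= set(task["host_ports"])
    best.running.append(service)
    return best

def place_many(service, task, instances, count):
    """Place `count` tasks one after another and return the AZ chosen for each."""
    zones = []
    for _ in range(count):
        chosen = place(service, task, instances)
        if chosen is None:
            break              # cluster is full: the scheduler waits for capacity
        zones.append(chosen.az)
    return zones

def sample_cluster():
    # Constructed sample: one instance per AZ; zone A already runs one "web" task on host port 80.
    return [Instance("i-a", "A", 1014, 1548, {80}, {"ecs.os-type=linux"}, ["web"]),
            Instance("i-b", "B", 1024, 2048, set(), {"ecs.os-type=linux"}),
            Instance("i-c", "C", 1024, 2048, set(), {"ecs.os-type=linux"})]

WEB_TASK = {"cpu": 10, "memory": 500, "host_ports": [80], "attributes": ["ecs.os-type=linux"]}
```

Running place_many("web", WEB_TASK, sample_cluster(), 3) places tasks in zones B and C and then stops, because the only remaining instance already has port 80 bound.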

Service Load Balancer


• One Load Balancer per service.

• One Load Balancer can support multiple ports, if containers in the task definitions require multiple ports for the service. (e.g. a task definition consists of Elasticsearch using port 3030 on the container instance, with Logstash and Kibana using port 4040 on the container instance, the same load balancer can route traffic to Elasticsearch and Kibana through two listeners)

• Load balancer subnet configuration must include all subnets that your container instances reside in.

• If a service’s task fails the load balancer health check criteria, the task is killed and restarted. This process continues until your service reaches the number of desired running tasks.

Updating a Service

• Change the number of tasks that are maintained by a service.

• Scale up or down (as long as container instances are available).

• If the Docker image is updated, create a new task definition with that image, and deploy it to the service.

• The service scheduler creates a task with the new task definition (provided there is an available container instance to place it on), and after it reaches the RUNNING state, a task that is using the old task definition is drained and stopped. This process continues until all of the desired tasks in your service are using the new task definition.
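The update flow just described, as an added example that is not from the talk: a Python model of a service update that first scales to the desired count and then rolls tasks to a new task definition revision. Revisions are plain integers and cluster capacity is a single task count; both are simplifying assumptions in place of per-instance CPU, memory and port checks.

```python
def update_service(tasks, desired, capacity, new_rev):
    """Model of one service update.

    tasks:    task-definition revision of each RUNNING task (constructed, e.g. [1, 1])
    desired:  the desired count after the update
    capacity: how many tasks the container instances can hold in total (assumption:
              one number instead of per-instance resource checks)
    new_rev:  the task-definition revision the service should converge to
    Returns (tasks, stalled); stalled is True when the scheduler is waiting for a
    free container instance and cannot make further progress.
    """
    tasks = list(tasks)
    # Scale down: surplus tasks are stopped.
    while len(tasks) > desired:
        tasks.pop()
    # Scale up: every newly created task uses the new revision, as long as instances are available.
    while len(tasks) < desired and len(tasks) < capacity:
        tasks.append(new_rev)
    stalled = len(tasks) < desired
    # Roll-out: a new-revision task must reach RUNNING before an old one is drained and
    # stopped, so every step needs one free slot beyond the desired count.
    while any(rev != new_rev for rev in tasks):
        if len(tasks) >= capacity:
            stalled = True          # no room for the replacement task: the update waits here
            break
        tasks.append(new_rev)       # new task placed and RUNNING
        tasks.remove(next(rev for rev in tasks if rev != new_rev))   # old task drained, stopped
    return tasks, stalled
```

A service that exactly fills its container instances cannot roll out a new revision at all; adding one instance of spare capacity lets the roll-out complete one task at a time.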

Services

• Load Balance traffic across containers

• Automatically recover unhealthy containers

• Discover services

[Diagram: three container instances, each running the PHP App and Time of day App with a Shared Data Volume, behind Elastic Load Balancing]

Update Service

• Scale up

• Scale down

[Diagram: Elastic Load Balancing in front of four container instances running the PHP App and Time of day App with a Shared Data Volume]

Update Service

• Deploy new version

• Drain connections

[Diagram: Elastic Load Balancing in front of three container instances running the PHP App and Time of day App with a Shared Data Volume]

Running Tasks (RunTask)

• One-time or periodic batch job.

• If you want a specified number of tasks to always remain running or if you want to place your tasks behind a load balancer, you should use the Amazon ECS service scheduler.

Task Life Cycle

Auto Scaling in ECS?

https://aws.amazon.com/blogs/compute/scaling-amazon-ecs-services-automatically-using-amazon-cloudwatch-and-aws-lambda/

So, Happy Enough?

Some Facts on Docker (Sample of 7,000 companies)

Hmmmm, Registry??

Remaining Pain-points

• “We don’t want to be in the business of hosting our own infrastructure for a container registry”

• “Need a service that has better up time and can handle hundreds of image pulls at once”

• “Need to keep images private with fine-grained access control without managing certificates or credentials”

Overview

• Security

– IAM Resource-based Policies

– Images encrypted in transit and at rest

• Easily Manage & Deploy Images

– Tight Integration with ECS

– Standalone Service

– Integration with Docker Toolset

– Management Console & AWS CLI

• Reliability & Performance

– S3 Backed

– Regional Endpoints

– Expected to handle hundreds of concurrent pulls

Pricing

• $0.10 per GB/month Docker image storage pricing

• Data transfer pass-through pricing (customary AWS rates)

– Free data in

– Charge for data out to the internet and data out from one region to another

• 12-month free tier for 500MB image storage

Amazon ECR Default Service Limits

Resource                            Default Limit
Number of repositories per account  10
Number of images per repository     50
Number of layers per image          127 (current Docker limit)
Layer size                          1 GiB

AWS Console for ECR


Demo

Q&A

THANK YOU!