
Page 1: Amazon ECS Deep Dive

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

October 25th, 2016

Amazon EC2 Container Service Deep Dive

Peter Dalbhanjan, Solutions Architect

Page 2: Amazon ECS Deep Dive

Agenda

• ECS Infrastructure Setup
• ECS Infrastructure Management
• PaaS on ECS
• Q & A

Page 3: Amazon ECS Deep Dive

Amazon ECS Benefits

• Easily manage clusters at any scale
• Flexible container placement
• Designed for use with other AWS services
• Extensible

Page 4: Amazon ECS Deep Dive

Amazon ECS Infrastructure Setup

Page 5: Amazon ECS Deep Dive

Amazon ECS Infrastructure Setup

• Amazon ECS Cluster
• AWS CloudFormation
• Amazon ECS CLI
• AWS OpsWorks

• Amazon ECR

Page 6: Amazon ECS Deep Dive

ECS Cluster Setup with AWS CloudFormation

"Resources" : {
  "ECSCluster": {
    "Type": "AWS::ECS::Cluster"
  },
  "ECSAutoScalingGroup" : {
    "Type" : "AWS::AutoScaling::AutoScalingGroup",
    "Properties" : {
      "VPCZoneIdentifier" : { "Ref" : "SubnetID" },
      "LaunchConfigurationName" : { "Ref" : "ContainerInstances" },
      "MinSize" : "1",
      "MaxSize" : { "Ref" : "MaxSize" },
      "DesiredCapacity" : { "Ref" : "DesiredCapacity" }
    },
    […]
  },

Autoscaling Group

ECS Cluster

Page 7: Amazon ECS Deep Dive

"ContainerInstances": {
  "Type": "AWS::AutoScaling::LaunchConfiguration",
  "Metadata" : {
    "AWS::CloudFormation::Init" : {
      "config" : {
        "commands" : {
          "01_add_instance_to_cluster" : {
            "command" : { "Fn::Join": [ "", [
              "#!/bin/bash\n",
              "echo ECS_CLUSTER=", { "Ref": "ECSCluster" }, " >> /etc/ecs/ecs.config"
            ] ] }
          }
        },
        […]
      }
    }
  }

ECS Cluster Setup with AWS CloudFormation

Launch Configuration

Page 8: Amazon ECS Deep Dive

ECS Cluster Setup with AWS CloudFormation

"taskdefinition": {
  "Type": "AWS::ECS::TaskDefinition",
  "Properties" : {
    "ContainerDefinitions" : [
      {
        "Name": "simple-app",
        "Cpu": "10",
        "Essential": "true",
        "Image": "httpd:2.4",
        "Memory": "300",
        "MountPoints": [{ "ContainerPath": "/usr/local/apache2/htdocs", "SourceVolume": "my-vol" }],
        "PortMappings": [ { "HostPort": 80, "ContainerPort": 80 } ]
      },
      {
        "Name": "busybox",
        "Cpu": 10,
        "Command": [ "/bin/sh -c \" while true; do echo '<html> <head> <title>Amazon ECS Sample App</title> <style>..... > /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" ],
        "EntryPoint": [ "sh", "-c" ],
        "Essential": false,
        "Image": "busybox",
        "Memory": 200,
        "VolumesFrom": [ { "SourceContainer": "simple-app" } ]
      }
    ],

Page 9: Amazon ECS Deep Dive

ECS Cluster Setup with Amazon ECS CLI

• Simplifies creating, updating, and monitoring clusters and tasks

• Supports Docker Compose

• Available on github https://github.com/aws/amazon-ecs-cli

Page 10: Amazon ECS Deep Dive

ECS Cluster Setup with Amazon ECS CLI

# Build cluster and container instances (ecs-cli up creates the cluster; ecs-cli scale only resizes an existing one)
$ ecs-cli up --keypair demo-user --capability-iam --size 2

# Create task definition and start tasks
$ ecs-cli compose up

# See running tasks
$ ecs-cli compose ps

# Start tasks as an ECS service
$ ecs-cli compose --project-name wordpress-test service start

# See the progress of task state
$ ecs-cli compose --project-name wordpress-test service ps

Page 11: Amazon ECS Deep Dive

ECS Cluster Setup with AWS OpsWorks

• Update OpsWorks IAM role to allow ecs:* actions

• Add instances to layer (24/7, time-based, load-based)

• Manage security updates, user permission and access

Note:
• One ECS Cluster layer per stack
• An ECS Cluster can only be associated with one stack

Page 12: Amazon ECS Deep Dive

Amazon ECR Setup

Page 13: Amazon ECS Deep Dive

Amazon ECR Setup

• You have read and write access to the repositories you create in your default registry, i.e. <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com

• Repository names can support namespaces, e.g. team-a/web-app.

• Repositories can be controlled with both IAM user access policies and repository policies.
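The slide leaves the policy split implicit: a repository policy says who may touch one repository, while the identity (IAM) policy on the pusher or puller says what that principal may do at all. The following Python is an added example, not code from the slides or from AWS; it audits a repository policy for the grants that most often go wrong (a wildcard principal without a condition, ecr:* on the repository) and builds a pull-only repository policy plus a push identity policy. The role and repository ARNs and account id 123456789012 are assumptions; the policy documents are constructed for this example.

```python
"""Added example: audit Amazon ECR repository policies for over-broad grants.

Everything below is constructed for illustration (account 123456789012,
role and repository names); only the ARN formats follow AWS conventions.
"""
import json

# ECR actions that change repository contents or the repository policy itself.
# A pull-only principal should never receive any of these.
WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
}
# Actions a container instance needs to pull one image.
PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def audit_repository_policy(policy):
    """Return human-readable findings for a repository policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        wildcard = _is_wildcard_principal(stmt.get("Principal"))
        if wildcard and "Condition" not in stmt:
            findings.append(f"{sid}: Principal '*' with no Condition lets any AWS account use this repository")
        if actions & {"*", "ecr:*"}:
            findings.append(f"{sid}: grants ecr:* (includes push, delete and SetRepositoryPolicy)")
        elif wildcard and actions & WRITE_ACTIONS:
            findings.append(f"{sid}: write actions {sorted(actions & WRITE_ACTIONS)} granted to a wildcard principal")
    return findings


def pull_only_repository_policy(role_arn):
    """Repository policy that lets exactly one role pull and grants nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PullOnly",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": PULL_ACTIONS,
        }],
    }


def push_identity_policy(repository_arn):
    """IAM identity policy for a CI principal that pushes to one repository.

    ecr:GetAuthorizationToken is not repository-scoped, so it must be allowed on
    Resource "*"; the layer and image actions are limited to the repository ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Token", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "Push", "Effect": "Allow",
             "Action": PULL_ACTIONS + ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                                       "ecr:CompleteLayerUpload", "ecr:PutImage"],
             "Resource": repository_arn},
        ],
    }


# Constructed example of a policy that is far too permissive: anyone may do anything.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
}

if __name__ == "__main__":
    for finding in audit_repository_policy(PERMISSIVE_POLICY):
        print("FINDING:", finding)
    scoped = pull_only_repository_policy("arn:aws:iam::123456789012:role/ecsInstanceRole")
    print("scoped policy findings:", audit_repository_policy(scoped))
    print(json.dumps(push_identity_policy("arn:aws:ecr:us-east-1:123456789012:repository/ecr-demo"), indent=2))
```

The audit is deliberately conservative: a wildcard principal is only acceptable with a Condition (for example on aws:SourceVpce or the calling account), and ecr:* is flagged regardless of principal because it includes SetRepositoryPolicy, which lets the grantee widen its own access.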

Page 14: Amazon ECS Deep Dive

Amazon ECR Setup

# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com

# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo

# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1

Page 15: Amazon ECS Deep Dive

Amazon ECR Docker Credential Helper

• Available today - https://github.com/awslabs/amazon-ecr-credential-helper

• Place the docker-credential-ecr-login binary on your PATH 

• Set the contents of the ~/.docker/config.json file to be: { "credsStore": "ecr-login" }
• Push and pull images from ECR without docker login

Page 16: Amazon ECS Deep Dive

Amazon ECS Infrastructure Management

Page 17: Amazon ECS Deep Dive

Amazon ECS Infrastructure Management

• Monitoring and Logging
• Automatic Scaling
• Service Discovery
• Security

Page 18: Amazon ECS Deep Dive

Monitoring & Logging

Page 19: Amazon ECS Deep Dive

Monitoring with Amazon CloudWatch

• Metric data is sent to CloudWatch in 1-minute periods and retained for two weeks

• Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization

• Available dimensions: ClusterName, ServiceName

Page 20: Amazon ECS Deep Dive

Monitoring with Amazon CloudWatch

Page 21: Amazon ECS Deep Dive

Monitoring with Amazon CloudWatch

Page 22: Amazon ECS Deep Dive

Monitoring with Amazon CloudWatch

Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space:

# Edit crontab
> crontab -e

# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron

Page 23: Amazon ECS Deep Dive

CloudWatch Logs with awslogs driver

Diagram: containers on Amazon ECS write to Amazon CloudWatch Logs (store), from which the logs can go to Amazon S3, Amazon Kinesis (stream), AWS Lambda (process) and Amazon Elasticsearch Service (search).

Page 24: Amazon ECS Deep Dive

CloudWatch Logs driver

Page 25: Amazon ECS Deep Dive

Configuring Logging in Task Definition

{
  "containerDefinitions": [
    {
      "memory": 300,
      "portMappings": [ { "hostPort": 80, "containerPort": 80 } ],
      "entryPoint": [ "sh", "-c" ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "awslogs-test",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "nginx"
        }
      },
      "name": "simple-app",
      "image": "httpd:2.4",
      "command": [ "/bin/sh -c \"echo 'Congratulations! Your application is now running on a container in Amazon ECS.' > /usr/local/apache2/htdocs/index.html && httpd-foreground\"" ],
      "cpu": 10
    }
  ],
  "family": "cw-logs-example"
}

Page 26: Amazon ECS Deep Dive

Monitoring Amazon ECS with Datadog

Page 27: Amazon ECS Deep Dive

Monitoring Amazon ECS with Sysdig Cloud

Page 28: Amazon ECS Deep Dive

Scaling Amazon ECS

Page 29: Amazon ECS Deep Dive

Setup ECS Cluster with AutoScaling

Create LaunchConfiguration
• Pick the instance type depending on resource requirements, e.g. memory or CPU
• Use the latest Amazon Linux ECS-optimized AMI; other distros are available

Create the AutoScaling group and set its desired capacity to the cluster's initial size

Page 30: Amazon ECS Deep Dive

AutoScaling your Amazon ECS Cluster

• Create CloudWatch alarm on a metric, e.g. MemoryReservation

• Configure scaling policies to increase and decrease the size of your cluster

Page 31: Amazon ECS Deep Dive

AutoScaling your Amazon ECS services

Page 32: Amazon ECS Deep Dive

AutoScaling your Amazon ECS services

Page 33: Amazon ECS Deep Dive

Service Discovery

Page 34: Amazon ECS Deep Dive

Service Discovery using ELB

• Automation built using CloudWatch Events, Lambda and Route53 private hosted zones

• Route53 is used as service registry

• Lambda is used to add/remove records based on the ECS Service APIs

• Available on github https://github.com/awslabs/ecs-refarch-service-discovery

Page 35: Amazon ECS Deep Dive

Service Discovery using ELB

Page 36: Amazon ECS Deep Dive

Service Discovery using DNS

• Install an agent (ecssd_agent.go) on container instances
• The agent registers service name, IP and port into a Route53 private hosted zone
• lambda_health_check.py is used for cleanup
• Available on github https://github.com/awslabs/service-discovery-ecs-dns

Page 37: Amazon ECS Deep Dive

Service Discovery using DNS

Page 38: Amazon ECS Deep Dive

Service Discovery with Weaveworks

• DNS interface for cross-host container communication

• Gossip protocol to share grouped updates

• Overlay network between hosts

Page 39: Amazon ECS Deep Dive

Service Discovery and Configuration Management with Consul

Diagram: an ECS Cluster running a consul-server; each ECS Instance runs a consul-agent and registrator next to its application containers (Back end 1, Back end 2, Front end).

Page 40: Amazon ECS Deep Dive

Security

Page 41: Amazon ECS Deep Dive

IAM Roles for ECS Tasks

{
  "family": "signup-app",
  "taskRoleArn": "arn:aws:iam::123456789012:role/DynamoDBRoleForTask",
  "volumes": [],
  "containerDefinitions": [{
    "environment": [ ... ],
    "name": "signup-web",
    "mountPoints": [],
    "image": "amazon/signup-web",
    "cpu": 25,
    "portMappings": [ ... ],
    "entryPoint": [ ... ],
    "memory": 100,
    "essential": true,
    "volumesFrom": []
  }]
}

Page 42: Amazon ECS Deep Dive

Logging Amazon ECS API with AWS CloudTrail

{
  "eventVersion": "1.03",
  "userIdentity": {…},
  "eventTime": "2015-10-12T13:57:33Z",
  "eventSource": "ecs.amazonaws.com",
  "eventName": "CreateCluster",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "54.240.197.227",
  "userAgent": "console.amazonaws.com",
  "requestParameters": { "clusterName": "ecs-cli" },

Create Cluster event

Page 43: Amazon ECS Deep Dive

Logging Amazon ECS API with AWS CloudTrail

  "responseElements": {
    "cluster": {
      "clusterArn": "arn:aws:ecs:eu-west-1:560846014933:cluster/ecs-cli",
      "pendingTasksCount": 0,
      "registeredContainerInstancesCount": 0,
      "status": "ACTIVE",
      "runningTasksCount": 0,
      "clusterName": "ecs-cli",
      "activeServicesCount": 0
    }
  },
  […]

Create Cluster event
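CloudTrail only becomes useful once something reads it. As an added example (not from the slides), the Python below runs a few detection rules over ECS CloudTrail records: a RegisterTaskDefinition that asks for a privileged container or mounts a sensitive host path, a destructive call made interactively from the console, and a burst of AccessDenied errors from one principal. The records are constructed here and follow the field layout of the CreateCluster event on the slide; the actors, IP address (203.0.113.10, documentation range), family names and the "three denials" threshold are assumptions.

```python
"""Added example: detection rules over Amazon ECS CloudTrail records.

The records are constructed; their layout follows the CreateCluster event on
the slide, with made-up actors, addresses and task definitions.
"""

# Host paths that hand a container control of the host when mounted into it.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/var/lib/docker"}

# Calls that remove running capacity or services.
DESTRUCTIVE_CALLS = {"DeleteCluster", "DeleteService", "DeregisterContainerInstance"}


def _record(event_name, actor, params, **overrides):
    """Build one CloudTrail record in the slide's layout (constructed data)."""
    rec = {
        "eventVersion": "1.03",
        "eventTime": "2016-10-25T13:57:33Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/1.11.0",
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": params,
    }
    rec.update(overrides)
    return rec


SAMPLE_RECORDS = [
    _record("CreateCluster", "alice", {"clusterName": "ecs-cli"}, userAgent="console.amazonaws.com"),
    _record("RegisterTaskDefinition", "alice", {
        "family": "debug-tools",
        "volumes": [{"name": "dockersock", "host": {"sourcePath": "/var/run/docker.sock"}}],
        "containerDefinitions": [{
            "name": "shell", "image": "busybox", "privileged": True,
            "mountPoints": [{"sourceVolume": "dockersock", "containerPath": "/var/run/docker.sock"}],
        }],
    }),
    _record("DeleteCluster", "alice", {"cluster": "ecs-cli"}, userAgent="console.amazonaws.com"),
] + [
    _record("RunTask", "bob", {"taskDefinition": "debug-tools"}, errorCode="AccessDeniedException")
    for _ in range(3)
]


def task_definition_findings(params):
    """(severity, reason) pairs for the requestParameters of RegisterTaskDefinition."""
    findings = []
    if params.get("networkMode") == "host":
        findings.append(("MEDIUM", "task runs in host network mode"))
    # Map volume name -> host sourcePath so mountPoints can be resolved to host paths.
    host_paths = {v["name"]: (v.get("host") or {}).get("sourcePath") for v in params.get("volumes", [])}
    for cdef in params.get("containerDefinitions", []):
        name = cdef.get("name", "?")
        if cdef.get("privileged"):
            findings.append(("HIGH", f"container {name} is privileged"))
        for mp in cdef.get("mountPoints", []):
            src = host_paths.get(mp.get("sourceVolume"))
            if src in SENSITIVE_HOST_PATHS:
                findings.append(("HIGH", f"container {name} mounts host path {src}"))
    return findings


def detect(records):
    """Return (severity, eventName, actor, reason) alerts for ECS records worth a look."""
    alerts = []
    denied = {}
    for rec in records:
        if rec.get("eventSource") != "ecs.amazonaws.com":
            continue
        identity = rec.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("arn", "unknown")
        name = rec.get("eventName")
        if rec.get("errorCode", "").startswith("AccessDenied"):
            denied[actor] = denied.get(actor, 0) + 1
            continue
        if name == "RegisterTaskDefinition":
            for sev, reason in task_definition_findings(rec.get("requestParameters", {})):
                alerts.append((sev, name, actor, reason))
        elif name in DESTRUCTIVE_CALLS and rec.get("userAgent") == "console.amazonaws.com":
            alerts.append(("MEDIUM", name, actor, "destructive call made interactively from the console"))
    for actor, count in denied.items():
        if count >= 3:  # assumed threshold for "permission probing"
            alerts.append(("MEDIUM", "AccessDenied", actor, f"{count} denied ECS calls (permission probing?)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print("%-6s %-22s %-6s %s" % alert)
```

In production these rules would run over the CloudTrail objects delivered to S3 or over a CloudWatch Logs subscription; the record layout (eventSource, eventName, requestParameters mirroring the API input) is the same either way.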

Page 44: Amazon ECS Deep Dive

Image Vulnerability Scanning with Twistlock

Page 45: Amazon ECS Deep Dive

Secrets Management

• Option 1: Task Definition Environment Variables
  • Easy to get started
  • Configuration is stored directly in the task definition
  • Versioned in an immutable definition; easy rollback
  • Not great for secrets

• Option 2: Encrypted DynamoDB or S3
  • Use environment variables to provide a pointer to the secret
  • Use AWS encryption clients to store it securely
  • Use VPC endpoints, IAM policies, and IAM roles to restrict access
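Both the task-role slide above and the two secrets options come down to what a task definition is allowed to carry: a taskRoleArn so that the containers get their own credentials from the ECS agent rather than the container instance's role, and an environment that holds pointers, not secrets. The Python below is an added example, not code from the slides, that lints a task definition for both. The account id 123456789012, the role name, the variable names, the pointer formats accepted (an s3:// URI or a DynamoDB table ARN) and the entropy threshold are assumptions; the task definitions are constructed. AKIAIOSFODNN7EXAMPLE is the placeholder access key id from the AWS documentation.

```python
"""Added example: lint an ECS task definition for task-role and secrets hygiene.

Task definitions below are constructed; the taskRoleArn shape follows the
slide's example (account 123456789012, role DynamoDBRoleForTask).
"""
import math
import re

EXPECTED_ACCOUNT = "123456789012"  # assumption: the account that owns the cluster
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term IAM access key id format
STATIC_AWS_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Option 2 pointers: an S3 object URI or a DynamoDB table ARN (assumed conventions).
POINTER_RE = re.compile(r"^(s3://[^/]+/.+|arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/.+)$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")


def shannon_entropy(s):
    """Bits of entropy per character; random base64 sits well above 4.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_pointer(value):
    return bool(POINTER_RE.match(value))


def lint_task_definition(task_def):
    """Return (severity, message) findings; an empty list means the definition passes."""
    findings = []
    role = task_def.get("taskRoleArn")
    if not role:
        findings.append(("HIGH", "no taskRoleArn: containers fall back to the container instance's "
                                 "role, which is shared by every task on that host"))
    else:
        m = ROLE_ARN_RE.match(role)
        if not m:
            findings.append(("HIGH", f"taskRoleArn is not an IAM role ARN: {role}"))
        elif m.group(1) != EXPECTED_ACCOUNT:
            findings.append(("HIGH", f"taskRoleArn belongs to account {m.group(1)}, expected {EXPECTED_ACCOUNT}"))
    for cdef in task_def.get("containerDefinitions", []):
        cname = cdef.get("name", "?")
        for env in cdef.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if name in STATIC_AWS_VARS or AKIA_RE.search(value):
                findings.append(("HIGH", f"{cname}: static AWS credentials in environment ({name}); "
                                         "use the task role instead"))
            elif SECRET_NAME_RE.search(name) and not looks_like_pointer(value):
                findings.append(("HIGH", f"{cname}: {name} holds a literal secret; store a pointer "
                                         "(s3:// URI or DynamoDB table ARN) instead"))
            elif len(value) >= 32 and shannon_entropy(value) > 4.5 and not looks_like_pointer(value):
                findings.append(("MEDIUM", f"{cname}: {name} value is high-entropy (possible secret)"))
    return findings


# Constructed: Option 1 done badly, plus static keys and no task role.
BAD_TASK_DEF = {
    "family": "signup-app",
    "containerDefinitions": [{
        "name": "signup-web", "image": "amazon/signup-web",
        "environment": [
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
        ],
    }],
}

# Constructed: Option 2 with a task role and a pointer to the encrypted secret.
GOOD_TASK_DEF = {
    "family": "signup-app",
    "taskRoleArn": "arn:aws:iam::123456789012:role/DynamoDBRoleForTask",
    "containerDefinitions": [{
        "name": "signup-web", "image": "amazon/signup-web",
        "environment": [
            {"name": "DB_PASSWORD_POINTER", "value": "s3://acme-secrets/signup/db-password.enc"},
            {"name": "DB_HOST", "value": "db.internal"},
        ],
    }],
}

if __name__ == "__main__":
    for label, td in (("bad", BAD_TASK_DEF), ("good", GOOD_TASK_DEF)):
        print(label, lint_task_definition(td) or "OK")
```

The pointer check is what makes Option 2 auditable: a variable whose name says "password" is allowed only when its value names where the ciphertext lives, and the task role (not static keys) is what the IAM policy on that S3 bucket or DynamoDB table should trust.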

Page 46: Amazon ECS Deep Dive

Secrets Management

Diagram labels: Task, ECS Cluster, Container instance.

Page 47: Amazon ECS Deep Dive

PaaS on ECS

Page 48: Amazon ECS Deep Dive

AWS Elastic Beanstalk

• Elastic Beanstalk uses Amazon ECS to coordinate deployments to multi-container Docker environments
• A Dockerrun.aws.json file describes how to deploy the containers
• Takes care of tasks including cluster creation, task definition and execution

Page 49: Amazon ECS Deep Dive

Convox

Page 50: Amazon ECS Deep Dive

Convox

# Initialize your app and create default manifest
> convox init

# Locally build and run your app as declared in the manifest
> convox start

# Create app
> convox apps create my_app

# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com

Page 51: Amazon ECS Deep Dive

Remind Empire

• Offers a control layer on top of Amazon ECS that provides a Heroku-like workflow
• Any tagged Docker image can be deployed to Empire as an app
• When you deploy a Docker image to Empire, it will extract a Procfile from the WORKDIR
• Each process type in the Procfile maps directly to an ECS Service

Page 52: Amazon ECS Deep Dive

Remind Empire

• Get started by launching the CloudFormation stack
• Use the emp client to start developing your app

# tell the empire client where it can find the API
$ export EMPIRE_API_URL=http://empire-60-LoadBala-…elb.amazonaws.com/

# login to empire using your github credentials
$ emp login

# run your first app
$ emp deploy remind101/acme-inc:master

# check what's running
$ emp apps
acme-inc  Jun 15 20:42
[...]

Page 53: Amazon ECS Deep Dive

Additional Resources

• ECS CLI – http://bit.ly/2eKy3I6
• ECR Docker Credential Helper – http://bit.ly/2dD02xo
• AutoScaling – http://amzn.to/2eohA2a
• ECS integration with ALB to support dynamic ports and path-based routing – http://amzn.to/2exhh07
• Service Discovery
  • Service Discovery using ELB – http://bit.ly/2dAN6Dw
  • Service Discovery using DNS – http://bit.ly/2eI831D

Page 54: Amazon ECS Deep Dive

Thank you!

Peter Dalbhanjan