![Page 1: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
October 25th, 2016
Amazon EC2 Container Service Deep Dive
Peter Dalbhanjan, Solutions Architect
![Page 2: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/2.jpg)
Agenda
• ECS Infrastructure Setup
• ECS Infrastructure Management
• PaaS on ECS
• Q & A
![Page 3: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/3.jpg)
Amazon ECS Benefits
• Easily manage clusters at any scale
• Flexible container placement
• Designed for use with other AWS services
• Extensible
![Page 4: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/4.jpg)
Amazon ECS Infrastructure Setup
![Page 5: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/5.jpg)
Amazon ECS Infrastructure Setup
• Amazon ECS Cluster
• AWS CloudFormation
• Amazon ECS CLI
• AWS OpsWorks
• Amazon ECR
![Page 6: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/6.jpg)
ECS Cluster Setup with AWS CloudFormation
ECS Cluster and Autoscaling Group

```json
"Resources" : {
  "ECSCluster": {
    "Type": "AWS::ECS::Cluster"
  },
  "ECSAutoScalingGroup" : {
    "Type" : "AWS::AutoScaling::AutoScalingGroup",
    "Properties" : {
      "VPCZoneIdentifier" : { "Ref" : "SubnetID" },
      "LaunchConfigurationName" : { "Ref" : "ContainerInstances" },
      "MinSize" : "1",
      "MaxSize" : { "Ref" : "MaxSize" },
      "DesiredCapacity" : { "Ref" : "DesiredCapacity" }
    },
    […]
  },
```
![Page 7: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/7.jpg)
ECS Cluster Setup with AWS CloudFormation
Launch Configuration

```json
"ContainerInstances": {
  "Type": "AWS::AutoScaling::LaunchConfiguration",
  "Metadata" : {
    "AWS::CloudFormation::Init" : {
      "config" : {
        "commands" : {
          "01_add_instance_to_cluster" : {
            "command" : { "Fn::Join": [ "", [
              "#!/bin/bash\n",
              "echo ECS_CLUSTER=", { "Ref": "ECSCluster" }, " >> /etc/ecs/ecs.config"
            ] ] }
          }
        },
        […]
      }
    }
  }
}
```

The ECS agent reads /etc/ecs/ecs.config at start-up; ECS_CLUSTER is what makes the instance register with this cluster rather than the default one. The same file takes agent hardening settings, for example ECS_DISABLE_PRIVILEGED=true to refuse privileged containers on the instance.
![Page 8: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/8.jpg)
ECS Cluster Setup with AWS CloudFormation

```json
"taskdefinition": {
  "Type": "AWS::ECS::TaskDefinition",
  "Properties" : {
    "ContainerDefinitions" : [
      {
        "Name": "simple-app",
        "Cpu": 10,
        "Essential": true,
        "Image": "httpd:2.4",
        "Memory": 300,
        "MountPoints": [ { "ContainerPath": "/usr/local/apache2/htdocs", "SourceVolume": "my-vol" } ],
        "PortMappings": [ { "HostPort": 80, "ContainerPort": 80 } ]
      },
      {
        "Name": "busybox",
        "Cpu": 10,
        "Command": [ "/bin/sh -c \"while true; do echo '<html> <head> <title>Amazon ECS Sample App</title> <style>..... > /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" ],
        "EntryPoint": [ "sh", "-c" ],
        "Essential": false,
        "Image": "busybox",
        "Memory": 200,
        "VolumesFrom": [ { "SourceContainer": "simple-app" } ]
      }
    ],
```
![Page 9: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/9.jpg)
ECS Cluster Setup with Amazon ECS CLI
• Simplifies creating, updating, and monitoring clusters and tasks
• Supports Docker Compose
• Available on github https://github.com/aws/amazon-ecs-cli
![Page 10: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/10.jpg)
ECS Cluster Setup with Amazon ECS CLI
```sh
# Build cluster and container instances
$ ecs-cli up --size 2 --capability-iam --keypair demo-user

# Create task definition and start tasks
$ ecs-cli compose up

# See running tasks
$ ecs-cli compose ps

# Start tasks as ECS service
$ ecs-cli compose --project-name wordpress-test service start

# See the progress of task state
$ ecs-cli compose --project-name wordpress-test service ps
```

`ecs-cli up` is the command that creates the cluster and its CloudFormation stack; `ecs-cli scale --size N --capability-iam` only resizes an existing one and takes no `--keypair`. `--capability-iam` acknowledges that the stack creates IAM resources (the container instance role), so review that role before running this in a shared account.
![Page 11: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/11.jpg)
ECS Cluster Setup with AWS OpsWorks
• Update OpsWorks IAM role to allow ecs:* actions
• Add instances to layer (24/7, time-based, load-based)
• Manage security updates, user permission and access
Note:
• One ECS Cluster layer per stack
• An ECS Cluster can only be associated with one stack
![Page 12: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/12.jpg)
Amazon ECR Setup
![Page 13: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/13.jpg)
Amazon ECR Setup
• You have read and write access to the repositories you create in your default registry, i.e. <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
• Repository names can support namespaces, e.g. team-a/web-app.
• Repositories can be controlled with both IAM user access policies and repository policies.
![Page 14: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/14.jpg)
Amazon ECR Setup
```sh
# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com

# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo

# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1
```

`aws ecr get-login` prints a complete `docker login` command whose password is an authorization token valid for 12 hours. Because the token lands on the command line, it is visible in shell history and process listings; newer AWS CLI versions replace this with `aws ecr get-login-password | docker login --username AWS --password-stdin <registry>`, which keeps it off the command line.
![Page 15: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/15.jpg)
Amazon ECR Docker Credential Helper
• Available today - https://github.com/awslabs/amazon-ecr-credential-helper
• Place the docker-credential-ecr-login binary on your PATH
• Set the contents of the ~/.docker/config.json file to be:

```json
{ "credsStore": "ecr-login" }
```

• Push and pull images from ECR without docker login
![Page 16: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/16.jpg)
Amazon ECS Infrastructure Management
![Page 17: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/17.jpg)
Amazon ECS Infrastructure Management
• Monitoring and Logging
• Automatic Scaling
• Service Discovery
• Security
![Page 18: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/18.jpg)
Monitoring & Logging
![Page 19: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/19.jpg)
Monitoring with Amazon CloudWatch
• Metric data sent to CloudWatch in 1-minute periods and recorded for a period of two weeks
• Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
• Available dimensions: ClusterName, ServiceName
![Page 20: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/20.jpg)
Monitoring with Amazon CloudWatch
![Page 21: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/21.jpg)
Monitoring with Amazon CloudWatch
![Page 22: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/22.jpg)
Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space:

```sh
# Edit crontab
> crontab -e

# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron
```

The script publishes through the container instance's IAM role, which therefore needs cloudwatch:PutMetricData. The Perl monitoring scripts have since been deprecated in favour of the CloudWatch agent.
![Page 23: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/23.jpg)
CloudWatch Logs with awslogs driver
Diagram: containers on Amazon ECS log through the awslogs driver into Amazon CloudWatch Logs, from which log data can be stored (Amazon S3), streamed (Amazon Kinesis), processed (AWS Lambda) or searched (Amazon Elasticsearch Service).
![Page 24: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/24.jpg)
CloudWatch Logs driver
![Page 25: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/25.jpg)
Configuring Logging in Task Definition

```json
{
  "containerDefinitions": [
    {
      "memory": 300,
      "portMappings": [ { "hostPort": 80, "containerPort": 80 } ],
      "entryPoint": [ "sh", "-c" ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "awslogs-test",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "nginx"
        }
      },
      "name": "simple-app",
      "image": "httpd:2.4",
      "command": [ "/bin/sh -c \"echo 'Congratulations! Your application is now running on a container in Amazon ECS.' > /usr/local/apache2/htdocs/index.html && httpd-foreground\"" ],
      "cpu": 10
    }
  ],
  "family": "cw-logs-example"
}
```
![Page 26: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/26.jpg)
Monitoring Amazon ECS with Datadog
![Page 27: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/27.jpg)
Monitoring Amazon ECS with Sysdig Cloud
![Page 28: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/28.jpg)
Scaling Amazon ECS
![Page 29: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/29.jpg)
Setup ECS Cluster with AutoScaling
Create LaunchConfiguration
• Pick instance type depending on resource requirements, e.g. memory or CPU
• Use latest Amazon Linux ECS-optimized AMI, other distros available
Create AutoScaling group and set to cluster initial size
![Page 30: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/30.jpg)
AutoScaling your Amazon ECS Cluster
• Create CloudWatch alarm on a metric, e.g. MemoryReservation
• Configure scaling policies to increase and decrease the size of your cluster
![Page 31: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/31.jpg)
AutoScaling your Amazon ECS services
![Page 32: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/32.jpg)
AutoScaling your Amazon ECS services
![Page 33: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/33.jpg)
Service Discovery
![Page 34: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/34.jpg)
Service Discovery using ELB
• Automation built using CloudWatch Events, Lambda and Route53 private hosted zones
• Route53 is used as service registry
• Lambda is used to add/remove records based on Service API’s from ECS
• Available on github https://github.com/awslabs/ecs-refarch-service-discovery
![Page 35: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/35.jpg)
Service Discovery using ELB
![Page 36: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/36.jpg)
Service Discovery using DNS
• Install an agent (ecssd_agent.go) on container instances
• The agent registers service name, IP and port into Route53 private hosted zone
• lambda_health_check.py used for cleanup
• Available on github https://github.com/awslabs/service-discovery-ecs-dns
![Page 37: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/37.jpg)
Service Discovery using DNS
![Page 38: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/38.jpg)
Service Discovery with Weaveworks
• DNS interface for cross-host container communication
• Gossip protocol to share grouped updates
• Overlay network between hosts
![Page 39: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/39.jpg)
Service Discovery and Configuration Management with Consul
Diagram: an ECS cluster in which one ECS instance runs consul-server, and each other ECS instance runs a consul-agent plus registrator next to the application containers (Back end 1, Back end 2, Front end); registrator registers those containers with Consul as they start and stop.
![Page 40: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/40.jpg)
Security
![Page 41: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/41.jpg)
IAM Roles for ECS Tasks

```json
{
  "family": "signup-app",
  "taskRoleArn": "arn:aws:iam::123456789012:role/DynamoDBRoleForTask",
  "volumes": [],
  "containerDefinitions": [{
    "environment": [ ... ],
    "name": "signup-web",
    "mountPoints": [],
    "image": "amazon/signup-web",
    "cpu": 25,
    "portMappings": [ ... ],
    "entryPoint": [ ... ],
    "memory": 100,
    "essential": true,
    "volumesFrom": []
  }]
}
```

With taskRoleArn set, the ECS agent serves this task its own short-lived credentials for that role; without it, code in the containers can only use the container instance role, which every task on the host shares.
![Page 42: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/42.jpg)
Logging Amazon ECS API with AWS CloudTrail
Create Cluster event

```json
{
  "eventVersion": "1.03",
  "userIdentity": {…},
  "eventTime": "2015-10-12T13:57:33Z",
  "eventSource": "ecs.amazonaws.com",
  "eventName": "CreateCluster",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "54.240.197.227",
  "userAgent": "console.amazonaws.com",
  "requestParameters": { "clusterName": "ecs-cli" },
  "responseElements": {
    "cluster": {
      "clusterArn": "arn:aws:ecs:eu-west-1:560846014933:cluster/ecs-cli",
      "pendingTasksCount": 0,
      "registeredContainerInstancesCount": 0,
      "status": "ACTIVE",
      "runningTasksCount": 0,
      "clusterName": "ecs-cli",
      "activeServicesCount": 0
    }
  },
  […]
```
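Records of this shape are what a detection rule consumes. The script below is an added example, not code from the deck or from AWS: it reads a CloudTrail file ({"Records": [...]}) and flags the ECS activity a SOC usually wants to review, namely cluster or task-definition changes made by a principal other than the deployment automation, task definitions that ask for a privileged container or carry no task role, and AccessDenied errors on the ECS API. The records, the allow-listed `ci-deploy` role and the watch-list of actions are constructed for the example.

```python
"""Triage ECS control-plane calls in CloudTrail (added example, constructed data)."""
import json
from typing import Any, Dict, List

# Actions that change what runs in a cluster (assumed watch-list).
SENSITIVE_ACTIONS = {"CreateCluster", "DeleteCluster", "RegisterTaskDefinition",
                     "CreateService", "UpdateService", "RunTask", "StartTask"}
# Role ARNs allowed to perform them (assumed: one CI deploy role).
AUTOMATION_ROLES = {"arn:aws:iam::123456789012:role/ci-deploy"}

# Constructed identities. A role session's userIdentity.arn is an sts:: ARN that
# embeds the session name; the role itself is under sessionContext.sessionIssuer.
CI = {"type": "AssumedRole",
      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}}}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}

# Constructed CloudTrail file; field names follow the real record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-10-25T13:57:33Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster", "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com", "requestParameters": {"clusterName": "ecs-cli"}},
    {"eventTime": "2016-10-25T14:02:10Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition", "userIdentity": CI, "sourceIPAddress": "10.0.1.25",
     "userAgent": "aws-cli/1.11.0", "requestParameters": {"family": "debug-tools",
         "containerDefinitions": [{"name": "shell", "image": "busybox", "privileged": True}]}},
    {"eventTime": "2016-10-25T14:05:44Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "ListClusters", "userIdentity": BOB, "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/1.11.0", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: ecs:ListClusters"},
    {"eventTime": "2016-10-25T14:10:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition", "userIdentity": CI, "sourceIPAddress": "10.0.1.25",
     "userAgent": "aws-cli/1.11.0", "requestParameters": {"family": "signup-app",
         "taskRoleArn": "arn:aws:iam::123456789012:role/DynamoDBRoleForTask",
         "containerDefinitions": [{"name": "signup-web", "image": "amazon/signup-web:1.4"}]}},
    {"eventTime": "2016-10-25T14:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com"},
]})


def load_records(text: str) -> List[Dict[str, Any]]:
    """Parse the body of a CloudTrail log file into its list of records."""
    return json.loads(text)["Records"]


def principal_arn(record: Dict[str, Any]) -> str:
    """Role ARN behind an assumed-role session, otherwise the caller's own ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def analyze(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious attribute of an ECS record."""
    findings: List[Dict[str, str]] = []

    def flag(rec: Dict[str, Any], reason: str) -> None:
        findings.append({"time": rec.get("eventTime", ""), "event": rec.get("eventName", ""),
                         "principal": principal_arn(rec),
                         "source_ip": rec.get("sourceIPAddress", ""), "reason": reason})

    for rec in records:
        if rec.get("eventSource") != "ecs.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        # A denied call changed nothing, but a run of them is enumeration.
        if rec.get("errorCode") == "AccessDenied":
            flag(rec, "AccessDenied on ECS API (possible enumeration)")
            continue
        if name in SENSITIVE_ACTIONS and principal_arn(rec) not in AUTOMATION_ROLES:
            flag(rec, "%s outside deployment automation (user agent: %s)"
                      % (name, rec.get("userAgent", "?")))
        if name == "RegisterTaskDefinition":
            params = rec.get("requestParameters", {})
            if any(c.get("privileged") for c in params.get("containerDefinitions", [])):
                flag(rec, "task definition requests a privileged container")
            if not params.get("taskRoleArn"):
                flag(rec, "no taskRoleArn: containers fall back to the container instance role")
    return findings


if __name__ == "__main__":
    for f in analyze(load_records(SAMPLE_TRAIL)):
        print("%(time)s %(event)-22s %(principal)s %(source_ip)-15s %(reason)s" % f)
```

Matching on `sessionIssuer.arn` rather than `userIdentity.arn` is the detail that makes the allow-list hold: every build gets a different session name, so the raw ARN never matches a fixed string. On the constructed file the script reports the console-created cluster, both problems with the debug-tools definition, and bob's denied call; the clean deployment and the EC2 record produce nothing.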
![Page 44: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/44.jpg)
Image Vulnerability Scanning with Twistlock
![Page 45: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/45.jpg)
Secrets Management
• Option 1: Task Definition Environment Variables
  • Easy to get started
  • Configuration stored directly in the task definition
  • Versioned in an immutable definition; easy rollback
  • Not great for secrets: the values are readable by anyone allowed to call ecs:DescribeTaskDefinition, and they show up in `docker inspect` output on the container instance
• Option 2: Encrypted DynamoDB or S3
  • Use environment variables to provide a pointer to the secret, not the secret itself
  • Use the AWS encryption clients to store it securely
  • Use VPC endpoints, IAM policies, and IAM roles (including the task role) to restrict access
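The two slides above (IAM Roles for ECS Tasks, Secrets Management) describe properties you can check before a task definition is ever registered. The script below is an added example, not code from the deck or from AWS: it audits a task definition in the JSON layout shown earlier and reports plaintext secrets in environment variables (Option 1), environment values that are merely pointers (Option 2) pass, a missing taskRoleArn, privileged containers, and images without a pinned tag or digest. The sample definition is constructed, and the name patterns that decide what "looks like a secret" and what "looks like a pointer" are assumptions for the example, not an AWS rule.

```python
"""Audit an ECS task definition before registering it (added example, constructed data)."""
import json
import re
from typing import Any, Dict, List

# Variable names that usually carry credentials (assumed list).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIALS?)", re.I)
# Values that point at a secret instead of containing it (Option 2 on the slide).
POINTER_VALUE = re.compile(r"^(arn:aws:|s3://|https://)")

# Constructed task definition in the deck's layout, with the problems left in.
SAMPLE_TASKDEF = json.dumps({
    "family": "signup-app",
    "volumes": [],
    "containerDefinitions": [{
        "name": "signup-web",
        "image": "amazon/signup-web",            # no tag: whatever :latest is today
        "cpu": 25, "memory": 100, "essential": True,
        "privileged": True,
        "environment": [
            {"name": "TABLE_NAME", "value": "signups"},
            {"name": "DB_PASSWORD", "value": "hunter2"},                          # plaintext secret
            {"name": "API_TOKEN", "value": "s3://signup-secrets/api-token.enc"},  # pointer, fine
        ],
        "portMappings": [{"hostPort": 80, "containerPort": 80}],
        "entryPoint": ["sh", "-c"],
        "mountPoints": [], "volumesFrom": [],
    }],
})


def image_is_pinned(image: str) -> bool:
    """True when the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]   # registry hosts may contain ':port', so look past the last '/'
    return ":" in name and not name.endswith(":latest")


def audit(taskdef: Dict[str, Any]) -> List[str]:
    """Return findings for one task definition; an empty list means nothing to report."""
    findings: List[str] = []
    family = taskdef.get("family", "<unnamed>")

    if not taskdef.get("taskRoleArn"):
        findings.append("%s: no taskRoleArn, containers will use the container instance role" % family)

    for c in taskdef.get("containerDefinitions", []):
        cname = "%s/%s" % (family, c.get("name", "?"))
        if c.get("privileged"):
            findings.append("%s: privileged container" % cname)
        if not image_is_pinned(c.get("image", "")):
            findings.append("%s: image %r is not pinned to a tag or digest" % (cname, c.get("image")))
        for env in c.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if SECRET_NAME.search(name) and not POINTER_VALUE.match(value):
                # Report the variable, never its value: the report itself must not leak the secret.
                findings.append("%s: environment variable %s holds a plaintext secret (%d chars)"
                                % (cname, name, len(value)))
    return findings


def audit_json(text: str) -> List[str]:
    """Convenience wrapper for a task definition held as JSON text."""
    return audit(json.loads(text))


if __name__ == "__main__":
    for line in audit_json(SAMPLE_TASKDEF):
        print(line)
```

Run it as a pre-registration gate in the deployment pipeline, before `aws ecs register-task-definition`; the sample definition produces four findings, and the same definition with a task role, a tagged image, `privileged` off and the password replaced by a pointer produces none.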
![Page 46: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/46.jpg)
Secrets Management
![Page 47: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/47.jpg)
PaaS on ECS
![Page 48: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/48.jpg)
AWS Elastic Beanstalk
• Elastic Beanstalk uses Amazon ECS to coordinate deployments to multi-container Docker environments
• A Dockerrun.aws.json file describes how to deploy the containers
• Takes care of tasks including cluster creation, task definition and execution
![Page 49: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/49.jpg)
Convox
![Page 50: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/50.jpg)
Convox
```sh
# Initialize your app and create default manifest
> convox init

# Locally build and run your app as declared in the manifest
> convox start

# Create app
> convox apps create my_app

# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com
```
![Page 51: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/51.jpg)
Remind Empire
• Offers a control layer on top of Amazon ECS that provides a Heroku like workflow
• Any tagged Docker image can be deployed to Empire as an app
• When you deploy a Docker image to Empire, it will extract a Procfile from the WORKDIR
• Each process type in the Procfile maps directly to an ECS Service
![Page 52: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/52.jpg)
Remind Empire
• Get started by launching the CloudFormation stack
• Use the emp client to start developing your app

```sh
# tell empire client where it can find the API
$ export EMPIRE_API_URL=http://empire-60-LoadBala-…elb.amazonaws.com/

# login to empire using your github credentials
$ emp login

# run your first app
$ emp deploy remind101/acme-inc:master

# check what’s running
$ emp apps
acme-inc  Jun 15 20:42
[...]
```

`emp login` sends your credentials to whatever EMPIRE_API_URL points at, so outside a demo put a TLS certificate on the load balancer and use an https:// URL.
![Page 53: Amazon ECS Deep Dive](https://reader030.vdocument.in/reader030/viewer/2022020714/58e57d9e1a28abbf5d8b5471/html5/thumbnails/53.jpg)
Additional Resources
• ECS CLI – http://bit.ly/2eKy3I6
• ECR Docker Credential Helper – http://bit.ly/2dD02xo
• AutoScaling – http://amzn.to/2eohA2a
• ECS integration with ALB to support dynamic ports and path-based routing: http://amzn.to/2exhh07
• Service Discovery
  • Service Discovery using ELB – http://bit.ly/2dAN6Dw
  • Service Discovery using DNS – http://bit.ly/2eI831D