This document provides an overview of Amazon EC2 Container Service (ECS) including benefits of containers and ECS, ECS clusters, tasks, services, monitoring, logging, auto-scaling, provisioning with CloudFormation, container image management with ECR, and example solutions built on ECS like Elastic Beanstalk and Convox. Key aspects covered include using ECS clusters to dynamically run and scale containerized applications, defining reusable tasks and long-running services, integrating with other AWS services for monitoring, auto-scaling and service discovery, and deploying containerized applications on ECS.
11. ECS Clusters
Setup
IAM Roles
Monitoring
Logging
Autoscaling
Amazon EC2 Simple Systems Manager (SSM)
Provisioning with CloudFormation
12. Setup ECS Cluster with AutoScaling
Create LaunchConfiguration
Pick instance type depending on resource requirements, e.g. memory or CPU
Use latest Amazon Linux ECS-optimized AMI, other distros available
Create AutoScaling Group and Set to Cluster Initial Size
13. ECS IAM Policies and Roles
The ECS agent calls the ECS APIs on your behalf, so container instances require an IAM policy and role that allows these calls.
The ECS service scheduler calls the EC2 and ELB APIs on your behalf to register and deregister container instances with your load balancers.
Use AmazonEC2ContainerServiceforEC2Role and AmazonEC2ContainerServiceRole managed policies (respectively)
14. Monitoring with Amazon CloudWatch
Metric data sent to CloudWatch in 1-minute periods and recorded for a period of two weeks
Available metrics:
CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
16. Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space:
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron
17. Logging with Amazon CloudWatch Logs
Logging container with syslogd and CloudWatch Logs Agent
Attach /var/log Volume to Logging container
Link Other Containers
[Diagram: on each container instance in the ECS cluster, the ECS agent logs and Docker logs flow into the logging container (syslogd + CloudWatch Logs Agent), which ships them to CloudWatch Logs]
18. AutoScaling your Amazon ECS Cluster
Create CloudWatch alarm on a metric, e.g. MemoryReservation
Configure scaling policies to increase and decrease the size of your cluster
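The chain on this slide (cluster MemoryReservation metric, CloudWatch alarm, scaling policy on the AutoScaling group) as an added example that is not part of the deck. It simulates the decision offline with constructed datapoints; the thresholds, evaluation periods and cooldowns below are assumptions chosen for the illustration, not ECS or CloudWatch defaults.

```python
"""Added example (not from the deck): MemoryReservation -> CloudWatch alarm
-> scaling policy, simulated offline with constructed data.  Thresholds,
periods and cooldowns are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContainerInstance:
    registered_mib: int  # memory the ECS agent registered for this instance
    remaining_mib: int   # memory not yet reserved by tasks placed on it


def memory_reservation(instances: List[ContainerInstance]) -> float:
    """Cluster MemoryReservation in percent: reserved memory / registered memory."""
    registered = sum(i.registered_mib for i in instances)
    reserved = sum(i.registered_mib - i.remaining_mib for i in instances)
    return 100.0 * reserved / registered if registered else 0.0


def alarm_state(samples: List[float], threshold: float, periods: int, above: bool) -> str:
    """CloudWatch-style evaluation: ALARM only when every one of the last
    `periods` datapoints breaches the threshold."""
    if len(samples) < periods:
        return "INSUFFICIENT_DATA"
    window = samples[-periods:]
    breached = all((s > threshold) if above else (s < threshold) for s in window)
    return "ALARM" if breached else "OK"


@dataclass
class ScalingPolicy:
    name: str
    adjustment: int       # ChangeInCapacity: +N scale out, -N scale in
    cooldown_periods: int


@dataclass
class AutoScalingGroup:
    desired: int
    min_size: int
    max_size: int
    last_scaled: Optional[int] = None  # period of the last capacity change

    def apply(self, policy: ScalingPolicy, period: int) -> int:
        """Change desired capacity within [min, max] unless still in cooldown."""
        if self.last_scaled is not None and period - self.last_scaled < policy.cooldown_periods:
            return self.desired
        new = max(self.min_size, min(self.max_size, self.desired + policy.adjustment))
        if new != self.desired:
            self.desired, self.last_scaled = new, period
        return self.desired


SCALE_OUT = ScalingPolicy("scale-out", adjustment=1, cooldown_periods=3)
SCALE_IN = ScalingPolicy("scale-in", adjustment=-1, cooldown_periods=3)


def simulate(samples: List[float], group: AutoScalingGroup,
             high: float = 75.0, high_periods: int = 2,
             low: float = 25.0, low_periods: int = 5) -> List[int]:
    """Feed one MemoryReservation datapoint per period.  Alarm actions fire on
    the transition into ALARM (as CloudWatch does), not on every ALARM period."""
    history, prev = [], {"high": "OK", "low": "OK"}
    for t in range(len(samples)):
        seen = samples[: t + 1]
        states = {"high": alarm_state(seen, high, high_periods, above=True),
                  "low": alarm_state(seen, low, low_periods, above=False)}
        if states["high"] == "ALARM" and prev["high"] != "ALARM":
            group.apply(SCALE_OUT, t)
        elif states["low"] == "ALARM" and prev["low"] != "ALARM":
            group.apply(SCALE_IN, t)
        prev = states
        history.append(group.desired)
    return history


# Constructed datapoints: a load spike followed by a long idle stretch.
SAMPLE_RESERVATION = [40, 60, 80, 85, 90, 88, 70, 50, 20, 15, 10, 10, 10, 10]

if __name__ == "__main__":
    cluster = [ContainerInstance(4096, 1024), ContainerInstance(4096, 2048)]
    print(f"MemoryReservation now: {memory_reservation(cluster):.1f}%")
    print(simulate(SAMPLE_RESERVATION, AutoScalingGroup(desired=2, min_size=1, max_size=6)))
```

The scale-in alarm needs more consecutive low datapoints than the scale-out alarm needs high ones, and both policies carry a cooldown, so a brief dip in reservation does not shrink the cluster while tasks are still being placed.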
19. Amazon EC2 Simple Systems Manager (SSM)
Use Amazon EC2 SSM to execute commands on container instances, e.g. yum update
Add AmazonEC2RoleForSSM to the instances' IAM role to process Run Commands
Install SSM Agent
Create SSM document
20. Cluster Setup with AWS CloudFormation
CloudFormation supports ECS cluster, service and task definition resources
Use AWS::IAM::Role to create ECS service role and container instances role
Launch container instances using AWS::AutoScaling::LaunchConfiguration and AWS::AutoScaling::AutoScalingGroup
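The cluster skeleton from slides 13, 19 and 20 (cluster, the two IAM roles with their managed policies, launch configuration and AutoScaling group) as an added example; this is not the deck's template. It builds the CloudFormation document as a Python dict and checks the roles before the stack is created. The AMI and subnet IDs are placeholders, and the service-role/ path of the managed-policy ARNs is assumed from the policy names on the slides.

```python
"""Added example (not the deck's template): build the CloudFormation skeleton
the slide lists as a dict, then sanity-check the IAM roles before running
`aws cloudformation create-stack`.  AMI/subnet IDs are placeholders; the ARN
paths of the managed policies named on the slides are assumed."""
import json

INSTANCE_ROLE_POLICIES = [  # container instance role (slides 13 and 19)
    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
    "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
]
SERVICE_ROLE_POLICIES = [   # ECS service scheduler role (slide 13)
    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole",
]
# Which AWS service may assume each role; the two must not be swapped or widened.
EXPECTED_TRUST = {"ServiceRole": "ecs.amazonaws.com", "InstanceRole": "ec2.amazonaws.com"}


def assume_role_policy(service: str) -> dict:
    """Trust policy that lets exactly one AWS service principal assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": [service]}, "Action": ["sts:AssumeRole"]}]}


def ecs_cluster_template(image_id="ami-PLACEHOLDER", instance_type="t2.small",
                         min_size=1, max_size=4, subnets=("subnet-PLACEHOLDER",)) -> dict:
    # User data joins the instance to the cluster by writing ECS_CLUSTER to the agent config.
    user_data = {"Fn::Base64": {"Fn::Join": ["", [
        "#!/bin/bash\n", "echo ECS_CLUSTER=", {"Ref": "Cluster"}, " >> /etc/ecs/ecs.config\n"]]}}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "Cluster": {"Type": "AWS::ECS::Cluster"},
            "ServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
                "AssumeRolePolicyDocument": assume_role_policy("ecs.amazonaws.com"),
                "ManagedPolicyArns": list(SERVICE_ROLE_POLICIES)}},
            "InstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
                "AssumeRolePolicyDocument": assume_role_policy("ec2.amazonaws.com"),
                "ManagedPolicyArns": list(INSTANCE_ROLE_POLICIES)}},
            "InstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                                "Properties": {"Roles": [{"Ref": "InstanceRole"}]}},
            "LaunchConfiguration": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
                "ImageId": image_id, "InstanceType": instance_type,
                "IamInstanceProfile": {"Ref": "InstanceProfile"}, "UserData": user_data}},
            "AutoScalingGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": {
                "LaunchConfigurationName": {"Ref": "LaunchConfiguration"},
                "MinSize": str(min_size), "MaxSize": str(max_size),
                "DesiredCapacity": str(min_size), "VPCZoneIdentifier": list(subnets)}},
        },
        "Outputs": {"ClusterName": {"Value": {"Ref": "Cluster"}}},
    }


def check_roles(template: dict) -> list:
    """Findings for any AWS::IAM::Role whose trust or policies stray from the slides' design."""
    allowed = set(INSTANCE_ROLE_POLICIES + SERVICE_ROLE_POLICIES)
    findings = []
    for name, resource in template["Resources"].items():
        if resource["Type"] != "AWS::IAM::Role":
            continue
        props = resource["Properties"]
        trusted = []
        for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
            principal = stmt.get("Principal", {})
            services = principal.get("Service", []) if isinstance(principal, dict) else [principal]
            trusted.extend(services if isinstance(services, list) else [services])
        if trusted != [EXPECTED_TRUST.get(name)]:
            findings.append(f"{name}: trusted by {trusted}, expected {EXPECTED_TRUST.get(name)}")
        extra = set(props.get("ManagedPolicyArns", [])) - allowed
        if extra or "Policies" in props:
            findings.append(f"{name}: carries policies beyond the managed ones on the slides")
    return findings


if __name__ == "__main__":
    template = ecs_cluster_template()
    problems = check_roles(template)
    print("\n".join(problems) if problems else json.dumps(template, indent=2))
```

The check is deliberately narrow: each role trusts one service principal and carries only the managed policies the slides name, so a later edit that widens the trust policy or attaches an extra policy fails the check before the stack is updated.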
25. ECS Tasks
Group containers used for a common purpose in a single task definition
Separate different components into multiple task definitions
Create services from Task Definition to maintain availability
30. Amazon ECR Setup
You have read and write access to the repositories you create in your default registry, i.e. <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
Repository names can support namespaces, e.g. team-a/web-app.
Repositories can be controlled with both IAM user access policies and repository policies.
31. Amazon ECR Setup
# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo
# Build or tag an image
# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1
32. ECR IAM Policies and Roles
ECR uses resource-based permissions to control access.
By default, only the repository owner has access to a repository.
You can apply a policy document that allows others to access your repository.
Use managed policies for IAM users or roles that allow differing levels of control: AmazonEC2ContainerRegistryFullAccess, AmazonEC2ContainerRegistryPowerUser or AmazonEC2ContainerRegistryReadOnly
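The repository policy mentioned on this slide, as an added example that is not from the deck: a policy document that lets one other account pull from a repository and nothing more, plus a lint pass over any repository policy for the grants a defender would not want to see (an anonymous principal, a wildcard action, or push rights for a foreign account). Account IDs are constructed placeholders; the ECR action names are the API actions that pulling and pushing require.

```python
"""Added example (not from the deck): a pull-only cross-account ECR repository
policy and a lint pass for grants a repository policy should not carry.
Account IDs are constructed placeholders."""
import json

# ECR API actions needed only to pull an image.
PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]
# Actions that write to the repository.
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"}


def pull_only_policy(consumer_account: str) -> dict:
    """Repository policy letting one other account pull, and nothing more."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPullFromConsumer",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": list(PULL_ACTIONS),
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement) -> list:
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _account_of(principal: str):
    """Account ID from an IAM ARN (arn:aws:iam::123456789012:root); None for '*'."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) >= 6 else None


def lint_repository_policy(policy: dict, owner_account: str) -> list:
    """Return human-readable findings for risky Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        if "*" in principals:
            findings.append(f"{sid}: grants access to any principal ('*')")
        if actions & {"*", "ecr:*"}:
            findings.append(f"{sid}: grants every ECR action")
        foreign = [p for p in principals if _account_of(p) not in (None, owner_account)]
        if foreign and actions & PUSH_ACTIONS:
            findings.append(f"{sid}: lets another account push images ({', '.join(foreign)})")
    return findings


if __name__ == "__main__":
    policy = pull_only_policy("444455556666")  # constructed consumer account
    print(json.dumps(policy, indent=2))
    print(lint_repository_policy(policy, "111122223333") or "no findings")
```

The policy document printed by the block is what you would pass to `aws ecr set-repository-policy --policy-text`; the lint is meant to run on whatever policy is already attached (`aws ecr get-repository-policy`) before it is trusted for a production image.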
37. Configuring Logging in Task Definition
logConfiguration task definition parameter
Requires version 1.18 or greater of the Docker Remote API
Maps to docker run --log-driver option
Log drivers: json-file, syslog, journald, gelf, fluentd
39. Service Discovery with Services & Route 53
[Diagram: the tasks of an ECS service sit behind an application router, e.g. nginx; an internal ELB with a CNAME, e.g. api.example.com, in a Route 53 private zone, e.g. example.com, fronts the router]
40. Deploying ECS Services
Optionally run your service behind a load balancer.
One load balancer per service.
ELB currently supports a fixed relationship between the load balancer port and the container instance port.
If a task fails the ELB health check, the task is killed and restarted (until service reaches desired capacity).
41. Deploying ECS Services
Update service’s task definition (rolling update)
Specify a deployment configuration for your service:
minimumHealthyPercent: lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running in a service during a deployment.
maximumPercent: upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment.
43. Deploying ECS Services
Deploy quickly without reducing service capacity:
minimumHealthyPercent = 100%, maximumPercent = 200%
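The two deployment-configuration limits from slides 41 and 43, worked through as an added example that is not from the deck. It turns minimumHealthyPercent and maximumPercent into task counts and then replays a rolling update round by round to show how many rounds the replacement takes and how far capacity dips. The rounding (lower limit rounded up, upper limit rounded down) follows the ECS deployment-configuration documentation; the round-by-round scheduler model is a simplification for illustration, not the scheduler's actual algorithm.

```python
"""Added example (not from the deck): how minimumHealthyPercent and
maximumPercent bound a rolling update, replayed for a few settings.
The scheduler model below is a simplification for illustration."""
import math


def deployment_bounds(desired_count: int, minimum_healthy_percent: int, maximum_percent: int):
    """(fewest tasks that must stay running, most tasks allowed) during a deployment."""
    if not 0 <= minimum_healthy_percent <= 100:
        raise ValueError("minimumHealthyPercent must be between 0 and 100")
    lower = math.ceil(desired_count * minimum_healthy_percent / 100)
    upper = math.floor(desired_count * maximum_percent / 100)
    return lower, upper


def simulate_rolling_update(desired_count, minimum_healthy_percent, maximum_percent):
    """Replace every task of the old task definition with a new one.
    Each round: stop only as many old tasks as needed to make room (never
    dropping below the lower bound), start new tasks up to the upper bound,
    then wait for them to pass the ELB health check.
    Returns (rounds needed, fewest tasks running at any point)."""
    lower, upper = deployment_bounds(desired_count, minimum_healthy_percent, maximum_percent)
    if upper < 1:
        raise ValueError("maximumPercent leaves no room to run any task")
    old, new, rounds, fewest_running = desired_count, 0, 0, desired_count
    while old > 0:
        running, need = old + new, desired_count - new
        if need == 0:
            stop = old  # all replacements are healthy: retire the old ones
        else:
            headroom = upper - running
            stop = min(old, running - lower, max(0, need - headroom))
        old -= stop
        fewest_running = min(fewest_running, old + new)
        start = min(need, upper - (old + new))
        new += start
        rounds += 1
        if stop == 0 and start == 0:
            raise ValueError("deployment cannot make progress with these limits")
    return rounds, fewest_running


if __name__ == "__main__":
    for desired, low, high in [(4, 100, 200), (4, 50, 100), (3, 100, 150), (1, 0, 100)]:
        rounds, fewest = simulate_rolling_update(desired, low, high)
        print(f"desired={desired} min={low}% max={high}%: "
              f"{rounds} round(s), never fewer than {fewest} task(s) running")
```

The single-task case is the one to watch: with desiredCount = 1 and the default-looking 0% / 100% the only way to make room is to stop the one running task first, so the service has no task at all until the replacement passes its health check. The slide's 100% / 200% setting avoids the dip entirely, at the cost of needing spare cluster capacity for the extra tasks.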
44. Deploying ECS Services
Blue-Green deployments:
Define two ECS services (Blue and Green)
Each service is associated with an ELB
Both ELBs in Route 53 record set with weighted routing policy, 100% Primary, 0% Secondary
Deploy to Blue or Green service and switch weights
50. AWS Elastic Beanstalk
Uses Amazon ECS to coordinate deployments to multicontainer Docker environments
Takes care of tasks including cluster creation, task definition and execution
51. AWS Elastic Beanstalk
Elastic Beanstalk uses a Dockerrun.aws.json file that describes how to deploy containers.
The Dockerrun.aws.json file includes three sections:
AWSEBDockerrunVersion: Set to "2" for multicontainer Docker environments.
containerDefinitions: An array of container definitions.
volumes: Creates mount points in the container instance that a container can use.
53. Convox
# Initialize your app and create default manifest
> convox init
# Locally build and run your app as declared in the manifest
> convox start
# Create app
> convox apps create my_app
# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com
54. Remind Empire
Control layer on top of Amazon ECS that provides a familiar PaaS workflow
Any tagged Docker image can be deployed to Empire as an app
When you deploy a Docker image to Empire, it will extract a Procfile from the WORKDIR
Each process type in the Procfile maps directly to an ECS Service
55. Remind Empire
Routing Layer Backed by Internal ELBs
An application that specifies a web process will get an internal ELB attached to its ECS Service
When a new internal ELB is created, an associated CNAME record is created in Route53 under the internal TLD, enabling service discovery via DNS
57. Additional Resources
ECS CloudFormation Template - http://amzn.to/1KH51m5
ECS CloudWatch Metrics - http://amzn.to/1PUR7OU
Scaling Container Instances with CloudWatch Alarms - http://amzn.to/1ORt06b
Service Discovery with Consul - http://amzn.to/1JZL5gz
Continuous Delivery to ECS with Jenkins - http://amzn.to/1GbheTp
Elastic Beanstalk Multicontainer Docker Environment - http://amzn.to/1bAkjxG
58. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
Details
• April 18-19, 2016
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 50+ sessions, labs, and bootcamps
• Executive and partner networking
Register Now
• Go to aws.amazon.com/summits
• Click on The AWS Summit - Chicago … then register.
• Come and see what AWS and the cloud can do for you.