Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016
![Page 1: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/1.jpg)
Deliver Docker Containers Continuously on AWS
Philipp Garbe @pgarbe
![Page 2: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/2.jpg)
About Me
● Philipp Garbe
● Lead Developer @AutoScout24
● AWS
● Continuous Delivery
● Docker
![Page 3: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/3.jpg)
What About You?
![Page 4: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/4.jpg)
“Hello ECS”
![Page 5: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/5.jpg)
Our first ECS cluster
![Page 6: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/6.jpg)
ECS Cluster: Deployment Options

| | AWS Console | AWS CLI | ECS CLI | CloudFormation |
|---|---|---|---|---|
| Easy to start | Yes | No | Yes | No |
| Automation | No | Yes | Yes | Yes |
| Configuration as Code | No | No | No | Yes |
| Auto Scaling | Yes | Yes | No | Yes |
![Page 7: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/7.jpg)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: EC2 KeyPair to enable SSH access.
  ...   # further parameters (ServiceSubnets, ClusterMinSize, ...) elided on the slide
Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref ServiceSubnets
      LaunchConfigurationName: !Ref LaunchConfig
      MinSize: !Ref ClusterMinSize
      MaxSize: !Ref ClusterMaxSize
  LaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Metadata:
      AWS::CloudFormation::Init:
        config:
          commands:
            # Tell the ECS agent which cluster this instance belongs to.
            01_add_instance_to_cluster:
              command: !Sub |
                #!/bin/bash
                echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
    Properties:
      # ECS-optimized AMI looked up per region from a Mappings section (elided).
      ImageId: !FindInMap [AWSRegionToAMI, !Ref 'AWS::Region', AMIID]
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      KeyName: !Ref KeyName
  ...
Outputs:
  # Exported so that service stacks can import the cluster name.
  ClusterName:
    Value: !Ref ECSCluster
    Export:
      Name: !Sub '${AWS::StackName}-ClusterName'
```
![Page 8: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/8.jpg)
The first deployment
![Page 9: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/9.jpg)
Container Definition
● Image
● Port mapping
● Mount points
● Network options
● Docker options
![Page 10: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/10.jpg)
Task Definition
● Task Role
● Volumes
● Network Mode
![Page 11: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/11.jpg)
Service Description
● Load Balancer
● AutoScaling
● Deployment Configuration
![Page 12: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/12.jpg)
ECS Service: Deployment Options

| | AWS Console | AWS CLI | ECS CLI | CloudFormation |
|---|---|---|---|---|
| Easy to start | Yes | No | Yes | No |
| Automation | No | Yes | Yes | Yes |
| Configuration as Code | No | No | Partially | Yes |
| Auto Scaling | Yes | Yes | No | Yes |
| Load Balancer | Yes | Yes | No | Yes |
![Page 13: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/13.jpg)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DesiredCount:
    Type: Number
  ClusterStack:
    Type: String
    Description: Name of the cluster stack
  ...   # Version, TaskAuthRole, ServiceAuthRole elided on the slide
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      # Role assumed by the containers of this task (not the instance role).
      TaskRoleArn: !Ref TaskAuthRole
      ContainerDefinitions:
        - Name: Jenkins
          # Pin a concrete version; "latest" is not a version.
          Image: !Sub jenkins:${Version}
          Cpu: 2048
          PortMappings:
            # Must be the port referenced under LoadBalancers below.
            - ContainerPort: 8080
              # 0 = dynamic host port (requires an ALB target group rather
              # than a classic ELB, see the load-balancing slides).
              HostPort: 0
          Memory: 4608
          Essential: true
  WebApp:
    Type: AWS::ECS::Service
    Properties:
      Cluster:
        "Fn::ImportValue": !Sub '${ClusterStack}-ClusterName'
      DesiredCount: !Ref DesiredCount
      # A new task definition revision here triggers a deployment.
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 0
      Role: !Ref ServiceAuthRole
      LoadBalancers:
        - ContainerName: Jenkins
          ContainerPort: 8080
          LoadBalancerName:
            "Fn::ImportValue": !Sub '${ClusterStack}-LoadBalancerName'
```
![Page 14: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/14.jpg)
Load Balancing
![Page 15: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/15.jpg)
Application Load Balancer (ALB)
![Page 16: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/16.jpg)
Static Port Mapping (ELB)
![Page 17: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/17.jpg)
Dynamic Port Mapping (ALB)
![Page 18: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/18.jpg)
Up & Down
![Page 19: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/19.jpg)
![Page 20: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/20.jpg)
![Page 21: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/21.jpg)
![Page 22: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/22.jpg)
![Page 23: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/23.jpg)
![Page 24: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/24.jpg)
![Page 25: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/25.jpg)
![Page 26: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/26.jpg)
![Page 27: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/27.jpg)
![Page 28: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/28.jpg)
AutoScaling: Conclusion
● Two different kinds of scaling (cluster and service)
○ Cluster: use CPU / memory reservation metrics
○ Service: use CPU / memory utilization metrics
● Scale down to save money, but avoid an endless scale-in / scale-out loop
● Scaling takes a while to take effect
● ASG is not aware of ECS
![Page 29: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/29.jpg)
AutoScaling: Rule of Thumb
Threshold = (1 - max(Container Reservation) / Total Capacity of a single Container Instance) * 100

Example:
Container instance capacity: 2048 MB
Container reservation: 512 MB
Threshold = (1 - 512 / 2048) * 100 = 75%
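The rule of thumb above, as an added example that is not part of the talk: `scale_out_threshold` is the slide's formula generalised to several container definitions (the `max(...)` term) and, via `cluster_thresholds`, to both CPU and memory; `safe_scale_in_threshold` adds the scale-in side that the conclusion slide warns about, since a scale-in alarm set too high removes an instance, pushes the reservation metric back over the scale-out threshold, and loops. Function names, the four-instance cluster and all numbers except the slide's 2048 MB / 512 MB are assumptions constructed for the example.

```python
"""Added example (not from the talk): scale-out threshold rule of thumb for
an ECS cluster plus the matching scale-in bound that avoids an endless
scale-in / scale-out loop. All inputs below are constructed."""


def scale_out_threshold(instance_capacity, container_reservations):
    """Reservation percentage (0-100) above which the cluster needs another
    container instance: past it, no single instance is guaranteed to have
    room for the largest container. Capacity and reservations share a unit
    (MB for memory, CPU units for CPU)."""
    largest = max(container_reservations)
    if largest > instance_capacity:
        raise ValueError("largest container does not fit on one instance")
    return (1 - largest / instance_capacity) * 100


def cluster_thresholds(instance, containers):
    """Per-dimension thresholds for container definitions given as
    {'cpu': units, 'memory': MB}; alarm on each dimension separately,
    because a task can be CPU-heavy and memory-light or the reverse."""
    return {dim: scale_out_threshold(instance[dim], [c[dim] for c in containers])
            for dim in ("cpu", "memory")}


def reservation_after_scale_in(reservation_pct, instance_count):
    """Reservation percentage after one of `instance_count` instances is
    removed: the reserved amount stays, the capacity shrinks by 1/n."""
    if instance_count < 2:
        raise ValueError("cannot scale in below one instance")
    return reservation_pct * instance_count / (instance_count - 1)


def safe_scale_in_threshold(scale_out_pct, instance_count):
    """Highest reservation at which removing one instance still leaves the
    cluster below the scale-out threshold. A scale-in alarm above this
    value re-triggers scale-out immediately (the endless loop)."""
    if instance_count < 2:
        return 0.0
    return scale_out_pct * (instance_count - 1) / instance_count


def would_flap(reservation_pct, instance_count, scale_out_pct):
    """True if scaling in at this reservation re-triggers scale-out."""
    return reservation_after_scale_in(reservation_pct, instance_count) > scale_out_pct


if __name__ == "__main__":
    # The slide's numbers: 2048 MB instance, 512 MB container -> 75 %.
    out = scale_out_threshold(2048, [512])
    print(f"scale-out threshold: {out:.2f}%")
    # Constructed four-instance cluster: scale in only below 56.25 %.
    print(f"safe scale-in threshold (4 instances): "
          f"{safe_scale_in_threshold(out, 4):.2f}%")
    print("flaps at 60 % with 4 instances:", would_flap(60, 4, out))
```

The scale-in bound follows from the metric definition: reservation is reserved amount divided by instance count times instance capacity, so dropping one of n instances multiplies the percentage by n/(n-1); keeping the scale-in alarm below scale-out * (n-1)/n is what stops the two alarms from triggering each other.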
![Page 30: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/30.jpg)
Deploy Continuously
![Page 31: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/31.jpg)
ECS Cluster
● Use AutoScaling Group
● UpdatePolicy defines deployment strategy
● Ensure Docker and the ECS agent are running
![Page 32: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/32.jpg)
ECS Service
● Latest is not a version
● Providing a new task definition triggers deployment
● Deployment strategy based on minimum healthy percent and maximum percent
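How minimum healthy percent and maximum percent bound a rollout, as an added example that is not from the talk: `deployment_bounds` applies the rounding the ECS documentation describes (minimum rounded up, maximum rounded down), and `rolling_update_plan` is a simplified round-by-round model of the scheduler, not the real one, which starts new tasks first where the upper bound allows and then stops old ones down to the lower bound. Run with the service template's values (MaximumPercent 100, MinimumHealthyPercent 0) it shows the moment where zero tasks are running, which is the trade-off that configuration makes. Function names and the desired counts are assumptions.

```python
"""Added example (not from the talk): simplified model of the task-count
window ECS keeps during a service deployment. Rounding per the ECS docs;
the step-by-step schedule is a model, not the exact ECS scheduler."""
import math


def deployment_bounds(desired_count, minimum_healthy_percent, maximum_percent):
    """Return (min_running, max_running) enforced during the rollout:
    minimum healthy is rounded up, maximum is rounded down."""
    min_running = math.ceil(desired_count * minimum_healthy_percent / 100)
    max_running = math.floor(desired_count * maximum_percent / 100)
    return min_running, max_running


def rolling_update_plan(desired_count, minimum_healthy_percent, maximum_percent):
    """Simulate the rollout as a list of (old_tasks, new_tasks) states, from
    all-old to all-new. Each round starts as many new tasks as the upper
    bound allows, then stops as many old tasks as the lower bound allows."""
    min_running, max_running = deployment_bounds(
        desired_count, minimum_healthy_percent, maximum_percent)
    old, new = desired_count, 0
    states = [(old, new)]
    while old > 0 or new < desired_count:
        start = min(desired_count - new, max_running - (old + new))
        new += max(start, 0)
        stop = min(old, max(0, old + new - min_running))
        old -= stop
        if (old, new) == states[-1]:
            # Neither bound leaves room to move: e.g. 100 % / 100 %.
            raise ValueError("deployment cannot progress with these percentages")
        states.append((old, new))
    return states


def min_tasks_running(states):
    """Lowest total task count seen during the rollout (0 means downtime)."""
    return min(old + new for old, new in states)


if __name__ == "__main__":
    # The service template's configuration: stop everything, then start.
    plan = rolling_update_plan(2, 0, 100)
    print("100/0  :", plan, "min running:", min_tasks_running(plan))
    # A rolling configuration that keeps at least half the tasks up.
    plan = rolling_update_plan(2, 50, 200)
    print("200/50 :", plan, "min running:", min_tasks_running(plan))
    # One-at-a-time when the cluster has no spare capacity.
    plan = rolling_update_plan(3, 50, 100)
    print("100/50 :", plan, "min running:", min_tasks_running(plan))
```

The 100/0 configuration on the slide is what a static host port with a classic ELB forces: the new task cannot bind the port until the old one is gone. With dynamic host ports behind an ALB, MaximumPercent above 100 lets the new revision come up next to the old one.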
![Page 33: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/33.jpg)
Node draining
● Not natively supported by ECS
● Use Lifecycle Hooks
![Page 34: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/34.jpg)
Volumes
![Page 35: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/35.jpg)
EBS vs EFS
![Page 36: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/36.jpg)
Security
![Page 37: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/37.jpg)
IAM Security Roles
● ecsAutoScalingRole
○ Read CloudWatch Metrics
○ Modify App AutoScaling
● ecsContainerInstanceRole
○ ECR: Get Images
○ ECS: De/Register Container Instances
● ecsServiceRole
○ De/Register Instances with Load Balancer
● ecsTaskRole
○ Everything your task needs to do
https://iam.cloudonaut.io
![Page 38: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/38.jpg)
![Page 39: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/39.jpg)
![Page 40: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/40.jpg)
![Page 41: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/41.jpg)
How to protect yourself

EC2
● Disallow access to the metadata service from tasks (containers):

```bash
iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
```

IAM
● Give the instance role only the permissions it needs (according to the AWS docs)
![Page 42: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/42.jpg)
re:Invent
![Page 43: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/43.jpg)
New features
● CloudWatch Events
● New task placement strategies
● Blox
![Page 44: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/44.jpg)
New service integration
● EC2 System Manager parameter store
● CodeBuild
● AWS X-Ray
![Page 45: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/45.jpg)
Conclusion
![Page 46: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/46.jpg)
Questions?
![Page 47: Deliver Docker Containers Continuously On AWS - DevOpsCon Munich 2016](https://reader033.fdocuments.in/reader033/viewer/2022052706/5871afcb1a28abda6a8b65af/html5/thumbnails/47.jpg)
https://autoscout24.github.io/hiring
Philipp Garbe
http://garbe.io
@pgarbe
https://github.com/pgarbe