Deep Dive into Amazon Fargate
- 1. © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Container Services
Coming 2018!
- 2. Technical Developer Evangelist
• Linux engineer
• Containers
• ECS
• Kubernetes
• Serverless
• CI/CD
• CloudFormation / Terraform
• Python scripter
• Vim user
@ric__harvey
@awscloud
@AWS_UKI
https://github.com/richarvey
- 3. What are containers and why use them?
• Standard way of packaging and shipping:
  • Configuration
  • Data
  • Content
  • Binaries
• Portability
• Consistency
• Better isolation
• Better use of compute resources
- 4. Running a container locally is easy
- 5.
- 6. First there was EC2
- 7. Then Docker
Diagram: containers running inside an EC2 instance.
Customers started containerising workloads within EC2.
- 8. Managing containers is a ton of work
- 9. Containers made it easy to build and scale cloud-native applications.
Customers needed an easier way to manage large clusters of instances and containers.
Amazon Elastic Container Service: cluster management as a hosted service.
- 10. Amazon ECS users
Plus many more!
- 11. This is great, but…
• Managing a fleet is hard work!
• Patching and upgrading the OS, packages and agents
• Scaling the fleet for optimal use
- 12. Cluster management
Diagram: each EC2 instance runs an OS, a Docker agent and an ECS agent.
- 13. Customers wanted to run containers without having to manage EC2 instances
Diagram: three EC2 instances (each with its own OS, Docker agent and ECS agent) managed by the Elastic Container Service.
- 14. AWS Fargate
MANAGED BY AWS: no EC2 instances to provision, scale or manage.
ELASTIC: scale up & down seamlessly. Pay only for what you use.
INTEGRATED with the AWS ecosystem: VPC networking, Elastic Load Balancing, IAM permissions, CloudWatch and more.
- 15. Early adopters
To name a few…
- 16. Running Fargate containers in ECS
- 17. Running Fargate containers in ECS
Use ECS APIs to launch Fargate containers.
Easy migration – run Fargate and EC2 launch type tasks in the same cluster.
Same task definition schema.
- 18. Task definition
• Immutable, versioned document
• Identified by family:version
• Contains a list of up to 10 container definitions
• All containers are co-located on the same host
• Each container definition has:
  • A name
  • Image URL (ECR or public images)
  • And more… stay tuned!
{
  "family": "scorekeep",
  "containerDefinitions": [
    {
      "name": "scorekeep-frontend",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe"
    },
    {
      "name": "scorekeep-api",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api"
    }
  ]
}
- 19. Primitives are shared with ECS
Use the same primitives and integrations as EC2 launch-type ECS tasks:
• VPC
• IAM
• CloudWatch
- 20. Constructs
register: Task definition
• Define application containers: image URL, CPU & memory requirements, etc.
run: Task
• A running instantiation of a task definition
• Use the FARGATE launch type
create: Service
• Maintain n running copies
• Integrated with ELB (ALB or NLB)
• Unhealthy tasks automatically replaced
create: Cluster
• Infrastructure isolation boundary
• IAM permissions boundary
- 21. Fargate workflow
- 22. Compute resources in Fargate
- 23. CPU and memory spec
{
  "family": "scorekeep",
  "cpu": "1 vCPU",
  "memory": "2 GB",
  "containerDefinitions": [
    {
      "name": "scorekeep-frontend",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
      "cpu": 256,
      "memoryReservation": 512
    },
    {
      "name": "scorekeep-api",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
      "cpu": 768,
      "memoryReservation": 512
    }
  ]
}
Units:
• CPU: cpu-units. 1 vCPU = 1024 cpu-units
• Memory: MiB
Task-level resources (the top-level "cpu" and "memory"):
• Total CPU/memory across all containers
• Required fields
Container-level resources (the per-container "cpu" and "memoryReservation"):
• Define the sharing of task resources among containers
• Optional fields
- 24. Resource config with Fargate
Flexible configuration options: 50 CPU/memory configurations.
CPU (cpu-units)    Memory
256  (.25 vCPU)    512 MB, 1 GB, 2 GB
512  (.5 vCPU)     1 GB, 2 GB, 3 GB, 4 GB
1024 (1 vCPU)      2 GB, 3 GB, 4 GB, 5 GB, 6 GB, 7 GB, 8 GB
2048 (2 vCPU)      Between 4 GB and 16 GB in 1 GB increments
4096 (4 vCPU)      Between 8 GB and 30 GB in 1 GB increments
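Added example (not part of the deck, not AWS code): a small validator that encodes the table above and the unit rules from slide 23, so a task definition can be checked for a supported Fargate size and for container shares that fit the task budget before it is registered. The task definition it is tested against is the scorekeep one from the slides.

```python
"""Added example (not from the slide deck): validate the task-level CPU/memory
pair of a Fargate task definition against the 50 supported combinations on
slide 24, and check that container-level reservations fit inside them."""
import re

# Task-level CPU (cpu-units, 1 vCPU = 1024) -> allowed task memory values in MiB.
FARGATE_SIZES = {
    256: [512, 1024, 2048],
    512: [1024, 2048, 3072, 4096],
    1024: [2048, 3072, 4096, 5120, 6144, 7168, 8192],
    2048: list(range(4096, 16384 + 1, 1024)),  # 4 GB .. 16 GB in 1 GB steps
    4096: list(range(8192, 30720 + 1, 1024)),  # 8 GB .. 30 GB in 1 GB steps
}

def parse_cpu(value):
    """Accept "1024" or "1 vCPU" (case-insensitive) and return cpu-units."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(vcpu)?\s*", str(value), re.I)
    if not m:
        raise ValueError(f"bad cpu value: {value!r}")
    n = float(m.group(1))
    return int(round(n * 1024)) if m.group(2) else int(n)

def parse_memory(value):
    """Accept "2048" or "2 GB" (case-insensitive) and return MiB."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(gb)?\s*", str(value), re.I)
    if not m:
        raise ValueError(f"bad memory value: {value!r}")
    n = float(m.group(1))
    return int(round(n * 1024)) if m.group(2) else int(n)

def validate_fargate_resources(task_def):
    """Return a list of problems; an empty list means the sizing is valid."""
    problems = []
    # Task-level cpu and memory are required fields for the FARGATE launch type.
    missing = [k for k in ("cpu", "memory") if k not in task_def]
    if missing:
        return [f"task-level '{k}' is required on Fargate" for k in missing]
    cpu, mem = parse_cpu(task_def["cpu"]), parse_memory(task_def["memory"])
    if cpu not in FARGATE_SIZES:
        problems.append(f"cpu {cpu} is not a Fargate task size")
    elif mem not in FARGATE_SIZES[cpu]:
        problems.append(f"memory {mem} MiB is not allowed with cpu {cpu}")
    # Container-level fields are optional; if set, they share the task budget.
    cdefs = task_def.get("containerDefinitions", [])
    if sum(c.get("cpu", 0) for c in cdefs) > cpu:
        problems.append("container cpu shares exceed task cpu")
    if sum(c.get("memoryReservation", 0) for c in cdefs) > mem:
        problems.append("container memoryReservation total exceeds task memory")
    return problems
```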
- 25. Networking
- 26. Networking (awsvpc)
• With awsvpc, each task is allocated an ENI (Elastic Network Interface)
• Containers launched as part of the same task can use the local loopback interface (remember that one?), since containers that are part of the same task share an ENI
• With the ENI allocation comes a private IP. Public IPs can also be allocated.
• ENIs are at the task level, though, so how do containers that are part of different tasks communicate?
- 27. VPC integration
Diagram: VPC 172.31.0.0/16 with subnet 172.31.1.0/24 spanning us-east-1a/b/c; a Fargate task's ENI holds private IP 172.31.1.164 and public IP 208.57.73.13, with paths to the Internet and to other entities in the VPC (EC2, LB, DB, etc.).
Launch your Fargate tasks into subnets.
Beneath the hood:
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
You can also assign public IPs to your tasks.
Configure security groups to control inbound & outbound traffic.
- 28. VPC configuration
Task definition:
{
  "family": "scorekeep",
  "cpu": "1 vCPU",
  "memory": "2 GB",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "scorekeep-frontend",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
      "cpu": 256,
      "memoryReservation": 512
    },
    {
      "name": "scorekeep-api",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
      "cpu": 768,
      "memoryReservation": 512
    }
  ]
}
Run task:
$ aws ecs run-task ... \
    --platform-version LATEST \
    --network-configuration "awsvpcConfiguration={subnets=[subnet1-id,subnet2-id],securityGroups=[sg-id]}"
Other network modes are not supported on Fargate.
- 29. Internet access
The task ENI is used for:
• All network traffic to and from your task
• Image pull (from ECR or a public repository)
• Log pushing to CloudWatch (if configured)
Outbound Internet access is required for image pull & log pushing (even if the application itself doesn't require it).
There are two ways to set this up:
• Private task with outbound internet access. Does not allow inbound internet traffic.
• Public task with both inbound and outbound internet access
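Added example (not from the deck, not AWS code): a helper that builds the run-task network configuration for the two setups just described and renders it in the CLI shorthand from slide 28. It assumes the real `assignPublicIp` field of `awsvpcConfiguration`; the subnet and security-group ids are constructed placeholders.

```python
"""Added example (not from the deck): build the awsvpc network configuration for
`aws ecs run-task` in the two modes slide 29 describes and render it in the CLI
shorthand used on slide 28. Subnet and security-group ids here are constructed."""

def network_configuration(subnets, security_groups, public):
    """Return the run-task network configuration for a Fargate task.

    public=False: private task; the ENI gets only a private IP, so inbound from
    the internet is impossible and outbound (image pull, log push) must leave
    via a NAT gateway on the subnet's route table.
    public=True: the ENI also gets a public IP; the security group rules now
    decide what inbound traffic reaches the task.
    """
    if not subnets or not security_groups:
        raise ValueError("awsvpc tasks need at least one subnet and one security group")
    return {"awsvpcConfiguration": {
        "subnets": list(subnets),
        "securityGroups": list(security_groups),
        "assignPublicIp": "ENABLED" if public else "DISABLED",
    }}

def to_cli_shorthand(cfg):
    """Render the structure in the shorthand syntax the AWS CLI accepts."""
    inner = cfg["awsvpcConfiguration"]
    parts = [f"subnets=[{','.join(inner['subnets'])}]",
             f"securityGroups=[{','.join(inner['securityGroups'])}]",
             f"assignPublicIp={inner['assignPublicIp']}"]
    return "awsvpcConfiguration={" + ",".join(parts) + "}"

def run_task_args(cluster, task_definition, cfg):
    """argv for the run-task call from slide 28 (awsvpc is the only network mode
    Fargate supports, so the network configuration is mandatory)."""
    return ["aws", "ecs", "run-task",
            "--launch-type", "FARGATE",
            "--cluster", cluster,
            "--task-definition", task_definition,
            "--platform-version", "LATEST",
            "--network-configuration", to_cli_shorthand(cfg)]

if __name__ == "__main__":
    private = network_configuration(["subnet-0a1", "subnet-0b2"], ["sg-0c3"], public=False)
    print(" ".join(run_task_args("demo-cluster", "scorekeep:1", private)))
```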
- 30. Local networking
- 31. awsvpc public + private networks
- 32. Load balancing
- 33. More info
https://aws.amazon.com/blogs/compute/introducing-cloud-native-networking-for-ecs-containers/
https://aws.amazon.com/blogs/compute/task-networking-in-aws-fargate/
- 34. Permissions
- 35. Types of permissions
Cluster level permissions:
• Control who can launch/describe tasks in your cluster
Application level permissions:
• Allow your application containers to access AWS resources securely
Housekeeping permissions:
• Allow us to perform housekeeping activities around your task:
  • ECR image pull
  • CloudWatch logs pushing
  • ENI creation
  • Register/deregister targets into ELB
Diagram: cluster permissions attach to the cluster; application permissions and task housekeeping permissions attach to the Fargate task.
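Added example (not from the deck, not AWS code): the three permission scopes above expressed as least-privilege IAM policy documents, plus a small review helper that flags actions granted on `Resource: "*"` without a condition. It assumes the real `ecs:cluster` condition key and the ECR/CloudWatch Logs actions that image pull and log push need; every ARN is a constructed placeholder and the DynamoDB table is a hypothetical application dependency.

```python
"""Added example (not from the deck): the three permission scopes of slide 35 as
least-privilege IAM policies. ARNs are constructed; the table is hypothetical."""
import json

def cluster_policy(cluster_arn):
    """Cluster level: who may launch/describe/stop tasks, limited to one
    cluster with the ecs:cluster condition key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks"],
        "Resource": "*",
        "Condition": {"ArnEquals": {"ecs:cluster": cluster_arn}},
    }]}

def housekeeping_policy(repository_arn, log_group_arn):
    """Housekeeping (the task execution role): only what ECS needs to pull the
    image from one ECR repository and push logs to one CloudWatch log group."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"],
         "Resource": repository_arn},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": log_group_arn},
    ]}

def application_policy(table_arn):
    """Application level (the task role): what the containers may call; kept
    apart from housekeeping so the app cannot pull images or write other logs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": table_arn,
    }]}

def unscoped_actions(policy):
    """Review helper: actions granted on Resource "*" with no Condition.
    ecr:GetAuthorizationToken is exempt; it has no resource-level scoping."""
    flagged = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Resource") == "*" and "Condition" not in st:
            flagged += [a for a in actions if a != "ecr:GetAuthorizationToken"]
    return flagged

def render(policy):
    """Serialise a policy document for the IAM API or a CLI --policy-document."""
    return json.dumps(policy, indent=2)
```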
- 36. Isolation at the cluster level
Diagram: four clusters (PROD, BETA, DEV, QA), each on its own cluster infrastructure and each running its own copies of the Web, Shopping Cart and Notifications services.
- 37. And more!
- 38. Registry support
Amazon Elastic Container Registry (ECR)
Public repositories (Docker Hub, etc.)
3rd party private repository support (coming soon)
- 39. FAQ
FAQ: how do I exec into a Fargate container?
Short answer: you don't.
Longer answer: if it were me, I'd stop the Fargate container and restart it as type EC2 for debugging, then switch back over.
Long term, something we're looking at building.
- 40. CLI support
• aws-cli: the official OG. Open source, includes most AWS services.
  • More info here: https://aws.amazon.com/cli/
  • GitHub here: https://github.com/aws/aws-cli
• ecs-cli: also official, but just for ECS. Supports Docker Compose files.
  • More info here: https://github.com/aws/amazon-ecs-cli
Some good unofficial options:
• Fargate CLI: https://github.com/jpignata/fargate
• Coldbrew CLI: https://github.com/coldbrewcloud/coldbrew-cli
- 41. Resources
https://github.com/nathanpeck/awesome-ecs
- 42. One more thing!
Fargate mode for EKS (available 2018)
- 43. Thank you
@ric__harvey