Learn how to deploy and manage containers at scale in the cloud.
This session covers everything from Linux container internals to Amazon Elastic Container Service (ECS) with and without AWS Fargate,
Amazon Elastic Kubernetes Service (EKS) and AWS App Mesh.
rights reserved. SUMMIT
Deep Dive on Containers
Dr Frank Munz, Senior Technical Evangelist, Amazon Web Services
Brian Bordini, Cloud Architect, Richemont
About me
• Software Architect / DevOps Engineer
• Technical Evangelist @ AWS
• Published an AWS book
• Containers, serverless and a sprinkle of ML & big / fast data
@frankmunz
Level – 300: “Sessions dive deeper into the selected topic. Presenters assume that the audience has some familiarity with the topic, but may or may not have direct experience implementing a similar solution”
Linux container building blocks (diagram): containers 1 to 6 run on one shared Linux kernel through a container runtime; the kernel isolates and constrains them with control groups (cgroups), namespaces and a union filesystem.
What can you use cgroups for?
• Linux kernel feature that defines resource limits, prioritization, control and accounting for groups of processes
• Implemented by subsystems (controllers)
• Typically mounted at /sys/fs/cgroup or /cgroup
Examples of subsystems:
• Memory
• CPU time
• Block I/O
• Number of discrete processes (pids)
• CPU & memory-node pinning (cpuset)
• Freezer (used by docker pause)
• Devices
• Network priority
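The memory, pids and CPU subsystems above are the ones that stop one container from exhausting the host. The script below is an added example, not code from the original slides: it audits a cgroup for those three limits. It assumes the unified cgroup v2 hierarchy mounted at /sys/fs/cgroup, where each cgroup directory exposes memory.max, pids.max and cpu.max (the file names and value formats are the kernel's); the reader abstraction, the findings and the sample values are this script's own.

```python
"""Audit the resource limits of a cgroup v2 directory.

Added example, not code from the original slides. Assumes the unified cgroup
v2 hierarchy at /sys/fs/cgroup; the interface-file formats are the kernel's,
the reader abstraction, findings and sample values are this script's own.
"""
import os
from typing import Callable, Dict, List, Optional

# A reader maps an interface-file name (e.g. "memory.max") to its contents, so
# the audit can run over a real cgroup directory or over constructed data.
Reader = Callable[[str], str]

CGROUP_ROOT = "/sys/fs/cgroup"


def fs_reader(cgroup_dir: str) -> Reader:
    """Reader backed by a real cgroup directory under /sys/fs/cgroup."""
    def read(name: str) -> str:
        with open(os.path.join(cgroup_dir, name)) as fh:
            return fh.read().strip()
    return read


def dict_reader(files: Dict[str, str]) -> Reader:
    """Reader backed by a dict; used for the constructed samples below."""
    return lambda name: files[name]


def cgroup_dir_from_proc(proc_cgroup: str) -> str:
    """Resolve a process's cgroup v2 directory from its /proc/<pid>/cgroup
    contents; on v2 that file carries a single line of the form '0::/<path>'."""
    for line in proc_cgroup.splitlines():
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            return CGROUP_ROOT + path
    raise ValueError("no cgroup v2 entry found (v1-only hierarchy?)")


def parse_max(value: str) -> Optional[int]:
    """'max' means no limit (None); otherwise an integer count or byte value."""
    value = value.strip()
    return None if value == "max" else int(value)


def parse_cpu_max(value: str) -> Optional[float]:
    """cpu.max is '<quota> <period>' in microseconds and quota may be 'max'.
    Returns the allowed share as a number of CPUs, or None if unlimited."""
    quota, period = value.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def audit_cgroup(read: Reader) -> List[str]:
    """Return findings for limits a container cgroup should normally carry."""
    findings = []
    if parse_max(read("memory.max")) is None:
        findings.append("memory.max=max: a leak or allocation bomb can exhaust host RAM")
    if parse_max(read("pids.max")) is None:
        findings.append("pids.max=max: a fork bomb can exhaust the host PID space")
    if parse_cpu_max(read("cpu.max")) is None:
        findings.append("cpu.max=max: the container can starve its neighbours of CPU")
    return findings


# Constructed sample: the values `docker run --memory 512m --pids-limit 256
# --cpus 0.5` produces on a cgroup v2 host.
SAMPLE_LIMITED = {"memory.max": "536870912", "pids.max": "256", "cpu.max": "50000 100000"}
# Constructed sample: a container started with no limits at all.
SAMPLE_UNLIMITED = {"memory.max": "max", "pids.max": "max", "cpu.max": "max 100000"}

if __name__ == "__main__":
    # Audit the cgroup of this very process when run on a cgroup v2 host.
    with open("/proc/self/cgroup") as fh:
        own_dir = cgroup_dir_from_proc(fh.read())
    for finding in audit_cgroup(fs_reader(own_dir)) or ["all three limits are set"]:
        print(finding)
```

Run it inside a container to see what the runtime actually applied; on a cgroup v1 host the same values live in memory/memory.limit_in_bytes, pids/pids.max and cpu/cpu.cfs_quota_us under the per-subsystem mounts, so the reader would need to map the names.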
And namespaces?
• Partition kernel resources such as the hostname, process IDs, mounts and the network stack
• A process's namespaces are visible under /proc/<PID>/ns
• The entries are symbolic links whose target names the namespace type and its inode number:
$ readlink /proc/$$/ns/*
cgroup:[4026531835]
ipc:[4026531839]
mnt:[4026531840]
net:[4026531993]
pid:[4026531836]
user:[4026531837]
uts:[4026531838]
Network namespace
• Docker uses a separate network namespace per container
• Multiple containers can share a network namespace, as in Kubernetes pods and Amazon ECS tasks
• Improve isolation by creating dedicated network interfaces: ECS awsvpc networking, EKS amazon-vpc-cni-k8s plugin
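Because two processes are in the same namespace exactly when their /proc/<pid>/ns links carry the same inode number, the readlink output above doubles as an isolation check: compare a container process against PID 1 on the host and every matching inode is a namespace the container did not get. The script below is an added example, not code from the original slides; it parses the '<type>:[<inode>]' link targets shown above, and the risk wording and the sample inode values are this script's own.

```python
"""Find which namespaces a process shares with the host's init (PID 1).

Added example, not code from the original slides. Parses the
'<type>:[<inode>]' targets of /proc/<pid>/ns/*; the risk wording and the
sample inode values are this script's own.
"""
import os
import re
from typing import Dict, List

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# What sharing a given namespace with the host implies for a container.
SHARED_NS_RISK = {
    "pid": "sees and can signal host processes (docker run --pid=host)",
    "net": "uses the host network stack and can bind host ports (--net=host)",
    "mnt": "shares the host mount table, so the host root filesystem is reachable",
    "ipc": "shares host System V IPC and POSIX shared memory (--ipc=host)",
    "uts": "can change the host's hostname (--uts=host)",
    "user": "no user namespace remap: uid 0 in the container is uid 0 on the host",
    "cgroup": "sees the host cgroup hierarchy from its root",
}


def parse_ns_targets(targets: List[str]) -> Dict[str, int]:
    """Parse readlink targets such as 'net:[4026531993]' into {type: inode}."""
    namespaces = {}
    for target in targets:
        match = NS_LINK.match(target.strip())
        if not match:
            raise ValueError(f"unexpected namespace link target: {target!r}")
        namespaces[match.group(1)] = int(match.group(2))
    return namespaces


def read_namespaces(pid: int) -> Dict[str, int]:
    """Read /proc/<pid>/ns/* on a live Linux system (needs ptrace access to <pid>)."""
    ns_dir = f"/proc/{pid}/ns"
    return parse_ns_targets([os.readlink(os.path.join(ns_dir, name))
                             for name in sorted(os.listdir(ns_dir))])


def shared_namespaces(proc: Dict[str, int], host: Dict[str, int]) -> List[str]:
    """Namespace types in which `proc` and `host` have the same inode."""
    return sorted(kind for kind, inode in proc.items() if host.get(kind) == inode)


def isolation_findings(proc: Dict[str, int], host: Dict[str, int]) -> List[str]:
    """One human-readable finding per namespace shared with the host."""
    return [f"{kind}: {SHARED_NS_RISK.get(kind, 'shared with host')}"
            for kind in shared_namespaces(proc, host)]


# Constructed sample: readlink /proc/1/ns/* on the host, and the same for a
# process in a default `docker run` container: new cgroup, ipc, mnt, net, pid
# and uts namespaces, but the host's user namespace, which is Docker's default
# unless userns-remap is configured.
HOST_NS = ["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531840]",
           "net:[4026531993]", "pid:[4026531836]", "user:[4026531837]", "uts:[4026531838]"]
DEFAULT_CONTAINER_NS = ["cgroup:[4026532451]", "ipc:[4026532449]", "mnt:[4026532447]",
                        "net:[4026532454]", "pid:[4026532450]", "user:[4026531837]", "uts:[4026532448]"]
# Constructed sample: the same container started with --pid=host --net=host.
HOST_NET_PID_CONTAINER_NS = ["cgroup:[4026532451]", "ipc:[4026532449]", "mnt:[4026532447]",
                             "net:[4026531993]", "pid:[4026531836]", "user:[4026531837]", "uts:[4026532448]"]

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for finding in isolation_findings(read_namespaces(pid), read_namespaces(1)) or ["fully namespaced"]:
        print(finding)
```

Run from the host with the container's PID (docker inspect --format '{{.State.Pid}}' <container>); run from inside a container it compares against the container's own PID 1 and reports nothing, which is itself a sign the pid namespace is in place.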
Go
• Modern language
• Docker is implemented in Go
• Native concurrency
• Low startup time
• Small, static binaries
• Easy cross compilation
Java – Open Source Cloud Native Stacks
Polyglot, declarative, reactive microservices frameworks like Micronaut or Quarkus, based on GraalVM:
• Dead code elimination
• Aggressive ahead-of-time (AOT) compilation
• Native image generation
• Docker and Kubernetes YAML file generation
• Startup times in milliseconds
https://quarkus.io/vision/container-first
“Just launch 10 copies of my container distributed across three availability zones and connect them to this load balancer”
Amazon ECS
• Easiest way to deploy and manage containers at scale
• Integration with the entire AWS platform: ALB, Auto Scaling, Batch, Elastic Beanstalk, CloudFormation, CloudTrail, CloudWatch Events, CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot, IAM, NLB, Parameter Store, and VPC
• Scales to support clusters of any size
• Service integrations (like ALB and NLB) are at container level
ECS on EC2 vs. ECS on Fargate

                        EC2                      Fargate
Hosts managed by        Customer                 AWS
Storage                 Ephemeral or persistent  Only ephemeral
Sidecar pattern         Yes                      Yes
Network mode            Bridge or VPC mode       VPC mode
Daemons                 Yes                      No
SSH into host           Yes                      No
Privileged containers   Yes                      No
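The last three rows are where the two launch types differ for an attacker: on EC2 a task definition can ask for host networking, the host PID namespace or a privileged container, while Fargate refuses them. The script below is an added example, not code from the original slides: it lints a task definition for those settings and lists what Fargate would reject. The field names (networkMode, pidMode, ipcMode, containerDefinitions[].privileged, readonlyRootFilesystem, user, linuxParameters.capabilities.add) are those of the ECS RegisterTaskDefinition API; the rules, the Fargate-compatibility list and the two sample task definitions are this script's own.

```python
"""Lint an ECS task definition for the isolation settings the EC2 vs. Fargate
table is about.

Added example, not code from the original slides. Field names follow the ECS
RegisterTaskDefinition API; the rules and sample task definitions are this
script's own.
"""
from typing import Dict, List

# Capabilities that hand a container control of the host kernel, its devices
# or other processes; none of them is needed by an ordinary service.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
                  "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT"}


def added_capabilities(container: Dict) -> List[str]:
    """Capabilities a container definition adds on top of the runtime default set."""
    caps = container.get("linuxParameters", {}).get("capabilities", {}).get("add")
    return list(caps or [])


def lint_task_definition(td: Dict) -> List[str]:
    """Findings for settings that weaken task isolation on either launch type."""
    findings = []
    mode = td.get("networkMode", "bridge")  # bridge is the default on EC2
    if mode != "awsvpc":
        findings.append(f"networkMode={mode}: use awsvpc so every task gets its own ENI and security group")
    if td.get("pidMode") == "host":
        findings.append("pidMode=host: containers see and can signal host processes")
    if td.get("ipcMode") == "host":
        findings.append("ipcMode=host: containers share the host's IPC namespace")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true grants every capability and access to host devices")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{name}: readonlyRootFilesystem is off; an attacker can persist in the writable layer")
        user = str(c.get("user", "root")).split(":")[0]  # image default is root
        if user in ("root", "0"):
            findings.append(f"{name}: runs as root; set user to an unprivileged uid")
        bad = sorted(set(added_capabilities(c)) & DANGEROUS_CAPS)
        if bad:
            findings.append(f"{name}: adds capabilities {', '.join(bad)}")
    return findings


def fargate_rejections(td: Dict) -> List[str]:
    """Settings Fargate does not accept: the table's 'No' rows, in code."""
    reasons = []
    if td.get("networkMode") != "awsvpc":
        reasons.append("Fargate requires networkMode=awsvpc")
    if td.get("pidMode") == "host":
        reasons.append("Fargate does not support pidMode=host")
    if td.get("ipcMode") == "host":
        reasons.append("Fargate does not support ipcMode=host")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            reasons.append(f"{name}: privileged containers are not supported on Fargate")
        extra = [cap for cap in added_capabilities(c) if cap != "SYS_PTRACE"]
        if extra:
            reasons.append(f"{name}: Fargate only allows adding SYS_PTRACE, not {', '.join(extra)}")
    return reasons


# Constructed sample: a task definition carried over from a docker-compose
# file, with every isolation knob at its permissive setting.
PERMISSIVE_TD = {
    "family": "web",
    "networkMode": "bridge",
    "pidMode": "host",
    "containerDefinitions": [{
        "name": "web",
        "image": "example/web:1.0",
        "privileged": True,
        "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}

# Constructed sample: the same service with the isolation settings tightened;
# this one registers on Fargate as well as on EC2.
HARDENED_TD = {
    "family": "web",
    "networkMode": "awsvpc",
    "containerDefinitions": [{
        "name": "web",
        "image": "example/web:1.0",
        "user": "1000:1000",
        "readonlyRootFilesystem": True,
        "linuxParameters": {"capabilities": {"drop": ["ALL"]}},
    }],
}
```

Feed it the JSON from aws ecs describe-task-definition (the taskDefinition member) in a pipeline step; the lint findings apply to both launch types, the rejection list tells you whether a move to Fargate needs changes first.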
Configurable networking
Diagram: VPC 172.31.0.0/16 with subnet 172.31.1.0/24; a Fargate task with an ENI at private IP 172.31.1.164 and optional public IP 208.57.73.13, reachable from other entities in the VPC (EC2, load balancer, database etc.) and from the Internet.
Explicit control over your containers' networking:
• Subnet placement, specific IP address ranges
• Private IP address (optional public IP address)
• Security group inbound access only from specific sources on specific ports
Under the hood:
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
• Optionally you can also give it a public IP address if it's in a public subnet with internet access
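A task ENI with its own security group is only an improvement if that group really is "inbound only from specific sources on specific ports"; a rule copied from an EC2 template that opens port 22 to 0.0.0.0/0 undoes it. The script below is an added example, not code from the original slides: it audits a task security group against a list of legitimate source groups and container ports. It consumes the IpPermissions structure of the EC2 DescribeSecurityGroups API (IpProtocol, FromPort, ToPort, IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6, UserIdGroupPairs[].GroupId); the expectations, the findings and the sample group are this script's own.

```python
"""Check a task security group against 'inbound only from specific sources
on specific ports'.

Added example, not code from the original slides. Consumes the IpPermissions
structure of the EC2 DescribeSecurityGroups API; expectations, findings and
the sample group are this script's own.
"""
import ipaddress
from typing import Dict, List, Set


def describe_port(perm: Dict) -> str:
    """Short label for an ingress rule's protocol and port range."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def port_is_expected(perm: Dict, allowed_ports: Set[int]) -> bool:
    """True only for a single TCP port the task actually serves."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == perm.get("ToPort")
            and perm.get("FromPort") in allowed_ports)


def audit_task_sg(sg: Dict, allowed_source_sgs: Set[str], allowed_ports: Set[int]) -> List[str]:
    """Findings for ingress rules wider than 'specific sources on specific ports'."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        port = describe_port(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        if not port_is_expected(perm, allowed_ports) and (cidrs or groups):
            findings.append(f"{port}: not one of the expected container ports {sorted(allowed_ports)}")
        for cidr in cidrs:
            # A /0 prefix, v4 or v6, is the whole Internet.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{port}: open to the whole Internet ({cidr}); allow only the load balancer's security group")
            else:
                findings.append(f"{port}: allowed from CIDR {cidr}; reference the caller's security group instead")
        for gid in groups:
            if gid not in allowed_source_sgs:
                findings.append(f"{port}: allowed from unexpected security group {gid}")
    return findings


# Constructed sample: a task security group that correctly admits the load
# balancer on the container port, but also carries an SSH-from-anywhere rule
# copied from an EC2 template (a Fargate task has no SSH daemon anyway) and an
# IPv6 any-source rule on the container port.
LB_SG = "sg-0a1b2c3d4e5f67890"
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": LB_SG, "UserId": "123456789012"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for finding in audit_task_sg(SAMPLE_SG, {LB_SG}, {8080}) or ["no findings"]:
        print(finding)
```

The input is one element of SecurityGroups from aws ec2 describe-security-groups --group-ids <task sg>; pass the load balancer's group ID and the containerPort values from the task definition as the expectations.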
AWS Cloud Development Kit (AWS CDK)
Define cloud infrastructure and reusable components in “real code“ and provision through AWS CloudFormation.
Diagram: a CDK application is built from constructs; synthesizing it yields a CloudFormation template, whose stack(s) create the resources.
ECS Pattern: Load Balanced Fargate Service
• Basic constructs: Cluster, Task Definition, Task, Service, etc.
• Common architecture patterns: load balanced service
• …this TypeScript generates 568 CloudFormation LOC
Amazon EKS architecture (diagram): the cluster spans Availability Zones 1, 2 and 3 and is operated with kubectl; CloudWatch Container Insights for Amazon EKS and ECS.
Amazon EKS Features
• Bring your own instances / instance types
• Packer configuration for building a custom EKS AMI
• Marketplace instances with TensorFlow and NVIDIA packages
• CloudWatch Container Insights for EKS and ECS
Need for a Service Mesh
• OSS libraries: code changes required, language specific
• Service mesh: decentralized, language agnostic, polyglot, light-weight
https://www.infoq.com/articles/microservices-post-kubernetes
AWS App Mesh works across compute services: Amazon ECS, AWS Fargate, Amazon EKS, Amazon EC2, Kubernetes on EC2
• Based on the Envoy proxy
• It's free (you only pay for the resources used)
About Brian Bordini
• Working with Kubernetes for one year
• "In the cloud" for two years
• Worked in the banking and insurance industries
• Now in the luxury industry (Geneva and Shanghai)
Twitter: @brnmori
LinkedIn: Brian Bordini
Architecture for Kubernetes (diagram): customers reach the application through a CDN and a load balancer; the Kubernetes nodes run in Auto Scaling groups mixing on-demand and Spot instances across availability zones; data lives in Amazon Aurora (DB group), Amazon ElastiCache and Amazon Simple Storage Service (S3); AWS Direct Connect links the on-premises side.
• … overhead with managed services
• Repeatability and consistency with Infrastructure as Code
• Seamless experience from dev machine to production with Docker
• Team ownership from inception to production
• Faster time to market with better quality than traditional deployment
• Reusable infrastructure modules and CI/CD pipelines for future projects
rights reserved. Summary • Architect wisely (Serverless vs ECS vs EKS vs EC2) • Running K8s is hard, use a managed K8s service • AWS App Mesh is free to use and works across compute services
Frank Munz
@frankmunz
https://medium.com/@frank.munz (Blog)
https://speakerdeck.com/fmunz (Slides)