© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Windows Containers on Amazon ECS S a m u e l K a r p — S e n i o r S o f t w a r e D e v e l o p m e n t E n g i n e e r , A m a z o n E C S C h a l k T a l k C O N 3 2 4 N o v e m b e r 2 8 , 2 0 1 7

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Samuel Karp Sr. Software Development Engineer Amazon Elastic Container Service (focus on Docker and ECS agent) 5+ years at Amazon GitHub: @samuelkarp Hello!

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • A brief introduction to containers • Differences between Windows and Linux containers • Windows containers in production with Amazon Elastic Container Service (Amazon ECS) • Lots of Q&A! What to expect from this talk

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. A brief introduction to containers

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Shared kernel, separate user space • Visibility isolation • Resource limits • Immutable images • Shared layers • Reproducibility What is a container?

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Limit memory and CPU • Isolate the file system • Share directories and drives optionally • Isolate the Windows registry • Isolate the network What can you do with a container?

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Each layer forms a copy-on-write view of your files • New files exist only in the top layer • When a file is modified, it is copied up to the top layer • Unmodified files exist in whatever layer they were added/modified • Deleted files are hidden, but still exist Top layer (read-write) Intermediate layer (read- only) Base layer (read-only) How layers work

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Multiple images can share layers if they share ancestry • Push layers to a repository • Only pull un-cached layers • Foreign layers can come from other places • Some layers are non-distributable (including Microsoft base layers) How layers work

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Differences between Windows and Linux containers

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Linux base images have a Linux userland, usually somewhat minimal • A Linux image can be as small as a single static binary • The boundary between userland and the operating system is kernel syscalls • Windows base images come from Microsoft in two flavors: • Server Core • Nano Server • A Windows image must build on the Microsoft-provided base images • The boundary between userland and the operating system is DLLs and Windows services Base images

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Minimal installation of Windows Server 2016 • Windows PowerShell • .NET support • No graphical applications • Great for migrating existing Windows applications to containers microsoft/windowsservercore

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Smallest base layer available for Windows • Only 64-bit applications • Optimized for .NET Core applications • Windows PowerShell not included by default (as of Windows Server version 1709) • Only PowerShell Core is available microsoft/nanoserver

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • microsoft/iis – Internet Information Services (IIS) web server • microsoft/dotnet – .NET Core runtime • microsoft/aspnet – ASP.NET web application framework • microsoft/mssql-server-windows- express and microsoft/mssql-server- windows-developer – Microsoft SQL Server (two different flavors) Even more base images!

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Normally escaped with \, but you can change this to ` on Windows with the #escape parser directive • RUN defaults to cmd.exe, but you can change this to PowerShell using the SHELL directive Building images

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Microsoft releases updated base images with Windows patches • Sometimes incremental layers • Sometimes replacing base layer • Running Windows Update in your container is an anti-pattern Patching

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Major revisions of Windows Server may not be able to run images built from previous base layers • Windows Server 2016 RS3/1709 cannot run images built for pre-RS3 versions of Windows Server 2016 • This is likely for RS4/1803 as well Major Windows releases

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Similar to bridge mode on Linux • Containers have private IP address only accessible from the host • Cannot access exposed ports via localhost WinNAT network mode

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Memory • No overcommitted memory • No OOM killer • CPU • CPU percent/hard limit Windows containers need more memory and CPU than Linux containers Resource allocation

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Basic volumes work • Mount whole drives (like H:\) • Mount folders (like C:\My Folder) • Only for folders on the same drive where the container layers are stored • Plugins not yet supported Volumes

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Running Windows containers with Amazon ECS

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Use multiple containers together • Placement logic across a cluster • Service scheduling and deployment management • Application Auto Scaling • Load balancer integration • AWS Identity and Access Management (IAM) • Application logging • Instance draining for maintenance • Resource constraints (CPU, memory, ports) • Placement constraints (attributes, capabilities) • Placement strategies (spread, binpack) • Automatic spread across Availability Zones (AZs) What can you do with Windows and ECS?

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Use the ECS-optimized Windows AMI [NEW!] • Register task definitions to define your applications • Enable Amazon EC2 IMDS and ECS task roles in your containers with Windows PowerShell How to set up a Windows cluster

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ECS-optimized Windows AMI • Windows Server 2016 • Modern version of Docker EE • ECS agent runs as a Windows service • PowerShell module can be used to configure the ECS agent • Logs in the Windows Event Viewer Launch the ECS-optimized Windows AMI with this user data to configure the ECS agent and join a cluster: Import-Module ECSTools Initialize-ECSAgent -Cluster "MyCluster"

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Storing images in Amazon ECR • Amazon ECR Credential Helper for Docker to simplify authentication • Microsoft base layers are not pushed to Amazon ECR by default • Can push base layers to Amazon ECR, but you must comply with the EULA To push Microsoft base layers to a registry, you need to enable the --allow-nondistributable-artifacts option on the command line or in the C:\ProgramData\docker\config\daemon.json file like this: { "allow-nondistributable-artifacts": ["123456789012.dkr.ecr.us-west-2.amazonaws.com"] }

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Most task definition fields that work on Linux work unchanged on Windows • Some fields work on Windows, but need changes: • Volumes use Windows-style paths • Some fields are not supported on Windows: • Network mode—only NAT mode is supported • Container links • Memory reservation/soft limit • Privileged • ulimits • Linux security options Task definitions

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dockerfile # escape ` FROM microsoft/windowsservercore:latest ADD https://sdk-for-net.amazonwebservices.com/latest/AWSToolsAndSDKForNet.msi AWSToolsAndSDKForNet.msi RUN powershell –command "Start-Process 'msiexec.exe' –ArgumentList '/quiet /i AWSToolsAndSDKForNet.msi' –Wait" ADD setup-aws.ps1 setup-aws.ps1 setup-aws.ps1 $EC2_METADATA_ADDRESS = "169.254.169.254" [string]$gateway = (Get-Net-Route | Where { $_.DestinationPrefix –eq ‘0.0.0.0/0‘ } | Sort-Object RouteMetric | ` Select -First 1).NextHop [int]$ifIndex = (Get-NetAdapter –InterfaceDescription "Hyper-V Virtual Ethernet*" | ` Sort-Object | Select –First 1).ifIndex New-NetRoute –DestinationPrefix "$($EC2_METADATA_ADDRESS)/32" –InterfaceIndex $ifIndex –NextHop $gateway Import-Module "${env:ProgramFiles(x86)}\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1" Sample Dockerfile

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q&A

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!