Slide 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T

Deep Dive on Containers
Dr Frank Munz, Senior Technical Evangelist, Amazon Web Services
Brian Bordini, Cloud Architect, Richemont

Slide 2

About me
• Software Architect / DevOps Engineer
• Technical Evangelist @ AWS
• Published an AWS book
• Containers, serverless and a sprinkle of ML & big / fast data
@frankmunz

Slide 3

Level 300: “Sessions dive deeper into the selected topic. Presenters assume that the audience has some familiarity with the topic, but may or may not have direct experience implementing a similar solution.”

Slide 4

Agenda
• Container
• Amazon Elastic Container Service
• Amazon Elastic Kubernetes Service
• AWS App Mesh
• Brian Bordini, Richemont

Slide 6

Diagram: the Linux kernel provides control groups, namespaces and a union filesystem; a container runtime sits on top of the kernel and runs containers 1 to 6.

Slide 7

What can you use cgroups for?
• Linux kernel feature that defines resource limits, prioritization, control and accounting for processes
• Implemented by subsystems
• Typically mounted at /sys/fs/cgroup or /cgroup

Examples of subsystems:
• Memory
• CPU time
• Block I/O
• Number of discrete processes (pids)
• CPU & memory pinning
• Freezer (used by docker pause)
• Devices
• Network priority

Slide 8

And namespaces?
• Partition kernel resources like hostname, process IDs etc.
• Namespaces are visible in /proc, organised by PID
• Files are symbolic links to the namespace

    $ readlink /proc/$$/ns/*
    cgroup:[4026531835]
    ipc:[4026531839]
    mnt:[4026531840]
    net:[4026531993]
    pid:[4026531836]
    user:[4026531837]
    uts:[4026531838]

Slide 9

Network namespace
• Docker uses a separate network namespace per container
• Multiple containers can share a network namespace, as used by Kubernetes pods and Amazon ECS tasks
• Improve isolation by creating dedicated network interfaces: ECS awsvpc networking, EKS amazon-vpc-cni-k8s plugin
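As an added example (not part of the slides), this Python parses namespace links in the form the readlink command above prints and compares two processes to show which namespaces they share; the sample values are constructed to mimic two containers of one Kubernetes pod, which share the net, ipc and uts namespaces while keeping separate pid and mnt namespaces. The read_process_namespaces helper reads the live links on Linux.

```python
import os
from typing import Dict, Set

# Constructed sample output of `readlink /proc/<pid>/ns/*` for two containers of
# the same Kubernetes pod: net, ipc and uts are shared, pid and mnt are not.
POD_CONTAINER_A = """cgroup:[4026532100]
ipc:[4026532201]
mnt:[4026532301]
net:[4026532202]
pid:[4026532302]
user:[4026531837]
uts:[4026532203]"""

POD_CONTAINER_B = """cgroup:[4026532110]
ipc:[4026532201]
mnt:[4026532311]
net:[4026532202]
pid:[4026532312]
user:[4026531837]
uts:[4026532203]"""


def parse_ns_links(text: str) -> Dict[str, int]:
    """Turn 'name:[inode]' lines into {name: inode}; the inode identifies the namespace."""
    namespaces = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, inode = line.partition(":[")
        namespaces[name] = int(inode.rstrip("]"))
    return namespaces


def read_process_namespaces(pid: str = "self") -> Dict[str, int]:
    """Live equivalent of the readlink command (Linux only, needs read access to /proc/<pid>/ns)."""
    ns_dir = f"/proc/{pid}/ns"
    links = [os.readlink(os.path.join(ns_dir, name)) for name in sorted(os.listdir(ns_dir))]
    return parse_ns_links("\n".join(links))


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespace types where both processes point at the same kernel object."""
    return {name for name in a if name in b and a[name] == b[name]}


def isolated_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespace types where the two processes are separated from each other."""
    return {name for name in a if name in b and a[name] != b[name]}
```

Comparing a container's links against those of PID 1 on the host in the same way shows which namespaces the runtime actually separated for it.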

Slide 10

Union Filesystems
• Used by Docker to implement layers
• Efficient use of storage

Slide 12

Container Base Images

Slide 13

Go
• Modern language
• Docker is implemented in Go
• Native concurrency
• Low startup time
• Small, static binaries
• Easy cross compilation

Slide 14

Java: Open Source Cloud Native Stacks
Polyglot, declarative, reactive microservices frameworks like Micronaut or Quarkus, based on GraalVM.
• Dead code elimination
• Aggressive ahead-of-time (AOT) compilation
• Native image generation
• Docker and Kubernetes YAML file generation
• Startup times in milliseconds
https://quarkus.io/vision/container-first

Slide 18

“Just launch 10 copies of my container distributed across three availability zones and connect them to this load balancer”

Slide 20

Amazon ECS
1. Easiest way to deploy and manage containers at scale
2. Integration with the entire AWS platform: ALB, Auto Scaling, Batch, Elastic Beanstalk, CloudFormation, CloudTrail, CloudWatch Events, CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot, IAM, NLB, Parameter Store, and VPC
3. Scales to support clusters of any size
Service integrations (like ALB and NLB) are at container level

Slide 21

ECS EC2 vs. ECS Fargate

                         EC2                       Fargate
Managed by               Customer                  AWS
Storage                  Ephemeral or Persistent   Only Ephemeral
Sidecar pattern          Yes                       Yes
Network Mode             Bridge or VPC Mode        VPC Mode
Daemons                  Yes                       No
SSH into host            Yes                       No
Privileged Containers    Yes                       No

Slide 22

Task Definition: CPU & Memory Specification

Task Definition Snippet:

    {
      "family": "scorekeep",
      "cpu": "1 vCpu",
      "memory": "2 gb",
      "containerDefinitions": [
        {
          "name": "scorekeep-frontend",
          "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
          "cpu": 256,
          "memoryReservation": 512
        },
        {
          "name": "scorekeep-api",
          "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
          "cpu": 768,
          "memoryReservation": 512
        }
      ]
    }

Units
• CPU: cpu-units. 1 vCPU = 1024 cpu-units
• Memory: MB

Task Level Resources ("cpu" and "memory" at the top level of the snippet):
• Total CPU/memory across all containers
• Required fields
• Billing axis

Container Level Resources ("cpu" and "memoryReservation" per container):
• Define sharing of task resources among containers
• Optional fields
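As an added example (not the slides' or the ECS API's own validation logic), this Python converts the task-level "1 vCpu" / "2 gb" strings into the cpu-unit and MB numbers the slide defines and checks that the container-level values do not over-commit the task-level budget, which is the value ECS bills and enforces. The task definition is a constructed copy of the snippet above; the image URIs are placeholders.

```python
import json
import re
from typing import Any, Dict, List

CPU_UNITS_PER_VCPU = 1024  # slide: 1 vCPU = 1024 cpu-units
MB_PER_GB = 1024           # memory fields are expressed in MB

# Constructed copy of the slide's snippet; the image URIs are placeholders.
TASK_DEF_JSON = """{
  "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb",
  "containerDefinitions": [
    {"name": "scorekeep-frontend", "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
     "cpu": 256, "memoryReservation": 512},
    {"name": "scorekeep-api", "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
     "cpu": 768, "memoryReservation": 512}
  ]
}"""

def parse_cpu(value: Any) -> int:
    """Accept 256, "1024" or "1 vCpu" and return cpu-units."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(vcpu)?\s*", str(value), re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised cpu value: {value!r}")
    number = float(match.group(1))
    return int(number * CPU_UNITS_PER_VCPU) if match.group(2) else int(number)

def parse_memory(value: Any) -> int:
    """Accept 512, "512 MB" or "2 gb" and return MB."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(gb|mb)?\s*", str(value), re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised memory value: {value!r}")
    number = float(match.group(1))
    return int(number * MB_PER_GB) if (match.group(2) or "").lower() == "gb" else int(number)

def load_task_definition(text: str) -> Dict[str, Any]:
    return json.loads(text)

def check_task_definition(task: Dict[str, Any]) -> List[str]:
    """List container-level requests that over-commit the task-level budget."""
    problems = []
    task_cpu, task_mem = parse_cpu(task["cpu"]), parse_memory(task["memory"])
    containers = task["containerDefinitions"]
    cpu_total = sum(parse_cpu(c.get("cpu", 0)) for c in containers)
    mem_total = sum(parse_memory(c.get("memoryReservation", c.get("memory", 0))) for c in containers)
    if cpu_total > task_cpu:
        problems.append(f"container cpu total {cpu_total} exceeds task cpu {task_cpu}")
    if mem_total > task_mem:
        problems.append(f"container memory total {mem_total} MB exceeds task memory {task_mem} MB")
    return problems
```

Running the check in a CI step before registering a task definition catches an over-committed task before a deployment is rejected or a container is starved at run time.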

Slide 23

Configurable Networking

Diagram: a VPC (172.31.0.0/16) with a subnet (172.31.1.0/24); a Fargate task is attached to an ENI with private IP 172.31.1.164 and optional public IP 208.57.73.13, reachable from the Internet and from other entities in the VPC (EC2, LB, DB etc.).

Explicit control for your containers' networking:
• Subnet placement, specific IP address ranges
• Private IP address (optional public IP address)
• Security group inbound access only from specific sources on specific ports

Under the hood:
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
• Optionally you can also give it a public IP address if it's in a public subnet with internet access

Slide 24

AWS Cloud Development Kit (AWS CDK)
Define cloud infrastructure and reusable components in “real code” and provision through AWS CloudFormation.

Diagram: a CDK application is built from constructs; it synthesizes a CloudFormation template, which is deployed as stack(s) of resources.

Slide 25

ECS Pattern: Load Balanced Fargate Service
• Basic constructs: Cluster, Task Definition, Task, Service, etc.
• Common architecture patterns: load balanced service
…this TypeScript generates 568 CloudFormation LOC

Slide 26

CDK resource: https://garbe.io/ (Philipp Garbe, AWS Container Hero)

Slide 28

“Run Kubernetes for me.”

Slide 29

Amazon EKS Architecture
Diagram: Amazon EKS spread across Availability Zone 1, 2 and 3, accessed with kubectl; CloudWatch Container Insights for Amazon EKS and ECS.

Slide 30

Amazon EKS Features
• Bring your own instances / types
• Packer configuration for building a custom EKS AMI
• Marketplace instances with TensorFlow and NVIDIA packages
• CloudWatch Container Insights for EKS and ECS

Slide 31

https://eksctl.io/
Tip: easy way to create an EKS cluster:

    $ eksctl create cluster --name meshtest --appmesh-access

Slide 34

Need for a Service Mesh
• OSSC libraries: code changes required, language specific
• Service Mesh: decentralised, language agnostic, polyglot, light-weight
https://www.infoq.com/articles/microservices-post-kubernetes

Slide 35

… EKS is open source, upstream Kubernetes and supports Istio / Envoy

Slide 36

But you asked us for more…

Slide 37

A mesh for all compute services

Slide 38

App Mesh works across compute services
• Amazon ECS
• AWS Fargate
• Amazon EKS
• Amazon EC2
• Kubernetes on EC2
Based on Envoy proxy. It's free (you only pay for resources used).

Slide 39

Demo: Install AppMesh

    # AppMesh installation with Grafana/Prometheus,
    # Envoy, the AWS X-Ray daemon sidecar
    # and the StatsD Prometheus exporter
    $ helm install -n aws-appmesh \
        --namespace appmesh-system \
        https://github.com/PaulMaddox/aws-appmesh-helm/releases/latest/download/aws-appmesh.tgz

https://github.com/PaulMaddox/aws-appmesh-helm

Slide 40

Install Demo App

    # create namespace & enable auto-injection
    $ kubectl create ns appmesh-demo
    $ kubectl label namespace appmesh-demo appmesh.k8s.aws/sidecarInjectorWebhook=enabled

    # deploy the demo
    $ helm install -n aws-appmesh-demo \
        --namespace appmesh-demo \
        https://github.com/.../aws-appmesh-demo.tgz

Slide 41

Observability: AWS X-Ray Service Map

Slide 42

AWS X-Ray: Traces

Slide 43

Open-Source Grafana: AppMesh Overview

Slide 44

Public Container Roadmap: https://github.com/aws/containers-roadmap

Slide 46

A journey in Kubernetes

Slide 47

Who Am I?
• Developer converted to Ops and Architecture
• Working with Kubernetes for one year
• "In the cloud" for two years
• Worked in banking and insurance industries
• Now in luxury industry (Geneva and Shanghai)
Twitter: @brnmori
LinkedIn: Brian Bordini

Slide 48

Challenges of this journey
A web product with a global user base
• Customer satisfaction
• Time to market
• Unpredictable load
• Security and compliance
• Cost efficiency
(Photo: Chéserex, Switzerland)

Slide 49

Architecture
Diagram: customers reach the product through a CDN and a load balancer; Amazon Elastic Container Service for Kubernetes worker nodes run in Auto Scaling Groups of on-demand instances and Spot instances across two Availability Zones; Amazon Aurora (DB group) and Amazon ElastiCache in each zone; Amazon Simple Queue Service, Amazon Simple Storage Service (S3) and AWS Direct Connect complete the picture.

Slide 50

23 Pizzas Team
• 8 Developers
• 1 Quality Assurance Engineer
• 1 Lead Architect
• 1 Solution Architect / Automation Engineer
• 1 Product Owner
• 1 Business Analyst
• 1 Agile Coach

Slide 51

Customer Satisfaction, Time to Market
• Fast provisioning and low operational overhead with managed services
• Repeatability and consistency with Infrastructure as Code
• Seamless experience from dev machine to production with Docker

Slide 52

Unpredictable Load
First worldwide launch: design for elasticity and simplicity
• Elastic horizontal workloads with Amazon EKS
• Workers in Auto Scaling Groups with stateless Kubernetes Pods
• CDN and Amazon ElastiCache Redis for caching

Slide 53

Security
• Encryption at rest and in transit with one click by template
• Automated certificate rotation for AWS services
• Accounts centrally managed in IAM

Slide 54

Cost Optimization
• Spot Instances save up to 70-80% compared to On-Demand
• Shut down non-production services in non-business hours
• Purchase Reserved Instances

Slide 55

Timeline
• January 2018: project inception
• March 2018: start with AWS Container Service
• July 2018: installation of self-managed Kubernetes
• January 2019: switch to AWS EKS
• May 2019: go-live

Slide 56

Outcome
• Customers satisfied
• Scalable infrastructure at lower cost than on-premises
• Team ownership from inception to production
• Faster time to market with better quality than traditional deployment
• Reusable infrastructure modules and CI/CD pipelines for future projects

Slide 57

What next
• Evaluation of moving event processing to Amazon Kafka

Slide 58

Q & A
Any feedback is welcome :)
You can reach me on:
• LinkedIn: Brian Bordini
• Twitter: @brnmori

Slide 59

Summary
• Architect wisely (Serverless vs ECS vs EKS vs EC2)
• Running K8s is hard, use a managed K8s service
• AWS App Mesh is free to use and works across compute services

Slide 60

Thank you!
Frank Munz, @frankmunz
https://medium.com/@frank.munz (Blog)
https://speakerdeck.com/fmunz (Slides)