containers-on-aws

Transcript

1. AWS Docker Microservices Meetup vol.3 2016/09/08

2. @pottava SUPINF Inc. Docker Administration and Operations (AWS Certified) SA,

   DevOps Engineer Pro 2

3. ޮՌతͳಋೖɾӡ༻ͷͨΊͷ Amazon Web Services ׆༻ೖ໳ 2016/08/01 ίϯςφؔ࿈αʔϏεͰ͋Δ ECSɺECR ͦͷଞ CloudFrontɺACMɺAPI

   Gateway IAMɺAWS WAFɺCloudFormation ॻ͖·ͨ͠ɻ 3

4. http://jawsug-container.connpass.com/ ECS Λத৺ʹɺAWS Ͱͷίϯςφӡ༻Λߟ͍͑ͯ·͢ 4

5. http://jawsug-ai.connpass.com/ AI ΋ϚΠΫϩαʔϏεͱͯ͠औΓࠐΜ͡Ό͍·͠ΐ͏ʂ 5

6. גࣜձࣾεϐϯϑ ΞΠσΟΞΛ͔ͨͪʹʂ + 6

7. https://www.supinf.co.jp/service/dockersupport/ Comfy for Docker ϓϩδΣΫτ΁ͷ Docker ಋೖɾ։ൃࢧԉɾӡ༻؂ࢹ୅ߦΛ͍ͨ͠·͢ɻ ʢGCP / Azure

   ΋΋ͪΖΜରԠ͍ͯ͠·͢ɾɾʣ http://prtimes.jp/main/html/rd/p/000000007.000007768.html 7

8. Ͱ͸ 8

9. ɹAWS (Docker) Containers 9

10. ͓఻͍͑ͨ͜͠ͱ 1. AWS ʹ΋ίϯςφࢧԉػೳͨ͘͞Μ͋ΔΑ 2. ΍Γ͍ͨ͜ͱʹԠ͍ͯ͡ΖΜͳߏ੒͋Γ·͢ 10

11. ͓࿩͢͠Δ͜ͱ 1. AWS ͷίϯςφؔ࿈αʔϏε֓ཁ 2. جຊతͳߏ੒ɾߋ৽ྫ 2.1. ECSɻ 2.2. ElasticBeanstalkɻ

    2.3. CodeDeployɻ 3. AWS ͷϚΠΫϩαʔϏεࢧԉαʔϏε 4. ϑΣʔζผͷߏ੒ྫɾࣄྫ 4.1. ։ൃ؀ڥ 4.2. ධՁ؀ڥ 4.3. ຊ൪؀ڥ 11

12. 1. AWS ͷίϯςφؔ࿈αʔϏε֓ཁ 12

13. EC2 Amazon Elastic Compute CloudɻԾ૝αʔόɻ [ Ϣʔεέʔε ] • Docker

    ͷ swarm Ϟʔυ΍ Kubernetes Λ࢖͍͍ͨ • Docker ϨδετϦΛࣗલͰӡ༻͍ͨ͠ • อक೿ʢʁʣओʹ SSH ଒ͷओઓ৔ɻ [ ಛ௃ ] • Ϋϥελ؅ཧπʔϧ෼ɺαʔόىಈ਺↑ӡ༻ෛՙ↑ • ͱ͸͍͑ɺͳΜͰ΋Ͱ͖Δ. 13

14. ECS EC2 Container Serviceɻίϯςφ؅ཧɻ [ Ϣʔεέʔε ] • λεΫ͝ͱͷద੾ͳݖݶઃఆ +

    εέʔϧ΋ AWS ʹ೚͍ͤͨ • ࠷େݶϦιʔεΛޮ཰తʹ࢖͍ɺۃྗίετΛ཈͍͑ͨ. [ ಛ௃ ] • Ϛωʔδυ͞ΕͨΫϥελʔϚωʔδϟɻӡ༻ෛՙ͕௿͍. • Service Auto Scaling ΍ AZ Λҙࣝͨ͠ ࣗಈεέʔϧ • ALB ͱͷ૊Έ߹ΘͤͰಈతϙʔτϚοϐϯά࣮ݱ • λεΫεέδϡʔϥΛࣗ༝ʹೖΕସ͑ΒΕΔ. 14

15. name EC2 Container Service (ECS) Google Container Engine (GKE) Azure

    Container Service (ACS) based on - Kubernetes DC/OS or Docker swarm unit λεΫ Pod Service 15 ࢀߟʣίϯςφ؅ཧ͓͓·͔ͳൺֱ

16. ElasticBeanstalk (EB) Heroku తͳࢠɻ [ Ϣʔεέʔε ] • ίϯςφ΋طଘͷ EB

    ΞϓϦಉ༷ʹӡ༻͍ͨ͠ [ ಛ௃ ] • ECS ͷλεΫͱ࣮ͯ͠ߦ͞ΕΔ → ECS ͷΑ͞ΛҰ෦׆͔ͤΔ • ҰํͰ ECS ͷλεΫఆٛɺίϯςφ਺্ݶ 10 ʹΑΔ੍໿ • ElasticBeanstalk ͷ֤छػೳ͕࢖͑Δʂ؀ڥΫϩʔϯͳͲ • εέʔϧ͸αʔό୯Ґ. 16

17. ALB / ELB Application Load Balancer (L7) / Elastic Load

    Balancing (L4, L7)ɻϩʔυόϥϯαɻ [ Ϣʔεέʔε ] • ίϯςφͷલʹ͓͖͍ͨ • ECS ͷಈతϙʔτϚοϐϯάΛ࢖͍͍ͨ ( ALB ) • DC/OS ΍ Docker for AWS ͳͲͰ؅ཧϊʔυ΁ͷ HTTPS, SSH [ ಛ௃ ] • ٸܹͳෛՙ͕༧૝͞ΕΔͱ͖͸ஆؾਃ੥ • VPC ಺෦ͷϩʔυόϥϯαͱͯ͠΋࡞੒Մೳ NEW 17

18. ECR EC2 Container RegistryɻDocker ϨδετϦɻ [ Ϣʔεέʔε ] • Docker

    Hub ͷ଎౓͕ෆຬɻ౦ژʹ΄͍͠ʂ • ΞΫηε੍ޚ͍͚ͨ͠Ͳࣗલ؅ཧ͸ݏ. [ ಛ௃ ] • Ϛωʔδυ͞Εͨ Docker ϨδετϦɻӡ༻ෛՙ͕௿͍. • IAM ͱ౷߹͞Ε͍ͯͯɺΞΧ΢ϯτ/Ϣʔβࢦఆͷղ์ָ͕ • ΦϑΟε΍ GCP ͳͲ AWS ֎͔Β΋ར༻Մೳ • github.com/awslabs/amazon-ecr-credential-helper 18

19. S3 ߴػೳͳετϨʔδαʔϏεɻϑΝΠϧஔ͖৔ɻ [ Ϣʔεέʔε ] • docker save Ͱੜ੒Ͱ͖Δ tar

    ΞʔΧΠϒͷอ؅ɾ഑෍ ʢDocker ΠϝʔδͰ͸഑෍͠ʹ͍͘ঢ়گͳͲͰͱͯ΋ศརʣ • ൿಗ৘ใΛอ؅ɾ഑෍͍ͨ͠. • ίϯςφ֎ʹӬଓԽ͍ͨ͠σʔλ͕͋Δ. [ ಛ௃ ] • σʔλͷ҉߸ԽΦϓγϣϯ͕๛෋. • IAM ͱͷ࿈ܞͰίϯςφ͔ΒͷΞΫηε੍ޚ΋༰қ 19

20. CodeDeploy σϓϩΠࣗಈԽͷΈʹಛԽͨ͠αʔϏεɻ [ Ϣʔεέʔε ] • docker pull ͚ͩͰͳ͘ɺsave &

    load ΋࢖͍͍ͨ • ωΟςΠϒͳ docker-compose ΍ swarm ͰσϓϩΠ͍ͨ͠ • σϓϩΠલޙʹ͋Μͳॲཧ΍͜ΜͳॲཧΛؾܰʹ͸͞Έ͍ͨ [ ಛ௃ ] • ΦϯϓϨʹ͋Δαʔόʹରͯ͠΋࢖͑Δ • Healthy Ͱ͍ͯ΄͍͠ ୆਺ / ׂ߹ Λࢦఆͯ͠σϓϩΠ 20

21. 2. جຊతͳߏ੒ɾߋ৽ྫ 21

22. ECS 22 ࠷খߏ੒: ECR ECS EC2 Ϣʔβ

23. ECS 23 ؀ڥߋ৽: ECR ECS EC2 ᶃ docker push ᶄ

    λεΫఆٛߋ৽ & ɹ Service ߋ৽ͳͲ ᶅ ΤʔδΣϯτʹࢦࣔ ΤϯδχΞ Ϣʔβ ᶆ docker pull ᶇ σϓϩΠ

24. ECS with ALB / ELB AWS CLI Ͱͷߋ৽ྫɻʢECS CLI ͸ݱঢ়ಛఆ༻్͔ͳ..ʣ

    1. docker build & push > ECR etc..ɻ 2. λεΫఆٛॻ͖׵͑ 3. aws ecs register-task-definitionɻ 4. aws ecs update-serviceɻ εέʔϧͤ͞ΔͳΒϩʔυόϥϯαΛɻ ECS ͸αʔϏεσΟεΧόϦ΋ ALB / ELB Ͱߦ͏ࢥ૝ɻ 24

25. ECS: ಈతϙʔτϚοϐϯά • λεΫఆٛ ͷ Host ଆ Port ʹ 0

    Λࢦఆ • Service ͷϩʔυόϥϯαʹ ALB Λࢦఆ • ίϯςφଆ Port ͱҰக͢Δ TargetGroup ΛׂΓ౰ͯ NEW 25

26. • ͨͱ͑ EC2 ͕ 1୆Ͱ΋ɺService DesiredCount > 1 Մೳ •

    ྫ͑͹ 5 ʹ͢Δͱ͜͏ͳΔ • TargetGroup ͷ Targets ΋ݡ͘ɺউखʹ͜͏ͳΔ ECS: ಈతϙʔτϚοϐϯά NEW 26

27. ײ૝ • Port ͕λεΫεέδϡʔϧ্ͷ੍໿͔Β֎Εͨʂʂ • ཁ݅ʹԠͯ͡ docker swarm (+ CodeDeploy)

    ͱൺֱݕ౼ - ͍ͣΕ΋ແఀࢭͰͷϩʔϦϯάΞοϓσʔτ͕Մೳ - ͨͱ͑ EC2 1୆Ͱ͋ͬͯ΋ʂ • ͍ͭʹ͜ͷ೔͕དྷͨɻ • ײྦ ECS: ಈతϙʔτϚοϐϯά NEW 27

28. ElasticBeanstalk 28 ࠷খߏ੒: EC2 ECR EB ECS Ϣʔβ

29. ElasticBeanstalk 29 ؀ڥߋ৽: EC2 ECR EB ᶃ docker push ΤϯδχΞ

    Ϣʔβ ᶈ docker pull ᶉ ϩʔϦϯά Ξοϓσʔτ S3 ᶄ S3 ʹ bundle.zip సૹ ᶅ όʔδϣΞοϓ & ؀ڥߋ৽ ʢEB ͷߋ৽ύλʔϯ͸ෳ਺ʣ ECS ᶆ λεΫߋ৽ ᶇ ΤʔδΣϯτ ɹʹࢦࣔ

30. ElasticBeanstalk: ෳ਺ίϯςφ؀ڥ AWS CLI Ͱͷߋ৽ྫɻʢEB CLI ͳΒߋʹγϯϓϧʣ • source-bundleɻ -

    .ebextensionsɻ - foo.configɻ - bar.configɻ - Dockerrun.aws.json : ඞཁʹԠͯ͜͡ΕΛͭΒͭΒॻ͖׵͑.. 1. source-bundle Λ zip ͰݻΊͯ S3 ʹసૹ 2. aws elasticbeanstalk create-application-versionɻ 3. aws elasticbeanstalk update-environmentɻ 30

31. ElasticBeanstalk: ෳ਺ίϯςφ؀ڥ EB × Dockerɺ͚ͬ͜͏͸·Δਓଟ͍ʁ • CloudInfra Podcast ( https://cloudinfra.audio/

    ) #nobolycloud ͷ Track 8 ͸ ෳ਺ίϯςφ Docker ؀ڥͷͭΒΈ͕ޠΒΕ͍ͯΔ.. • ࣾ಺Ͱ͋ͬͨ͸·Γࣄྫ: - λεΫʹఆٛͰ͖Δίϯςφ਺্ݶ 10 ɹˠ ࢒ΓΛಉ͡ϗετ্ʹखಈ / ECS Ͱىಈ ɹˠ EB ͷσϓϩΠ͕ 2 ճʹ 1 ճίέΔ - AWS CLI ͔Βͷ EB ॳճ࡞੒࣌ɺγϯάϧΠϯελϯεΛ ɹɹ ࢦఆ͍ͯ͠Δͷʹ ELB ͕ੜ੒͞ΕΔ͜ͱ͕͋ΔʢṖʣ • EB ͷ AutoScale ͸ ECS ͷΑ͏ʹΫϥελج४Ͱ͸ͳ͘ɺ(ry 31

32. CodeDeploy 32 ࠷খߏ੒: EC2 S3 CodeDeploy Ϣʔβ

33. CodeDeploy 33 ؀ڥߋ৽: EC2 S3 CodeDeploy ᶃ docker save ͨ͠

    tar ͱ ɹ appspec.yml Λసૹ ᶄ CodeDeploy ʹ ɹ S3 ར༻ͷσϓϩΠΛࢦࣔ ᶅ ΤʔδΣϯτʹࢦࣔ ΤϯδχΞ Ϣʔβ ᶆ σʔλऔಘ ᶇ σϓϩΠ

34. CodeDeploy with docker ؀ڥߋ৽ͷجຊɻ 1. CircleCI ΍ GitLab CI Ͱಛఆϒϥϯνʹ

    push / λά͕͍ͭͨΒ 2. Docker Πϝʔδੜ੒ͯ͠ɺςετ͕௨ͬͨΒ - docker save ͨ͠ tar ࠐΈͰ CodeDeploy ༻ͷ S3 ʹసૹ - ·ͨ͸ ECR ʹ docker push + appspec.yml ͳͲΛ S3 ʹసૹ 3. CodeDeploy ʹσϓϩΠࢦࣔ 4. ApplicationStop ϑοΫͰ docker rm -f name 2>/dev/null || true 5. ApplicationStart ϑοΫͰ docker load / run -d -p 80:80 .. 34

35. CodeDeploy with docker-compose 35 ϩʔΧϧͱಉ͡ؾ͕ܰ͞΄͍͠ɻ 1. ಉ্ 2. docker-compose.yml ΋

    zip ʹೖΕͯ S3 ʹసૹ 3. ಉ্ 4. ApplicationStop ϑοΫͰ docker-compose rm -f 5. ApplicationStart ϑοΫͰ docker-compose up -d

36. EC2 1୆Ͱ΋ແఀࢭΞοϓσʔτ͍ͨ͠ɻ 1. ಉ্ 2. with docker ͱಉ༷ 3. ಉ্

    4. ApplicationStop ෆཁ 5. ApplicationStart ϑοΫͰ - ͢ͰʹՔಇαʔϏε͕͋Ε͹ docker service update ʢ͜ͷͱ͖ docker ΠϝʔδΛ࠷৽ʹߋ৽͢ΔͨΊͷ޻෉Λʂʣ ʢECR ͳΒ @sha256:.. Ͱͷϋογϡࢦఆ͕ݸਓతʹ͸Φεεϝʣ - ͳ͚Ε͹ docker service create --name web -p 80:80 --replicas 2 .. CodeDeploy with docker swarm 36

37. CodeDeploy ಋೖ Tips 37 • CI αʔό༻ͷ IAM Ϣʔβʹ͸ -

    https://circleci.com/docs/continuous-deployment-with-aws-codedeploy/ ɻ - ECR Λܦ༝͢Δ৔߹͸͜͜ͷ IAM ʹ ECR ͷ؅ཧݖݶΛ௥Ճ • CodeDeploy ͷσϓϩΠʹ S3 Λ࢖͏ͱ͖͸ - EC2 ʹ AmazonS3ReadOnlyAccess ͳͲͷϩʔϧΛ • CodeDeploy ͷσϓϩΠʹ ECR Λ࢖͏ͱ͖͸ - EC2 ʹ AmazonEC2ContainerRegistryReadOnly ͳͲͷϩʔϧΛ - github.com/awslabs/amazon-ecr-credential-helper ɻ - github.com/pottava/dockerized-ecr-credential-helper ɻ • Docker swarm ϞʔυΛ࢖͏ʹ͸ - Docker 1.12 ͕ඞཁͳͨΊɺAMI ʹ͸ CentOS 7 / Ubuntu 14.04 ͳͲΛ

38. 3. AWS ͷϚΠΫϩαʔϏεࢧԉαʔϏε ʢݸਓతղऍʹجͮ͘ʣ 38

39. ߴػೳͳίϯςϯπ഑৴ɻ [ ໾ཱͭػೳ ] • ៛ີʹઃఆͰ͖ΔΩϟογϡઃఆ • cookie ΛؚΉಈతίϯςϯπʹ΋҆৺ͯ͠࢖͑Δઃܭ •

    ෳ਺ΦϦδϯͰɺϚΠΫϩαʔϏεΛ౷߹Ͱ͖Δ [ ಛ௃ ] • ͱʹ͔͘ߴ଎ʹϨεϙϯε͢ΔͨΊͷ๛෋ͳػೳ ʢੈքதͷΤοδϩέʔγϣϯɺΩϟογϡɺTCPɾTLS ࠷దԽͳͲʣ CloudFront 39

40. ࠓேൃදɺɹॕ HTTP/2 ରԠ CloudFront 40 NEW

41. ར༻ྫ: CloudFront AWS WAF CloudFront ACM ECS / ElasticBeanstalk ELB

    / ALB EC2 https://www.service.com/ https://assets.service.com/ ʢSSL / TLS ূ໌ॻʣ ʢCDNʣ ʢίϯςφΫϥελ؅ཧʣ ʢϩʔυόϥϯαʣ ʢԾ૝αʔόʣ S3 AWS Lambda ʢ੩తϑΝΠϧʣ ʢؔ਺࣮ߦج൫ʣ API Gateway ʢAPI ؅ཧʣ ʢWeb ΞϓϦέʔγϣϯϑΝΠΞ΢Υʔϧʣ * https://api.service.com/v1/mobies/ https://api.service.com/v1/users/ 41

42. API Gateway API ͷͨΊͷଟ༷ͳػೳΛ΋ͬͨήʔτ΢ΣΠɻ [ ໾ཱͭػೳ ] • ෳ਺ͷ API

    Λ·ͱΊΔΧελϜυϝΠϯػೳ • IAMɺLambdaɺCognito UserPools ͷ͍ͣΕ͔ʹΑΔೝՄ • API ΩʔผͷεϩοτϦϯάͱϦΫΤετΫΥʔλ੍ݶ • Τϥʔ࣌ͷࢦ਺ؔ਺తޙୀΞϧΰϦζϜʹ΋ରԠͨ͠ SDK ͷ഑෍ ref) http://docs.aws.amazon.com/ja_jp/general/latest/gr/api-retries.html [ ಛ௃ ] • CI / CD Ͱ΋҆৺ͷϥΠϑαΠΫϧ؅ཧ • ख࡞ۀͰͷઃఆ͸ͭΒ͍ɻSwagger.. 42

43. ར༻ྫ: AWS WAF CloudFront ACM ECS / ElasticBeanstalk S3 ELB

    / ALB EC2 ʢԾ૝αʔόʣ API Gateway AWS Lambda ʢؔ਺࣮ߦج൫ʣ API Gateway ʢAPI ؅ཧʣ * *αʔϏεϓϩΩγɻDynamoDB ͷ GetItem ΍ PutItem ͳͲ IAM ͷ actions Ͱݟ׳Εͨ AWS ֤αʔϏεͷΞΫγϣϯΛ API Gateway ͔Β௚઀ୟ͚Δػೳɻ ʢϩʔυόϥϯαʣ https://api.service.com/v1/mobies/ https://api.service.com/v2/users/ https://api.service.com/v1/users/ 43

44. Serverless ͷՐ෇͚໾ɺFunction as a Serviceɻ [ ໾ཱͭػೳ ] • Cognito

    Sync ΍ CloudWatch Logs ͳͲ͔Βͷ࣮ߦ • εέδϡʔϧ࣮ߦ [ ಛ௃ ] • Մ༻ੑ΍εέʔϥϏϦςΟ͸ AWS ʹ͓೚ͤ • ରԠαʔόϨεϑϨʔϜϫʔΫଟ਺ɻซ༻ΦεεϝͰ͢ • ެࣜ: ChaliceʢPythonʣ/ Flourishʢެ։଴ͪ..ʣ • Serverless: API Gateway ͱ૊Έ߹Θͤ HTTP αʔόΛ؆୯ʹ࡞ΕΔ • Apex: Go ݴޠͰ΋ॻ͚ΔɻLambda ͷΈͷ؅ཧ • Lamvery: KMS ରԠ͍ͯͯ͠ૉఢ Lambda 44

45. Ϣʔβ؅ཧ͸ʁ 45

46. Ϣʔβ؅ཧ΍ೝূɺϢʔβσʔλͷσόΠεؒಉظɻ [ ໾ཱͭػೳ ] • UserPools: AWS ϚωʔδυͳϢʔβ؅ཧػೳ • Federated

    Identities: ID ϓϩόΠμΛ௨ͨ͡ AWS Ϧιʔε΁ͷ҆શͳΞΫηε • Sync: ϢʔβσʔλͷอଘɺσόΠεؒͰಉظ [ ಛ௃ ] • ֎෦ ID ϓϩόΠμʢFacebook ͳͲʣͱ؆୯ʹ࿈ܞͰ͖Δ • Lambda Λ࢖͍ॊೈʹΧελϚΠζͰ͖Δ Cognito 46

47. Cognito Cognito UserPools ະೝূ Facebook Google+ Twitter Amazon.com .. Federated

    Identities Authenticated Unauthenticated NEW Cognito Streams Cognito Events ϓογϡಉظ 47

48. .. Cognito Federated Identities ͍ͣΕ͔ͰϩάΠϯͨ͠Β ↓ ະϩάΠϯͳΒ ↓ AWS Ͱ͜Ε࢖͍͍ͬͯΑʂ

    AWS Ͱ͜Ε࢖͍͍ͬͯΑʂ มΘͬͨϢʔβσʔλ͸ ͜ΕͩΑ Ϣʔβσʔλ͕ มߋ͞ΕͨΑʂ ଞͷσόΠεʹ σʔλಉظͯ͠ʂ Authenticated Unauthenticated 48

49. ར༻ྫ: AWS WAF CloudFront ACM ECS / ElasticBeanstalk S3 ELB

    / ALB EC2 Cognito Cognito ͱ࿈ܞͯ͠Ϣʔβ৘ใऔಘ AWS Lambda Cognito ͱ࿈ܞ API Gateway CognitoʢϢʔβೝূɾ؅ཧʣ * https://www.service.com/ https://api.service.com/v1/mobies/ https://api.service.com/v2/users/ https://api.service.com/v1/users/ Cognito Ͱೝূ͞Εͨਓ͚ͩڐՄʂ *αʔϏεϓϩΩγɻDynamoDB ͷ GetItem ΍ PutItem ͳͲ IAM ͷ actions Ͱݟ׳Εͨ AWS ֤αʔϏεͷΞΫγϣϯΛ API Gateway ͔Β௚઀ୟ͚Δػೳɻ 49

50. Cognito UserPools ʹΑΔೝূɻϢʔβ৘ใͷอ؅΋҆৺ɻ Ϣʔβొ࿥ αΠϯΠϯ ύεϫʔυมߋ ʢฐࣾࣄྫʣ 50

51. AWS Ϧιʔε΍ΞϓϦέʔγϣϯͷϞχλϦϯάɻ [ ໾ཱͭػೳ ] • ΞϥʔϜ: ECS ͷ Service

    Auto Scaling ͕ઃఆͰ͖Δ • CloudWatch Logs: Docker ͷϩάυϥΠόʹରԠࡁɺͱͯ΋ศར • Events: ಛఆͷλΠϛϯάͰ Lambda ΛىಈͰ͖Δ [ ಛ௃ ] • ϝτϦοΫεσʔλͷอଘظؒ͸ 2 िؒ • Logs ͷอ࣋ظؒ͸σϑΥϧτͰ͸ແظݶ CloudWatch 51

52. IAM AWS ϢʔβͱϦιʔε΁ͷણࡉͳΞΫηε੍ޚɻ [ ໾ཱͭػೳ ] • ݖݶ؅ཧʢEC2 Πϯελϯε /

    ECS λεΫ୯ҐͰ੍ޚՄೳʣ • Cognito ΍ API Gateway Λซ༻͠ɺαʔϏε΁ͷΞΫηεΛ੍ޚ [ ಛ௃ ] • ΄ͱΜͲͷ AWS αʔϏε͕ IAM ʹରԠࡁ • Policy Simulator ΍ΞΫηεΞυόΠβͰΑΓηΩϡΞͳઃఆ΁ 52

53. σʔλͷ҉߸Խʹ࢖͏Ωʔͷ؅ཧɻ [ ໾ཱͭػೳ ] • ൿಗ৘ใͷ؅ཧʢ+ DynamoDB → github.com/fugue/credstash etc.

    ʣ • ҉߸ԽΩʔ ID ͷΈΛ؀ڥม਺Ͱίϯςφʹ౉͢ͳͲ [ ಛ௃ ] • 伴Λ࢖͏ݖݶͷͳ͍ਓ͔Β৘ใΛकΔ͜ͱ͕Ͱ͖Δ • CloudTrail Λ༗ޮʹ͢Ε͹ɺΩʔͷ࢖༻΋͢΂ͯϩάʹ࢒Δ KMS 53

54. 4. ϑΣʔζผͷߏ੒ྫɾࣄྫ Suzie Prince Head of Product, ThoughtWorks Products 54

55. ϩʔΧϧ։ൃ؀ڥ: ໌೔.. http://m3-engineer.connpass.com/event/36062/ ʮ։ൃ؀ڥͷ Docker Խύλʔϯूʯ@pottava 55

56. ͲΜͳ؀ڥͰ΋ɺئΘ͘͸ • Ҋ݅͝ͱʹՄ༻ੑɾΞΫηε੍ޚɾίετͳͲͰߏ੒ΛܾΊ͍ͨ • Infrastructure as Code ͳɺόʔδϣϯ؅ཧ͞Εͨੈքʹ͍ͨ͠ • Πϯϑϥ΋ΞϓϦ΋

    git push Ͱ؀ڥߋ৽͍ͨ͠ ɹʢͨͩ͠Πϯϑϥͷ͢΂ͯΛɺͱ͸ݴΘͳ͍ʣ • No more SSHɻ • ֤ਓͷ໾ׂʹԠͯ͡ɺ΍ΕΔ͜ͱΛ੍ݶ͍ͨ͠ → IAM Role • ୭͕ԿΛͨ͠ͷ͔೺Ѳ͍ͨ͠ → CloudTrail 56

57. ҎԼɺҰྫ 57

58. ։ൃ؀ڥ • Մ༻ੑɿଟগͷμ΢ϯλΠϜ͸ڐ༰͢Δ • ΞΫηε੍ޚɿҰൠެ։͸͠ͳ͍ɺϓϩδΣΫτʹΑͬͯ͸ෳࡶ • ίετɿ࠷খߏ੒Ͱ͓ئ͍͠·͢ɻ 58

59. ։ൃ؀ڥ ฐࣾࣄྫ: ECS ෳ਺ϓϩδΣΫτɺςετ؀ڥ΋ಥͬࠐΈ΍͍͢ɻ • ALB / ELB ͸࢖ΘͣɺEC2 1୆ߏ੒

    • Minimum healthy percent: 0, Maximum percent: 100 Ͱμ΢ϯڐ༰ 59 EC2 ᶃ ߋ৽ࢦࣔ ᶄ docker pull ECS ECR

60. ։ൃ؀ڥ ฐࣾࣄྫ: ElasticBeanstalk EB ʹ׳Ε͍ͯΕ͹ൺֱతಋೖ͠΍͍͢Ͱ͢ɻ • ECS Λϥοϓͯ͠Ӆṭ͍ͯ͠ΔͷͰɺֶशίετ͸Ұݟ௿͍ • τϥϒͬͨ࣌ͳͲ

    ECS ίϯιʔϧ݁ہ։͘͜ͱ͸͠͹͠͹.. 60 EB ᶃ λεΫߋ৽ EC2 ᶄ ߋ৽ࢦࣔ ᶅ docker pull ECS ECR

61. ։ൃ؀ڥ ฐࣾࣄྫ: CodeDeploy ΘΓͱͳΜͰ΋Ͱ͖Δ͕ɺγΣϧܳײ͸൱Ίͳ͍ɾɾ • ϩʔΧϧ؀ڥಉ༷ docker-compose ͕ͦͷ··࢖͑Δͷ͏Ε͍͠ • The

    Twelve-Factor App ײɺߴΊΒΕΔɻߴ·Δʔ • ັ࿭ͷΦϯϓϨར༻.. 61 S3 CodeDeploy EC2 ᶃ ߋ৽ࢦࣔ ᶄ σʔλऔಘ

62. ຊ൪؀ڥ • Մ༻ੑɿ௒ॏཁɻσϓϩΠ࣌΋μ΢ϯλΠϜ͸ڐ༰͠ͳ͍ • ΞΫηε੍ޚɿηΩϡϦςΟରࡦɺAPI ܥͷೝূɾೝՄ • ίετɿϩʔυόϥϯα΍ࣗಈεέʔϧ΋ߟྀʹೖΕͯ OK 62

63. ຊ൪؀ڥ ฐࣾࣄྫ: ECS + ALB ಈతϙʔτϚοϐϯάͰߋʹίετ࡟ݮͰ͖·ͨ͠ɻ • ίϯςφ഑ஔ্ɺϙʔτ໰୊͕௕೥ͭΒ͔ͬͨ → ղফʂ

    • ϩά͸ϩάυϥΠόܦ༝Ͱ͢΂ͯ CloudWatch Logs ʹ 63 EC2 ECR ALB ECS S3 CloudWatch CloudFront AWS WAF + ACM +

64. ຊ൪؀ڥ ฐࣾࣄྫ: Microservices AWS ͷϚωʔδυαʔϏεΛଟ༻ɻ • CognitoɺLambdaɺAPI GatewayɺKinesisɺSES • ALB

    ͷύεϕʔεϧʔςΟϯάʢ /auth ͷΈผαʔϏεͳͲʣ • ίϯςφىಈ࣌ʹ౉͢؀ڥม਺ͰڍಈɺԠ౴Λ੍ޚ • Sentry ͳͲΤϥʔτϨʔεख๏͸ΫοΫύου͞ΜΛࢀߟʹ 64

65. ຊ൪؀ڥ ฐࣾࣄྫ: DC/OS (Mesos) ෳࡶͳ಺෦௨৴ʹ͸ ELB Ҏ֎ͷબ୒ࢶ΋ɻ • ELB ͷ࣍ϨΠϠʹ

    Marathon-LBɺͦͷԼʹϚΠΫϩαʔϏε • Marathon-LB: ϗετ໊΍ HTTP ϔομͰϧʔςΟϯά • ͍ۙকདྷ GPU ରԠͷਪ࿦ϚΠΫϩαʔϏε΋౤ೖͨ͘͠.. ʢECS Ͱ΋Ͱ͖Δ͕.. ઌ೔ Apache Mesos v1.0 ౸ୡɺGPU ਖ਼ࣜαϙʔτʣ 65 Master ELB Public Agent Private Agent

66. AWS ެࣜͰͷࣄྫ 66

67. • ΫϨδοτΧʔυ΍ॅ୐ϩʔϯʹڧΈΛ΋ͭΞϝϦΧͷۜߦɻ • ALB Ͱ API Λ·ͱΊͨΓɺίετ࡟ݮͰ͖ͨ࿩ɻݩʑ AWS Ϣʔβɻ Capital

    OneʢECS + ALB ࣄྫʣ 67 https://aws.amazon.com/jp/blogs/compute/microservice-delivery-with-amazon-ecs-and-application-load-balancers/

68. • ੈքதͷେֶͱڠྗɺ͍͔ͭ͘ΛແঈͰΦϯϥΠϯ্ʹఏڙ͍ͯ͠Δɻ • δϣϒΛ Docker ͰϚΠΫϩαʔϏεʹ෼ׂɺECS Ͱεέδϡʔϧɻ CourseraʢECS ࣄྫʣ 68

    https://aws.amazon.com/jp/solutions/case-studies/coursera-ecs/

69. • EC αΠτͷʮ͜ͷ঎඼Λങͬͨਓ͸͜Μͳ঎඼΋஫໨͍ͯ͠·͢ʯ • σΟʔϓϥʔχϯάͷ OSS * ͚ͩͰͳ͘ɺࣗࣾͷߏ੒΋ࣄྫެ։ɻ Amazon.comʢECS +

    EMR ࣄྫʣ 69 http://aws.typepad.com/sajp/2016/07/generating-recommendations-at-amazon-scale-with-apache-spark-and-amazon-dsstne.html * Amazon DSSTNE: https://github.com/amznlabs/amazon-dsstne

70. ֤ϗετͰඞͣىಈ͍ͤͨ͞ίϯςφ͕͋Δ ʢϞχλϦϯάɺvolume / network ϓϥάΠϯͳͲʣ [ AWS αʔϏε ] •

    ECS: UserData ಺Ͱ aws ecs start-task Λར༻ ref) http://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/start_task_at_launch.html • ElasticBeanstalk: جຊతʹͦ͏ಈ͘ [ ͦͷଞ ] • Docker swarm Ϟʔυ: --mode global ͰαʔϏεੜ੒ • Mesos/Marathon: UNIQUE ੍໿Λ͚ͭͯαʔϏεੜ੒ • Kubernetes: DaemonSet Λ࢖͏ ࢀߟʣon every node 70

71. ࢀߟʣAWS Ͱͷ DevOps • ܧଓతσϓϩΠ • AWS API Λ࢖ͬͯࣗલ CI

    αʔό͔Βͷࣗಈద༻ • Code 3ܑఋͱ֎෦αʔϏε࿈ܞ • αʔϏε͸མͪΔ • Route53ɺALB / ELB ͰͷϔϧενΣοΫ • CloudFront ΍ S3 ͰͷιʔϦʔ / Τϥʔϖʔδઃఆ • ECSɺAutoScaling Ͱͷࣗಈ෮چ • ΠϯϑϥϨΠϠ΋Πϛϡʔλϒϧʹ • CloudFormation ςϯϓϨʔτ / αʔυύʔςΟπʔϧ܈ • ECSɺElasticBeanstalkɺAPI Gateway ͳͲͷόʔδϣχϯά • ΠϯϑϥϨΠϠ΋ Docker Λҙࣝ͢Δ • IAMʢಛʹϩʔϧʣ/ VPC / SecurityGroup ͷݟ௚͠ • ϚωʔδυαʔϏεͷಋೖ 71

72. • Docker ࣾ੡ɺAWS ༻ swarm Ϋϥελಋೖπʔϧɻεέʔϧ΋؆୯ɻ • αʔϏεΛఆٛ͢Δͱ ELB ͷ֘౰ϙʔτ͕ͦΕʹࣗಈ௥ਵ͢Δʂ

    • ଍Γͳ͍ͱ͜Ζ͸ΈΜͳͰ Docker ࣾʹཁ๬Λʙ ࢀߟʣDocker for AWS 72

73. ͝૬ஊ͸͓ؾܰʹͪ͜Β·Ͱ.. <