Windows Containers on Amazon ECS (re:Invent 2017, CON324)

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Windows Containers on Amazon ECS
S a m u e l K a r p — S e n i o r S o f t w a r e D e v e l o p m e n t E n g i n e e r , A m a z o n E C S
C h a l k T a l k
C O N 3 2 4
N o v e m b e r 2 8 , 2 0 1 7

View Slide

Samuel Karp
Sr. Software Development Engineer
Amazon Elastic Container Service
(focus on Docker and ECS agent)
5+ years at Amazon
GitHub: @samuelkarp
Hello!

View Slide

• A brief introduction to containers
• Differences between Windows and
Linux containers
• Windows containers in production
with Amazon Elastic Container Service
(Amazon ECS)
• Lots of Q&A!
What to expect from this talk

View Slide

A brief introduction to containers

View Slide

• Shared kernel, separate user
space
• Visibility isolation
• Resource limits
• Immutable images
• Shared layers
• Reproducibility
What is a container?

View Slide

• Limit memory and CPU
• Isolate the file system
• Share directories and drives
optionally
• Isolate the Windows registry
• Isolate the network
What can you do with a container?

View Slide

• Each layer forms a copy-on-write view
of your files
• New files exist only in the top layer
• When a file is modified, it is copied up
to the top layer
• Unmodified files exist in whatever
layer they were added/modified
• Deleted files are hidden, but still exist
Top layer
(read-write)
Intermediate
layer (read-
only)
Base layer
(read-only)
How layers work

View Slide

• Multiple images can share layers if
they share ancestry
• Push layers to a repository
• Only pull un-cached layers
• Foreign layers can come from other
places
• Some layers are non-distributable
(including Microsoft base layers)
How layers work

View Slide

Differences between Windows and
Linux containers

View Slide

• Linux base images have a Linux
userland, usually somewhat minimal
• A Linux image can be as small as a
single static binary
• The boundary between userland and
the operating system is kernel syscalls
• Windows base images come from
Microsoft in two flavors:
• Server Core
• Nano Server
• A Windows image must build on the
Microsoft-provided base images
• The boundary between userland and
the operating system is DLLs and
Windows services
Base images

View Slide

• Minimal installation of Windows
Server 2016
• Windows PowerShell
• .NET support
• No graphical applications
• Great for migrating existing Windows
applications to containers
microsoft/windowsservercore

View Slide

• Smallest base layer available for
Windows
• Only 64-bit applications
• Optimized for .NET Core applications
• Windows PowerShell not included by
default (as of Windows Server version
1709)
• Only PowerShell Core is available
microsoft/nanoserver

View Slide

• microsoft/iis – Internet Information
Services (IIS) web server
• microsoft/dotnet – .NET Core runtime
• microsoft/aspnet – ASP.NET web
application framework
• microsoft/mssql-server-windows-
express and microsoft/mssql-server-
windows-developer – Microsoft SQL
Server (two different flavors)
Even more base images!

View Slide

• Normally escaped with \, but you can
change this to ` on Windows with the
#escape parser directive
• RUN defaults to cmd.exe, but you can
change this to PowerShell using the
SHELL directive
Building images

View Slide

• Microsoft releases updated base
images with Windows patches
• Sometimes incremental layers
• Sometimes replacing base
layer
• Running Windows Update in your
container is an anti-pattern
Patching

View Slide

• Major revisions of Windows Server
may not be able to run images built
from previous base layers
• Windows Server 2016 RS3/1709
cannot run images built for pre-RS3
versions of Windows Server 2016
• This is likely for RS4/1803 as well
Major Windows releases

View Slide

• Similar to bridge mode on Linux
• Containers have private IP address
only accessible from the host
• Cannot access exposed ports via
localhost
WinNAT network mode

View Slide

• Memory
• No overcommitted memory
• No OOM killer
• CPU
• CPU percent/hard limit
Windows containers need more memory
and CPU than Linux containers
Resource allocation

View Slide

• Basic volumes work
• Mount whole drives (like H:\)
• Mount folders (like C:\My Folder)
• Only for folders on the same
drive where the container
layers are stored
• Plugins not yet supported
Volumes

View Slide

Running Windows containers with
Amazon ECS

View Slide

• Use multiple containers together
• Placement logic across a cluster
• Service scheduling and deployment
management
• Application Auto Scaling
• Load balancer integration
• AWS Identity and Access Management (IAM)
• Application logging
• Instance draining for maintenance
• Resource constraints (CPU, memory, ports)
• Placement constraints (attributes, capabilities)
• Placement strategies (spread, binpack)
• Automatic spread across
Availability Zones (AZs)
What can you do with Windows and ECS?

View Slide

• Use the ECS-optimized Windows AMI
[NEW!]
• Register task definitions to define
your applications
• Enable Amazon EC2 IMDS and ECS
task roles in your containers with
Windows PowerShell
How to set up a Windows cluster

View Slide

ECS-optimized Windows AMI
• Windows Server 2016
• Modern version of Docker EE
• ECS agent runs as a Windows service
• PowerShell module can be used to configure the ECS agent
• Logs in the Windows Event Viewer
Launch the ECS-optimized Windows AMI with this user data to configure the ECS
agent and join a cluster:

Import-Module ECSTools
Initialize-ECSAgent -Cluster "MyCluster"

View Slide

Storing images in Amazon ECR
• Amazon ECR Credential Helper for Docker to simplify authentication
• Microsoft base layers are not pushed to Amazon ECR by default
• Can push base layers to Amazon ECR, but you must comply with the EULA
To push Microsoft base layers to a registry, you need to enable the
--allow-nondistributable-artifacts option on the command line or in the
C:\ProgramData\docker\config\daemon.json file like this:
{
"allow-nondistributable-artifacts":
["123456789012.dkr.ecr.us-west-2.amazonaws.com"]
}

View Slide

• Most task definition fields that work
on Linux work unchanged on Windows
• Some fields work on Windows, but
need changes:
• Volumes use Windows-style
paths
• Some fields are not supported on
Windows:
• Network mode—only NAT
mode is supported
• Container links
• Memory reservation/soft limit
• Privileged
• ulimits
• Linux security options
Task definitions

View Slide

Dockerfile
# escape `
FROM microsoft/windowsservercore:latest
ADD https://sdk-for-net.amazonwebservices.com/latest/AWSToolsAndSDKForNet.msi AWSToolsAndSDKForNet.msi
RUN powershell –command "Start-Process 'msiexec.exe' –ArgumentList '/quiet /i AWSToolsAndSDKForNet.msi' –Wait"
ADD setup-aws.ps1 setup-aws.ps1
setup-aws.ps1
$EC2_METADATA_ADDRESS = "169.254.169.254"
[string]$gateway = (Get-Net-Route | Where { $_.DestinationPrefix –eq ‘0.0.0.0/0‘ } | Sort-Object RouteMetric | `
Select -First 1).NextHop
[int]$ifIndex = (Get-NetAdapter –InterfaceDescription "Hyper-V Virtual Ethernet*" | `
Sort-Object | Select –First 1).ifIndex
New-NetRoute –DestinationPrefix "$($EC2_METADATA_ADDRESS)/32" –InterfaceIndex $ifIndex –NextHop $gateway
Import-Module "${env:ProgramFiles(x86)}\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"
Sample Dockerfile

View Slide

Q&A

View Slide

Thank you!

View Slide

Windows Containers on Amazon ECS (re:Invent 2017, CON324)

Windows Containers on Amazon ECS (re:Invent 2017, CON324)

Samuel Karp

More Decks by Samuel Karp

Featured

Transcript