Windows Containers on Amazon ECS (re:Invent 2017, CON324)

Samuel Karp
November 28, 2017

Docker containers are commonly regarded as powerful and portable runtime environments for Linux code, but Docker also offers support for running Windows Server applications in containers.

In this talk, we'll discuss what containers are and why you'd use them, how they work on Windows, and how Windows containers compare to Linux containers.

Transcript

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     AWS re:INVENT
     Windows Containers on Amazon ECS
     Samuel Karp, Senior Software Development Engineer, Amazon ECS
     Chalk Talk CON324
     November 28, 2017
  2. Hello!
     Samuel Karp, Sr. Software Development Engineer
     Amazon Elastic Container Service (focus on Docker and the ECS agent)
     5+ years at Amazon
     GitHub: @samuelkarp
  3. What to expect from this talk
     • A brief introduction to containers
     • Differences between Windows and Linux containers
     • Windows containers in production with Amazon Elastic Container Service (Amazon ECS)
     • Lots of Q&A!
  4. A brief introduction to containers
  5. What is a container?
     • Shared kernel, separate user space
     • Visibility isolation
     • Resource limits
     • Immutable images
     • Shared layers
     • Reproducibility
  6. What can you do with a container?
     • Limit memory and CPU
     • Isolate the file system
     • Share directories and drives optionally
     • Isolate the Windows registry
     • Isolate the network
  7. How layers work
     • Each layer forms a copy-on-write view of your files
     • New files exist only in the top layer
     • When a file is modified, it is copied up to the top layer
     • Unmodified files exist in whatever layer they were added or last modified
     • Deleted files are hidden by the top layer, but still exist in the layer below
     [Diagram: Top layer (read-write) over Intermediate layer (read-only) over Base layer (read-only)]
  8. How layers work
     • Multiple images can share layers if they share ancestry
     • Push layers to a repository
     • Only pull un-cached layers
     • Foreign layers can come from other places
     • Some layers are non-distributable (including Microsoft base layers)
  9. Differences between Windows and Linux containers
  10. Base images
     • Linux base images have a Linux userland, usually somewhat minimal
     • A Linux image can be as small as a single static binary
     • The boundary between userland and the operating system is kernel syscalls
     • Windows base images come from Microsoft in two flavors:
       • Server Core
       • Nano Server
     • A Windows image must build on the Microsoft-provided base images
     • The boundary between userland and the operating system is DLLs and Windows services
  11. microsoft/windowsservercore
     • Minimal installation of Windows Server 2016
     • Windows PowerShell
     • .NET support
     • No graphical applications
     • Great for migrating existing Windows applications to containers
  12. microsoft/nanoserver
     • Smallest base layer available for Windows
     • Only 64-bit applications
     • Optimized for .NET Core applications
     • Windows PowerShell not included by default (as of Windows Server version 1709)
     • Only PowerShell Core is available
  13. Even more base images!
     • microsoft/iis – Internet Information Services (IIS) web server
     • microsoft/dotnet – .NET Core runtime
     • microsoft/aspnet – ASP.NET web application framework
     • microsoft/mssql-server-windows-express and microsoft/mssql-server-windows-developer – Microsoft SQL Server (two different flavors)
  14. Building images
     • The escape character is normally \, but on Windows you can change it to ` with the `# escape=`` parser directive (so backslashes in Windows paths are left alone)
     • RUN defaults to cmd.exe, but you can change this to PowerShell using the SHELL directive
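An added Dockerfile (not from the talk) that uses both directives from this slide together; the base image tag, the app directory, the port and run.ps1 are assumptions:

```dockerfile
# escape=`
# Added example, not from the talk: a Windows Dockerfile using the escape and
# SHELL directives from this slide. App paths, port and base tag are assumed.

# Pin the base image tag to the host's Windows Server release instead of
# :latest, since a newer major release cannot run older base layers.
FROM microsoft/windowsservercore:ltsc2016

# Every following RUN goes through PowerShell instead of cmd.exe, and any
# failing command fails the build rather than leaving a broken layer behind.
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# With escape=` a backslash is an ordinary path character and a trailing
# backtick continues the line, matching PowerShell's own convention.
RUN New-Item -ItemType Directory -Path C:\app\logs -Force | Out-Null; `
    Get-ChildItem C:\app

# Patching: do not run Windows Update here; rebuild from Microsoft's
# updated base image tag instead.
COPY app\ C:\app\
WORKDIR C:\app

# Run the service as the unprivileged built-in account, not ContainerAdministrator.
USER ContainerUser
EXPOSE 80

# JSON-form arguments are parsed as JSON, so backslashes are still doubled here.
ENTRYPOINT ["powershell", "-File", "C:\\app\\run.ps1"]
```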
  15. Patching
     • Microsoft releases updated base images with Windows patches
       • Sometimes incremental layers
       • Sometimes replacing the base layer
     • Running Windows Update in your container is an anti-pattern
  16. Major Windows releases
     • Major revisions of Windows Server may not be able to run images built from previous base layers
     • Windows Server 2016 RS3/1709 cannot run images built for pre-RS3 versions of Windows Server 2016
     • This is likely for RS4/1803 as well
  17. WinNAT network mode
     • Similar to bridge mode on Linux
     • Containers have a private IP address only accessible from the host
     • Cannot access exposed ports via localhost
  18. Resource allocation
     • Memory
       • No overcommitted memory
       • No OOM killer
     • CPU
       • CPU percent/hard limit
     Windows containers need more memory and CPU than Linux containers
  19. Volumes
     • Basic volumes work
       • Mount whole drives (like H:\)
       • Mount folders (like C:\My Folder)
       • Only for folders on the same drive where the container layers are stored
     • Plugins not yet supported
  20. Running Windows containers with Amazon ECS
  21. What can you do with Windows and ECS?
     • Use multiple containers together
     • Placement logic across a cluster
     • Service scheduling and deployment management
     • Application Auto Scaling
     • Load balancer integration
     • AWS Identity and Access Management (IAM)
     • Application logging
     • Instance draining for maintenance
     • Resource constraints (CPU, memory, ports)
     • Placement constraints (attributes, capabilities)
     • Placement strategies (spread, binpack)
     • Automatic spread across Availability Zones (AZs)
  22. How to set up a Windows cluster
     • Use the ECS-optimized Windows AMI [NEW!]
     • Register task definitions to define your applications
     • Enable Amazon EC2 IMDS and ECS task roles in your containers with Windows PowerShell
  23. ECS-optimized Windows AMI
     • Windows Server 2016
     • Modern version of Docker EE
     • ECS agent runs as a Windows service
     • PowerShell module can be used to configure the ECS agent
     • Logs in the Windows Event Viewer
     Launch the ECS-optimized Windows AMI with this user data to configure the ECS agent and join a cluster:
       <powershell>
       Import-Module ECSTools
       Initialize-ECSAgent -Cluster "MyCluster"
       </powershell>
  24. Storing images in Amazon ECR
     • Amazon ECR Credential Helper for Docker to simplify authentication
     • Microsoft base layers are not pushed to Amazon ECR by default
     • Can push base layers to Amazon ECR, but you must comply with the EULA
     To push Microsoft base layers to a registry, you need to enable the --allow-nondistributable-artifacts option on the command line or in the C:\ProgramData\docker\config\daemon.json file like this:
       {
         "allow-nondistributable-artifacts": ["123456789012.dkr.ecr.us-west-2.amazonaws.com"]
       }
  25. Task definitions
     • Most task definition fields that work on Linux work unchanged on Windows
     • Some fields work on Windows, but need changes:
       • Volumes use Windows-style paths
     • Some fields are not supported on Windows:
       • Network mode: only NAT mode is supported
       • Container links
       • Memory reservation/soft limit
       • Privileged
       • ulimits
       • Linux security options
  26. Sample Dockerfile
     Dockerfile:
       # escape=`
       FROM microsoft/windowsservercore:latest
       ADD https://sdk-for-net.amazonwebservices.com/latest/AWSToolsAndSDKForNet.msi AWSToolsAndSDKForNet.msi
       RUN powershell -Command "Start-Process 'msiexec.exe' -ArgumentList '/quiet /i AWSToolsAndSDKForNet.msi' -Wait"
       ADD setup-aws.ps1 setup-aws.ps1
     setup-aws.ps1:
       $EC2_METADATA_ADDRESS = "169.254.169.254"
       # Default gateway of the container's NAT network (lowest route metric wins)
       [string]$gateway = (Get-NetRoute | Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' } | Sort-Object RouteMetric | `
           Select-Object -First 1).NextHop
       # Interface index of the container's Hyper-V virtual NIC
       [int]$ifIndex = (Get-NetAdapter -InterfaceDescription "Hyper-V Virtual Ethernet*" | `
           Sort-Object | Select-Object -First 1).ifIndex
       # Route IMDS traffic out through the NAT gateway so ECS task role credentials can be fetched
       New-NetRoute -DestinationPrefix "$($EC2_METADATA_ADDRESS)/32" -InterfaceIndex $ifIndex -NextHop $gateway
       Import-Module "${env:ProgramFiles(x86)}\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"