Containers on AWS: slides from the event with Steamhaus and AWS

Transcript

1. July 2019 Containers – BEST PRACTICES

2. ABOUT ME Chris Merrett • Co-founder and lead cloud architect

   at steamhaus • Based in manchester • 16 years industry experience

3. My Talk Today Containers on AWS – Best Practices •

   Best practices for building container images • Information and advice REGARDING ECS • Information and advice REGARDING EKS • Which service should I pick to run my containers?

4. BUT FIRST!

5. CONTAINERS - best practices

6. CONTAINERS - best practices ONE IMAGE FOR ALL ENVIRONMENTS

7. CONTAINERS - best practices Make use of build arguments to

   add flexibility

8. CONTAINERS - best practices Make use of environment variables

9. CONTAINERS - best practices Keep secrets and environment-specific code out

   of your images

10. CONTAINERS - best practices Integrate, rebuild, test and deploy often

11. CONTAINERS - best practices Keep your dependencies up to date

12. CONTAINERS - best practices Set up automated STATIC IMAGE scanning

    and reporTING

13. CONTAINERS - best practices Avoid running your container processes as

    root

14. CONTAINERS - best practices Avoid mounting host directories within containers

15. CONTAINERS - best practices RUN CONTAINER IMAGES READ- ONLY BY

    DEFAULT

16. CONTAINERS - best practices Consider multi-stage builds for security and

    cleanliness

17. CONTAINERS - best practices # Here, our initial stage is

    for builds and compilation # We're using one of our stable OS builds as the base FROM acmecorp/acmeos:stable as build # Accept a build argument, in this case the content of our selected # private key as some our dependencies are in private repos ARG SSH_PRIV_KEY # Authorize SSH Host RUN mkdir -p /root/.ssh && \ chmod 700 /root/.ssh && \ ssh-keyscan github.com > /root/.ssh/known_hosts # Add the key and set permissions # We don't want any trace of this in our final image! RUN echo "$SSH_PRIV_KEY" > /root/.ssh/id_rsa && \ chmod 600 /root/.ssh/id_rsa COPY . /app WORKDIR /app # This will be able to successfully pull our dependencies from private repos # due to the presence of our private key RUN composer install --working-dir=/app --no-dev --prefer-dist --optimize-autoloader # Our final stage is a CLEAN environment born of our stable OS image FROM acmecorp/acmeos:stable as final # Here we copy our artifact from our build layer. The SSH key and everything # else we did in the previous layer is left behind COPY --from=build /app /app # DO OTHER STUFF # Avoid using root RUN chown -R www-data: /app USER www-data EXPOSE 9000 CMD ["php-fpm", "-F", "-R"]

18. CONTAINERS - best practices $ docker build --compress -t my-app:latest

    --build-arg \ SSH_PRIV_KEY="$(cat ~/.ssh/dependancies_id_rsa)" .

19. CONTAINERS - best practices SIGN DOCKER IMAGES USING NOTARY

20. CONTAINERS - best practices Go nuts with tagging

21. ECS - Stuff worth knowing

22. ECS - Stuff worth knowing AWS manage the control plane

    FOR YOU

23. ECS - Stuff worth knowing THERE ARE TWO AVAILABLE LAUNCH

    TYPES

24. ECS - Stuff worth knowing Which launch type should I

    pick?

25. ECS - Stuff worth knowing What are the building blocks

    available within ECS?

26. ECS - Stuff worth knowing Why choose ECS?

27. EKS – Stuff worth knowing

28. EKS - Stuff worth knowing AWS manage the control plane

29. EKS - Stuff worth knowing Only one available launch type

    today

30. EKS - Stuff worth knowing Which launch type should I

    pick?

31. EKS - Stuff worth knowing What are the building blocks

    available within EKS?

32. EKS - Stuff worth knowing Why choose EKS?

33. Which should I choose?

34. https://www.steamhaus.co.uk Thank you!