from your desktop to the cloud things you need to consider before you run docker in aws
TRANSCRIPT
From your Desktop to the Cloud
Things you need to consider before you run Docker in AWS
Agenda◇ What is docker?◇ Docker on the Desktop: It’s so simple!◇ Docker Application Lifecycle: Thinking
holistically◇ The Cloud OS: A new way of thinking?◇ How can AWS help?
About Me◇ Technical Director @ IMS◇ Hands-on (i.e. I go crazy if I don’t get to code)◇ Full Stack (ish)◇ Passionate about using Cloud technologies to
deliver business value
My Docker Journey
What is Docker?
““Docker allows you to package an application with all of its dependencies into a standardized unit of software development.”
Think of it like a virtual machine that is preconfigured, launches instantly, is completely ephemeral and has almost no runtime overhead.
Docker Images◇ Read-only template from which containers are created◇ Derived from a base image (ex. Busybox, Alpine or
Ubuntu)◇ Consists of layers that get combined together using a
union filesystem◇ Built from a Dockerfile (build description file)◇ Each layer is hashed & cached (somewhat git-like)
Docker Registry◇ A place to store Docker images◇ Docker Hub◇ Private Registries◇ Open Source◇ Reminiscent of Git repositories
Docker Container◇ A runtime instance of a Docker image◇ A container is effectively a read/write layer added on
top of the image◇ Ephemeral!
What you get◇ Process Isolation◇ Network Isolation◇ IPC Isolation◇ Filesystem Isolation◇ Hostname Isolation◇ Resource Controls (i.e. How much CPU & Memory the
container should have)
Docker Architecture
Docker on the DesktopWhy your first impressions will lull you into a sense that your life is about to get a whole lot easier
DEMO TIME!
Docker Application LifecycleThe Birds and the Bees...for containers...
Docker Application Lifecycle
◇ Build◇ Deploy◇ Run◇ Monitor
Build◇ Every command is a new layer◇ Layers are hierarchical: changing a lower layer
destroys the cached layers above◇ Size: remember you are going to have to
download this thing over and over again
FROM scratchCOPY hello /CMD ["/hello"]
Dockerfile (hello-world)
Build: Best Practices◇ Avoid using too many layers◇ Where possible, order commands so that the
frequently changing stuff is last (i.e. your code)◇ Containers are ephemeral: avoid writing stuff to
disk◇ Run only one program per container■ Use supervisord if you have to■ Docker compose■ Docker networking (overlay network)
Deploy: Registry Considerations
◇ Authentication■ Developers■ Build Infrastructure (i.e. Jenkins)■ Operational Infrastructure (i.e. your prod)
◇ Reliability■ What happens when the registry goes down?■ Registry becomes part of your build infrastructure AND operation infrastructure
Deploy: Running your own Registry
◇ Docker Registry is open source◇ Is this a business you want to be in?◇ Considerations:
■ High Availability: ELB, EC2/ECS, S3■ Docker engine concurrency weirdness
◇ Lots of alternatives these days
Deploy: Pick your Poison
◇ Docker Hub◇ AWS Elastic Container Registry◇ Quay.io◇ Bintray
Run◇ To pull or not to pull: that is the question!◇ Security◇ Insecure Registry issues◇ How do you provide the configuration?◇ How do you run a Docker container that
depends on snowflaky things like hard-coded IP’s (ENI) or EBS volumes
Running a Docker container on your local machine is easy. Asking another machine to run a Docker container for you is significantly more complicated.
Monitor◇ Extra layer of abstraction is an extra layer you
may need to drill through◇ Docker’s job is to hide stuff from you
Monitor: Gotchas◇ Disk space◇ Standard metrics like CPU usage start to have a
confusing meaning◇ Monitoring daemons: do they run inside the
container or outside?
The Cloud OSThe part where I get to stand on my soapbox
Internet Layers of Abstraction
Deploy in weeks
Deploy in minutes
Deploy in seconds
Deploy in milliseconds
The Docker MindsetHow to get the most out of Docker
◇ The operating system (the VM) doesn’t matter◇ You shouldn’t care what machine your system runs
on◇ Everything is ephemeral◇ Assume your disks are read-only◇ You can only create & destroy: you cannot update
Docker can be thought of as a higher-order Operating System abstraction.
Hard Problem #1:Scheduling
◇ Given a finite set of computing resources determine where to launch a Docker container
◇ Typical Bin Packing Problem: Dimensions■ CPU, Memory, I/O, High Availability◇ Why is this hard?■ Distributed System Complexity■ Heterogeneous Infrastructure■ Auto-Scaling■ Resource Affinity (i.e. ENI or EBS Volumes)
Hard Problem #2:Fault Tolerance
◇ When the main Docker process terminates (PID 1) the Docker container terminates
◇ How are you going to restart your Docker container?◇ Common Patterns
■ Supervisord■ Restart Policy
◇ If your Docker runtime doesn’t support this you have
to do this yourself◇ Out of memory? Disk? You need to failover to
another node and Docker (itself) can’t help you here
AWSElastic Container ServiceAnd friends
Elastic Container Service◇ Built on top of EC2◇ AWS does all the nasty distributed stuff for us◇ AWS provides the tools: you run it the way you
want■ Clusters■ Container Instances◇ Supports custom schedulers*◇ Task Definition -> Task◇ Services◇ Service Auto-Scaling*
ECS Gotchas◇ Container Instances need to be configured
(via user data) to point to a cluster◇ Task Definitions can’t be deleted◇ Service operation delays
Elastic Container Registry◇ A Docker Registry hosted by AWS◇ A place to put your private Docker containers◇ Supports all the AWS IAM access control
goodness◇ Cheap! ($0.10/GB-month)■ Not billed per repo!
ECR: Gotchas◇ Does not support “conventional” Docker login■ Requires AWS CLI (aws ecr get-login)■ Makes it more difficult to use outside of
AWS’ walled garden◇ Global Service (like S3): does not run in your
VPC◇ Difficulty using “ephemeral” IAM resources
More of the ThingsOther ways of running Docker on AWS
The Other Guys◇ Kubernetes◇ Mesos & Marathon◇ Docker Swarm◇ CoreOS / Fleet
It’s Done!Thanks for coming!