From your Desktop to the Cloud

Things you need to consider before you run Docker in AWS

Agenda◇ What is docker?◇ Docker on the Desktop: It’s so simple!◇ Docker Application Lifecycle: Thinking

holistically◇ The Cloud OS: A new way of thinking?◇ How can AWS help?

About Me◇ Technical Director @ IMS◇ Hands-on (i.e. I go crazy if I don’t get to code)◇ Full Stack (ish)◇ Passionate about using Cloud technologies to

deliver business value

My Docker Journey

What is Docker?

““Docker allows you to package an application with all of its dependencies into a standardized unit of software development.”

Think of it like a virtual machine that is preconfigured, launches instantly, is completely ephemeral and has almost no runtime overhead.

Docker Images◇ Read-only template from which containers are created◇ Derived from a base image (ex. Busybox, Alpine or

Ubuntu)◇ Consists of layers that get combined together using a

union filesystem◇ Built from a Dockerfile (build description file)◇ Each layer is hashed & cached (somewhat git-like)

Docker Registry◇ A place to store Docker images◇ Docker Hub◇ Private Registries◇ Open Source◇ Reminiscent of Git repositories

Docker Container◇ A runtime instance of a Docker image◇ A container is effectively a read/write layer added on

top of the image◇ Ephemeral!

What you get◇ Process Isolation◇ Network Isolation◇ IPC Isolation◇ Filesystem Isolation◇ Hostname Isolation◇ Resource Controls (i.e. How much CPU & Memory the

container should have)

Docker Architecture

Docker on the DesktopWhy your first impressions will lull you into a sense that your life is about to get a whole lot easier

DEMO TIME!

Docker Application LifecycleThe Birds and the Bees...for containers...

Docker Application Lifecycle

◇ Build◇ Deploy◇ Run◇ Monitor

Build◇ Every command is a new layer◇ Layers are hierarchical: changing a lower layer

destroys the cached layers above◇ Size: remember you are going to have to

download this thing over and over again

FROM scratchCOPY hello /CMD ["/hello"]

Dockerfile (hello-world)

Build: Best Practices◇ Avoid using too many layers◇ Where possible, order commands so that the

frequently changing stuff is last (i.e. your code)◇ Containers are ephemeral: avoid writing stuff to

disk◇ Run only one program per container￭ Use supervisord if you have to￭ Docker compose￭ Docker networking (overlay network)

Deploy: Registry Considerations

◇ Authentication￭ Developers￭ Build Infrastructure (i.e. Jenkins)￭ Operational Infrastructure (i.e. your prod)

◇ Reliability￭ What happens when the registry goes down?￭ Registry becomes part of your build infrastructure AND operation infrastructure

Deploy: Running your own Registry

◇ Docker Registry is open source◇ Is this a business you want to be in?◇ Considerations:

￭ High Availability: ELB, EC2/ECS, S3￭ Docker engine concurrency weirdness

◇ Lots of alternatives these days

Deploy: Pick your Poison

◇ Docker Hub◇ AWS Elastic Container Registry◇ Quay.io◇ Bintray

Run◇ To pull or not to pull: that is the question!◇ Security◇ Insecure Registry issues◇ How do you provide the configuration?◇ How do you run a Docker container that

depends on snowflaky things like hard-coded IP’s (ENI) or EBS volumes

Running a Docker container on your local machine is easy. Asking another machine to run a Docker container for you is significantly more complicated.

Monitor◇ Extra layer of abstraction is an extra layer you

may need to drill through◇ Docker’s job is to hide stuff from you

Monitor: Gotchas◇ Disk space◇ Standard metrics like CPU usage start to have a

confusing meaning◇ Monitoring daemons: do they run inside the

container or outside?

The Cloud OSThe part where I get to stand on my soapbox

Internet Layers of Abstraction

Deploy in weeks

Deploy in minutes

Deploy in seconds

Deploy in milliseconds

The Docker MindsetHow to get the most out of Docker

◇ The operating system (the VM) doesn’t matter◇ You shouldn’t care what machine your system runs

on◇ Everything is ephemeral◇ Assume your disks are read-only◇ You can only create & destroy: you cannot update

Docker can be thought of as a higher-order Operating System abstraction.

Hard Problem #1:Scheduling

◇ Given a finite set of computing resources determine where to launch a Docker container

◇ Typical Bin Packing Problem: Dimensions￭ CPU, Memory, I/O, High Availability◇ Why is this hard?￭ Distributed System Complexity￭ Heterogeneous Infrastructure￭ Auto-Scaling￭ Resource Affinity (i.e. ENI or EBS Volumes)

Hard Problem #2:Fault Tolerance

◇ When the main Docker process terminates (PID 1) the Docker container terminates

◇ How are you going to restart your Docker container?◇ Common Patterns

￭ Supervisord￭ Restart Policy

◇ If your Docker runtime doesn’t support this you have

to do this yourself◇ Out of memory? Disk? You need to failover to

another node and Docker (itself) can’t help you here

AWSElastic Container ServiceAnd friends

Elastic Container Service◇ Built on top of EC2◇ AWS does all the nasty distributed stuff for us◇ AWS provides the tools: you run it the way you

want￭ Clusters￭ Container Instances◇ Supports custom schedulers*◇ Task Definition -> Task◇ Services◇ Service Auto-Scaling*

ECS Gotchas◇ Container Instances need to be configured

(via user data) to point to a cluster◇ Task Definitions can’t be deleted◇ Service operation delays

Elastic Container Registry◇ A Docker Registry hosted by AWS◇ A place to put your private Docker containers◇ Supports all the AWS IAM access control

goodness◇ Cheap! ($0.10/GB-month)￭ Not billed per repo!

ECR: Gotchas◇ Does not support “conventional” Docker login￭ Requires AWS CLI (aws ecr get-login)￭ Makes it more difficult to use outside of

AWS’ walled garden◇ Global Service (like S3): does not run in your

VPC◇ Difficulty using “ephemeral” IAM resources

More of the ThingsOther ways of running Docker on AWS

The Other Guys◇ Kubernetes◇ Mesos & Marathon◇ Docker Swarm◇ CoreOS / Fleet

It’s Done!Thanks for coming!