Intro to Containers
Virtualization problem - heavy usage because operating system is duplicated on each application that is hosted on 1 host.1
- Before: App with OS M---1 AWS Hypervisor + AWS EC2 Host
Solution: Containerization
- After: App M---1 Container Engine + Host OS + Host Hardware
Containerization - mostly consumption by the application and its runtime
- Do not need full OS for each app
Image anatomy
Container - running copy of docker image
Docker image made up of multiple independent layers - not monolithic
- Used to run container
Dockerfile - used to build docker images. Each step creates fs layers.
- Images are created from base image or scratch
- Image contain readonly layers, changes layered onto image using differential architecture
Layers:
- operating system set up
- app run
- filesystem
Docker container is docker image with read write layer to run it
- Identical layers apart from R/W layer, which makes shared fs layers efficient
Container images deployed to docker host, service running container engine.
- Container is single thing that can generate
- Dockerhub to get or download your own
Container key concepts:
- Dockerfiles to build images
- Portable - self-contained, always run as expected
- Lightweight - parent os used and shared fs layers
- Only runs app and environment it needs
- Provides as much isolation as VMs
- Ports are exposed to host
- App stacks can be multi-container
DEMO Docker Image
Hosting docker image from EC2 instance
- CloudFormation
- Connect to EC2 Instance
sudo dnf install dockersudo service docker startdocker ps- Error, no permission
sudo usermod -a -G docker ec2-user- Allow local user to interact with docker engine
- Reconnect
sudo su - ec2-user- Logins to ec2-user without ssh key
docker pslscd containerls -ladocker build -t containerofcats .- Based on current docker file
- Each line generally generates new fs layer
docker images --filter reference=containerofcats- list of imagew
docker run -t -i -p 80:80 containerofcats- Open new tab based on public ipv4 address
This runs docker container from EC2 instance. Later, can use ECS to host docker image
How to push image into dockerhub:
docker login --username=YOUR_USERdocker images- see all containers- copy image id of
containerofcats
- copy image id of
docker tag IMAGE_ID YOUR_USER/containerofcats- prepare to be pushed to docker hub
docker push YOUR_USER/containerofcats:latest
Elastic Container Service (ECS) Concepts
ECS - run containers on AWS fully/ partially-managed services, reduces admin overhead.
- ECS is for container like EC2 for VM
ECS uses cluster that run on 2 modes: 1. EC2 - uses EC2 as container host 2. Fargate - serverless way to run docker containers
ECS Cluster - where containers run from
- ECR (Elastic Container Registry) to manage docker container images
Task on ECS - container as a whole
- Define containers inside
- Task - store resources used by task (CPU, Memory, networking, compatibility).
- Also task role - IAM role that the task can assume for temporary credentials. Best way to give container within ECS to run AWS service.
- Task can contain 1 to M containers
Service definition - defines service
- How we want task to scale, copies to run, can have multiple tasks
Concepts:
- Container definition - image and ports
- Which image to use
- Which port to expose
- Task definition - securiy (taks role), container(s), resources
- Task role - IAM role which the task assumes
- Service - how many copies, HA, restarts
ECS Cluster Mode
Modes:
- EC2 - less admin overhead
- Fargate - even lesser admin overhead
Cluster mode defines many, but main idea is how much of an admin overhead is AWS or customer managed
ECS management components:
- Scheduling
- Orcehstrating
- Cluster management
- Engine placement ^ exist in both modes.
ECS - EC2 Mode
EC2 mode - EC2 instance used to run containers, specify initial size
ECS Cluster is created within VPC inside AWS account
- benefits from multiple AZ
- handled by Auto Scaling Group (ASG), add or remove instance as needed
- uses container registry - way container images are stored
- task and services use images from registry and deployed on container host on form of containers handled by ECS
ECS - Fargate Mode
Main difference on how container is actually hosted - on Fargate shared infrastructure
Gain access to shared pool (like EC2 on shared HW):
- Use same task and services definition allocated to shared fargate platform
- Still have cluster that uses VPC that operates on AZ
- ECS task that runs on shared infrastructure and on networking, injected to VPC - Elastic Network Interface
- Has IP address within VPC
- Works just like any other VPC resource
- Only pays for used containers based on consumed resources
EC2 vs ECS (EC2) vs Fargate
- If use containers, use ECS
- If large workload and price conscious, EC2 mode to use its spot and reserved mode
- More admin overhead - scaling, sizing, correcting faults
- If large workload and overhead conscious, Fargate
- For small/ burst workloads - Fargate
- Fully EC2 host running on inconsistent workload does not make sense
- For batch/ periodic workloads - Fargate
DEMO - deploying containers using Fargate
- ECS > Create Cluster > Select all subnets
- Create new task definition
- Image URI
docker.io/USERNAME/REPOSITORY
- Image URI
- Create cluster with the new task
- Use Launch type
Deleting:
- Deregister task
- Delete cluster
Elastic Container Registry (ECR)
ECR manages container image registery service
- Dockerhub for AWS
- Each AWS account has public and private registry
- public means anyone can have readonly access, unlike private
- Each registry can have many repositories
- Each repository can contain many images
- images can have several tags
ECR:
- Integrated with IAM for permissions
- Image scanning, basic, and enhanced
- NR real time metrics => CW (auth, push, pull)
- API Actions => CloudTrail
- Events => EventBridge
- Replication. Cross-region and cross-account
Kubernetes 101
Kubernetes - open-source container orchestration system to run container in a reliable and scalable way.
- Automate deployment and scaling of containerized system
- Docker with robots
Cluster structure:
- Highly available cluster of compute resources organized to work as one unit
- Cluster Control Plane to manage cluster, scheduling, app, scaling, and deploying
- Cluster nodes - VM or physical server as worker in the cluster
- Containerd - handling container operations
- kubelet - agent to interact with control plane
- Kubernetes API for communication between control plane and kubelet agent
Cluster detail:
- Has container runtime and kubelet
- Has 1 to many nodes
- Has pods - smallest units of computing in kubernetes shared storage and networking. Usually non-permanent.
- kube-proxy - network proxy on each node to coordinate networking within control plane
- help impleemnt service
Control plane:
- kube-apiserver - front-end for kubernetes control plane.
- What nodes and cluster elements interact with.
- Horizontally scaled for HA and performance
- etcd - provides highly available key-value store within cluster
- main backing store for cluster
- kube-scheduler - assigns nodes to pods with node based on resource and constraints
- cloud-controlled-manager - provides cloud specific control logic
- allows linking kubernetes with cloud provider APIs
- kube-controller-manager - control processes
- Node controller
- Job controller
- Endpoint controller
- Service account and token
Summary:
- Cluster - deployment of kubernetes, management, orchestration
- Node - resources; pods placed on nodes to run
- Pod - 1+ containers; smallest unit in k8s; usually 1-to-1 container-pod.
- Service - abstaction; service on 1 or more pods
- Job - ad-hoc for one or mode pods
- Ingress - exposes way into service
- Ingress => Routing => Service => 1 + Pods
- Ingress Controller - provides ingress
- AWS LB controller uses ALB/ NLB
- Persistent Storage - permanent volume for beyond 1+ pods
Elastic Kubernetes Service 101 (EKS)
EKS - AWS managed kubernetes
- Can be run on AWS, Outposts, EKS anywhere, EKS Distro
- The control plane scales and runs on multiple AZs
- Integrates with AWS services (ECR, ELB, IAM, VPC)
- EKS Cluster = EKS control plane and EKS nodes
- etcd distributed across multiple AZs
- Storage providers include EBS, EFS, FSx Lustre
Nodes - self managed, managed node groups, or fargate pods. Decided based on requirements.
- Windows, GPU, Inferentia
- AWS Managed VPC - Control plane managed and multi AZs
- EKS Admin via public endpoint
- Control Plane ENIs injected into Customer VPC
- Customer VPC into Service Consumer