Using Containers

This week

• Container Management (AWS Fargate)
• Networking
• Storage

• Monitoring

• Run multiple container and push websites to shared volumes

Microservices

• isolate every services or functions from one another sothat, one fails other will not affected. However each seervice or function will communicate with each other.

AWS Fargate

• Running a container on EC2 as host option will work for you.
• There are two different layers you need to manage when host a container.
  • Manage EC2 for hosting
  • Also containers on top of the instances otherwise known as cluster

• First to get started one needs to provision, configure and scale a cluster of EC2 instances

  • You will place your instances in subnets inside of your VPC across availability zones
  • For provisioning you will only need to choose the EC2 instance type, AMI and provide any other configuration that is needed for example user data for bootstraping
  • Since EC2 will be used to host EC2 docker containers, so docker installation needs to be added as a part of bootstraping process.
  • Also one needs to make sure that these instances will continuously patched, updated and eveluated for secuirity. They also need latest and greatest software packages for hosting containers, so make sure these processess have in place
  • Next need to set up and configure EC2 for Autoscaling
    • Autoscaling will provision new EC2 instances when the demand of the containers will go up and autoscaling will terminate instances as the the containers are stopped, and therefore less compute and infrastructure to back it up.
• When these things are set up for functioning one can run containers on top of this group on EC2 instances or your cluster.
• Each EC2 instances will most likely have multiple containers inside it.
• So we have EC2 drawn here, but how exactly do these container instances get placed on top of hosts ??
  • These can be managed an orchestration tools like Amazon Elastic Container Service or ECS
  • So ECS will be the service you will be intarating with to run and set up your container, you will not interecting with the host directly.

  • Now you will need to monitor and use service like Amazon Cloud Watch to ensure that you cluster is scaling up properly and you can tweak it as it needed to optimize cluster resources.

  • So you will needs lot of preliminary set up that’s required to host container on top of EC2
  • How can we run containers without worrying about this infrastructure??
    • AWS Fargate is the helping hand
    • AWS Fargate is a serverless compute engine and hosting option for container-based workloads.
    • What Fargate allows you to do is to host your container on top of fully managed compute platform. No provosioning infrastructure, not setting up cluster scaling and no server management over time.

    • AWS Fargate abstracts all from you.

    • The containers are still spread across different AZ available zones and container lifecycle would still managed by orchestration tools like Amazon Elastic Container (ECS). However, no EC2 instances will be visible. It will be abstracted from you, allowing you to time and energy desiging and building the applications and containers instead of managing the underlying infrastructure that runs those containers.
• When using Fargate, you need to define all your containers need to run.
  • First what image you want to use.
  • How much memory and vCPU the container will be needed
  • Configure networking like VBC to use, what subnet, what secuirity groups will be needed.
  • IAM permissions that is needed for containers
  • Payment is only based on use means payment is only when your container is running.

Fargates key concept to understand

• Actually these concepts come from Amazon Elastic Container Service, which is container orchestration tool

• Fargate is the serverless way to host a container using Amazon Elastic Container (EC2) services

  ## Cluster

  • logical isolation boundary for the infrastructure that hosts the container. Cluster lives in virtual private network of you choice and can span multiple availability zones
  • you can select what subnets you want to place your container instances in as well and Fargate will provision and manage cluster for you.
  • Since this cluster is abstracted from you, you donot have ssh access or network access in any underlying instances.

  ## Tasks and Services

  • To run the container you will run tasks and services
  • These services will place the tasks on your cluster.
  • A Task is at a basic level just a wrapper to run your containers in.
  • To run a Task you need to create a task defination
  • A task defination is configuration for what container or containers are going to be run.
  • A task defination includes
    • What image or tag should be used
    • How much memory and vCPU for each container
    • what ports should be listening on and shared volume if needed.
  • Entire application stack shouldn’t exist in a same task defination(in most cases).

  • Your application can span multiple task definations by combining related containers into their own task defination. Each representing a single component of your application.

  • Once task defination is defined, then define a service, that will actually run the task, based on task defination.
  • A service that will allow you to configure running tasks, you want to run, and maintain across the cluster.
  • You also define whether you want to front your service with a load balance or not, as well as what subnets and secuirity groups you want your tasks to use.

  ### Walk through

  • Create an application load balancer in an existing VPC to front our service.
  • Then create a fargate cluster across two subnets and in that same existing VPC, crearte a task defination for our webapp
  • And then create a service to run our task op top of the cluster where we want two running tasks.

  #### Load Balancer set up

    aws elbv2 create-load-balancer --name FargateLoadBalancer\
    --subnets subnet-0b745a24484d91131 subnet-0e2ab9fd49e193459\
    --secuirity-groups sg13031acb62a9c273 --scheme internate facing \
    --type application --ip-adress-type ipv4
  

  first line we are creating a load balancer, this will allow us to access the application which is runnig on port 8080. Morgan want to submit a http request to port 80 of her load balancing and have it forwarded to the request to the back end container, which is running on 8080

  First giving a name here FargateLoadBalancer. Defininig two subnets in the second line, which she wants to attach to that load_balancer and third line assigining a secuirity group which will define the ingress and egress traffic that is allowed on port 80, these secuirity group is already exist, as well as subnets, so these are just ids for this existing resources.

  After enering this command line it will be created. From the output, she copied the Amazon Resource Name (ARN) of this load_balancer which was just created, she will use it later.

  Next will be target group This target group will be target group where our tasks will run. ``` sh aws albv2 create-target-group –name FargateTargetGroup –protocol HTTP \ –port 8080 –vpc-id vpc-024994381ad361013 –target-type ip

    Becuase the container is exposed to  port 8080, you can see Morgan is designating port for this group to 8080
      
    The last step for setting up a load balancer is to set up a listener, which will listen or port 80 for incoming http requests and then route them to our target group or port 8080 
      
    ``` sh
    aws elbv2 create-listner --load-balancer-arn <elb-arn> --protocol HTTP\ --port 80 -default-actions Type=forward, TargetGroupArn=<target-group-arn>
  

  Here elb-arn needs to be changed and it will be id which we will get from command line

  Load Bouncer set up is done

  #### Cluster set up

  Now we will create the cluster that wil host our tasks

    aws ecs create-cluster --cluster-name fargate-cluster
  

  We just gave a name fargatecluster

  #### Task defination

  Task defination is the configuration for our container. Tasks have associated IAM rules. Which Morgan has already creted for this account.

    aws ecs register-task-defination -family python-web-app \
    --task-role-arn arn:aws:iam:8332211724792:role/PythonECSTask \
    --execution-role-arn arn:aws:iam:8332211724792:role/ecsTaskExecutionRole \
    --network-mode awsvpc --container-definations file://fargate-container.json \
    --cpu .5vCPU -memory 1GB -requires-compatibilities FARGATE
  

  Here in the second line there is a task role arn and this arn is refferencing the IAM role, that ther service ECS will use to launch the task. There is also execution role arn, which is going to be used for the task itself. Also network mode needs to be defined. With Fargate it only supports the AWS VPC networking mode. There is other network mode is also exist. Later will be discussed. Next container defination, which is passed in a static json. which is found in the current directory.

  fargate-container.json file contais following information. ´´´ json [ { “environment”: [], “name”: “webapp”, “mountPoints”: [], “image”: “", "portMappings": [ { "protocol": "tcp", "containerPort": 8080, "hostPort": 8080 } ] } ] ´´´ Here we can see the image name and also port mappings are available. However Morgan needs to naviagate to ECR and grab the image URI.

  Go to AWS Management Console. search for ECR. There was repository set up and there was one pythonwebapp, which she will be launching. Grab the latest URI for that image, come back to cloud9 and replace image-from-ecr to this copied URI and now save and exit.

    * Also 0.5 vCPU is defined and memory 1GB
    * lastly to be eligible to the taks for fargate, requires-compatibilities with values FARGATE.  
  

  Then Morgan went the directory where the json file is available and run last command in that folder. Which we already have seen above.

    aws ecs register-task-defination -family python-web-app \
    --task-role-arn arn:aws:iam:8332211724792:role/PythonECSTask \
    --execution-role-arn arn:aws:iam:8332211724792:role/ecsTaskExecutionRole \
    --network-mode awsvpc --container-definations file://fargate-container.json \
    --cpu .5vCPU -memory 1GB -requires-compatibilities FARGATE
  

  So task is defined.

  #### Service Creation

  This service will use this task defination to launch a task

  ´´´sh aws ecs create-service –cluster --service-name FargateDemoService2 --task-defination --load-balancer file ://load-balancer.json -desired-count 2 --launch-type FARGATE --network-configuration file://task-networking.json -scheduling-strategy REPLICA --deployment-container type-ECS ´´´ Task defination arn we can found from what we just created. Also from provious command line output we can also copy cluster-arn and replace with that value.

  also some other things are done here. A service name is FargateDemoService2 is added. Providing that Morgan want to tasks to be launched (-desired-count 2) and a json file is provided which will ties this service to the load-balancer

  let see what is in json file

    [
        {
            "targetGroupArn": "<target-group-arn>",
            "containerName": "webapp",
            "containerPort": 8080
        }
    ]
  

  We actually need the target arn and replace it with that file. Which can be found in comman line output which we already have created. and replace it and save the file.

  Next we have launch-type and it is Fargate. We have network configuration file. let see what is there

    {
        "awsvpcConfiguration": {
            "subnets": ["sebnet-pe2ab9fd49e193459", "sebnet-0b4745a24482d91131"],
            "securityGroups": ["sg-0aae6caa0b11ff6db"],
            "assignPublicIp": "ENABLED"
        }
    }
  

  Two subnets and securityGroups are provided, this secuirityGroup allow http trafic to actually reach our running containers in our task. Now paste whole command on command line.

  So service is created so it should be starting up our taks on the cluster. In order to see that list of services which is running on the cluster.

    aws ecs list-services --cluster fargatecluster
  

  list services which is running on fargatecluster

  to verify whether actually they are running we will AWS console and go home. Find Services -ec2 search box. left hand side scroll down, click laod-balancer navigate load-balancer section and select the laod-balancer which was just created.grab the DNS name of laod-balncer. We actually should theoritaclly access those through DNS name and paste it in Browser.

Container Networking

1. How to you get traffic To our tasks on our instances?

• Similar like to get a traffic to a server or virtual machine.
  • we need load balancer

  • In AWS 3 types of load-balancer is available.

    1. Network load balancer
    2. classic laod balancer
    3. Application load balancer

here mostly application load balancer(ALB) will be discussed.

• One important feature of ALB is dynamic host port mapping
  • What is this?
  • which allows multiple tasks from same service to be placed on a single container instance.
  • Without dynamic host port mapping if you had a service with two tasks, you need to position them on two separate EC2 instances, because the containers can’t run on same port on the same server. So becuase of dynamic host mapping we don’t have the problem.
  • Application load balancer is recommended to use whenever you need to load balance HTTP or HTTPS requests. It also highly integrated into AWS container services like ECS whether you are placing a container on EC2 instances or using FARGATE launch type.
  • In fact ECS will configure load balancer on your behalf as well as place tasks on instances in your cluster.
  • Once it places a task on machine it will also configure the load balancer to send traffic to the new task without you doing any manual intervention.
  • another handy thing with ALB it can perform path-based routing, which is fancy way of saying, it can route requests based off of the URL
    • For example we have 3 different URL paths for our traffic to hit.
      1. /api/users
      2. /api/topics
      3. /api/messages So when users type URL path to the users service. Application load balancer will forward this requests to the containers that supports that service.

1. We want to our containers to be able to communicate with outside services.

• Task defination
  • In task defination you can specify the docker container network mode, that ECS will use for the containers in your task.
  • In task defination you can specify 4 different modes
    1. None –> It does not allow anything to anyone-
    2. Bridge –> default mode. Dockers built in network. Each and every task get an private IP and uses the docker bridge for any communication. In this mode container will share the same network interface as their host EC2 instances
    3. Host –>Removes the need for Dockers built in virtual network, because the container port are mapped directly to the EC2 instances network interface. No dynamic host port mapping, as this mode doesnot allow multiple tasks from the same service to be placed on a single container instance.
    4. AWS VPC mode –> offers highest networking performance for containers, because every tasks has given the same networking properties as regular ÈC2, what that means as every tasks is given it to its own elastic networking interface, its own private IP and internal DNS host name. no dynamic host port mapping like host mapping. More controls how you want your containers to communicate with other services and simplify the idea of networking.

Actually if EC2 networking is understood then you also understand The AWS VPC container networking mode with ECS. If the task defination uses a AWS VPC mode you are required to use a VPC subnets and a secuirity groups for your containers. However it is good practice as it provides greater level of secuirity. This is recommended appraoch. Everything needs to be set up in task defination.

Persistent Storage

• Storage here not the image storage but the container that needs to save files in some sort of consistent storage.

• By default storage used by container is not persistent.

• Normally iamge layers combined a writable top container layers to make a thing which we call container.
• When a container is removed, its upper writeable layers is removed but not the image layers.
• As a result of copy on write behaviour when the container is removed, associated data is lost.
• To have a persistent data with containers, the data needs to be externalized outiside of the container and not applied as a container layer? So this is problem,
• what is solution.

  • Bind Mount A file or folder stored anywhere in the contaner file system and mounted on a runnning continer. When using a mount you need to set the mount flag, when running a new container and specify the folder on the container host.

  • Volumes It is also hosted by host file system as well, but completely managed by container agent. Mount on the other hand can be modified outside of container management. Volumes still utilize the mount flag to specify the volume to mounted to a new container, but instead of local directory if specify the volume you want to mount to the container.. Volumes are prefered. Bind has sometimes problems with permissions issue and data is not initialized
    • Volume also provide additonal capabilities to non-local storage system such as NFS mounts
  • In AWS Elastic Block Store Volume (Amazon EbS) for underlying host storage. The EBS Volumes are specify to availabity zones and connot be mounted across AZs(availbility zones) or to multiple elastic Compute cloud instances at the same time.
  • If try to share volume contents across containers, the containers need to be on same unterlying instance or the volume needs to be cloned using EBS snapshot and then creating new volume.

  Cloud Watch Insight

  • CPU
  • Memory
  • Disk and network utilization
  • Log Information

  cloud watch can be used if you use Amazon Elastic Container service, Amazon Elastic kubernet service or kubernets platform on EC2

  • From Amazon Management console search ecs, left side click account settings and scroll all the way down to Container Insight and make sure for enabling it.
  • user IAM performing this action needs appropriate IAM permissions, the ECS put-account-setting permission to perform this action.
  • Once it is done all new containers will be monitored.
  • If we see the clusters. Scrolling up and click clusters
  • to see it go cloudwatch dashboard, normally click services and search cloudwatch, when it loads go to overview and scroll to container insights.
  • One can from here ECS or EKS cluster monitor, just click appropriate thing you want to watch, filter can be done based on cludter.
  • From log insights from left hand side one can see the logs, if cloud watch is enabled, it will autopopulate ecs logs, select appropriate logs.
  • stats avg(CpuUtilized), avg(MemoryUitlized) by bin(30m)