---
title: '11 ECS, ECR & Fargate + Docker in AWS'
disqus: hackmd
---
:::info
AWS Certified Developer Associate DVA-C01
:::
11 ECS, ECR & Fargate + Docker in AWS
===
<style>
img{
/* border: 2px solid red; */
margin-left: auto;
margin-right: auto;
width: 90%;
display: block;
}
</style>
## Table of Contents
[TOC]
Docker
---
- docker is software dev platform to deploy apps
- apps packaged in containers that can be run on any os
- apps run the same regardless whr they're run
- any machine
- no compat issues
- predictable behaviour
- less work
- easier to maintain and deploy
- cuz standardised
- works with any lang/OS/tech
- can run multiple docker containers
- even tho run on same machine, they dont interact with ea other unless we tell them to
- dont impact ea other
- can scale them since on same server
### Where are Docker Images Stored?
- docker imgs stored in docker repositories
- 2 famous repos
- public - docker hub https://hub.docker.com/
- find base imgs for many tech or os
- ubuntu
- mysql
- nodejs, java etc.
- private - __amazon ECR (elastic container registry)__
### Docker VS Virtual Machines
- docker is sort of virtualisation tech but not exactly
- res are shared with host
- can run many containers on 1 server
- docker has no hypervisor
- once installed docker daemon, can just run a container
- since docker is lightweight and well made, can run a lot more containers than VMs on your machine
### Getting Started with Docker
- download docker at https://www.docker.com/get-started
- build dockerfile
- run docker img to get docker container
### Docker Containers Management
- to manage containers, need container management platform
- 3 choices
- ecs
- amazon's own platform
- fargate
- amazon's own serverless platform
- eks
- amazon's managed kubernetes (open source)
- not in exam
AWS ECS (Elastic Container Service)
---
### ECS Clusters
- ecs clusters are logical grping of ec2 instances
- ec2 instances run ecs agent (docker container)
- ecs agent registers instance to ecs cluster
- ec2 instances run special AMI, made specifically for ecs
### ECS Task Definitions
- task definitions are metadata in json form to tell ecs how to run docker container
- contains crucial info around
- img name
- port binding for container and host
- memory and cpu required
- env variables
- networking info
- iam role
- logging configuration
- Eg. cloudwatch
### ECS Service
- ecs services help define how many tasks shld run and how they shld be run
- ensure that num of tasks desired is running across fleet of ec2 instances
- will also help if do updates to tasks
- can be linked to elb/nlb/alb if needed
- created at cluster lvl
#### ECS Service with Load Balancer
- change task def to specify container port and have random host port
- do this many time
- everytime httpd service is launched, new random port num created
- app load balancer will route traffic to random ports and spread load to diff containers
- has feature called dynamic port forwarding
### Console
- do not press get started cuz it will auto use fargate (fargate it gr8 but v new so might not come out in exam?)
- press create cluster
- shld create a keypair for ecs too
- add vpc, subnets and sec grp
- need iam role so ec2 instance can register to ecs
- when created ecs cluster, asg auto created too
- AMI id
- IAM profile
- created by ecs, called `ecsInstanceRole`
- ec2 user data
- ecs config file contains var ecs cluster = cluster demo
- when instance starts, register cluster named cluster demo
- change this bit if have multiple clusters
- security grp auto created too
- iam role on ec2 created for ecs
- docker agent helps register
- this specific process is what's registering our agent
- use `docker logs <container id>` to see logs
#### Task Definitions
- task assigned can have an iam role
- network mode
- bridged on linux
- NAT on windows
- task execution role
- role created to allow ecs to create the task
- is just info
- mem and ram assigned to task
- need to choose docker container from docker hub
- if specify image as `<name>:<ver tag>`, know to take img directly from dockerhub
- port mapping v impt
- must go dockerhub and find what port the img is using
- there's still a lot of options left to choose from
- can view json form of task def
#### Service
- set min healthy percent to 0
- enable us to do rolling restarts
- codedeploy can be used to deploy to ecs too
- task placement
- defining strategy of how to place tasks on diff ecs instances
- add inbound rule in cluster sec grp for docker container
- can set to scale ec2 instances for cluster
- or if dont see option can just access asg and change desired count
#### ECS Service with Load Balancer
- leave host port empty to randomise it
- alb
- allows dynamic port mapping - feature that is not in clb (static port mapping)
- though need to create load balancer in ec2 console to link to ecs
- security grp must allow all traffic from ecs load balancer
- setup p complicated, might want to rewatch the vid ECS Service with Load Balancers
ECR (Elastic Container Registry)
---
- so far we using docker imgs from docker hub (public)
- ecr is private docker img repo
- access controlled through iam
- perms errors => policy
- authenticating ecr using CLI
- aws cli v1 login cmd
- may be asked in exam
- `$(aws ecr get-login --no-include-email --region eu-west-1)`
- have `$()` cuz output of cmd has to be executed
- aws cli v2 login cmd
- newer, may also be asked in exam
- relies on pipes `|`
- `aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.eu-west-1.amazonaws.com`
- 1st part give login passwd and pass into second part
- docker push & pull
- `docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/demo:latest`
- just push full img url
- `docker pull 1234567890.dkr.ecr.eu-west-1.amazonaws.com/demo:latest`
### Console
- install docker first
- `docker --version` to check install
- breakdown of above docker file
- use `httpd:2.4` img from docker hub
- gonna install a few things on it
- add some html to it
- add a script
- launch that script after giving it executing perms
- bootstrap script
- going to run and pickup some metadata info arnd ecs and display to us
- build the docker img with this cmd
- `docker build -t <img> .`
- before we can use it in ecs, we have to push it to ecr
- create new repo in ecr
- can view push commands from repo console
- login into docker and ecr
- can push img into docker
- change img name to ecr img name in ecs task def
- when u update task def, it will slowly shutdown the prev task def and replace it with the new one
- might take a while
- alb has a deregistration delay of 300secs (5mins) for the registered targets to be drained
- or u can just stop it yourself
Fargate
---
- when launching ecs cluster, need to create ec2 instances
- if need scale, need to add ec2 instances
- with fargate, its all serverless
- dont provision ec2 instances, just create task definitions & aws will run container for us
- to scale, just inc task num
- simple
- no more ec2 :)
- if want run docker container in cloud, no need to think abt ec2, just use fargate
### Console
- creating cluster with fargate is v simple
- create 1st service
- create task def with fargate
- set task mem and cpu sizes
- add container for task def
- just like ecs hands on
- only need add container port
- fargate smart enough to do dynamic port mapping
- create fargate service
- process p similar to above
- tasks are not linked to any containers cuz its serverless
- no ec2 instances needed
More ECS
---
### ECS IAM Roles Deep Dive
- ec2 instance profile
- used by ecs agent
- ecs agent use role to make api calls to ecs service
- send container logs to cloudwatch logs
- pull docker img from ecr
- ecs task role
- allow ea task to have specific role with min perms
- use diff roles for diff ecs services u run
- task role defined in task definition
### ECS Tasks Placement
- when task of type ec2 launched, ecs must determine whr to place it with constraints of cpu, memory and avail port
- similarly, when service scales in, ecs needs to determine which task to terminate
- to assist with this, can define a __task placement strategy__ and __task placement constraints__
- NOTE
- this is only for ecs and ec2, not fargate
#### ECS Task Placement Process
- task placement strategies are best effort
- when amazon ecs places tasks, uses following process to select container instances
- identify instances that satisfy cpu, memory and port requirements in task def
- identify instances that satisfy task placement constraints
- identify instances that satisfy task placement strategies
- select instances for task placement and place task thr
#### ECS Task Placement Constraints
- `distinctInstance` - place ea task on diff container instance
- no 2 tasks on same instance
- `memberOf` - places task on instances that satisfy an expression
- uses cluster query lang (p advanced)
- Eg. instancetype must be type t2
### ECS Task Placement Strategies
#### Binpack
- binpack
- place tasks based on least avail amt of cpu or memory
- minimises num of instances in use
- cost savings
- packs all containers into one ec2 instance until it cannot hold anymore
- hence called binpack (packing containers tgt)
- minimises num of ec2 instances in use and maximise utilisation of 1 ec2 instance at a time
#### Random
- random
- place task randomly
- tasks place randomly between the 2 ec2 instances
- no logic to it
#### Spread
- spread
- place task evenly based on specified value
- Eg. `instanceId`, `attribute:availability-zone`
- for this example, it spreads based on ea az then start all over again
#### Hybrid
### ECS Service Auto Scaling
- cpu and ram tracked in cloudwatch at ecs service lvl
- __target tracking__
- target specific avg cloudwatch metric
- Eg. cpu transition shld be 60% across ecs service
- __step scaling__
- scale based on cloudwatch alarms
- __scheduled scaling__
- based on predictable changes
- ecs service scaling (task lvl) __NOT EQUAL__ to ec2 auto scaling (instance lvl)
- if scale up/down your ecs service, doesnt mean ec2 asg at instance lvl will scale up/down
- this makes ecs auto scaling p difficult at service lvl
- fargate auto scaling is much easier to setup
- because serverless
#### ECS Cluster Capacity Provider
- capacity provider is used in association with cluster to determine infrastructure that task runs on
- for ecs and fargate users, `FARGATE` and `FARGATE_SPOT` capacity providers are added automatically
- for amazon ecs on ec2, need to associate capacity provider with an asg
- asg add ec2 instances when needed
- when run task or service, define a capacity provider strat to prioritise which provider to run
- this allows capacity provider to auto provision infrastructure for u
- both ec2 instances are full
- create new task
- if task assigned to cluster capacity provider, will auto launch new ec2 instance running on ecs
- or if use fargate capacity container, will go on fargate container
### Console
#### ECS IAM Roles
- choose use case for ecs iam role
- choose your iam policy for the role
- ecs task role
- if go to trust r/s tab, it can be endorsed by ecs tasks
- is the role that gets assigned to specific tasks/services
#### Task Placements
- config when creating service
- custom task placements + constraints
#### Capacity Provider
- select asg
- set target capacity
- Eg. 70% = if 70% capacity of ec2 instances rched then will launch more instances
- can set capacity provider at service config
- set autoscaling for service
- set scaling policy type
- might want to rewatch the handson again
Summary
---
- service auto scaling does not mean your cluster will get bigger
Quiz
---
###### tags: `AWS Developer Associate` `Notes`
Sign in with Wallet
Connect another wallet