Docker containers are like lightweight VMs and allow you to run your application in an isolated environment. Using Docker, you can package your application inside a lightweight container and ship it to your dev, QA, staging, and production environments. Docker's simplified API helps you with the creation and deployment of containers, and its versioning feature helps you easily manage your containers across your environments (that is, dev, test, staging, and production). You can share your Docker images using public registry, Docker hub, maintained by Docker, Inc.
Managing and scheduling these containers in a fleet of machines adds complexity. However, Amazon EC2 Container Service solves this problem for you. Amazon ECS is a container management service that makes it easier to manage Docker containers on an AWS EC2 cluster. This service lets you launch container-enabled application using an API. ECS eliminates the need for your own cluster management and configuration management systems. AWS EC2 Container Service is free to use, you only pay for the resources used. There are open source container orchestration softwares, such as Marathon, that run on top of Apache Mesos, Kubernetes by Google, Docker swarm, and CoreOS fleet.
The following sample command installs Docker in a Ubuntu 12.04.5 LTS machine:
sudo wget -qO- https://get.docker.com/ | sh
After installing Docker, verify the Docker version by executing the following command:
sudo docker --version
Create a folder called myapp and a file inside that folder called Dockerfile. Our sample Dockerfile contains commands for installing Java and Tomcat.
# Specify the base image. FROM ubuntu:12.04 # Update the local repository. RUN apt-get update # Add Java 7 repository. RUN apt-get -y install software-properties-common python- software-properties RUN add-apt-repository ppa:webupd8team/java RUN apt-get -y update # Accept the Oracle Java license. RUN echo "oracle-java7-installer shared/accepted-oracle- license-v1-1 boolean true" | debconf-set-selections # Install Oracle Java. RUN apt-get -y install oracle-java7-installer # Install Tomcat7. RUN apt-get -y install tomcat7 RUN echo "JAVA_HOME=/usr/lib/jvm/java-7-oracle" >> /etc/default/tomcat7 # Set environment variable. ENV CATALINA_BASE=/var/lib/tomcat7 # Set entry point. ENTRYPOINT [ "/usr/share/tomcat7/bin/catalina.sh", "run" ]
By running the following command, you can build an image from Dockerfile. Before executing this command, change the directory to myapp.
sudo docker build -t sekhar/javatomcat:v1 .
You can list the images in your host by running the following command:
sudo docker images
Docker uses resource isolation features of the Linux kernel to sandbox the application, its dependencies, and interfaces in a container. A container can run on any host system having relevant kernel components, while shielding the application from variances of the software installed on any given host. Also, multiple containers can run independently on a single host OS without a hypervisor.
In Docker, images are used to create Docker containers. For example, an image could contain an operating system with Java, Tomcat server, and your web application. You can create these Docker images or use images that other developers created. In this recipe, we used Dockerfile to build images. The Dockerfile is a text document containing a set of commands you would normally execute manually in order to build an image.
The parameters in the Dockerfile are explained as follows:
FROM: This is a very important directive in your Dockerfile. It defines the base image to start the build process. You can use previously created images. If an image is not found on the host, Docker will then try to find it in the Docker image index.RUN: Using this directive, you can execute your commands in the build process, for example, installing Java and Tomcat.ENV: Using this directive you, can set up the environment variables. You can access these environment variables in your application inside the container.ENTRYPOINT: You can define your target application using this directive. Whenever a container is created from that image, your application will be the target.
After creating the Dockerfile, we built our Docker image from that Dockerfile. We pass the repository name (sekhar/javatomcat) and tag (v1) for the image. We can use the previously created images to create new containers. You can also spawn as many containers as required from that image.
Finally, we created the Docker container. We specified the host and container port mapping using the –p argument. Here, Tomcat's default port inside container is 8080, so we map the host port 80 to Tomcat port 8080. The –d value indicates that this container will run in detached mode. We also specified the repository name and tag name.
Typically, the container is built on the developer's machine. This can make deployments simpler and faster, as it simply involves moving the container to your target environment. In addition, consistency and predictability can be maintained when moving your application code between various environments. The containers can be deployed in AWS environments using AWS Elastic Beanstalk and Amazon ECS.
AWS Beanstalk can deploy your application containers to Amazon ECS. You will need to specify your container images, CPU, memory, ports, and so on. Beanstalk will provision the infrastructure, and place your containers in the cluster and monitor the container's health.
Amazon ECS has been specifically designed to manage containers deployed in a cluster. Amazon ECS provides the cluster management infrastructure and integrates with other AWS services such as ELB, EBS volumes, and IAM. A cluster here is a set of EC2 instances running the Amazon ECS container agent that communicates with the cluster manager and the Docker daemon. The agent registers with the specified cluster and sends EC2 instance and container information. An autoscaling group is associated with the cluster to ensure that the cluster grows appropriately, to meet the container workloads.
Amazon ECS provides two schedulers—the RunTask action (for random distribution of tasks across your cluster) and the service scheduler (for long-running stateless services). The schedulers use the cluster state information from the ECS API to make the placement decisions. Amazon ECS also allow integration of custom and third-party schedulers.
Amazon ECS supports using CloudWatch to monitor the EC2 instances in the cluster. You can view the metrics for Amazon ECS in the ECS and the CloudWatch consoles. The average, minimum, and maximum values for the last 24 hours for cluster CPU and memory and service metrics are available in the ECS console. The CloudWatch console provides a more detailed view of the ECS cluster and service metrics. These metrics include the cluster utilization and service utilization metrics. In addition, you can create CloudWatch alarms. For example, you can create an autoscaling group for the ECS cluster based on cluster memory utilization metric. Amazon ECS is integrated with AWS CloudTrail, so you can use to track the API calls made by Amazon ECS.
Container security can be implemented using AWS IAM, security groups, and VPC configurations. For example, you can create an IAM role and associate it with your container instances (when launch them) so that the ECS container instances calls to ECS and EC2 APIs are authenticated. In addition, you can also leverage Dockers isolation capabilities or use other isolation frameworks such as iptables and SELinux.