Jon Todd, profile picture
Uploaded byJon Todd
1,924 views

ECS and Docker at Okta

The document details Jon Todd's insights on leveraging Okta's services with a focus on ECS and Docker for managing microservices. It outlines the architecture, DevOps practices, security measures, and operational procedures needed for deploying applications with reliability and efficiency. Key takeaways include the importance of automation, scaling, and maintaining zero downtime during deployments.

Technologyā—¦
In this document
Powered by AI

Jon Todd introduces himself as the Chief Architect at Okta, discussing ECS and Docker on August 2, 2016.

Okta is a popular service used by millions of individuals and thousands of enterprises, notably for Adobeā€™s Creative Cloud.

Okta serves a wide range of industries including Finance, Technology, Health, and more, indicating its adaptability.

Describes various Okta features including Mobility Management, SSO, MFA, Directory Integration, providing secure access for all applications.

Okta is presented as the most reliable IDaaS, with global data centers, highlighting its redundancy and scalability.

Discussion of the challenges faced in defining micro-services and the need for development and operational stability.

Key requirements for deployments dwell on immutability, 0-downtime deployments, and compliance necessary for a robust system.

The selection of effective technology components such as container frameworks and continuous integration tools in DevOps.

Docker and ECS address issues like repeatability, stability, and compliance in managing applications efficiently.

Explains ECS concepts including task definitions, services, clusters, and continuous integration workflows for development.

Discusses dynamic scaling with ECS, cost savings using spot instances, and various termination policies for resource management.

Highlights ECS efficiency in operations with a cluster size of over 150 instances, emphasizing deployment strategies.

Focus on micro-services architecture with ECS and methods for 0-downtime testing to ensure smooth operations.

Technical parameters including ECS configuration, cluster setups, and performance metrics for operation evaluations.

Details the workflow structure involving deployment configurations and definitions provided by developers for ECS tasks.

Security measures and conventions for managing container updates, versions, and integration tests for reliable operations.

Emphasizes the importance of logging, monitoring metrics, and highlights feature requests to improve ECS functionalities.

Transition from challenges to an effective automated pipeline with a final opportunity for audience questions.

Jon Todd, Chief Architect ECS and Docker @Okta August 2, 2016 @JonToddDotCom
Background
Millions of people use Okta every dayMillions of people use Okta every day
Thousands of enterprises use Okta to connect to Adobeā€™s Creative Cloud jim@designer.com
Thousands of Enterprise Customers Ed, Gov, Non-Profit Services Media ConsumerTechnology Manufacturing, Energy FinanceCloudHealth
Okta Application Network Mobility ManagementSingle Sign On Adaptive MFA Provisioning Universal Directory Extensible Profiles, Attribute Transformations, Directory Integration and AD Password Management Secure SSO for All Your Web Apps, On-prem and Cloud, with Flexible Policy, from Any Device Contextual Access Policies, Modern Factors, Adaptive Authentication, Integrations for Apps and VPNs Lifecycle Management, Cloud & On-prem App Integration, Mastering from Apps, Directory Provisioning, Rules, Workflow, Reporting Tight User Identity Integration, Device Based Contextual Access, Light-weight Management Okta IT & Platform products
The most reliable IDaaS available Never taken offline for upgrades Redundant and scalable A B C A B C DC2 DC1 okta.com/trust A Platform Architecture For Scale DATA TIER A B C LOAD BALANCERS APP SERVERS
Global Datacenters
Our stack stackshare.io/okta/okta
The Problem
Defining a pattern for micro-services https://www.pinterest.com/pin/205828645447534387/ http://www.bennysbaker.com/poop-emoji-cupcakes/
DevOps abstraction layer Inspired by: http://dev2ops.org/2010/02/what-is-devops/ Dev OpsWall of turmoil Dev Ops I want stabilityI want change Domain boundary
Repeatability through immutability ā€¢ Same runtime environment dev / test / prod ā€¢ Runtime versioned w/ code ā€¢ Easy reproducibility ā€¢ All changes use same release process
Additional requirements ā€¢ 0-downtime deployments ā€¢ Support for our multi-az & multi-region architecture ā€¢ Compliance ā€“ SOC2 type 2, HIPAA, ISO 27001 ā€¢ Separation of duties ā€“ a.k.a. no developer access to production hosts ā€¢ Push button deployment ā€¢ Rollback and canary support
Technology Selection
Building blocks Dev Ops I want stabilityI want changeContainer frameworks Cluster schedulerDev Ops Continuous integration
Options Container frameworks Cluster schedulers Amazon EC2 Container Service LXC
Our problems solved ā€¢ Repeatability ā€¢ Declarative & composable Dockerfile ā€¢ Images are immutable ā€¢ Stability ā€¢ Massive community with production adoption ā€¢ Initial release > 3 years ago ā€¢ Compliant ā€¢ ECS isnā€™t in flow, EC2 is already compliant ā€¢ DevOps Abstraction ā€¢ Hosts and underlying resources abstracted away ā€¢ Task Definition allows developers to schedule deploys ā€¢ Stability ā€¢ 0-downtime services ā€¢ Fully managed! ā€¢ Works with existing AWS tooling Docker EC2 Container Service
ECS Refresher
Source: All Things Distributed ā€“ a.k.a Werner Vogels
Additional concepts ā€¢ Task Definitions define one or more containers to run. ā€¢ Services define a long running task and run inside a cluster ā€¢ Clusters define a set of EC2 resources that can be shared by more than one service ā€¢ Auto scaling groups can be used to define size and launch configuration of a cluster
CI with ECS Tasks
CI Workflow Artifactory (Maven, NPM, Docker, YUM) Topic builds ā€“ topic repo Promoted buildsā€“ release repo
CI Workflow
Why ECS ā€“ Isolation & Versioning
1. Lambda: Task which scales cluster based on queue 2. Lambda: Inspect running tasks an bin pack new tasks where possible ā€¢ This is one of the changes we had to make in order to use ECS for long running tasks, rather than long running services spread across many stateless instances ā€¢ Disconnects unneeded nodes from cluster allowing themselves to self terminate when they are idle Why ECS - Dynamic worker scaling VS
Dynamic Scaling
Cost Savings With Spot Instances
Feature Requests ā€¢ Ability to have spot and on-demand in same Auto Scaling Group (ASG) ā€¢ Built-in bin packing scheduler ā€¢ Give ASG a termination policy based on ECS status ā€¢ i.e. prefer instances with no running tasks
Termination policy ā€¢ OldestInstance. Auto Scaling terminates the oldest instance in the group. This option is useful when you're upgrading the instances in the Auto Scaling group to a new EC2 instance type, so you can gradually replace instances of the old type with instances of the new type. ā€¢ NewestInstance. Auto Scaling terminates the newest instance in the group. This policy is useful when you're testing a new launch configuration but don't want to keep it in production. ā€¢ OldestLaunchConfiguration. Auto Scaling terminates instances that have the oldest launch configuration. This policy is useful when you're updating a group and phasing out the instances from a previous configuration. ā€¢ ClosestToNextInstanceHour. Auto Scaling terminates instances that are closest to the next billing hour. This policy helps you maximize the use of your instances and manage costs. ā€¢ Default. Auto Scaling uses its default termination policy. This policy is useful when you have more than one scaling policy associated with the group.
Takeaways ā€¢ ECS is running well for us in a 150+ instance cluster ā€¢ Bake AMI with large files and common images into host machines ā€¢ Spot instances give 2 min warning. Keeps jobs short
Micro-services with ECS Services
Due diligence
0-Downtime Testing https://github.com/jontodd/aries
Test Assumptions ā€¢ ECS config ā€¢ Agent version 1.11.0 ā€¢ Docker version 1.11.2 ā€¢ Cluster config ā€¢ 8 instances backed by ASG ā€¢ ASG config ā€¢ 8 instances across 3 AZs ā€¢ Default termination policy ā€¢ 5 min health check grace period ā€¢ ELB ā€¢ Timeout 4s ā€¢ Interval 5s ā€¢ Unhealthy threshold 2 ā€¢ Healthy threshold 10 ā€¢ Enable connection draining 300s timeout ā€¢ Load generation ā€¢ 16 threads ā€¢ Throughput ā€¢ Interactive ļƒØ 490 r/s ā€¢ 10s long poll ļƒØ 1.5 r/s
Operation Interactive Errors (~70ms latency, 490rps) Long Poll Errors (~10s latency, 1.5rps) Upsize ECS service 4 ļƒ  8 0 0 Downsize ECS service 8 ļƒ  4 0 0 Deploy ECS service ā€“ 50% min healthy 0 0 Stop task* 0 0 Downsize Auto Scaling Group (ASG) 0 0 Terminate EC2 instance 0 0 Stop Docker daemon (service docker stop)* 0 0 Stop EC2 instance** 0 0 Kill Docker Container (docker kill <containerId>)* 2 2 Fail health check 450 5 * No intention of running operation in practice ** Caused inconsistent state
Our architecture
Workflow Auto Scaling Group Launch Config EC2 ECS Cluster ECS Service ECS Canary Service Application YAML Docker Registry (Artifactory) ELB Images pulled when tasks start Conductor (Bastion ECS Controller) CI Pipeline Git Repo Promoted artifactsDockerfile docker_compose.yml Test / Preview / ProductionDev Deploy new version
Application definition ā€¢ Developers define YAML for their application ā€¢ Deploy time configuration is supplied to the ECS task definition ā€¢ Secrets are pulled by the application at startup
Security conventions ā€¢ Container repository ā€¢ Only allow containers from internal repository ā€¢ IAM separation per service ā€¢ Either service per cluster or use new IAM for ECS functionality ā€¢ Security scanning of containers - JFrog Xray ā€¢ Process monitoring on docker host ā€“ cAdvisor from google ā€¢ Secrets or any form of config NEVER baked in containers ā€¢ Start from minimal, audited base OS ā€¢ Run container as non-privileged user w/ user namespaces Docker 1.10+ ā€¢ Monitor alas.aws.amazon.com for critical updates
Source Conventions ā€¢ 3 categories of container definitions 1. ā€œLibraryā€ definitions used as the basis for building other images 2. Third-party service definitions e.g. Zookeeper or Elasticsearch 3. Internal service definitions ā€¢ Repo per internal service ā€¢ Dockerfile in same repo => image versioned with code ā€¢ Docker compose for running dependent services ā€¢ Pegged versions (no builds) ā€¢ Single repo for library and third-party service definitions
Build Conventions ā€¢ Integration tests run against code running in container ā€¢ Build owns creating immutable version and publishing to artifact server ā€¢ Strict rules around ā€œFROMā€ clause ā€¢ Must point at internal artifact server ā€¢ Must be tagged following SEMVER-SHORT_SHA convention ā€¢ Never allow missing or use of ā€œlatestā€ tag for repeatable builds
Logging and monitoring ā€¢ Logging ā€¢ All output streams pipe to STDOUT/STDERR of the running process ā€¢ Log forwarding is provided by underlying host ā€¢ Log entries contain ā€¢ Host ā€¢ Container Id ā€¢ Image name & version ā€¢ Request Id ā€¢ Metrics ā€¢ Host level, generic container metrics provided by host ā€¢ App level metrics published directly to well defined endpoints
Feature requests ā€¢ ELB ā€¢ Dynamic port mapping to containers ā€¢ Fail health based on HTTP return code ā€¢ Different health endpoint for adding vs removing ā€¢ Service level security groups ā€¢ Service discovery w/o ELB ā€¢ Ability to mark container instances as un-schedulable ā€¢ Remove sharp edges around the stopped state ā€¢ Give ASG ability to set EC2 ā€shutdown behaviorā€ ā€¢ Periodic cleanup process in ECS to deregister stopped instances
Takeaways ā€¢ /etc/ecs/ecs.config ā€¢ ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION for forensics (default 1hr) ā€¢ ECS_LOGLEVEL=debug ā€¢ Beware of running services in same cluster that use the same ports ā€¢ Tune ELB health check ā€¢ Docker 1.10 for security enhancements ā€¢ Canary & Blue/Green separate service attached to same ELB ā€¢ Rollback is trivial ā€¢ ECS is incredibly easy to get up and running ā€¢ The ecosystem is changing quickly, we are moving cautiously ā€¢ ECS team has made a lot of improvements
Dev OpsWall of turmoil Automated pipeline of awesomeness
Questions?
Thank You Follow me @JonToddDotCom Join us @Okta - www.okta.com/company/careers/

More Related Content

PPTX
Azure migration
byArnon Rotem-Gal-Oz
Ā 
PDF
Oracle APEX źø°ģ“ˆ ģ›Œķ¬ģƒµ - ģ‹¤ģŠµ ź°€ģ“ė“œ ė¬øģ„œ: Part 1 (1/2)
byTaewan Kim
Ā 
PPTX
OOW15 - Testing Oracle E-Business Suite Best Practices
byvasuballa
Ā 
PPTX
Google Firebase Presentation
byAeni Patel
Ā 
PDF
Oracle APEX, Oracle Autonomous Database, Always Free Oracle Cloud Services
byMichael Hichwa
Ā 
PDF
ASP.NET Core MVC with EF Core code first
byMd. Aftab Uddin Kajal
Ā 
PPT
Spring Core
byPushan Bhattacharya
Ā 
DOCX
Scott Allen Williams RƩsumƩ - Senior Java Software Developer - Agile Technolo...
byScott Williams
Ā 
Azure migration
byArnon Rotem-Gal-Oz
Ā 
Oracle APEX źø°ģ“ˆ ģ›Œķ¬ģƒµ - ģ‹¤ģŠµ ź°€ģ“ė“œ ė¬øģ„œ: Part 1 (1/2)
byTaewan Kim
Ā 
OOW15 - Testing Oracle E-Business Suite Best Practices
byvasuballa
Ā 
Google Firebase Presentation
byAeni Patel
Ā 
Oracle APEX, Oracle Autonomous Database, Always Free Oracle Cloud Services
byMichael Hichwa
Ā 
ASP.NET Core MVC with EF Core code first
byMd. Aftab Uddin Kajal
Ā 
Spring Core
byPushan Bhattacharya
Ā 
Scott Allen Williams RƩsumƩ - Senior Java Software Developer - Agile Technolo...
byScott Williams
Ā 

What's hot

PPTX
Introduction to Spring Framework
bySerhat Can
Ā 
PPTX
Introduction to spring boot
bySantosh Kumar Kar
Ā 
PPTX
Introduction to angular with a simple but complete project
byJadson Santos
Ā 
PPTX
Microsoft Azure Cost Optimization and improve efficiency
byKushan Lahiru Perera
Ā 
PDF
Step-by-Step: APEX Installation on Tomcat (Windows Server 2016)
bysheriframadan18
Ā 
PDF
Apache KafkaĀ® and the Data Mesh
byConfluentInc1
Ā 
PPTX
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
byAndrejs Prokopjevs
Ā 
PDF
What's new in API Connect and DataPower - 2019
byIBM DataPower Gateway
Ā 
PPTX
Reactjs
byMallikarjuna G D
Ā 
PDF
Intro to GraphQL
byRakuten Group, Inc.
Ā 
PDF
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
byHostedbyConfluent
Ā 
PDF
ORDS - Oracle REST Data Services
byJustin Michael Raj
Ā 
PPSX
Rest api standards and best practices
byAnkita Mahajan
Ā 
PDF
Oracle Application Express (APEX) and Microsoft Sharepoint integration
byDimitri Gielis
Ā 
PDF
JCR, Sling or AEM? Which API should I use and when?
byconnectwebex
Ā 
PDF
Oracle APEX Interactive Grid Essentials
byKaren Cannell
Ā 
PDF
Understanding Sling Models in AEM
byAccunity Software
Ā 
PPTX
Spring Framework Petclinic sample application
byAntoine Rey
Ā 
PDF
Introduction to Knowledge Graphs for Information Architects.pdf
byHeather Hedden
Ā 
PDF
GraphQL vs REST
byGreeceJS
Ā 
Introduction to Spring Framework
bySerhat Can
Ā 
Introduction to spring boot
bySantosh Kumar Kar
Ā 
Introduction to angular with a simple but complete project
byJadson Santos
Ā 
Microsoft Azure Cost Optimization and improve efficiency
byKushan Lahiru Perera
Ā 
Step-by-Step: APEX Installation on Tomcat (Windows Server 2016)
bysheriframadan18
Ā 
Apache KafkaĀ® and the Data Mesh
byConfluentInc1
Ā 
Oracle EBS Journey to the Cloud - What is New in 2022 (UKOUG Breakthrough 22 ...
byAndrejs Prokopjevs
Ā 
What's new in API Connect and DataPower - 2019
byIBM DataPower Gateway
Ā 
Reactjs
byMallikarjuna G D
Ā 
Intro to GraphQL
byRakuten Group, Inc.
Ā 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
byHostedbyConfluent
Ā 
ORDS - Oracle REST Data Services
byJustin Michael Raj
Ā 
Rest api standards and best practices
byAnkita Mahajan
Ā 
Oracle Application Express (APEX) and Microsoft Sharepoint integration
byDimitri Gielis
Ā 
JCR, Sling or AEM? Which API should I use and when?
byconnectwebex
Ā 
Oracle APEX Interactive Grid Essentials
byKaren Cannell
Ā 
Understanding Sling Models in AEM
byAccunity Software
Ā 
Spring Framework Petclinic sample application
byAntoine Rey
Ā 
Introduction to Knowledge Graphs for Information Architects.pdf
byHeather Hedden
Ā 
GraphQL vs REST
byGreeceJS
Ā 

Viewers also liked

PDF
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
byOkta-Inc
Ā 
PPTX
KMS at Okta - Intermediate Level
byJon Todd
Ā 
PPTX
Amazon API Gateway
byMark Bate
Ā 
PDF
Containers 101 - CloudCamp London
byEd Hoppitt
Ā 
PDF
Okta Directory Integration for Microsoft Office365 - from Atidan
byDavid J Rosenthal
Ā 
PPTX
Cisco Visual Networking Index and VNI Service Adoption 2014ā€“2019 - Argentina
byOscar Romano
Ā 
PDF
Marseille 2017 FTTH Conference Workshop "Revenues from Passive Network and fr...
byIgor Brusic
Ā 
PDF
Containers - Transforming the data centre as we know it 2016
byKeith Lynch
Ā 
PPTX
Best cases time
byDarina Zhezhel
Ā 
PPTX
Azure API Apps
byBizTalk360
Ā 
PPTX
Sekuentzia Didaktikoa
byOstadarrasutan
Ā 
PDF
LTC Lovell's Brief to the SAME Philadelphia Post
byKevin Lovell, PMP
Ā 
PDF
Marseille 2017 FTTH Conference Main Programm "Service Delivery in a 3-Layer-O...
byIgor Brusic
Ā 
PDF
Cisco Visual Networking Index (VNI) Global Mobile Data Traffic Forecast for 2...
byOscar Romano
Ā 
DOCX
Resume Jay a Woods
byJolee Allwood
Ā 
PPTX
Derechos de autor. derecho...
byLDRD01
Ā 
PDF
INFOGRAPHIC: EU Referendum ā€“ What do UK business leaders feel about the EU?
byPriceBailey
Ā 
PPTX
Triprockets' Top 10 Sydney bucketlist
byRizal Iskandar
Ā 
PPTX
DONATION FORM CHANGES
byKatherine Wisniewski
Ā 
PDF
Portafolio de objetos dibujados a mano alzada y en cad
by3219082707
Ā 
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
byOkta-Inc
Ā 
KMS at Okta - Intermediate Level
byJon Todd
Ā 
Amazon API Gateway
byMark Bate
Ā 
Containers 101 - CloudCamp London
byEd Hoppitt
Ā 
Okta Directory Integration for Microsoft Office365 - from Atidan
byDavid J Rosenthal
Ā 
Cisco Visual Networking Index and VNI Service Adoption 2014ā€“2019 - Argentina
byOscar Romano
Ā 
Marseille 2017 FTTH Conference Workshop "Revenues from Passive Network and fr...
byIgor Brusic
Ā 
Containers - Transforming the data centre as we know it 2016
byKeith Lynch
Ā 
Best cases time
byDarina Zhezhel
Ā 
Azure API Apps
byBizTalk360
Ā 
Sekuentzia Didaktikoa
byOstadarrasutan
Ā 
LTC Lovell's Brief to the SAME Philadelphia Post
byKevin Lovell, PMP
Ā 
Marseille 2017 FTTH Conference Main Programm "Service Delivery in a 3-Layer-O...
byIgor Brusic
Ā 
Cisco Visual Networking Index (VNI) Global Mobile Data Traffic Forecast for 2...
byOscar Romano
Ā 
Resume Jay a Woods
byJolee Allwood
Ā 
Derechos de autor. derecho...
byLDRD01
Ā 
INFOGRAPHIC: EU Referendum ā€“ What do UK business leaders feel about the EU?
byPriceBailey
Ā 
Triprockets' Top 10 Sydney bucketlist
byRizal Iskandar
Ā 
DONATION FORM CHANGES
byKatherine Wisniewski
Ā 
Portafolio de objetos dibujados a mano alzada y en cad
by3219082707
Ā 

Similar to ECS and Docker at Okta

PDF
ECS and ECR deep dive
byShiva Narayanaswamy
Ā 
PPTX
Docker on Amazon ECS
byDeepak Kumar
Ā 
PDF
ecs-presentation
byMarc Costello
Ā 
PPTX
Amazon ECS.pptx tasks conatiner ecs new car
byzineblahib2
Ā 
PPTX
Introduction to AWS and Docker on ECS
byCloudHesive
Ā 
PDF
intro elastic container service amazon aws
byDanielJara92
Ā 
PDF
Getting started with Amazon ECS
byIoannis Polyzos
Ā 
PDF
Running Docker Containers on AWS
byVladimir Simek
Ā 
PPTX
Leveraging Amzon EC2 Container Services for Container Orchestration
byNeeraj Shah
Ā 
PPTX
Docker on AWS - the Right Way
byAllCloud
Ā 
PPTX
AWS Elastic Container Service (ECS) with a CI Pipeline Overview
byWyn B. Van Devanter
Ā 
PDF
Amazon EC2 container service
byAleksandr Maklakov
Ā 
PDF
Getting Started with Docker on AWS
byKristana Kane
Ā 
PPTX
AWS ECS Meetup Talentica
byAnshul Patel
Ā 
PPTX
ECS - from 0 to 100
byVitaliy Kuznetsov
Ā 
PPTX
Tech connect aws
byBlake Diers
Ā 
PPTX
AWS ECS LESSONS LEARNED
byhumayun Jamal
Ā 
PDF
Introduction to Amazon EC2 Container Service
bychristophertcannon
Ā 
PPTX
Getting Started With Docker on AWS
byMikhail Prudnikov
Ā 
PPTX
Containers State of the Union I AWS Dev Day 2018
byAWS Germany
Ā 
ECS and ECR deep dive
byShiva Narayanaswamy
Ā 
Docker on Amazon ECS
byDeepak Kumar
Ā 
ecs-presentation
byMarc Costello
Ā 
Amazon ECS.pptx tasks conatiner ecs new car
byzineblahib2
Ā 
Introduction to AWS and Docker on ECS
byCloudHesive
Ā 
intro elastic container service amazon aws
byDanielJara92
Ā 
Getting started with Amazon ECS
byIoannis Polyzos
Ā 
Running Docker Containers on AWS
byVladimir Simek
Ā 
Leveraging Amzon EC2 Container Services for Container Orchestration
byNeeraj Shah
Ā 
Docker on AWS - the Right Way
byAllCloud
Ā 
AWS Elastic Container Service (ECS) with a CI Pipeline Overview
byWyn B. Van Devanter
Ā 
Amazon EC2 container service
byAleksandr Maklakov
Ā 
Getting Started with Docker on AWS
byKristana Kane
Ā 
AWS ECS Meetup Talentica
byAnshul Patel
Ā 
ECS - from 0 to 100
byVitaliy Kuznetsov
Ā 
Tech connect aws
byBlake Diers
Ā 
AWS ECS LESSONS LEARNED
byhumayun Jamal
Ā 
Introduction to Amazon EC2 Container Service
bychristophertcannon
Ā 
Getting Started With Docker on AWS
byMikhail Prudnikov
Ā 
Containers State of the Union I AWS Dev Day 2018
byAWS Germany
Ā 

Recently uploaded

PDF
Airtable Building Semantic Search with Milvus
byZilliz
Ā 
PDF
Embracing Karpenter to scale, optimise and upgrade Kubernetes
byMarko Bevc
Ā 
PDF
Igalia and WebKit: Status update and plans (2025)
byIgalia
Ā 
PDF
AI Enabled Task Automation Technology Trends in the IT Industry
byManish Chopra
Ā 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
Ā 
PDF
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
Ā 
PPTX
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
Ā 
PPTX
Strategic Briefing - Supply-Chain and Autonomous AI Convergence - October-18-...
bySergio De Gregorio
Ā 
PPTX
Introduction to WordPress Workshop - WCEH 2025
byShanta Nathwani
Ā 
PPTX
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
Ā 
PDF
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
Ā 
PDF
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
Ā 
PDF
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
Ā 
PDF
APDCA Energy sustainability white paper.pdf
byflintglobalapac
Ā 
PDF
Linux Day Prato 2025: NixOS spiegato ammiocuggino - NixOS for Human Beings
byPeter Bittner
Ā 
PDF
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
Ā 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
Ā 
DOCX
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
Ā 
DOCX
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
Ā 
PDF
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
Ā 
Airtable Building Semantic Search with Milvus
byZilliz
Ā 
Embracing Karpenter to scale, optimise and upgrade Kubernetes
byMarko Bevc
Ā 
Igalia and WebKit: Status update and plans (2025)
byIgalia
Ā 
AI Enabled Task Automation Technology Trends in the IT Industry
byManish Chopra
Ā 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
Ā 
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
Ā 
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
Ā 
Strategic Briefing - Supply-Chain and Autonomous AI Convergence - October-18-...
bySergio De Gregorio
Ā 
Introduction to WordPress Workshop - WCEH 2025
byShanta Nathwani
Ā 
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
Ā 
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
Ā 
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
Ā 
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
Ā 
APDCA Energy sustainability white paper.pdf
byflintglobalapac
Ā 
Linux Day Prato 2025: NixOS spiegato ammiocuggino - NixOS for Human Beings
byPeter Bittner
Ā 
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
Ā 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
Ā 
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
Ā 
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
Ā 
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
Ā 

ECS and Docker at Okta

  • 1.
    Jon Todd, ChiefArchitect ECS and Docker @Okta August 2, 2016 @JonToddDotCom
  • 2.
  • 3.
    Millions of peopleuse Okta every dayMillions of people use Okta every day
  • 4.
    Thousands of enterprisesuse Okta to connect to Adobeā€™s Creative Cloud jim@designer.com
  • 5.
    Thousands of EnterpriseCustomers Ed, Gov, Non-Profit Services Media ConsumerTechnology Manufacturing, Energy FinanceCloudHealth
  • 6.
    Okta Application Network MobilityManagementSingle Sign On Adaptive MFA Provisioning Universal Directory Extensible Profiles, Attribute Transformations, Directory Integration and AD Password Management Secure SSO for All Your Web Apps, On-prem and Cloud, with Flexible Policy, from Any Device Contextual Access Policies, Modern Factors, Adaptive Authentication, Integrations for Apps and VPNs Lifecycle Management, Cloud & On-prem App Integration, Mastering from Apps, Directory Provisioning, Rules, Workflow, Reporting Tight User Identity Integration, Device Based Contextual Access, Light-weight Management Okta IT & Platform products
  • 7.
    The most reliableIDaaS available Never taken offline for upgrades Redundant and scalable A B C A B C DC2 DC1 okta.com/trust A Platform Architecture For Scale DATA TIER A B C LOAD BALANCERS APP SERVERS
  • 8.
  • 9.
  • 10.
  • 11.
    Defining a patternfor micro-services https://www.pinterest.com/pin/205828645447534387/ http://www.bennysbaker.com/poop-emoji-cupcakes/
  • 12.
    DevOps abstraction layer Inspiredby: http://dev2ops.org/2010/02/what-is-devops/ Dev OpsWall of turmoil Dev Ops I want stabilityI want change Domain boundary
  • 13.
    Repeatability through immutability ā€¢Same runtime environment dev / test / prod ā€¢ Runtime versioned w/ code ā€¢ Easy reproducibility ā€¢ All changes use same release process
  • 14.
    Additional requirements ā€¢ 0-downtimedeployments ā€¢ Support for our multi-az & multi-region architecture ā€¢ Compliance ā€“ SOC2 type 2, HIPAA, ISO 27001 ā€¢ Separation of duties ā€“ a.k.a. no developer access to production hosts ā€¢ Push button deployment ā€¢ Rollback and canary support
  • 15.
  • 16.
    Building blocks Dev Ops Iwant stabilityI want changeContainer frameworks Cluster schedulerDev Ops Continuous integration
  • 17.
    Options Container frameworks Clusterschedulers Amazon EC2 Container Service LXC
  • 18.
    Our problems solved ā€¢Repeatability ā€¢ Declarative & composable Dockerfile ā€¢ Images are immutable ā€¢ Stability ā€¢ Massive community with production adoption ā€¢ Initial release > 3 years ago ā€¢ Compliant ā€¢ ECS isnā€™t in flow, EC2 is already compliant ā€¢ DevOps Abstraction ā€¢ Hosts and underlying resources abstracted away ā€¢ Task Definition allows developers to schedule deploys ā€¢ Stability ā€¢ 0-downtime services ā€¢ Fully managed! ā€¢ Works with existing AWS tooling Docker EC2 Container Service
  • 19.
  • 20.
    Source: All ThingsDistributed ā€“ a.k.a Werner Vogels
  • 21.
    Additional concepts ā€¢ TaskDefinitions define one or more containers to run. ā€¢ Services define a long running task and run inside a cluster ā€¢ Clusters define a set of EC2 resources that can be shared by more than one service ā€¢ Auto scaling groups can be used to define size and launch configuration of a cluster
  • 22.
  • 23.
    CI Workflow Artifactory (Maven, NPM,Docker, YUM) Topic builds ā€“ topic repo Promoted buildsā€“ release repo
  • 24.
  • 25.
    Why ECS ā€“Isolation & Versioning
  • 26.
    1. Lambda: Taskwhich scales cluster based on queue 2. Lambda: Inspect running tasks an bin pack new tasks where possible ā€¢ This is one of the changes we had to make in order to use ECS for long running tasks, rather than long running services spread across many stateless instances ā€¢ Disconnects unneeded nodes from cluster allowing themselves to self terminate when they are idle Why ECS - Dynamic worker scaling VS
  • 27.
  • 28.
    Cost Savings WithSpot Instances
  • 29.
    Feature Requests ā€¢ Abilityto have spot and on-demand in same Auto Scaling Group (ASG) ā€¢ Built-in bin packing scheduler ā€¢ Give ASG a termination policy based on ECS status ā€¢ i.e. prefer instances with no running tasks
  • 30.
    Termination policy ā€¢ OldestInstance.Auto Scaling terminates the oldest instance in the group. This option is useful when you're upgrading the instances in the Auto Scaling group to a new EC2 instance type, so you can gradually replace instances of the old type with instances of the new type. ā€¢ NewestInstance. Auto Scaling terminates the newest instance in the group. This policy is useful when you're testing a new launch configuration but don't want to keep it in production. ā€¢ OldestLaunchConfiguration. Auto Scaling terminates instances that have the oldest launch configuration. This policy is useful when you're updating a group and phasing out the instances from a previous configuration. ā€¢ ClosestToNextInstanceHour. Auto Scaling terminates instances that are closest to the next billing hour. This policy helps you maximize the use of your instances and manage costs. ā€¢ Default. Auto Scaling uses its default termination policy. This policy is useful when you have more than one scaling policy associated with the group.
  • 31.
    Takeaways ā€¢ ECS isrunning well for us in a 150+ instance cluster ā€¢ Bake AMI with large files and common images into host machines ā€¢ Spot instances give 2 min warning. Keeps jobs short
  • 32.
  • 33.
  • 34.
  • 36.
    Test Assumptions ā€¢ ECSconfig ā€¢ Agent version 1.11.0 ā€¢ Docker version 1.11.2 ā€¢ Cluster config ā€¢ 8 instances backed by ASG ā€¢ ASG config ā€¢ 8 instances across 3 AZs ā€¢ Default termination policy ā€¢ 5 min health check grace period ā€¢ ELB ā€¢ Timeout 4s ā€¢ Interval 5s ā€¢ Unhealthy threshold 2 ā€¢ Healthy threshold 10 ā€¢ Enable connection draining 300s timeout ā€¢ Load generation ā€¢ 16 threads ā€¢ Throughput ā€¢ Interactive ļƒØ 490 r/s ā€¢ 10s long poll ļƒØ 1.5 r/s
  • 37.
    Operation Interactive Errors (~70mslatency, 490rps) Long Poll Errors (~10s latency, 1.5rps) Upsize ECS service 4 ļƒ  8 0 0 Downsize ECS service 8 ļƒ  4 0 0 Deploy ECS service ā€“ 50% min healthy 0 0 Stop task* 0 0 Downsize Auto Scaling Group (ASG) 0 0 Terminate EC2 instance 0 0 Stop Docker daemon (service docker stop)* 0 0 Stop EC2 instance** 0 0 Kill Docker Container (docker kill <containerId>)* 2 2 Fail health check 450 5 * No intention of running operation in practice ** Caused inconsistent state
  • 38.
  • 39.
    Workflow Auto Scaling Group LaunchConfig EC2 ECS Cluster ECS Service ECS Canary Service Application YAML Docker Registry (Artifactory) ELB Images pulled when tasks start Conductor (Bastion ECS Controller) CI Pipeline Git Repo Promoted artifactsDockerfile docker_compose.yml Test / Preview / ProductionDev Deploy new version
  • 40.
    Application definition ā€¢ Developersdefine YAML for their application ā€¢ Deploy time configuration is supplied to the ECS task definition ā€¢ Secrets are pulled by the application at startup
  • 41.
    Security conventions ā€¢ Containerrepository ā€¢ Only allow containers from internal repository ā€¢ IAM separation per service ā€¢ Either service per cluster or use new IAM for ECS functionality ā€¢ Security scanning of containers - JFrog Xray ā€¢ Process monitoring on docker host ā€“ cAdvisor from google ā€¢ Secrets or any form of config NEVER baked in containers ā€¢ Start from minimal, audited base OS ā€¢ Run container as non-privileged user w/ user namespaces Docker 1.10+ ā€¢ Monitor alas.aws.amazon.com for critical updates
  • 42.
    Source Conventions ā€¢ 3categories of container definitions 1. ā€œLibraryā€ definitions used as the basis for building other images 2. Third-party service definitions e.g. Zookeeper or Elasticsearch 3. Internal service definitions ā€¢ Repo per internal service ā€¢ Dockerfile in same repo => image versioned with code ā€¢ Docker compose for running dependent services ā€¢ Pegged versions (no builds) ā€¢ Single repo for library and third-party service definitions
  • 43.
    Build Conventions ā€¢ Integrationtests run against code running in container ā€¢ Build owns creating immutable version and publishing to artifact server ā€¢ Strict rules around ā€œFROMā€ clause ā€¢ Must point at internal artifact server ā€¢ Must be tagged following SEMVER-SHORT_SHA convention ā€¢ Never allow missing or use of ā€œlatestā€ tag for repeatable builds
  • 44.
    Logging and monitoring ā€¢Logging ā€¢ All output streams pipe to STDOUT/STDERR of the running process ā€¢ Log forwarding is provided by underlying host ā€¢ Log entries contain ā€¢ Host ā€¢ Container Id ā€¢ Image name & version ā€¢ Request Id ā€¢ Metrics ā€¢ Host level, generic container metrics provided by host ā€¢ App level metrics published directly to well defined endpoints
  • 45.
    Feature requests ā€¢ ELB ā€¢Dynamic port mapping to containers ā€¢ Fail health based on HTTP return code ā€¢ Different health endpoint for adding vs removing ā€¢ Service level security groups ā€¢ Service discovery w/o ELB ā€¢ Ability to mark container instances as un-schedulable ā€¢ Remove sharp edges around the stopped state ā€¢ Give ASG ability to set EC2 ā€shutdown behaviorā€ ā€¢ Periodic cleanup process in ECS to deregister stopped instances
  • 46.
    Takeaways ā€¢ /etc/ecs/ecs.config ā€¢ ECS_ENGINE_TASK_CLEANUP_WAIT_DURATIONfor forensics (default 1hr) ā€¢ ECS_LOGLEVEL=debug ā€¢ Beware of running services in same cluster that use the same ports ā€¢ Tune ELB health check ā€¢ Docker 1.10 for security enhancements ā€¢ Canary & Blue/Green separate service attached to same ELB ā€¢ Rollback is trivial ā€¢ ECS is incredibly easy to get up and running ā€¢ The ecosystem is changing quickly, we are moving cautiously ā€¢ ECS team has made a lot of improvements
  • 47.
    Dev OpsWall ofturmoil Automated pipeline of awesomeness
  • 48.
  • 49.
    Thank You Follow me@JonToddDotCom Join us @Okta - www.okta.com/company/careers/

Editor's Notes

  • #3Ā How many have heard of Okta? Used it?
  • #7Ā This is the full set of Okta IT and Platform products, 100-cloud based and integrated. Each of these are full featured products you could use to replace CA, RSA, or Airwatch.
  • #10Ā Java backend JS Front end Entirely hosted in the cloud in AWS In general we like using and giving back to open source
  • #14Ā Same environment dev / test / prod Environment should be versioned with code Problems with chef mutating production with bad or incorrect version of config Easy reproducibility Security audit can be done on artifact and then just monitor runtime for correct version
  • #19Ā All together we get a PATTERN FOR MICROSERVICES
  • #21Ā - We run on ecs optimized - Reduced packages - Upgrade is easier
  • #24Ā Developers can run all CI test on any topic branch Master locked down, Bacon is the gate keeper Jenkins used for job definition and lifecycle Slave pool is ECS! ECS run as short lived tasks Each day we get between 100 & 150 containers at peak load
  • #25Ā This is bacon
  • #26Ā From before: main goal repeatability and immutability Not only is the artifact and itā€™s runtime immutable but the container which builds the artifact for testing is containerized Solves classic problem: changes to environment in CI
  • #27Ā Who has the knowledge about sizing?
  • #29Ā We presently respond to Spot price termination notices( you get 2 minutes warning) by placing tasks running on a node to be terminated back into the queue to immediately get picked up by another node. Currently working on recognition of spot price instance pool cascades, so we can switch to on demand. No ability to have both spot and on demand in same ASG Something to worry about. If the prices spike, and cause large outages, what is the availability of on demand instances?
  • #32Ā We auto scale daily to around 150 instances and back down to under 20 daily. Preload Maven, NPM, & git repositories. This saved us about 4 minutes on container start time
  • #40Ā The integration point between CI and Deployment is artifactory. Any sign off or approval happens there Autoscaling groups control pool of EC2 instances Launch config sets environment variables for ECS config like cluster and ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION ECS cluster per service due to IAM issues, looking forward to using new feature 1 or more services registered to a service ELB supports canary Conductor is bastion service. Allows non-operators to perform deployments
  • #41Ā Software is grouped into applications which may have multiple components YAML defines all components. In this case we have an application with a single backend running in ECS
  • #45Ā 2016-07-26T18:56:08Z [INFO] Redundant container state change for task op1-sage:15 arn:aws:ecs:us-east-1:011750033084:task/8f9920cf-a289-44bb-ac43-e436d6fb84d7, Status: (RUNNING->RUNNING) Containers: [op1-sage-app (RUNNING->RUNNING),]: op1-sage-app(docker.aue1d.saasure.com/okta-sage:1_1_0_029796_ec67fd3) (RUNNING->RUNNING) to RUNNING, but already RUNNING