15 Questions AWS Users Ask About DDC For AWS
Docker is deployed across all major cloud service providers, including AWS. So when we announced Docker Datacenter for AWS (which makes it even easier to deploy DDC on AWS) and showed live demos of the solution at AWS re:Invent 2016 it was no surprise that we received a ton of interest about the solution. Docker Datacenter for AWS, as you can guess from its name, is now the easiest way to install and stand up the Docker Datacenter (DDC) stack on an AWS EC2 cluster. If you are an AWS user and you are looking for an enterprise container management platform, then this blog will help answer questions you have about using DDC on AWS.
In last week’s webinar, Harish Jayakumar, Solutions Engineer at Docker, provided a solution overview and demo to showcase how the tool works, and some of the cool features within it.
We also hosted a live Q&A session at the end where we opened up the floor to the audience and did our best to get through as many questions as we could. Below are fifteen of the questions that we received from the audience. We selected these because we believe they do a great job of representing the overall set of inquiries we received during the presentation. Big shout out to Harish for tag teaming the answers with me.
Q 1: How many VPCs are required to create a full cluster of UCP, DTR and the workers?
A: The DDC CloudFormation template creates one new VPC along with its subnets and security groups.
However, if you want to use DDC with an existing VPC, you can always deploy DDC directly without using the CloudFormation template.
Q 2: Is the $150/month cost per instance? Is this for an EC2 instance?
A: Yes, the $150/month cost is per EC2 instance. This is our monthly subscription model and it is purchasable directly on Docker Store. We also offer annual subscriptions, currently priced at $1,500 per node per year or $3,000 per node per year.
Q 3: Would you be able to go over how to view logs for each container? And what's the type of log output that UCP shows in the UI?
A: Within the UCP UI, click on the "Resources" tab and then go to "Containers." Once you have selected "Containers," you can click on each individual container and see its logs within the UI.
Q 4: How does the resource allocation work? Can we over allocate CPU or RAM?
A: Yes. By default, each container's access to the host machine's CPU cycles is unlimited, but you can set various constraints to limit a given container's share of those cycles. For RAM, Docker can enforce hard memory limits, which allow the container to use no more than a given amount of user or system memory. Docker can also apply soft limits, which allow the container to use as much memory as it needs unless certain conditions are met, such as when the kernel detects low memory or contention on the host machine.
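As an added example of the hard and soft limits described above (not from the original post and not Docker's own tooling): the script below starts a container with a hard memory limit, a memory reservation (the soft limit) and a CPU cap, refuses a reservation that exceeds the hard limit before calling the engine, and then reads the values back from the container's cgroup so the limit is verified rather than assumed. The alpine image, the sizes, the cgroup v1 paths under /sys/fs/cgroup and the availability of `--cpus` (Docker 1.13 and later) are assumptions chosen for illustration; for swarm services the equivalent flags on `docker service create` are `--limit-memory`, `--reserve-memory` and `--limit-cpu`.

```shell
#!/usr/bin/env sh
# Added example; not part of the original post or of Docker's own tooling.
# Starts a container with a hard memory limit, a memory reservation (soft
# limit) and a CPU cap, then reads the applied limits back from its cgroup.
# Assumptions: an alpine image is pullable, the host uses cgroup v1 (the
# /sys/fs/cgroup/memory and /sys/fs/cgroup/cpu paths), and --cpus exists
# (Docker 1.13+; older engines take --cpu-quota/--cpu-period instead).

# to_bytes converts a Docker-style size (512M, 2G, 1024k, 256) to a byte count.
to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    unit=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr 'A-Z' 'a-z')
    case "$unit" in
        ''|b)  mult=1 ;;
        k|kb)  mult=1024 ;;
        m|mb)  mult=1048576 ;;
        g|gb)  mult=1073741824 ;;
        *)     echo "to_bytes: unknown unit in '$1'" >&2; return 1 ;;
    esac
    [ -n "$num" ] || { echo "to_bytes: no number in '$1'" >&2; return 1; }
    echo $((num * mult))
}

# check_limits succeeds only when the reservation is at or below the hard
# limit: a reservation above the limit can never be honoured, because the
# kernel enforces the hard limit first.
check_limits() {
    limit_b=$(to_bytes "$1") || return 1
    reserve_b=$(to_bytes "$2") || return 1
    [ "$reserve_b" -le "$limit_b" ]
}

# run_capped starts the container and prints the cgroup values the engine
# actually applied (hard limit, soft limit, CFS quota/period for the CPU cap).
run_capped() {
    name=$1; limit=$2; reserve=$3; cpus=$4
    check_limits "$limit" "$reserve" || {
        echo "reservation $reserve exceeds hard limit $limit" >&2; return 1; }
    cid=$(docker run -d --name "$name" \
        --memory "$limit" --memory-reservation "$reserve" --cpus "$cpus" \
        alpine sleep 3600)
    echo "hard limit (bytes): $(docker exec "$cid" cat /sys/fs/cgroup/memory/memory.limit_in_bytes)"
    echo "soft limit (bytes): $(docker exec "$cid" cat /sys/fs/cgroup/memory/memory.soft_limit_in_bytes)"
    echo "cpu quota/period:   $(docker exec "$cid" cat /sys/fs/cgroup/cpu/cpu.cfs_quota_us /sys/fs/cgroup/cpu/cpu.cfs_period_us | tr '\n' '/')"
}

# Usage: sh capped.sh <container-name> <hard-limit> <reservation> <cpus>
# e.g.   sh capped.sh web 512M 256M 0.5
if [ "$#" -eq 4 ]; then run_capped "$@"; fi
```

With `512M 256M 0.5` the hard limit reads back as 536870912, the soft limit as 268435456 and the CPU cap as a 50000/100000 quota. Leaving `--memory` off gives the unlimited default the answer describes (the cgroup reports a very large number), which is exactly the over-allocation case the question asks about.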
Q 5: Can access to the console via UCP be restricted via RBAC constraints?
A: Yes. Here is a blog explaining access controls in detail: http://dockr.ly/2jNjK86
Q 6: Can we configure alerting from Docker Datacenter based on user-definable criteria (e.g. resource utilization of services)?
A: Yes, but with a little tweaking. Everything in Docker is event driven, so you can configure alerts to trigger on each event and take the necessary action. Within the UI, you can see all of the resource usage listed, and you can set how you want to see the notifications associated with it.
Q 7: Is there a single endpoint in front of the three managers?
A: Within UCP, we suggest teams deploy three managers to ensure high availability of the cluster. As for a single endpoint, you can configure one if you like. For example, you can put an ELB in AWS in front of those three managers, and clients then reach that one load balancer instead of accessing an individual manager by its IP address.
Q 8: Do you have to use DTR or can you use alternative registries such as AWS ECR, Artifactory, etc.?
A: With the CloudFormation template, it is only DTR. Docker Datacenter is the end-to-end enterprise container management solution, and DTR and UCP are integrated. This means they share several components, and SSO is enabled between them, so the same LDAP/AD groups can be used for both. The solution also ensures a secure software supply chain, including image signing and scanning; that chain is only possible when using the full solution. Images are signed and scanned by DTR, and because of the integration you can simply configure UCP not to run containers based on images that haven't been signed. We call this policy enforcement.
Q 9: So there is a single endpoint in front of the managers (like a load balancer) that I can configure my Docker CLI to use?
A: Yes, that is correct.
Q 10: How many resources on the VMs or Physical machines are needed to run Docker Datacenter on prem? Let’s say for three UCP manager nodes and three worker nodes.
A: The CloudFormation template does it all for you. However, if you plan to install DDC outside of the CloudFormation template, here are the infrastructure requirements you should consider: http://dockr.ly/2l7wdED
Q 11: How does this demo of DDC for AWS compare to https://aws.amazon.com/quickstart/architecture/docker-ddc/ ?
A: It is the same. But stay tuned, as we will be providing an updated version in the coming weeks.
Q 12: If you don’t use a routing mesh, would you need to route to each specific container? How do you know their individual IPs? Is it possible to have a single-tenant type of architecture where each user has his own container running?
A: The routing mesh is available as part of the engine. It's turned on by default and routes to containers cluster-wide. Before the routing mesh (prior to Docker 1.12) you had to route to a specific container and its port. It does not have to be the IP specifically: you can route host names to specific services from within the UCP UI. We also introduced the concept of an alias, where you can address a container by its name and the engine's built-in DNS handles the resolution for you. However, I would encourage looking at the routing mesh, which is available in Docker 1.12 and above.
Q 13: Are you using Consul as a K/V store for the overlay network?
A: No, we are not using Consul as the K/V store, nor does Docker require an external K/V store. The state is stored in a distributed database on the manager nodes called the Raft store. Manager nodes form a Raft consensus group, which enables them to share information and elect a leader. The leader is the central authority that maintains the state, which includes the lists of nodes, services and tasks across the swarm, and it also makes the scheduling decisions.
Q 14: How do you work with node draining in the context of Auto Scaling Groups (ASG)?
A: A node drain moves all workloads off a node. It prevents the node from receiving new tasks from the manager, and the manager stops the tasks running on the node and launches replica tasks on a node with ACTIVE availability. The node itself remains in the ASG.
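As an added example of tying a drain to a scale-in (not from the original post and not part of the DDC for AWS template): the script below is meant to run from a manager when an Auto Scaling Group termination lifecycle hook fires for a worker. It drains the node, waits until no tasks are still running on it, and only then completes the lifecycle action so the instance is allowed to terminate. The hook name, ASG name, instance ID and swarm node name are parameters the caller supplies; counting "Running" lines from `docker node ps --format` (Docker 1.13 or later) is this script's own convention, not a DDC feature, and the docker and aws CLIs are assumed to be on the manager with credentials for both.

```shell
#!/usr/bin/env sh
# Added example; not part of the original post or of the DDC for AWS template.
# Drains a swarm worker before its ASG termination lifecycle hook is completed.
# Assumptions: runs on a manager with the docker and aws CLIs, Docker 1.13+
# (for `docker node ps --format`), and a lifecycle hook on the ASG's
# autoscaling:EC2_INSTANCE_TERMINATING transition.

# running_tasks reads task states on stdin (one per line, as printed by
# `docker node ps <node> --format '{{.CurrentState}}'`) and prints how many
# are still running or about to run. Tasks that moved off the node show up
# as "Shutdown ..." and are not counted.
running_tasks() {
    grep -c -i -E '^(running|starting|preparing)' || true
}

# wait_for_drain polls the node until no task remains or the deadline (in
# seconds) passes, so a stuck task cannot block scale-in forever.
wait_for_drain() {
    node=$1; deadline=${2:-300}; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        n=$(docker node ps "$node" --format '{{.CurrentState}}' | running_tasks)
        [ "$n" -eq 0 ] && return 0
        sleep 5; waited=$((waited + 5))
    done
    echo "timed out after ${deadline}s waiting for $node to drain" >&2
    return 1
}

# drain_on_scale_in: drain, wait, then tell the ASG it may proceed. On a
# terminating hook ABANDON still lets the instance go; it only skips any
# remaining hooks, so the result is recorded but termination is not blocked.
drain_on_scale_in() {
    instance_id=$1; node=$2; hook=$3; asg=$4
    docker node update --availability drain "$node"
    if wait_for_drain "$node" 300; then result=CONTINUE; else result=ABANDON; fi
    aws autoscaling complete-lifecycle-action \
        --lifecycle-hook-name "$hook" \
        --auto-scaling-group-name "$asg" \
        --instance-id "$instance_id" \
        --lifecycle-action-result "$result"
    echo "$node drained with result $result; instance $instance_id released"
}

# Usage: sh drain-on-scale-in.sh <instance-id> <swarm-node> <hook-name> <asg-name>
if [ "$#" -eq 4 ]; then drain_on_scale_in "$@"; fi
```

The drain itself is what keeps the tasks' replacements scheduled elsewhere before the instance disappears; without the wait, the manager would also reschedule them, but only after the node dropped out, with a gap in service. Once the instance is gone the swarm still lists the node as Down, and that stale entry has to be removed separately with `docker node rm`.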
Q 15: Is DDC for AWS dependent on AWS EBS?
A: We use EBS volumes for the instances, but not for persistent storage; they serve more as a local disk cache. Data there will go away if the instance goes away.