AWS Service of the week – Containers
Hello again, and welcome to another instalment of AWS Service of the Week.
This one will be a little different from the rest of the series in that I will be splitting the blog into two parts.
The reason is the recent exciting news from AWS about their new feature to scan container images. There would be too much content for one instalment to describe both containers and the services AWS provides, so it makes sense to split it into sections and give you less to ingest in one go.
This blog will focus on an overview of containers and the ECR (Elastic Container Registry) service, and next week we will look at ECS (Elastic Container Service).
What are containers?
The best way to answer that is to relive this common frustrating scenario we have all had to face at some time.
Person 1: “This application doesn’t work on my PC; I can’t get it to install”
Person 2: “Well it installs and works fine on mine”
Person 1: “That’s odd, we have the same PC type, and Operating System”
Person 2: “Shrugs shoulders”
What has happened here is that whilst the computers may look the same, and even run the same Operating System, their systems are not identical (out-of-sync OS updates, different Python versions etc.), so there isn’t a common platform underneath for the application to work from.
In the past the resolution would have been one of the following: Google the error, run the application in compatibility modes, uninstall/reinstall the application, install other dependent applications, reboot the machine, or even factory reset the machine. All these workarounds take up valuable time and may not even solve the problem. So, this is where containers come to the rescue.
A container delivers a consistent Operating System layer for applications to run from and is made up of some system resources (CPU, memory, file system access etc.), and an Image.
The image is the blueprint on how the application should be run.
A tool you may have heard of for running containers is called Docker, and the Image blueprint resides in a Dockerfile. The Docker engine can read the Dockerfile, get the underlying OS the application should reside on, and install additional packages/application components to make the application run successfully.
The following is a simple Dockerfile to get an Ubuntu image from the Docker registry, perform some updates and installations, and add my application code hello.py
Once I have tested that my Dockerfile runs my application (hello.py) correctly in the container, I can then build an image and push this to a registry (we will come to Elastic Container Registry – ECR in a moment).
So now all I need Person 1 and Person 2 to do is download the Docker engine, get the image from the registry, and run the container.
And just like that the application is able to run on any machine regardless of Operating System or configuration! What magic!
Above I mentioned the term registry, and I purposely left out what it was until now, as I describe the ECR service. The registry is a storage area where built container images (from Dockerfiles) reside. For ECR they are private in scope, so are securely locked down and are very affordable to run.
You just pay for data transfer fees, and storage costs. AWS will sort out the scalability and management for you, enabling you to focus on creating great containers.
The brilliant news of the CVE scanning feature is long overdue in my opinion, and something that competing registry providers have been doing for a while now (albeit on paid license agreements). The image scanner can scan your Docker image for vulnerabilities in the CVE database automatically on pushes, and report on what it finds via the console or CLI. As a developer of the image, you can then look at the CVEs to determine if any action should be taken to harden the image and improve its security. A common example is to update a package to a new version to remove a vulnerability found.
I think the best news about this feature is that it is completely free, and with its automated scanning features, there really should be no excuse to not check your images!
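To show what acting on the scan report can look like, here is an added example (not code from the original post or from AWS) that reads the JSON printed by `aws ecr describe-image-scan-findings` and lists the packages to update. The function name `review_scan`, the HIGH threshold and the sample findings are assumptions made for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws ecr describe-image-scan-findings`; CVE ids and versions are placeholders.
SAMPLE_RESULT = json.loads("""
{"imageScanStatus": {"status": "COMPLETE"},
 "imageScanFindings": {"findings": [
   {"name": "CVE-0000-0001", "severity": "HIGH", "attributes": [
     {"key": "package_name", "value": "openssl"},
     {"key": "package_version", "value": "1.0.0-placeholder"}]},
   {"name": "CVE-0000-0002", "severity": "LOW", "attributes": [
     {"key": "package_name", "value": "bash"},
     {"key": "package_version", "value": "1.0.0-placeholder"}]},
   {"name": "CVE-0000-0003", "severity": "CRITICAL", "attributes": [
     {"key": "package_name", "value": "openssl"},
     {"key": "package_version", "value": "1.0.0-placeholder"}]}]}}
""")

SEVERITIES = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def review_scan(result, fail_at="HIGH"):
    """Return (passed, {package: [CVE ids]}) for findings at or above fail_at."""
    if result.get("imageScanStatus", {}).get("status") != "COMPLETE":
        # Scan still running or failed: there is no verdict yet, so fail closed.
        return False, {}
    threshold = SEVERITIES.index(fail_at)
    to_update = {}
    for finding in result.get("imageScanFindings", {}).get("findings", []):
        severity = finding.get("severity", "UNDEFINED")
        # Assumption: a severity outside the list (e.g. UNDEFINED) counts as blocking.
        rank = SEVERITIES.index(severity) if severity in SEVERITIES else threshold
        if rank < threshold:
            continue
        attrs = {a["key"]: a.get("value") for a in finding.get("attributes", [])}
        package = attrs.get("package_name", "unknown")
        to_update.setdefault(package, []).append(finding.get("name", "unnamed"))
    return not to_update, to_update

if __name__ == "__main__":
    passed, packages = review_scan(SAMPLE_RESULT)
    for package, cves in sorted(packages.items()):
        print(f"update {package}: {', '.join(cves)}")
    # A non-zero exit lets a build pipeline stop before the image is deployed.
    raise SystemExit(0 if passed else 1)
```

In practice the sample would be replaced by the saved CLI output for the image tag that was just pushed.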
Thanks for stopping by, I hope you enjoyed the overview of containers, and the ECR service, which serves as a solid foundation as we look at ECS next week!