Automating Zero-Downtime Production Cluster Upgrades for Amazon ECS

Automating Zero-Downtime Production
Cluster Upgrades for Amazon ECS

Matt Callanan
Engineering Manager/Tech Lead
“Cloud Acceleration Team”
Expedia
Brisbane, Australia
• mcallanan@expedia.com
• linkedin.com/in/matthewcallanan
• @mcallana

Cluster Management
• How to upgrade the EC2 infrastructure underlying a live
production Amazon ECS cluster without affecting service
availability.
• How to safely relocate hundreds of tasks onto new
Amazon EC2 instances with zero-downtime to
applications.

Region 1
Region 2 Region 3 Region 4 Region
5
Expedia ECS Cluster Statistics
2,600 ECS Services (1,100 Applications)
13,000 Containers
860 EC2 Instances (13 ECS Clusters)

Region 1
Region 2 Region 3 Region 4 Region
5
Expedia ECS Cluster Topology
Production Cluster Test Environment Cluster
480 Services
230 Instances

Production Cluster Visualization
230 Instances 480 Services 3,200 Containers
c3vis Open Source: https://github.com/ExpediaDotCom/c3vis

ECS Cluster Creation
Cloud
Formation
Stack
EC2 Instances
Auto Scaling Group
Amazon
ECS Cluster

Immutable Servers
Amazon-provided Base AMI
Standard Chef cookbook
Custom setup baked into AMI
ecs-optimized AMI
Expedia standard image
Docker Config
Daemon containers
Golden AMI
docker ecs-agent

Immutable Servers
ecs-optimized AMI
Docker Config
Daemon containers
Golden AMI
docker ecs-agent
ecs-optimized AMI
Docker Config
Daemon containers
Cluster Instance
Custom bootstrap:
• ECS Cluster Config
• Start ECS Agent, Docker
• Cron: Restart ECS agent
• Cron: Custom Metrics
docker ecs-agent

Zero-Downtime Cluster Upgrades

First Approach
• CloudFormation Auto-Scaling Rolling Update

Default Cloud Formation Auto-Scaling Rolling Update
Old Instance
New Instance
Terminating Instance
Active Task
Relocated Task
Stopped Task

A
A
Old Instance
New Instance
Active Task
Relocated Task
Stopped Task

A
A
Old Instance
New Instance
Active Task
Relocated Task
Stopped Task
Problem:
Tasks stop before they are relocated.
Even with tasks on distinct instances, outage can
happen if new instances are not pulling images
fast enough

A
Old Instance
New Instance
Active Task
Relocated Task
Stopped Task

A
A
Problem:
Tasks start on instances
about to be terminated
Old Instance
New Instance
Active Task
Relocated Task
Stopped Task

Old Instance
New Instance
Active Task
Relocated Task
Stopped Task
Problem:
Service “A” experiences downtime

A
A
Old Instance
New Instance
Active Task
Relocated Task
Stopped Task
Problem:
Tasks bunch up on first
few new instances

First Approach: Problem Summary
• CloudFormation  AutoScaling
Asynchrony
• Rolling Update not granular enough
• Outside our control
• Rollbacks with no ability for manual
intervention
• Tasks stop before they are relocated
• Service outage can happen if new
instances are not pulling images fast
enough
• Tasks are not evenly spread across new
instances
CloudFormation
Auto Scaling

Second Approach
• Custom Rolling Update automation
• Programmatic Update Script using
Ruby SDK
• But still took 10 (nail-biting) hours to
update a cluster with 100 instances
• Any issues during the process required
manual intervention Auto Scaling

Third Approach
• “PRISM”
• Project Replaced in Sixty Minutes

“PRISM” Goals
• Zero-downtime for applications as their workloads get relocated onto new instances
Safety
• Complete as fast as possible
Speed
• Quickly retreat back to known-good state if anything goes wrong
Rollbackable
• Resumeable if anything goes wrong
Idempotent
• Drain in batches to prevent burden on Docker registry and network
• Avoid having tasks relocated to instances about to be drained
Avoid “thundering herd” scenario

“PRISM” Phases
Phase 1: Expand
Phase 2: Relocate Tasks
Phase 3: Clean Up

Zero-Downtime Cluster Updates
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Amazon
ECS
Cluster

Amazon
ECS
Cluster
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Phase 1: Expand Cluster

Phase 2: Relocate Tasks
Amazon
ECS
Cluster
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Draining…

Phase 3: Clean Up
Amazon
ECS
Cluster
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group
Cloud
Formation
Stack
EC2 Instances
Auto Scaling group

Phase 3: Clean Up
Amazon
ECS
ClusterCloud
Formation
Stack
EC2 Instances
Auto Scaling group

Old Instance
New Instance
Draining Instance
A
Active Task
Relocated Task
“DRAINING” Task
A
Blue Auto-Scaling Group
Blue CFN Stack
Cluster Update – Phase 1: Expand

AA
Blue CFN Stack
Disable Auto-Scaling Processes
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

AA
Blue CFN Stack
Green Auto-Scaling Group
Green CFN Stack
Disable Auto-Scaling Processes Disable Auto-Scaling Processes
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

AA
Blue CFN Stack
Green CFN Stack
state = ‘pre-drain’
Disable Auto-Scaling Processes Disable Auto-Scaling Processes
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

AA
Blue CFN Stack
Green CFN Stack
Cluster Update – Phase 2: Relocate Tasks (batches of 3 instances)
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

Blue CFN Stack
Green CFN Stack
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task
AA

Blue CFN Stack
Green CFN Stack
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task
A
AAA

Blue CFN Stack
A
A
Green CFN Stack
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task
AA

Blue CFN Stack
A
A
Green CFN Stack
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

Blue CFN Stack
A
Green CFN Stack
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task
A

A
A
Green CFN Stack
Cluster Update – Phase 3: Clean Up
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

A
A
Green CFN Stack
Resume Auto-Scaling Processes
Cluster Update – Phase 3: Clean Up
Old Instance
New Instance
Draining Instance
Active Task
Relocated Task
“DRAINING” Task

Pre-flight Checks
• Before Cluster Create/Update
• Check # instances available of target instance type
• Check IP addresses available in target subnets
• Check EBS volume space available of target volume type

Drain on Scale-down with Lifecycle Lambda
• Lambda triggered by AutoScaling
EC2_INSTANCE_TERMINATE SNS events
• Updates instance state to “DRAINING”
• ASG has 30-minute heartbeat to keep instance in
Terminating:Wait state for 30mins
• Allows ECS to safely relocate any tasks that are part of a
service to another instance

AutoScaling Lifecycle Hook
resource "ECSContainerInstanceTerminating",
Type: "AWS::AutoScaling::LifecycleHook",
Properties: {
AutoScalingGroupName: ref("ECSAutoScalingGroup"),
LifecycleTransition: "autoscaling:EC2_INSTANCE_TERMINATING",
DefaultResult: "CONTINUE",
RoleARN: ref("LifecycleHookRoleARN"),
NotificationTargetARN: ref("ECSAutoscalingLifecycleTopic"),
HeartbeatTimeout: 1800 # 30 minutes
},

Avoid Relocating to Old Instance
• Problem:
• Tasks can get rescheduled to another old instance in the ASG that is about to be replaced - so
tasks can get bumped from instance to instance until all instances are replaced
• Solution:
• Deploy services with placement constraint
• This means that a service won’t be placed on an instance that has an attribute named “state” with
value “pre-drain”
• At cluster replacement time, we will stand up all new clusters, place old clusters into the “pre-
drain” state, and terminate the old instances in batches.
• Relocated tasks will only be placed on new instances, avoiding the default “thundering herd”
scenario
placement_constraints = [ {
type: 'memberOf',
expression: 'attribute:state !exists or attribute:state != pre-drain'
}]

Task Definition Placement Constraint

Task Definition Placement Constraint
• “state” is a custom ECS Instance Attribute
• By default, the “state” attribute doesn’t exist on instances
• Set only to “pre-drain” during cluster update
• Prevents ECS scheduling tasks on instances that are about to be drained
• Removed from instance only in case of rollback of cluster update

Instance Launch Considerations
• Worked with AWS Auto-Scaling team to enable more
appropriate Auto-Scaling “Launch Rate”
• Start the ECS agent with exponential backoff
• Throttle on container instance registration rate = 1 per
second/60 max per minute

Gotchas
• Found a number of apps don't relocate easily
• Slows down prod upgrades and old stack decommissions

Related
AWS re:invent 2017: Going Big with Containers: Customer
Case Studies of Large-Scale (ENT209)
• https://www.youtube.com/watch?v=L3l_ZiYRrks
• Covers full scope of Expedia’s ECS deployment
automation platform

Automating Zero-Downtime Production Cluster Upgrades for Amazon ECS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Automating Zero-Downtime Production Cluster Upgrades for Amazon ECS

Similar to Automating Zero-Downtime Production Cluster Upgrades for Amazon ECS (20)

Recently uploaded

Recently uploaded (20)

Automating Zero-Downtime Production Cluster Upgrades for Amazon ECS