I originally had a throwaway joke on Twitter that became an article: 17 Ways to Run Containers on AWS. That was all well and good, and because I don’t know when to leave well enough alone, a few months later I wrote 17 More Ways to Run Containers on AWS. And now, since I don’t know when to leave well enough alone and stop beating the greasy smear on the sidewalk where the horse used to be, I want to introduce the third article in this series.
Because the line “17 ways to run containers on AWS” has had some staying power, I want to first give a bit of context here behind what the point of me writing these roundups is. It started off as a customer frustration on my part; I wanted a container to run and instead found myself facing the paradox of choice. I figured I’d start listing off all of the different options and was kinda surprised just how many ways there are to run a container using an AWS service. It makes sense on some level; containers have become many things, but to my worldview they’re first and foremost a packaging format. This list could almost be reskinned as “ways to execute a binary on AWS,” but that’s less fun and nowhere near as engaging.
You could also point to the very real fact that a lot of security issues distill down to “running a cryptocurrency miner in someone else’s account”; in some ways, a lot of these container approaches do provide an abuse vector for bad actors to profit at the customer’s expense, so I suppose I could take the high road and say this list is here as a warning to maintain vigilance about security.
But honestly? I just think it’s funny. Let’s dive in. The headlines are all clickable links if you want to explore further.
In 2021 ECR Public got a “launch with App Runner” button, and the world has… basically not changed all that much as a direct result of that feature, if I’m being honest.
2. RDS Custom
Once upon a time it was easy to figure out the difference between RDS and EC2; then RDS Custom came along and blurred the line. You can now use explicit AMIs for your RDS Custom instances, and yes Virginia: they can run containers.
I do not know why genomics requires its own specific CLI, but it spins up a few specific things to support that niche style of workload in a variety of different locations, including of course on Fargate-managed containers. Please don’t create a monster with it.
4. CloudFormation
Yes, I already listed CloudFormation in a previous roundup. However, this entry is about the BreakingFormation zero-day vulnerability that Orca Security reported to AWS, which AWS has since fixed; before the fix you could apparently make requests on behalf of a CloudFormation infrastructure server. I suppose you could therefore safely say that this particular way to run containers has been deprecated.
5. AWS Panorama
AWS Panorama is a device that brings image recognition to your existing cameras; you can of course provision it via containers.
6. Systems Manager
There are a few ways to do this via Systems Manager, and I’ve covered them before. This new way is to use Systems Manager’s on-premises instance management capability, thus solving the long-standing problem I’ve had of not paying AWS to run containers on my own laptop.
You may well posit that it’s ridiculous for me to call this option out as distinct from EC2, which I’ve covered previously. I agree with you–and yet, the AWS Containers marketing website does too! Who am I to argue with AWS Marketing? After all, they never responded to my [CMO Application](https://www.youtube.com/watch?v=2ve_Xmtx7_o).
Look, I have absolutely zero idea why you would use one cloud’s tooling to run workloads on another cloud, but apparently this is either something customers do, or something cloud marketers fervently wish that customers would do. So they made this technically possible, and it’s extremely cursed.
9. IAM
Yes, that’s right, I said IAM. All you have to do to prove this is to commit root credentials to GitHub and wait. You will very shortly find containers coming out of your ears, which is why free tier surprises have grown geometrically in recent years. Cryptominers are spectacular at wringing out every last cycle from an AWS account, and quickly. But hope is not lost! If you want to configure a service that confuses you, scope IAM credentials to that service and publish the creds in public. Wait a few minutes, and you’ll discover that whatever that service is has been transformed into a cryptocurrency miner. Close the access off, replace the containers with your workloads, and knock off early for lunch. Weaponizing bad actors to do your job is fast becoming mainstream thanks to ChatGPT…
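The failure mode above starts with keys landing in a public repository. As an added example that is not part of the original post, here is a small pre-commit style scanner in Python (my own code, not an AWS tool) that flags long-lived (AKIA) and temporary (ASIA) access key IDs, plus secret keys sitting next to a giveaway label, before a commit leaves the laptop. The sample config and the key values in it are constructed; the secret is the placeholder value from the AWS documentation.

```python
"""Flag AWS access keys in text so a commit hook can block them."""
import re
import sys
from pathlib import Path

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret key is 40 base64-ish characters; only flag it beside a giveaway
# label so hashes and digests elsewhere in the file do not trigger it.
SECRET_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|aws_secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample of what a careless commit might contain (not real keys).
SAMPLE = """[default]
aws_access_key_id = AKIAEXAMPLE123456789
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
image_digest = sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

def find_aws_credentials(text):
    """Return (line_number, kind, redacted_prefix) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(2)[:4] + "..."))
    return findings

def scan_paths(paths):
    """Map each readable UTF-8 file to its findings; binary files are skipped."""
    report = {}
    for p in paths:
        try:
            hits = find_aws_credentials(Path(p).read_text(encoding="utf-8"))
        except (UnicodeDecodeError, OSError):
            continue
        if hits:
            report[str(p)] = hits
    return report

if __name__ == "__main__":
    # As a pre-commit hook: pass the staged file names; exit 1 blocks the commit.
    args = sys.argv[1:]
    report = scan_paths(args) if args else {"<sample>": find_aws_credentials(SAMPLE)}
    for path, hits in report.items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: possible AWS {kind} ({value})")
    sys.exit(1 if report else 0)
```

Wire it into `.git/hooks/pre-commit` with the staged file list and the commit fails before the key is ever pushed.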
10. DeepRacer
Yes, someone has done this and it’s amazing. Allison Thackston installed Docker on a DeepRacer car to solve a problem, and I’m absolutely here for this.
11. CodeCatalyst
AWS released CodeCatalyst and it is a freaking wonder of a service. It does so much right (A customer identity beyond that tied to a specific AWS account! A free tier that will never charge you because your card isn’t ever charged until you affirmatively upgrade! A unified view of AWS products in service of getting your application up!), and I’m excited to see where it goes. That said, it lets you spin up applications in a few different key ways and of *course* containers are prolific within it, so here it is on the list.
This connects sources to targets–but it can also enrich the data along the way via Lambda functions or Step Functions. Both of those in turn can do their work via containers, so yup–there you go.
13. Application Composer
Another attempt at the “spin an application up” space, Application Composer lets you drag and drop components (such as containers) into place before converting the result into that most sinful of languages, YAML.
This one is very far below the belt, but I couldn’t help myself. I posted a gist explaining how some service (I believe it was App Runner?) wasn’t doing what it was supposed to be doing. Some helpful AWS employee ran through the gist, saw that the container spun up with a web server listening, hit it… and was rewarded with the linked image. I assure you, it’s worth the click. I would also like to point out that this person did absolutely nothing wrong, and was attempting to help a customer who in this instance was being a complete jackhole. Please don’t do this; it’s honestly the one thing on this list that I regret doing.
15. Finch
I’ve been using Finch for a bit now as a drop-in replacement for Docker Desktop for Mac. As a result of this, if Finch *doesn’t* run containers I’m going to be filing a GitHub issue or two about it.
If you are the US Government and wish to use the Joint Warfighting Cloud Capability contract to just absolutely destroy some faraway place, their new offering is available exclusively to you. Details are obviously sparse, but I have to assume that you can drop this thing, laden with containers all the while, and have it parachute down to the battlefield. I suppose we’ll continue to lie to ourselves as a society and say we’re exporting democracy when we’re really exporting Docker containers.
17. Workshop Studio
Usually you need a facilitator at an event to get access to this, but as of this writing they claim that a browsable catalog of workshops is coming soon. It lets you spin up infrastructure in a sandboxed environment that you are not responsible for paying for, and achieve a goal. Very often, that goal includes containers along the way.
And there you have it, 17 ways to run containers. Please, please, please tell me that I won’t have to write a fourth installment? That said, if I’ve missed any please take a second to let me know what they are.