containerize everything - wildcardconf 2015

Containerize Everything!

Upload: oscar-renalias

Posted on 08-Aug-2015


TRANSCRIPT

Containerize Everything!

@oscarrenalias

github.com/oscarrenalias


www.linkedin.com/oscarrenalias

www.slideshare.net/oscarrenalias

This is going to be opinionated

Old-fashioned clients can run containers too!

Architecture

nginx

Tomcat (x4)

PostgreSQL Solr

Architecture services

Rundeck

Yum repo & mirror

Reverse proxy

Docker Registry

Why containerize everything?

Simplified packaging, deployment and execution

Flexibly provision components on inflexible infrastructure

Better resource utilization

Anyone can have a production-like environment on their local workstation…

…or any other server

Our container principles

One single logical service per container

Containers are cattle, not pets

No SSH in containers

Try not to persist state in the container

Containers are independent (and unaware!) of where they’re running

Host port forwarding for network communication

How?

Container hierarchies

[Diagram: container hierarchy with the images centos:6, base, java, tomcat, service, nginx, postgres and the roles frontend, database, Infra 1 … Infra N]

Building containers

Building containers automatically

Publish artifacts

Integration Test

Build & unit test

Testing containers

Container under test

Test container:
• Ruby
• ServerSpec
• ServerSpec tests

FROM …

Testing containers

Container under test

Test container

Storing containers

Registry 2.0

Deploying and running containers

Registry

Container host

Build & Publish

Pull

docker run

supervisor is your friend, if you need it

Application and container configuration

Application container

confd

Host

Application and container configuration

Application (container)

Application configuration

Security

Run containers with their own user

USER <user>

Keeping containers up-to-date

[Diagram: the same container hierarchy (centos:6, base, java, tomcat, service, nginx, postgres; frontend, database, Infra 1 … Infra N)]

OpenSSL Bug!

[Diagram: the same container hierarchy again, this time without the centos:6 root, for the OpenSSL bug scenario]

Be mindful of SELinux

Operating containers

Container state

Real world: don’t keep it in the container if you can avoid it

Ideal world: containers don’t have state

vs

Logging

• Write to host (and use external aggregator)
• Log to standard output (< 1.6)
• Standard output + syslog logging driver (>= 1.6)

Monitoring

Container processes are just like any other process and service – use existing tools

The darker side of Docker

Immutable containers are fun… until there’s an urgent security update

Docker will keep evolving

Sooner or later you will be bitten by a weird interaction between Docker, the kernel, PAM or SELinux/AppArmor, and a container

No version pinning in the registry: “centos:6, is that you? You looked different yesterday!”

Docker security needs attention from implementers

https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.100
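The Security slide's `USER <user>`, the OpenSSL-bug rebuild of the image hierarchy and the "centos:6, is that you?" pinning complaint above, worked through as an added example that is not from the speaker's deck: two hypothetical Dockerfiles in one listing (a base layer and a service leaf, separated by comments). The registry host, tags, paths, uid/gid and the digest are placeholders, not values from the talk.

```dockerfile
# --- base/Dockerfile (hypothetical layout, not from the deck) ---
# Root of the hierarchy. Pinning the upstream image by digest answers the
# "centos:6, is that you?" problem: a tag can be moved, a digest cannot.
# The digest is a placeholder; substitute the one you actually tested against.
FROM centos@sha256:PLACEHOLDER_DIGEST_OF_THE_CENTOS_6_IMAGE_YOU_TESTED

# Security patching happens here and nowhere else. When the next OpenSSL
# bug lands, rebuild this image, then rebuild java -> tomcat -> service
# (and nginx, postgres) from it, so the fix reaches every leaf image.
RUN yum -y update openssl \
 && yum clean all

# Unprivileged account for the application layers. Created once in base so
# every child image agrees on the uid/gid, which matters when state lives in
# a directory bind-mounted from the host. 1500 is a constructed value.
RUN groupadd -r -g 1500 app \
 && useradd -r -u 1500 -g app -d /opt/app -s /sbin/nologin app \
 && mkdir -p /opt/app && chown app:app /opt/app

# Do NOT set USER here: USER is inherited, and the child Dockerfiles still
# need root for yum/tar during their own build. The leaf drops privileges.

# --- service/Dockerfile (hypothetical) ---
# Pin the parent to an immutable build tag of your own, never :latest, so a
# rebuilt parent is picked up deliberately, not by surprise.
FROM registry.example.internal/tomcat:7.0-build.123

COPY app.war /opt/tomcat/webapps/app.war
RUN chown -R app:app /opt/tomcat

# One logical service, no sshd, no supervisor unless a second process is
# genuinely required.
EXPOSE 8080

# Last step: the container's process tree runs as the unprivileged user,
# not as root.
USER app
CMD ["/opt/tomcat/bin/catalina.sh", "run"]
```

After patching base, rebuild every image in the hierarchy in dependency order and push each with a fresh build tag; the leaf's `FROM` then changes in one reviewed commit rather than drifting underneath you.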

Our lessons learned

Docker as a container engine *is* ready for production workloads

Docker works well as a convenient way of packaging, deploying and running applications

Containerizing everything does give you more flexibility…

…but be pragmatic

Dockerfiles are all you could possibly need to build containers

Start small – containerizing everything is a fair goal but takes time