Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the Ugly"

Continuous Delivery with Containers:
The Good, the Bad, and the Ugly
Daniel Bryant
@danielbryantuk

Containers: Expectations versus reality
08/11/2017 @danielbryantuk
“DevOps”

Setting the scene…
• Continuous delivery is a large topic
• No business focus today (value stream etc)
• PaaS and Serverless are super interesting…
• But I’m assuming you’re all-in on containers
• Focusing today on the process and tooling
• No live coding today
• Mini-book contains more details (thanks nginx!)
bit.ly/2jWDSF7

TL;DR – Containers and CD
• Container image becomes the build pipeline ‘single binary’
• Adding metadata to containers images is vital, but challenging
• Must validate container constraints on system quality attributes (NFRs)
• Cultivate container ‘mechanical sympathy’

@danielbryantuk
• Independent Technical Consultant, CTO at SpectoLabs
• Architecture, DevOps, Java, microservices, cloud, containers
• Continuous Delivery (CI/CD) advocate
• Leading change through technology and teams

@danielbryantuk

Continuous Delivery

Continuous Delivery
• Produce valuable and robust software in short cycles
• Optimising for feedback and learning
• Not (necessarily) Continuous Deployment

Creation of a build pipeline is mandatory for continuous delivery

Feedback:
- Was our initial
hypothesis proven?
- How can we improve
business, architecture
and ops?

The impact of containers on CD

Container technology (and CD)
• OS-level virtualisation
• cgroups, namespaces, rootfs
• Package and execute software
• Container image == ‘single binary’

Microservices multiply the challenges

Creating a pipeline for containers

Make your dev environment like production
• Develop locally or copy/code in container
• Must build/test containers locally
• Perform (at least) happy path tests
• Use identical base images from production
• With same configuration

Lesson learned: Dockerfile content is super important
• OS choice
• Configuration
• Build artifacts
• Exposing ports
• Java
• JDK vs JRE and Oracle vs OpenJDK?
• Golang
• Statically compiled binary in scratch?
• Python
• Virtualenv?

Please talk to the sysadmin people:
Their operational knowledge is invaluable

Different test and prod containers?
• Create “test” version of container
• Full OS (e.g. Ubuntu)
• Test tools and data
• Easy to see app/configuration drift
• Use test sidecar containers instead
• ONTEST proposal by Alexi Ledenev
http://blog.terranillius.com/post/docker_testing/

Docker multi-stage builds
http://blog.alexellis.io/mutli-stage-docker-builds/
https://github.com/moby/moby/pull/31257
https://github.com/moby/moby/pull/32063

Java specific stuff…
github.com/oracle/docker-images/tree/master/OracleJava jdk.java.net/9/ea

Hot off the press: Modularity
• Create minimal runtime images
• “jlink delivers a self-contained
distribution of your application and
the JVM, ready to be shipped.”
• Benefits:
• Reduced footprint
• Performance
• Security

Building images with Jenkins
• My report covers this
• Build as usual…
• Build Docker Image
• Cloudbees Docker Build and Publish Plugin
• Push image to registry

Storing in an image registry (DockerHub)

Metadata – Beware of “latest” Docker Tag
• Beware of the ‘latest’ Docker tag
• “Latest” simply means
• the last build/tag that ran without
a specific tag/version specified
• Ignore “latest” tag
• Version your tags, every time
• danielbryantuk/test:2.4.1

Lesson learned: Metadata is valuable
• Application metadata
• Version / GIT SHA
• Build metadata
• Build date
• Image name
• Vendor
• Quality metadata
• QA control, signed binaries, ephemeral support
• Security profiles (AppArmor), Security audited etc

Metadata - Adding Labels at build time
• Docker Labels
• Add key/value data to image

Metadata - Adding Labels at build time
• Microscaling Systems’ Makefile
• Labelling automated builds on
DockerHub (h/t Ross Fairbanks)
• Create file ‘/hooks/build’
• label-schema.org
• microbadger.com

Metadata - Adding Labels at runtime
$ docker run -d --label
uk.co.danielbryant.lbname=frontdoor nginx
• Can ’docker commit’, but creates new image
• Not possible to update running container
• Docker Proposal: Update labels #21721

Liz Rice (and Aqua) to the rescue!
github.com/aquasecurity/manifesto

External registry with metadata support

Component testing

Testing: Jenkins Pipeline (as code)

Testing individual containers

Integration testing

Introducing Docker Compose

Docker Compose & Jenkins Pipeline

Ephemeral Kubernetes Clusters
• Kubernaut (WIP)
• Manages a pool of clusters
• ”Claim” a fresh cluster
• Use Helm to install dependencies

Testing NFRs in the build pipeline
• Performance and Load testing
• Gatling / jmeter
• Flood.io
• Security testing
• Findsecbugs / OWASP Dependency check
• Bdd-security (OWASP ZAP) / Arachni
• Gauntlt / Serverspec
• Docker Bench for Security / CoreOS Clair

www.owasp.org/index.php/OWASP_Dependency_Check

github.com/arminc/clair-scanner

Delaying NFRs to the ‘Last Responsible Moment’
Newsflash!
Sometimes the
last responsible moment
is up-front
Modern platforms/architectures
don’t necessarily make this easier

Mechanical sympathy: Docker and Java
• Watch for JVM cgroup/taskset awareness
• getAvailableProcessors() may incorrectly report the number of cpus in Docker (JDK-8140793)
• Runtime.availableProcessors() ignores Linux taskset command (JDK-6515172)
• Default fork/join thread pool sizes (and others) is based from host CPU count
• Set container memory appropriately
• JVM requirements = Heap size (Xmx) + Metaspace + JVM overhead
• Account for native thread requirements e.g. thread stack size (Xss)
• Entropy
• Host entropy can soon be exhausted by crypto operations and /dev/random blocks
• -Djava.security.egd=file:/dev/./urandom (notes on this)
08/11/2017 @danielbryantuk 48

Deployment
skillsmatter.com/skillscasts/10668-looking-forward-to-daniel-bryant-talk
docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.deploy-existing-version.html

Observability is core to continuous delivery
www.infoq.com/articles/monitoring-containers-at-scale

Containers are not a silver bullet

Moving to containers: Going all-in?
OR

Should I build my own container platform?
Probably not
(Unless you are Google, AWS or IBM)
Whatever you decide…
push it through a pipeline ASAP!

Using containers does not get rid of the need for
good architectural practices

https://speakerdeck.com/caseywest/containercon-north-america-cloud-anti-patterns

Summary

In summary
• Continuous delivery is vitally important in modern architectures/ops
• Container images must be the (single) source of truth within pipeline
• And metadata added as appropriate…
• Mechanical sympathy is important (assert properties in the pipeline)
• Not all developers are operationally aware
• The tooling is now becoming stable/mature
• We need to re-apply existing CD practices with new technologies/tooling

Bedtime reading

Thanks for listening!
• Book signing in 10 mins!
• Follow me to the O’Reilly table
• Feel free to contact me
• @danielbryantuk
• daniel.bryant@tai-dev.co.uk
bit.ly/2jWDSF7
Coming soon!

Bonus slides (for extra context)

Containerise an existing (monolithic) app?
• For
• We know the monolith well
• Allows homogenization of the
pipeline and deployment platform
• Can be a demonstrable win for
tech and the business
• Against
• Can be difficult (100+ line scripts)
• Often not designed for operation
within containers, nor cloud native
• Putting lipstick on a pig?

Key lessons learned
• Conduct an architectural review
• Architecture for Developers, by Simon Brown
• Architecture Interview, by Susan Fowler
• Look for data ingress/egress
• File system access
• Support resource constraints/transience
• Optimise for quick startup and shutdown
• Evaluate approach to concurrency
• Store configuration (secrets) remotely

New design patterns
bit.ly/2efe0TP

Microservices…
Containers and microservices are
complementary
Testing and deployment change
https://specto.io/blog/recipe-for-designing-building-testing-microservices.html

Quick Aside: Running *entire* system locally
https://news.ycombinator.com/item?id=13960107
https://opencredo.com/working-locally-with-microservices/
https://www.datawire.io/telepresence/ | https://hoverfly.io/

Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the Ugly"

More Related Content

What's hot (20)

Similar to Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the Ugly" (20)

More from Daniel Bryant (20)

Recently uploaded (20)

Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the Ugly"