Continuous Delivery with Containers:
The Good, the Bad, and the Ugly
Daniel Bryant
@danielbryantuk
Containers: Expectations versus reality
15/04/2018 @danielbryantuk
“DevOps”
Setting the scene…
• Continuous delivery is a large topic
• No business focus today (value stream etc)
• PaaS and Serverless are super interesting…
• But I’m assuming you’re all-in on containers
• Focusing today on the process and tooling
• No live coding today
• Mini-book contains more details (thanks nginx!)
bit.ly/2jWDSF7
TL;DR – Containers and CD
• Container image becomes the build pipeline ‘single binary’
• Adding metadata to container images is vital, but challenging
• Must validate container constraints on system quality attributes (NFRs)
@danielbryantuk
• Independent Technical Consultant, Product Architect at Datawire
• Architecture, DevOps, Java, microservices, cloud, containers
• Continuous Delivery (CI/CD) advocate
• Leading change through technology and teams
Continuous Delivery 101
Continuous Delivery
• Produce valuable and robust software in short cycles
• Optimising for feedback and learning
• Not (necessarily) Continuous Deployment
Velocity (with stability) is key to business success
“Continuous delivery is achieved when stability and speed can satisfy business demand.
Discontinuous delivery occurs when stability and speed are insufficient.”
- Steve Smith (@SteveSmithCD)
Creation of a build pipeline is mandatory for continuous delivery
Feedback:
- Was our initial hypothesis proven?
- How can we improve business, architecture and ops?
The impact of containers on CD
Container technology (and CD)
• OS-level virtualisation
• cgroups, namespaces, rootfs
• Package and execute software
• Container image == ‘single binary’
Microservices multiply the challenges
https://www.youtube.com/watch?v=b9Fu1So0bXA
Creating a pipeline for containers
Make your dev environment like production
• Develop locally or copy/code in container
• Must build/test containers locally
• Perform (at least) happy path tests
• Use identical base images from production
• With same configuration
Working remotely, locally…
https://opencredo.com/working-locally-with-microservices/
https://www.telepresence.io/
Lesson learned: Dockerfile content is super important
• OS choice
• Configuration
• Build artifacts
• Exposing ports
• Java
• JDK vs JRE and Oracle vs OpenJDK?
• Golang
• Statically compiled binary in scratch?
• Python
• Virtualenv?
Please talk to the sysadmin people:
Their operational knowledge is invaluable
Different test and prod containers?
• Create “test” version of container
• Full OS (e.g. Ubuntu)
• Test tools and data
• Easy to see app/configuration drift
• Use test sidecar containers instead
• ONTEST proposal by Alexei Ledenev
http://blog.terranillius.com/post/docker_testing/
Docker multi-stage builds
http://blog.alexellis.io/mutli-stage-docker-builds/
https://github.com/moby/moby/pull/31257
https://github.com/moby/moby/pull/32063
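The multi-stage build is where most of the earlier "Dockerfile content is super important" points land: the builder stage carries the compiler, the final stage ships only the artifact, and the base image, user and exposed ports are decided once. The following is an added example, not code from the talk: a small pipeline gate that parses a Dockerfile into stages and fails the build when it is single-stage, when a base image is unpinned (implicit or explicit 'latest'), when the final stage has no non-root USER, when it does not COPY --from the builder, or when a full JDK rather than a JRE is installed in the runtime image. Both Dockerfiles inside it are constructed for the example (the good one is the Go-in-scratch shape the slides mention).

```python
"""Dockerfile policy check for the build pipeline.

Added example, not code from the talk: parses a Dockerfile into stages and
asserts the properties the slides call out (multi-stage build, minimal final
stage, pinned base images, non-root user, artifacts copied from the builder,
JRE rather than JDK in the runtime image).  Both Dockerfiles are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed: Go service compiled statically in a builder stage, run from scratch.
GOOD_DOCKERFILE = """\
FROM golang:1.10-alpine AS builder
WORKDIR /go/src/app
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a \\
    -ldflags '-s -w' -o /out/app .

FROM scratch
COPY --from=builder /out/app /app
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/app"]
"""

# Constructed: the single-stage "works on my machine" shape the talk warns about.
BAD_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y openjdk-8-jdk
COPY target/app.jar /app.jar
EXPOSE 8080
CMD ["java", "-jar", "/app.jar"]
"""


class Stage:
    def __init__(self, base: str, name: Optional[str]):
        self.base = base                          # image reference after FROM
        self.name = name                          # AS <name>, if given
        self.lines: List[Tuple[str, str]] = []    # (INSTRUCTION, argument)


def parse_stages(text: str) -> List[Stage]:
    """Split a Dockerfile into FROM-delimited stages, joining '\\' continuations."""
    stages: List[Stage] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        instr, _, arg = line.partition(" ")
        instr, arg = instr.upper(), arg.strip()
        if instr == "FROM":
            arg = " ".join(t for t in arg.split() if not t.startswith("--"))  # drop --platform etc.
            m = re.match(r"(?P<base>\S+)(?:\s+AS\s+(?P<name>\S+))?$", arg, re.I)
            stages.append(Stage(m.group("base"), m.group("name")))
        elif stages:
            stages[-1].lines.append((instr, arg))
    return stages


def is_pinned(ref: str) -> bool:
    """True for an explicit tag other than 'latest', or for a digest reference."""
    if "@sha256:" in ref:
        return True
    name = ref.rsplit("/", 1)[-1]   # drop registry/namespace, which may contain ':port'
    return ":" in name and name.split(":", 1)[1] != "latest"


def check_dockerfile(text: str) -> List[str]:
    stages = parse_stages(text)
    findings: List[str] = []
    if not stages:
        return ["no FROM instruction found"]
    if len(stages) < 2:
        findings.append("single-stage build: compilers and build tools ship in the runtime image")
    for s in stages:
        if s.base != "scratch" and not is_pinned(s.base):
            findings.append(f"base image '{s.base}' is not pinned to a tag or digest")
    final = stages[-1]
    users = [a for i, a in final.lines if i == "USER"]
    if not users:
        findings.append("final stage has no USER instruction: the process runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage USER is root")
    if len(stages) > 1 and not any(i == "COPY" and "--from=" in a for i, a in final.lines):
        findings.append("final stage does not COPY --from a builder stage")
    for i, a in final.lines:
        if i == "RUN" and re.search(r"openjdk-\d+-jdk\b", a):
            findings.append("full JDK installed in the runtime image: a JRE is enough to run the app")
    return findings


if __name__ == "__main__":
    for label, df in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(label, check_dockerfile(df) or ["ok"])
```

Run it as a step before `docker build`; a non-empty findings list is the signal to fail the job. The check deliberately treats `scratch` as acceptable without a tag, since it is the reserved empty image rather than something pulled from a registry.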
Building images with Jenkins
• My report covers this
• Build as usual…
• Build Docker Image
• Cloudbees Docker Build and Publish Plugin
• Push image to registry
Lesson learned: Metadata is valuable
• Application metadata
• Version / GIT SHA
• Build metadata
• Build date
• Image name
• Vendor
• Quality metadata
• QA control, signed binaries, ephemeral support
• Security profiles (AppArmor), Security audited etc
Metadata – Beware of “latest” Docker Tag
• Beware of the ‘latest’ Docker tag
• ‘latest’ is simply the default tag applied when no tag is specified
• It is not guaranteed to be the most recent build, and it can be re-pointed at a different image at any time
• Never deploy or depend on the ‘latest’ tag
• Version your tags, every time
• danielbryantuk/test:2.4.1
Metadata - Adding Labels at build time
• Docker Labels
• Add key/value data to image
Metadata - Adding Labels at build time
• Microscaling Systems’ Makefile
• Labelling automated builds on
DockerHub (h/t Ross Fairbanks)
• Create file ‘/hooks/build’
• label-schema.org
• microbadger.com
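Labels are only useful if the pipeline actually reads them before promoting an image, so here is the consumer side, as an added example that is not from the talk. It takes the JSON `docker inspect <image>` prints (Config.Labels and RepoTags are the real field names; the two records embedded below are constructed), checks that the label-schema.org labels listed on the previous slides are present and well-formed, insists that the tag used for deployment matches the version label rather than ‘latest’, and requires a "security audited" marker. The `uk.co.danielbryant.security.audited` key is an assumed, organisation-specific label standing in for the quality metadata the talk mentions.

```python
"""Promotion gate on image metadata.

Added example, not from the talk.  Reads docker-inspect JSON, validates the
label-schema.org labels, and chooses the versioned tag to deploy.  Both
records are constructed; the audit label key is an assumption.
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

REQUIRED_LABELS = (
    "org.label-schema.schema-version",
    "org.label-schema.name",
    "org.label-schema.version",
    "org.label-schema.vcs-ref",
    "org.label-schema.build-date",
    "org.label-schema.vendor",
)
AUDIT_LABEL = "uk.co.danielbryant.security.audited"   # assumed organisation-specific key
GIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def _inspect(repo_tags: List[str], labels: Dict[str, str]) -> str:
    """Build a docker-inspect-shaped record (constructed test data)."""
    return json.dumps([{"Id": "sha256:" + "0" * 64, "RepoTags": repo_tags,
                        "Config": {"Labels": labels}}])


GOOD_INSPECT = _inspect(
    ["danielbryantuk/test:2.4.1", "danielbryantuk/test:latest"],
    {
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.name": "test",
        "org.label-schema.version": "2.4.1",
        "org.label-schema.vcs-ref": "9f2c1a7d3b8e4f605a1b2c3d4e5f60718293a4b5",
        "org.label-schema.build-date": "2018-04-15T09:30:00Z",
        "org.label-schema.vendor": "danielbryantuk",
        AUDIT_LABEL: "true",
    },
)

# Only tagged 'latest', short SHA, local date format, never audited.
BAD_INSPECT = _inspect(
    ["danielbryantuk/test:latest"],
    {
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.name": "test",
        "org.label-schema.version": "2.4.1",
        "org.label-schema.vcs-ref": "9f2c1a7",
        "org.label-schema.build-date": "15/04/2018",
        "org.label-schema.vendor": "danielbryantuk",
    },
)


def parse_build_date(value: str) -> Optional[datetime]:
    """label-schema requires RFC 3339; accept a trailing 'Z' or a numeric offset."""
    try:
        return datetime.strptime(value.replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None


def validate_image(inspect_json: str) -> Dict[str, object]:
    info = json.loads(inspect_json)[0]
    labels: Dict[str, str] = info.get("Config", {}).get("Labels") or {}
    tags: List[str] = info.get("RepoTags") or []
    findings: List[str] = []

    for key in REQUIRED_LABELS:
        if not labels.get(key):
            findings.append(f"missing label {key}")

    ref = labels.get("org.label-schema.vcs-ref", "")
    if ref and not GIT_SHA.match(ref):
        findings.append("vcs-ref is not a full 40-hex git SHA")

    built = labels.get("org.label-schema.build-date", "")
    if built and parse_build_date(built) is None:
        findings.append("build-date is not an RFC 3339 timestamp")

    if labels.get(AUDIT_LABEL) != "true":
        findings.append("image is not marked as security audited")

    # Deploy by the versioned tag only; 'latest' is never a deployable reference.
    version = labels.get("org.label-schema.version", "")
    versioned = [t for t in tags if version and t.endswith(":" + version)]
    if not versioned:
        findings.append("no tag matches the version label; refusing to deploy 'latest'")

    return {"deploy_ref": versioned[0] if versioned else None, "findings": findings}


if __name__ == "__main__":
    for name, record in (("good", GOOD_INSPECT), ("bad", BAD_INSPECT)):
        print(name, validate_image(record))
```

Feed it `docker inspect $IMAGE` output from the build job and deploy only the returned `deploy_ref`; the vcs-ref and build-date checks catch the common failure where a Makefile or DockerHub hook silently passes an empty or abbreviated value into the LABEL.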
Metadata - Adding Labels at runtime
$ docker run -d --label uk.co.danielbryant.lbname=frontdoor nginx
• Can ‘docker commit’ a labelled container, but that creates a new image
• Not possible to update the labels of a running container
• Docker Proposal: Update labels #21721
External registry with metadata support
Grafeas + Kritis
Running tests with containers
Testing NFRs in the build pipeline
• Architecture
• Performance and Load testing
• Gatling / jmeter / Flood.io
• Security testing
• Findsecbugs / OWASP Dependency check
• Bdd-security (OWASP ZAP) / Arachni
• Gauntlt / Serverspec
• Docker Bench for Security / CoreOS Clair
Security Visibility: Basic (Java) Code Scanning
Dependency Scanning
www.owasp.org/index.php/OWASP_Dependency_Check
Static Image Scanning
github.com/arminc/clair-scanner
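Running Clair in the pipeline only helps if the result turns into a pass/fail decision the build can act on. The following is an added example, not from the talk or from the clair-scanner project: it consumes a report shaped like the JSON clair-scanner writes with `-r` (field names featurename, featureversion, vulnerability, namespace, severity, fixedby, assumed from its output; the entries here are constructed and the CVE identifiers are placeholders) and applies the policy a practitioner usually wants: a finding at or above the severity threshold blocks the build when a fixed package version exists (rebuild on a patched base), is waived while a dated exception is in force, and is only reported when no fix is available yet, so an unfixable upstream issue cannot freeze every deployment.

```python
"""Build gate over a static image scan.

Added example, not from the talk.  Consumes a clair-scanner-shaped JSON
report (constructed; CVE ids are placeholders) and decides whether the build
may proceed.
"""
import json
from datetime import date
from typing import Dict, List, Optional

# Clair's severity scale, lowest to highest.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

SAMPLE_REPORT = json.dumps({
    "image": "danielbryantuk/test:2.4.1",
    "unapproved": ["CVE-0000-0001", "CVE-0000-0002"],
    "vulnerabilities": [
        {"featurename": "openssl", "featureversion": "1.1.0f-3", "vulnerability": "CVE-0000-0001",
         "namespace": "debian:9", "severity": "High", "fixedby": "1.1.0f-3+deb9u1",
         "description": "placeholder", "link": ""},
        {"featurename": "glibc", "featureversion": "2.24-11", "vulnerability": "CVE-0000-0002",
         "namespace": "debian:9", "severity": "Critical", "fixedby": "",
         "description": "placeholder", "link": ""},
        {"featurename": "bash", "featureversion": "4.4-5", "vulnerability": "CVE-0000-0003",
         "namespace": "debian:9", "severity": "Low", "fixedby": "4.4-6",
         "description": "placeholder", "link": ""},
    ],
})

# Accepted risks, keyed by CVE, with the day the exception lapses (constructed).
ALLOWLIST: Dict[str, str] = {"CVE-0000-0009": "2018-06-01"}


def severity_rank(name: str) -> int:
    return SEVERITIES.index(name) if name in SEVERITIES else 0


def evaluate(report_json: str, threshold: str = "High", today: Optional[str] = None,
             allowlist: Dict[str, str] = ALLOWLIST) -> Dict[str, object]:
    """Return pass/fail plus findings sorted into blocking, waived and unfixed."""
    as_of = date.fromisoformat(today) if today else date.today()
    report = json.loads(report_json)
    blocking: List[str] = []
    unfixed: List[str] = []
    waived: List[str] = []
    for v in report.get("vulnerabilities", []):
        if severity_rank(v["severity"]) < severity_rank(threshold):
            continue
        cve = v["vulnerability"]
        expiry = allowlist.get(cve)
        if expiry and as_of <= date.fromisoformat(expiry):
            waived.append(cve)                       # time-boxed accepted risk
        elif v.get("fixedby"):
            blocking.append(f"{cve}: {v['featurename']} {v['featureversion']} "
                            f"({v['severity']}), fixed in {v['fixedby']}")
        else:
            unfixed.append(f"{cve}: {v['featurename']} ({v['severity']}), no fix available")
    return {"image": report.get("image"), "passed": not blocking,
            "blocking": blocking, "waived": waived, "unfixed": unfixed}


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, today="2018-04-15")
    print("PASS" if result["passed"] else "FAIL", json.dumps(result, indent=2))
```

Because exceptions carry an expiry date, a waiver that nobody revisits starts failing the build again on its own, which is the behaviour you want from "security audited" metadata that is meant to stay true.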
Delaying NFRs to the ‘Last Responsible Moment’
Newsflash! Sometimes the last responsible moment is up-front.
Modern platforms/architectures don’t necessarily make this easier.
Important things not covered
Mechanical sympathy: Docker and Java
• Watch for JVM cgroup/taskset awareness (with JDK <= 8; container awareness arrived in JDK 10 and was backported to 8u191 as -XX:+UseContainerSupport)
• getAvailableProcessors() may incorrectly report the number of cpus in Docker (JDK-8140793)
• Runtime.availableProcessors() ignores Linux taskset command (JDK-6515172)
• Default fork/join thread pool sizes (and others) are based on the host CPU count, not the container’s quota
• Set container memory appropriately
• The container limit must cover heap size (Xmx) + Metaspace + JVM overhead, or the kernel OOM-kills the container before the heap fills
• Account for native thread requirements e.g. thread stack size (Xss) multiplied by the thread count
• Entropy
• Host entropy can soon be exhausted by crypto operations, and /dev/random then blocks (slow start-up, stalled TLS handshakes)
• -Djava.security.egd=file:/dev/./urandom (notes on this); the odd /dev/./urandom spelling is deliberate, because the JDK treats file:/dev/urandom as an alias for its default NativePRNG, which still seeds from the blocking /dev/random
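The two numbers the slide asks you to get right are the CPU count the JVM should believe in and the heap that fits the container memory limit once everything that is not heap has been paid for. The following is an added example, not code from the talk: it derives the CPU count from the CFS quota the way a container-aware JVM does (cgroup v1 cpu.cfs_quota_us / cpu.cfs_period_us, or the single cgroup v2 cpu.max file), computes the largest -Xmx that leaves room for Metaspace, native thread stacks and fixed overhead, and emits explicit flags for a JDK 8 JVM that cannot see the cgroup itself. The cgroup file contents are constructed; the Metaspace and overhead figures are assumptions to tune per service, not JVM constants, and cpu.shares is deliberately not modelled.

```python
"""Container-aware JVM sizing.

Added example, not from the talk.  Reproduces the two cgroup-derived inputs
a JVM needs (CPU count and a heap ceiling under the memory limit) so the
flags can be pinned in the pipeline for JDKs that do not read the cgroup.
Cgroup file contents are constructed; overhead figures are assumptions.
"""
import math
from typing import List, Optional


def cpu_count_from_cgroup(quota_text: str, period_text: Optional[str] = None,
                          host_cpus: int = 1) -> int:
    """CPU count as a container-aware JVM derives it: ceil(quota / period).

    quota_text is cpu.cfs_quota_us (v1) with period_text = cpu.cfs_period_us,
    or the single cpu.max file (v2) such as "150000 100000" or "max 100000".
    Without a quota the host count is used (cpu.shares is not modelled here).
    """
    fields = quota_text.split()
    quota_s = fields[0]
    period_s = period_text.strip() if period_text is not None else fields[1]
    if quota_s in ("-1", "max"):
        return host_cpus
    quota, period = int(quota_s), int(period_s)
    return max(1, math.ceil(quota / period))   # 1.5 CPUs of quota -> 2 threads, not 1


def jvm_heap_budget_mb(limit_mb: int, max_threads: int, xss_kb: int = 1024,
                       metaspace_mb: int = 128, overhead_mb: int = 64) -> int:
    """Largest -Xmx that fits the container memory limit.

    Non-heap memory is set aside first: Metaspace, one native stack per thread
    (-Xss, 1 MiB default on 64-bit Linux) and a fixed allowance for code cache,
    GC data structures and direct buffers.  Raises if those alone exceed the
    limit, since the container would be OOM-killed before the heap filled.
    """
    stacks_mb = max_threads * xss_kb / 1024
    non_heap_mb = metaspace_mb + stacks_mb + overhead_mb
    if non_heap_mb >= limit_mb:
        raise ValueError(f"non-heap memory needs {non_heap_mb:.0f} MiB, limit is {limit_mb} MiB")
    return int(limit_mb - non_heap_mb)


def jvm_flags(limit_mb: int, cpus: int, max_threads: int, xss_kb: int = 1024,
              metaspace_mb: int = 128) -> List[str]:
    """Explicit flags for a JDK 8 JVM that cannot see the cgroup itself."""
    heap_mb = jvm_heap_budget_mb(limit_mb, max_threads, xss_kb, metaspace_mb)
    return [
        f"-Xmx{heap_mb}m",
        f"-Xss{xss_kb}k",
        f"-XX:MaxMetaspaceSize={metaspace_mb}m",
        # pin the common pool instead of letting it size itself from host CPUs
        f"-Djava.util.concurrent.ForkJoinPool.common.parallelism={cpus}",
        # JDK 10+ and 8u191+ also accept -XX:ActiveProcessorCount=<n> for the same purpose
        "-Djava.security.egd=file:/dev/./urandom",
    ]


if __name__ == "__main__":
    cpus = cpu_count_from_cgroup("150000", "100000", host_cpus=48)   # 2, not 48
    print(" ".join(jvm_flags(limit_mb=1024, cpus=cpus, max_threads=200)))
```

The ValueError is the useful part for a pipeline: a service configured for 500 request threads in a 256 MiB container is rejected at build time rather than discovered as a restart loop in production.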
Deployment
https://blog.hasura.io/draft-vs-gitkube-vs-helm-vs-ksonnet-vs-metaparticle-vs-skaffold-f5aa9561f948
Observability is core to continuous delivery
www.infoq.com/articles/monitoring-containers-at-scale
Containers are not a silver bullet
Moving to containers: Going all-in?
OR
Should I build my own container platform?
Probably not
(Unless you are Google, AWS or IBM)
Whatever you decide…
push it through a pipeline ASAP!
Using containers does not get rid of the need for
good architectural practices
https://speakerdeck.com/caseywest/containercon-north-america-cloud-anti-patterns
Summary
In summary
• Continuous delivery is vitally important in modern architectures/ops
• Container images must be the (single) source of truth within pipeline
• And metadata added as appropriate…
• Mechanical sympathy is important (assert properties in the pipeline)
• Not all developers are operationally aware
• The tooling is now becoming stable/mature
• We need to re-apply existing CD practices with new technologies/tooling
Thanks for listening…
Twitter: @danielbryantuk
Email: daniel.bryant@tai-dev.co.uk
Writing: https://www.infoq.com/profile/Daniel-Bryant
Talks: https://www.youtube.com/playlist?list=PLoVYf_0qOYNeBmrpjuBOOAqJnQb3QAEtM
bit.ly/2jWDSF7
Coming soon!
Bedtime reading
Bonus slides (for extra context)
Containerise an existing (monolithic) app?
• For
• We know the monolith well
• Allows homogenization of the pipeline and deployment platform
• Can be a demonstrable win for tech and the business
• Against
• Can be difficult (100+ line scripts)
• Often not designed for operation within containers, nor cloud native
• Putting lipstick on a pig?
Key lessons learned
• Conduct an architectural review
• Architecture for Developers, by Simon Brown
• Architecture Interview, by Susan Fowler
• Look for data ingress/egress
• File system access
• Support resource constraints/transience
• Optimise for quick startup and shutdown
• Evaluate approach to concurrency
• Store configuration (secrets) remotely
New design patterns
bit.ly/2efe0TP
Microservices…
Containers and microservices are
complementary
Testing and deployment change
https://specto.io/blog/recipe-for-designing-building-testing-microservices.html
Quick Aside: Running *entire* system locally
https://news.ycombinator.com/item?id=13960107
https://opencredo.com/working-locally-with-microservices/
https://www.datawire.io/telepresence/ | https://hoverfly.io/

Codemotion Rome 2018 "Continuous Delivery with Containers: The Good, the Bad and the Ugly"
