Continuous Delivery with Containers:
The Good, the Bad, and the Ugly
Daniel Bryant
@danielbryantuk
Containers: Expectations versus reality
13/07/2018 @danielbryantuk
“DevOps”
Setting the scene…
• Continuous delivery is a large topic
• No business focus today (value stream etc)
• PaaS and Serverless are super interesting…
• But I’m assuming you’re all-in on containers
• Focusing today on the process and tooling
• No live coding today
• Mini-book contains more details (thanks nginx!)
bit.ly/2jWDSF7
TL;DR – Containers and CD
• Container image becomes the build pipeline ‘single binary’
• Adding metadata to container images is vital, but challenging
• Must validate container constraints on system quality attributes (NFRs)
@danielbryantuk
• Tech Consultant, Product Architect at Datawire, InfoQ News Manager
• Academic, software developer, DBA, ops, CTO, conference vagabond
• Continuous Delivery (CI/CD) advocate
• Leading change through technology and teams
Continuous Delivery 101
Continuous Delivery
• Produce valuable and robust software in short cycles
• Optimising for feedback and learning
• Not (necessarily) Continuous Deployment
Velocity (with stability) is key to business success
“Continuous delivery is achieved when stability and
speed can satisfy business demand.
Discontinuous delivery occurs when stability and speed
are insufficient.”
- Steve Smith (@SteveSmithCD)
Creation of a build pipeline is mandatory for continuous delivery
Feedback:
- Was our initial hypothesis proven?
- How can we improve business, architecture and ops?
The impact of containers on CD
Container technology (and CD)
• OS-level virtualisation
• cgroups, namespaces, rootfs
• Package and execute software
• Container image == ‘single binary’
Microservices multiply the challenges
https://www.youtube.com/watch?v=b9Fu1So0bXA
Creating a pipeline for containers
Make your dev environment like production
• Develop locally or copy/code in container
• Must build/test containers locally
• Perform (at least) happy path tests
• Use identical base images from production
• With same configuration
Working remotely, locally…
https://opencredo.com/working-locally-with-microservices/
https://www.telepresence.io/
Lesson learned: Dockerfile content is super important
• OS choice
• Configuration
• Build artifacts
• Exposing ports
• Java
• JDK vs JRE and Oracle vs OpenJDK?
• Golang
• Statically compiled binary in scratch?
• Python
• Virtualenv?
Please talk to the sysadmin people:
Their operational knowledge is invaluable
Different test and prod containers?
• Create “test” version of container
• Full OS (e.g. Ubuntu)
• Test tools and data
• Easy to see app/configuration drift
• Use test sidecar containers instead
• ONTEST proposal by Alexi Ledenev
13/07/2018 @danielbryantuk
http://blog.terranillius.com/post/docker_testing/
Docker multi-stage builds
http://blog.alexellis.io/mutli-stage-docker-builds/
https://github.com/moby/moby/pull/31257
https://github.com/moby/moby/pull/32063
Building images with Jenkins
• My report covers this
• Build as usual…
• Build Docker Image
• Cloudbees Docker Build and Publish Plugin
• Push image to registry
Lesson learned: Metadata is valuable
• Application metadata
• Version / Git SHA
• Build metadata
• Build date
• Image name
• Vendor
• Quality metadata
• QA control, signed binaries, ephemeral support
• Security profiles (AppArmor), Security audited etc
Metadata – Beware of “latest” Docker Tag
• “latest” is only the default tag, applied when no tag is given on build, push or pull
• It does not mean “most recent”, and the image behind it can be overwritten at any time
• Don’t depend on “latest”
• Version your tags, every time
• danielbryantuk/test:2.4.1
• A tag is still mutable; for an immutable reference, pin by digest (image@sha256:…)
Metadata - Adding Labels at build time
• Docker Labels
• Add key/value data to image
Metadata - Adding Labels at build time
• Microscaling Systems’ Makefile
• Labelling automated builds on
DockerHub (h/t Ross Fairbanks)
• Create file ‘/hooks/build’
• label-schema.org
• microbadger.com
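As an added example (not from the deck, and not Daniel’s or Docker’s own tooling), a small Python pipeline gate that applies the two rules above: it parses the image reference and refuses “:latest” or an untagged reference (warning when no digest is pinned), and it checks the label-schema.org labels that `docker inspect -f '{{json .Config.Labels}}'` would return. The REQUIRED_LABELS list, the “error:”/“warn:” policy and the SAMPLE_LABELS dictionary are assumptions made for this example.

```python
"""Pipeline gate for image metadata: reject mutable/unversioned references and
require the build-time labels (label-schema.org keys) the deck recommends."""
import re
from datetime import datetime

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
GIT_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")

# label-schema.org 1.0 keys this gate insists on (assumed policy for the example):
# the deck's "application" and "build" metadata.
REQUIRED_LABELS = (
    "org.label-schema.name",
    "org.label-schema.version",
    "org.label-schema.vcs-ref",
    "org.label-schema.build-date",
)


def parse_image_ref(ref):
    """Split '[registry[:port]/]repo[:tag][@sha256:...]' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest: %s" % digest)
    # A ':' only introduces a tag when it comes after the last '/';
    # otherwise it is a registry port (registry.example.com:5000/team/app).
    tag = None
    colon, slash = ref.rfind(":"), ref.rfind("/")
    if colon > slash:
        ref, tag = ref[:colon], ref[colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError("malformed tag: %s" % tag)
    if not ref:
        raise ValueError("empty image name")
    return ref, tag, digest


def check_reference(ref):
    """Policy findings for an image reference; 'error:' findings block promotion."""
    _name, tag, digest = parse_image_ref(ref)
    findings = []
    if digest is None:
        if tag is None:
            findings.append("error: no tag given, Docker will silently resolve ':latest'")
        elif tag == "latest":
            findings.append("error: ':latest' is a mutable default tag, not a version")
        findings.append("warn: tag-only reference is mutable, pin by digest for reproducible deploys")
    return findings


def check_labels(labels):
    """Validate build-time labels as found in docker inspect's .Config.Labels."""
    findings = []
    for key in REQUIRED_LABELS:
        if not labels.get(key):
            findings.append("error: missing label %s" % key)
    sha = labels.get("org.label-schema.vcs-ref", "")
    if sha and not GIT_SHA_RE.match(sha):
        findings.append("error: vcs-ref %r is not a git SHA" % sha)
    build_date = labels.get("org.label-schema.build-date", "")
    if build_date:
        try:
            datetime.strptime(build_date, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append("error: build-date %r is not RFC 3339 UTC" % build_date)
    return findings


def gate(ref, labels):
    """True when the image may be promoted: no 'error:' finding from either check."""
    findings = check_reference(ref) + check_labels(labels)
    return not any(f.startswith("error:") for f in findings), findings


# Constructed sample, shaped like docker inspect -f '{{json .Config.Labels}}' output.
SAMPLE_LABELS = {
    "org.label-schema.schema-version": "1.0",
    "org.label-schema.name": "test",
    "org.label-schema.version": "2.4.1",
    "org.label-schema.vcs-ref": "9fceb02d0ae598e95dc970b74767f19372d61af8",
    "org.label-schema.build-date": "2018-07-13T09:30:00Z",
    "org.label-schema.vendor": "danielbryantuk",
}

if __name__ == "__main__":
    for candidate in ("danielbryantuk/test:2.4.1", "danielbryantuk/test:latest", "danielbryantuk/test"):
        ok, found = gate(candidate, SAMPLE_LABELS)
        print(candidate, "PASS" if ok else "FAIL", found)
```

The tag separator rule (a colon only starts a tag after the last slash) matters in practice: a naive split on “:” turns a private registry port into a bogus tag and lets an untagged reference through.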
Metadata - Adding Labels at runtime
$ docker run -d --label uk.co.danielbryant.lbname=frontdoor nginx
• Can ‘docker commit’ the container, but this creates a new image
• Not possible to change the labels of a running container
• Docker Proposal: Update labels #21721
External registry with metadata support
Grafeas + Kritis
Running tests with containers
Testing NFRs in the build pipeline
• Architecture
• Performance and Load testing
• Gatling / JMeter / Flood.io
• Security testing
• FindSecBugs / OWASP Dependency-Check
• BDD-Security (OWASP ZAP) / Arachni
• Gauntlt / Serverspec
• Docker Bench for Security / CoreOS Clair
Security Visibility: Basic (Java) Code Scanning
Dependency Scanning
www.owasp.org/index.php/OWASP_Dependency_Check
Static Image Scanning
github.com/arminc/clair-scanner
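A scanner only gives visibility; the pipeline still needs a rule that turns findings into a pass/fail. As an added example (not from the deck and not clair-scanner’s own code), a Python gate over a Clair-style report: it blocks on anything at or above a severity threshold, honours a time-boxed allowlist so accepted risk is re-reviewed rather than forgotten, and reports whether a fix exists. The report shape is a constructed simplification of the fields Clair returns (feature, version, CVE id, severity, fixedby), and the CVE ids in SAMPLE_REPORT are placeholders, not real advisories.

```python
"""Pipeline gate over an image vulnerability report (Clair-style findings).
The report layout and sample data are constructed for this example."""
import json
import sys
from datetime import date

# Clair's severity ladder, lowest to highest (Clair v2 adds Defcon1 above Critical).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def severity_rank(severity):
    """Unrecognised severities rank as Unknown (0): never silently treated as safe."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return 0


def evaluate_scan(report, threshold="High", allowlist=None, today=None):
    """Return (passed, blocking, waived).

    threshold: lowest severity that blocks the build.
    allowlist: {CVE id: ISO expiry date}; a waiver past its expiry no longer applies.
    """
    allowlist = allowlist or {}
    today = today or date.today()
    min_rank = severity_rank(threshold)
    blocking, waived = [], []
    for vuln in report.get("vulnerabilities", []):
        if severity_rank(vuln.get("severity", "Unknown")) < min_rank:
            continue
        expiry = allowlist.get(vuln["vulnerability"])
        if expiry and date.fromisoformat(expiry) >= today:
            waived.append(vuln["vulnerability"])
        else:
            blocking.append(vuln)
    return not blocking, blocking, waived


def summarise(blocking):
    """One line per blocking finding, highest severity first, noting whether a fix exists."""
    lines = []
    for vuln in sorted(blocking, key=lambda v: -severity_rank(v["severity"])):
        fix = "fixed in %s" % vuln["fixedby"] if vuln.get("fixedby") else "no fix available"
        lines.append("%s %s in %s %s (%s)" % (
            vuln["severity"], vuln["vulnerability"],
            vuln["featurename"], vuln["featureversion"], fix))
    return lines


# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "image": "danielbryantuk/test:2.4.1",
    "vulnerabilities": [
        {"featurename": "openssl", "featureversion": "1.0.2g-1",
         "vulnerability": "CVE-0000-0001", "severity": "Critical", "fixedby": "1.0.2g-2"},
        {"featurename": "bash", "featureversion": "4.3-14",
         "vulnerability": "CVE-0000-0002", "severity": "High", "fixedby": ""},
        {"featurename": "libc6", "featureversion": "2.23-0",
         "vulnerability": "CVE-0000-0003", "severity": "Medium", "fixedby": "2.23-1"},
        {"featurename": "curl", "featureversion": "7.47.0-1",
         "vulnerability": "CVE-0000-0004", "severity": "Low", "fixedby": ""},
    ],
}

if __name__ == "__main__":
    # Usage: python scan_gate.py [report.json]; falls back to the constructed sample.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking, waived = evaluate_scan(report, threshold="High",
                                             allowlist={"CVE-0000-0002": "2018-12-31"})
    print("\n".join(summarise(blocking)))
    print("waived:", waived)
    sys.exit(0 if passed else 1)
```

The non-zero exit status is what makes this a gate in Jenkins or any other CI runner; the expiry date on each waiver is the part most teams forget, and without it the allowlist grows into a permanent exemption list.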
Delaying NFRs to the ‘Last Responsible Moment’
Newsflash! Sometimes the last responsible moment is up-front.
Modern platforms/architectures don’t necessarily make this easier.
Important things not covered
Mechanical sympathy: Docker and Java
• Watch for JVM cgroup/taskset awareness (JDK 8 before 8u191, and JDK 9)
• getAvailableProcessors() may incorrectly report the number of CPUs in Docker (JDK-8140793)
• Runtime.availableProcessors() ignores the Linux taskset command (JDK-6515172)
• Default fork/join thread pool sizes (and others) are derived from the host CPU count, not the container’s quota
• JDK 10 added cgroup awareness (-XX:+UseContainerSupport, on by default), later backported to 8u191
• Set container memory appropriately
• JVM requirements = heap size (-Xmx) + Metaspace + JVM overhead
• Account for native thread requirements, e.g. thread stack size (-Xss)
• Entropy
• Host entropy can soon be exhausted by crypto operations, and /dev/random blocks
• -Djava.security.egd=file:/dev/./urandom (notes on this)
• On Linux /dev/urandom is a CSPRNG and is fine for key generation once the kernel pool is seeded; the /dev/./urandom spelling is needed because the JVM special-cases the literal /dev/urandom path
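To make the CPU and memory points concrete, an added example (not from the deck, and not JDK code) that reads the same cgroup files a container-aware JDK consults and derives the CPU count and heap budget a pipeline could assert on. It handles both cgroup v1 and v2 layouts; the readfile callback, the 75% heap percentage and the SAMPLE_V1/SAMPLE_V2 file contents are constructed for this example.

```python
"""Compute the CPU and memory a containerised process actually has, from cgroup files.
Mirrors the container-awareness logic JDK 10 / 8u191+ added; sample data is constructed."""
import math
import os

CGROUP_V2 = "/sys/fs/cgroup/"
CGROUP_V1 = {
    "quota": "/sys/fs/cgroup/cpu/cpu.cfs_quota_us",
    "period": "/sys/fs/cgroup/cpu/cpu.cfs_period_us",
    "cpuset": "/sys/fs/cgroup/cpuset/cpuset.cpus",
    "memory": "/sys/fs/cgroup/memory/memory.limit_in_bytes",
}


def read_cgroup(readfile):
    """readfile(path) -> file text or None. Handles cgroup v2 (unified) and v1 layouts."""
    cpu_max = readfile(CGROUP_V2 + "cpu.max")
    if cpu_max is not None:  # cgroup v2: "max 100000" or "200000 100000"
        quota, period = cpu_max.split()
        return {"quota": quota, "period": period,
                "cpuset": readfile(CGROUP_V2 + "cpuset.cpus.effective"),
                "memory": readfile(CGROUP_V2 + "memory.max")}
    return {key: readfile(path) for key, path in CGROUP_V1.items()}


def parse_cpuset(spec):
    """Count CPUs in a cpuset list such as '0-3,6,8-9' (7 CPUs)."""
    count = 0
    for part in spec.strip().split(","):
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            count += int(high) - int(low) + 1
        else:
            count += 1
    return count


def effective_cpus(info, host_cpus):
    """Smallest of host count, cpuset size and ceil(quota/period), as a container-aware JDK does."""
    limits = [host_cpus]
    if info.get("cpuset") and info["cpuset"].strip():
        limits.append(parse_cpuset(info["cpuset"]))
    quota = (info.get("quota") or "").strip()
    period = (info.get("period") or "").strip()
    if quota and period and quota not in ("max", "-1"):
        limits.append(math.ceil(int(quota) / int(period)))
    return max(1, min(limits))


def memory_limit_bytes(info):
    """Container memory limit, or None when unlimited (v2 'max', or v1's near-2^63 sentinel)."""
    raw = (info.get("memory") or "max").strip()
    if raw == "max":
        return None
    value = int(raw)
    return None if value >= 1 << 62 else value


def jvm_heap_bytes(limit, percent=75):
    """Heap budget leaving headroom for Metaspace, thread stacks and JVM overhead
    (the idea behind -XX:MaxRAMPercentage); None means leave the JVM default."""
    return None if limit is None else limit * percent // 100


def reader_for(files):
    """readfile callback over an in-memory {path: content} map (constructed input)."""
    return lambda path: files.get(path)


def real_reader(path):
    """readfile callback against the live filesystem, for use inside a container."""
    try:
        with open(path) as handle:
            return handle.read()
    except OSError:
        return None


# Constructed cgroup v2 view: 2 CPUs of CFS quota on a 4-CPU cpuset, 512 MiB memory.
SAMPLE_V2 = {
    CGROUP_V2 + "cpu.max": "200000 100000\n",
    CGROUP_V2 + "cpuset.cpus.effective": "0-3\n",
    CGROUP_V2 + "memory.max": "536870912\n",
}
# Constructed cgroup v1 view: 1.5 CPUs of quota, 8-CPU cpuset, no memory limit.
SAMPLE_V1 = {
    CGROUP_V1["quota"]: "150000\n",
    CGROUP_V1["period"]: "100000\n",
    CGROUP_V1["cpuset"]: "0-7\n",
    CGROUP_V1["memory"]: "9223372036854771712\n",
}

if __name__ == "__main__":
    host = os.cpu_count() or 1
    for name, files in (("v2 sample", SAMPLE_V2), ("v1 sample", SAMPLE_V1), ("this host", None)):
        info = read_cgroup(reader_for(files) if files is not None else real_reader)
        limit = memory_limit_bytes(info)
        print(name, "host cpus:", host, "container cpus:", effective_cpus(info, host),
              "memory limit:", limit, "heap budget:", jvm_heap_bytes(limit))
```

The gap between “host cpus” and “container cpus” in the output is exactly the number an older JVM (or any runtime that calls the host’s CPU count) will oversize its thread pools by; the v1 sample also shows why the memory sentinel must be treated as “unlimited” rather than as a real limit.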
Deployment
https://blog.hasura.io/draft-vs-gitkube-vs-helm-vs-ksonnet-vs-metaparticle-vs-skaffold-f5aa9561f948
Observability is core to continuous delivery
www.infoq.com/articles/monitoring-containers-at-scale
Containers are not a silver bullet
Moving to containers: Going all-in?
Using containers does not get rid of the need for
good architectural practices
https://speakerdeck.com/caseywest/containercon-north-america-cloud-anti-patterns
Summary
In summary
• Continuous delivery is vitally important with modern architecture/tech
• Container images must be the (single) source of truth within pipeline
• And metadata added as appropriate…
• Mechanical sympathy is important (assert properties in the pipeline)
• Not all developers are operationally aware
• The tooling is now becoming stable/mature
• We need to re-apply existing CD practices with new technologies/tooling
Thanks for listening…
Twitter: @danielbryantuk
Email: daniel.bryant@tai-dev.co.uk
Writing: https://www.infoq.com/profile/Daniel-Bryant
Talks: https://www.youtube.com/playlist?list=PLoVYf_0qOYNeBmrpjuBOOAqJnQb3QAEtM
bit.ly/2jWDSF7
Coming soon!
Bedtime reading
Bonus slides (for extra context)
Containerise an existing (monolithic) app?
• For
• We know the monolith well
• Allows homogenization of the
pipeline and deployment platform
• Can be a demonstrable win for
tech and the business
• Against
• Can be difficult (100+ line scripts)
• Often not designed for operation
within containers, nor cloud native
• Putting lipstick on a pig?
Key lessons learned
• Conduct an architectural review
• Architecture for Developers, by Simon Brown
• Architecture Interview, by Susan Fowler
• Look for data ingress/egress
• File system access
• Support resource constraints/transience
• Optimise for quick startup and shutdown
• Evaluate approach to concurrency
• Store configuration (secrets) remotely
New design patterns
bit.ly/2efe0TP
Microservices…
Containers and microservices are
complementary
Testing and deployment change
https://specto.io/blog/recipe-for-designing-building-testing-microservices.html
Quick Aside: Running *entire* system locally
https://news.ycombinator.com/item?id=13960107
https://opencredo.com/working-locally-with-microservices/
https://www.datawire.io/telepresence/ | https://hoverfly.io/
