Nine Pillars of Containers Best Practices

OCT 15, 2018

By Marc Hornbeek and Eric Glasser, Trace3

While it is true you can easily “containerize” nearly any software quite quickly, this alone will not realize the benefits of an effective container deployment.   Those that are serious about containers will do well to learn from others.  This blog enumerates nine pillars of best practices for containers.

Leaders need to understand and sponsor a clear vision for containers. Leaders explain why containers are valuable to the business. Containers increase speed and agility for deploying an application when implemented effectively. Containers aren’t tied to software on physical machines, providing a solution for application-portability.

  • Ensure documentation and training cover the nine pillars of container best practices described in this article.
  • Maintain visibility into deployed containers to validate performance and ensure lessons learned are actioned.

Culture in organizations that work well with containers reflect the value of containers. These organizations strive for consistency and repeatability delivering predictable reliable services and products at any scale.

  • Developers own the containers that are used to run their apps
  • Groups own their portion of the environment and exports it as a service
  • Containers are contracted deliverables between development and operations

Application Design. Building containers that scale require application designers to master the best practices for building and running containers.

  • Applications follow the 12factor.net model
  • Applications are as small and follow the single responsibility principal
  • Content is limited to what is needed at runtime
  • Build patterns include only dependencies needed for builds
  • Container files have the least number of layers for readability
  • Order things from least to most often changed to increase caching efficiency

Continuous Integration (CI) within organizations that have multiple teams working concurrently on a project and different code bases is challenging.  During the integration stage it is critical to assess the application and understand the impact of code changes. Considering dependencies, it is important to know how containers affect integration, testing, and acceptance stages prior to deployment to production.

  • CI pipeline uses the same container platform and concepts as the applications
  • Container images are built from one source code version
  • Images have tags following a standard
  • Automated pipelines move containers between environments
  • Layer 7 routing is used for cluster ingress, and application routing.

Continuous Testing (CT) with containers has significant advantages when best practices are followed. Containers allow the job of orchestrating many test configuration variations to be migrated from infrastructure teams to developers. Developers specify what their application needs in a Dockerfile during the testing phase, and their continuous-deployment tool builds and runs the container.

  • Statically test container contents before building the container
  • Everything a service or application needs for testing is placed inside a container
  • Test using the same container definition that is deployed
  • Test the container before pushing it to a shared environment

Continuous Monitoring with containers considers the ephemeral nature of containers, and proliferation of objects, services and metrics to track. Instead of tracking the health of individual containers, track clusters of containers and applications using monitoring agents.

  • Agents are installed on host servers, which push commonly formatted monitoring log data to a centralized monitoring application
  • Monitor applications instead of just infrastructure

Continuous Security with containers, contrary to a popular myth, improves security compared to non-container deployments provided that best practices are followed.

  • Do not run containers as root user
  • Deploy containers with signed images
  • Vulnerabilities are patched by deploying new container versions
  • Encrypt traffic between containers
  • Credentials are not stored in containers
  • Update base operating systems regularly
  • Containers access only resources needed

Containerized Infrastructure environments sit between the host server (whether it’s virtual or bare-metal) and the application. This offers advantages compared to legacy or traditional infrastructure. Containerized applications start faster because you don’t have to boot an entire server. Containerized deployments are “denser” because containers don’t require you to virtualize a complete operating system. Containerized applications are more scalable because of the ease of spinning up new containers.

  • Containers are decoupled from infrastructure
  • Container deployments declare resources needed (storage, compute, memory, network)
  • Place specialized hardware containers in their own cluster
  • Use smaller clusters to reduce complexity between teams

Continuous Delivery/Deployment: Services comprised of containers available from the registry can be deployed after each commit allowing new feature deliveries to users quickly. To minimize risk during deployment the following best practices are important.

  • Containers are not modified between pipeline stages
  • Using an orchestration system (E.g. Kubernetes or Docker Swarm)
  • Developers do not interact directly with the orchestration system.
  • Green/Blue deployments ensure no down time during a deployment

In this article we listed nine pillars of best practices for containers.   While is it clear that containers offer immense value for software deployment, the adherence to best practices is essential to realized their value.

 

 

References:

“An introduction to containers and microservices for enterprise leaders”, Mykhaylo Shaforostov, AppDynamics (Computerworld), 22 June, 2018 08:00
“Containers Will Not Fix Your Broken Culture (and Other Hard Truths)”, Bridget Kromhout, queue.acm.org, Febrary 2018 
“Dockerize your culture and build a business app container image – seriously”, devopsagenda.techtarget.com, Chris Tozzi, September 2017
“The essential guide to software containers for application development”, techbeacon.com, David Linthicum Chief Cloud Strategy Officer, Deloitte Consulting
“4 myths about containers and continuous delivery—It doesn't get easier”, techbeacon.com, Todd DeCapua, Technology leader, speaker & author CSC
The Importance of Continuous Testing, oreilly.com
“RETHINKING MONITORING FORCONTAINER OPERATIONS”, 25 Jan 2017 11:33am, by Lawrence Hecht thenewstack.io
“Security for Containers — or, Containers for Security”, Dimitri Stiliadis, April 2018, containerjournal.com
“What are containers and why do you need them?” Paul Rubens, CIO | JUN 27, 2017 3:00 AM PT
“Containers vs. Legacy Infrastructure: What Containers Do Differently?”, Christopher Tozzi, July 2017

One Response to “Nine Pillars of Containers Best Practices”

October 16, 2018 at 9:00 pm, Michael Ka said:

Nice overview guys! I was hoping to see more around run-time and network security- eg east-west traffic visualization and inline L7 firewalls to isolate container traffic. BTW we are in your 360View system

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *