Configuration Changes Don't Have to be Scary: Testing with containers

transcript

Configuration ChangesDon’t Have to be ScaryTesting with Containers

Andy Henroid <andy.henroid@puppet.com>

Who Am I?

This Talk

Containers for Testing? Yes!ComplicationsDemos!Other [Questionable] Ideas

…I know, right?

Skeptics welcome

Docker Run VM Boot Docker Build+Run

debian:8 centos:7

Containers: Fast & Efficient

Docker Run VM Boot Docker Build+Run

debian:8 centos:7

What Does “Fast & Efficient” Actually Mean?

Back of the Envelope

40𝑠/𝑉𝑀𝑏𝑜𝑜𝑡 + 10𝑠/𝑡𝑒𝑠𝑡1.1𝑠/𝐷𝑜𝑐𝑘𝑒𝑟𝑟𝑢𝑛 + 10𝑠/𝑡𝑒𝑠𝑡

=4.5 tests in containers for every test run in a VM

0200400600800

10001200140016001800

Docker Image VM Image Docker Compressed

debian:8 ubuntu:16.04 centos:7 fedora:24

Containers: Compact & Abundant Images

And 60% smaller yet over

the network

Ask yourself, Do I really need all of this?

Or pick your favorite open-source tool:+

Docker Tooling: Not Bad

Puppet Agents Puppet Master

Abstraction is Powerful

Containers Have Limits

Containers are not VMs…

Not VMs… But We Can Pretend They Are

Containers: Ephemeral & “Safe” Sandboxes?

Containers have security implications• Shared OS kernel & resourcesAnd more security exposure with privileged containers, additional capabilities

[For Testing] Are you willing to sacrifice some degree of security for performance?

From Jérome Petazzoni’s talk“Is it safe to run applications in containers?”

Run containers inside VM(s)Enable SELinuxRemove or separate secrets & credentialsPlenty of prior art for securing containers in production

From “Is it safe to run applications in containers?”

If you answered, “No. Security over Performance.”

Other Concerns: Image Size, Mutability

0100200300400500600700800

Docker Image Docker + Puppet

debian:8 ubuntu:16.04 centos:7 fedora:24

Puppet Agent Puppet Master

The Hard Part: Modeling Your Environment

Good news: Your CM code does most of the work

Prior art for fine tuning, e.g. see Reliant’s PuppetConf talk here

Scaling Up

Your test matrix: Go big!More platformsMore configurationsIn parallel

4.0.0 4.1.0 4.2.0 4.3.0 4.4.0 4.5.0 4.6.0 4.7.0 4.8.0centos:5 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓centos:6 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓centos:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓debian:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓debian:8 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:23 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:24 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:12.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:14.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:16.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Puppet4.0.0 4.1.0 4.2.0 4.3.0 4.4.0 4.5.0 4.6.0 4.7.0 4.8.0

centos:5 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓centos:6 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓centos:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓debian:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓debian:8 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:23 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓fedora:24 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:12.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:14.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ubuntu:16.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Now on to more controversial topics…

“Who needs Config Management? We use containers!”

Have You Heard This One?

Given a container:How was it built?

How do you run it?

What is inside right now?

When do you rebuild?

Docker Tooling: Not Bad… Could It Be Better?

What packages are in the base image?

What version of Puppet & dependencies?

Is this the one and only way to run this container?

Puppet lives in separate mounted container

Inventoried container can be Immutable

Inventory is JSON• Query with standard tools• Use for container health

checks, extend container metadata, etc.

Unpacking It All

Configuration Management + Containers: Better TogetherTesting: A very good place to start

Many free and open-source toolsBase container imagesBuild, run, inspect containersDSL integration and much more…

You can do it too…on your laptop!

Thank you! Questions?

The shortest path to better software.

Configuration Changes Don't Have to be Scary: Testing with containers

Software