
Configuration Changes Don't Have to be Scary: Testing with containers

Date post: 15-Apr-2017
Upload: andrew-henroid
Andy Henroid <[email protected]>
Transcript


Who Am I?


This Talk

• Containers for Testing? Yes!
• Complications
• Demos!
• Other [Questionable] Ideas

…I know, right?

Skeptics welcome

Containers: Fast & Efficient

[Chart: time in seconds (0–60) for Docker Run, VM Boot and Docker Build+Run; series debian:8 and centos:7]

What Does “Fast & Efficient” Actually Mean?

Back of the Envelope

$$\frac{40\,\text{s/VM boot} + 10\,\text{s/test}}{1.1\,\text{s/Docker run} + 10\,\text{s/test}} = 4.5$$

tests in containers for every test run in a VM

Containers: Compact & Abundant Images

[Chart: image size in MB (0–1800) for Docker Image, VM Image and Docker Compressed; series debian:8, ubuntu:16.04, centos:7, fedora:24]

And 60% smaller yet over the network

Ask yourself, Do I really need all of this?

Or pick your favorite open-source tool:

Docker Tooling: Not Bad

Puppet Agents Puppet Master


Abstraction is Powerful


Containers Have Limits


Containers are not VMs…


Not VMs… But We Can Pretend They Are

Containers: Ephemeral & “Safe” Sandboxes?

Containers have security implications
• Shared OS kernel & resources
And more security exposure with privileged containers, additional capabilities

[For Testing] Are you willing to sacrifice some degree of security for performance?

From Jérôme Petazzoni’s talk “Is it safe to run applications in containers?”

If you answered, “No. Security over Performance.”

• Run containers inside VM(s)
• Enable SELinux
• Remove or separate secrets & credentials
• Plenty of prior art for securing containers in production

From “Is it safe to run applications in containers?”
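
One way to check test containers for the exposures named on these slides (privileged mode, added capabilities, disabled SELinux labeling, credentials left in the environment), as an added example that is not from the talk. It reads the JSON array that `docker inspect` prints; the container names, the secret-name pattern and the sample records are constructed for illustration.

```python
import json
import re

# Env var names that suggest a credential was left in a test container
# (heuristic pattern chosen for this example, not an exhaustive list).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)

def audit_container(info):
    """Return a list of findings for one `docker inspect` record."""
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged container")
    for cap in host.get("CapAdd") or []:          # CapAdd is null when unset
        findings.append(f"added capability: {cap}")
    for opt in host.get("SecurityOpt") or []:
        # Accept both the current "label=disable" and the older "label:disable".
        if opt.replace(":", "=") == "label=disable":
            findings.append("SELinux labeling disabled")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]             # report the name, never the value
        if SECRET_NAME.search(name):
            findings.append(f"possible secret in environment: {name}")
    return findings

def audit(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {c.get("Name", "?"): audit_container(c) for c in json.loads(inspect_json)}

# Constructed sample, trimmed to the fields used above.
SAMPLE = json.dumps([
    {"Name": "/puppet-test-centos7",
     "HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": ["label=disable"]},
     "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=example"]}},
    {"Name": "/puppet-test-debian8",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None},
     "Config": {"Env": ["PATH=/usr/bin"]}},
    {"Name": "/puppet-test-fedora24",
     "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None},
     "Config": {"Env": None}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against real containers by passing the output of `docker inspect` for the test containers to `audit()`; an empty finding list means none of these four conditions were detected, not that the container is isolated.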


Other Concerns: Image Size, Mutability

[Chart: image size in MB (0–800) for Docker Image and Docker + Puppet; series debian:8, ubuntu:16.04, centos:7, fedora:24; annotation: 3.2x!]

Puppet Agent Puppet Master


The Hard Part: Modeling Your Environment

Good news: Your CM code does most of the work

Prior art for fine tuning, e.g. see Reliant’s PuppetConf talk here


Scaling Up

Your test matrix: Go big!
• More platforms
• More configurations
• In parallel

Puppet        4.0.0  4.1.0  4.2.0  4.3.0  4.4.0  4.5.0  4.6.0  4.7.0  4.8.0
centos:5      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
centos:6      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
centos:7      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
debian:7      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
debian:8      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:22     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:23     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:24     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:12.04  ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:14.04  ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:16.04  ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓

Now on to more controversial topics…

“Who needs Config Management? We use containers!”


Have You Heard This One?

Given a container:
• How was it built?
• How do you run it?
• What is inside right now?
• When do you rebuild?

Docker Tooling: Not Bad… Could It Be Better?

What packages are in the base image?

What version of Puppet & dependencies?

Is this the one and only way to run this container?

Puppet lives in separate mounted container

Inventoried container can be Immutable

Inventory is JSON
• Query with standard tools
• Use for container health checks, extend container metadata, etc.

Unpacking It All

Configuration Management + Containers: Better Together

Testing: A very good place to start

Many free and open-source tools
• Base container images
• Build, run, inspect containers
• DSL integration and much more…

You can do it too…on your laptop!

Thank you! Questions?

The shortest path to better software.

