Date posted: 15-Apr-2017
Category: Software
Uploaded by: andrew-henroid
[Figure: bar chart of time in seconds for Docker Run, VM Boot and Docker Build+Run, for debian:8 and centos:7]
Containers: Fast & Efficient
What Does “Fast & Efficient” Actually Mean?
Back of the Envelope
$$\frac{40\,\text{s/VM boot} + 10\,\text{s/test}}{1.1\,\text{s/Docker run} + 10\,\text{s/test}} = \frac{50}{11.1} \approx 4.5$$
tests in containers for every test run in a VM
[Figure: bar chart of size in MB for Docker Image, VM Image and Docker Compressed, for debian:8, ubuntu:16.04, centos:7 and fedora:24]
Containers: Compact & Abundant Images
And 60% smaller yet over the network
Containers: Ephemeral & “Safe” Sandboxes?
Containers have security implications
• Shared OS kernel & resources
And more security exposure with privileged containers, additional capabilities
[For Testing] Are you willing to sacrifice some degree of security for performance?
From Jérôme Petazzoni’s talk “Is it safe to run applications in containers?”
• Run containers inside VM(s)
• Enable SELinux
• Remove or separate secrets & credentials
• Plenty of prior art for securing containers in production
From “Is it safe to run applications in containers?”
If you answered, “No. Security over Performance.”
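An added example (not from the slides) that checks `docker inspect` output for the exposures named above: privileged mode, added capabilities, disabled SELinux labeling and credentials left in the environment. The container names and the secret-name pattern are assumptions, and the sample records are constructed.

```python
import json
import re

# Constructed sample shaped like `docker inspect` output (not from the slides).
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/puppet-test-centos7",
   "Config": {"Env": ["PATH=/usr/bin", "AWS_SECRET_ACCESS_KEY=EXAMPLE-ONLY"]},
   "HostConfig": {"Privileged": true, "CapAdd": null, "SecurityOpt": null}},
  {"Name": "/puppet-test-debian8",
   "Config": {"Env": ["PATH=/usr/bin"]},
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
                  "SecurityOpt": ["label=disable"]}},
  {"Name": "/puppet-test-fedora24",
   "Config": {"Env": ["PATH=/usr/bin"]},
   "HostConfig": {"Privileged": false, "CapAdd": [], "SecurityOpt": []}}
]""")

# Heuristic for variable names that usually hold credentials (an assumption).
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)

def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    host = c.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged")
    for cap in host.get("CapAdd") or []:
        findings.append(f"cap-add:{cap}")
    # Docker accepts both label=disable and the older label:disable spelling.
    for opt in host.get("SecurityOpt") or []:
        if opt.replace(":", "=") == "label=disable":
            findings.append("selinux-labeling-disabled")
    for entry in (c.get("Config") or {}).get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-in-env:{name}")  # name only, never the value
    return findings

def audit(containers):
    """Map container name -> findings, omitting clean containers."""
    results = {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```

On a real host, feed it `json.loads` of `docker inspect $(docker ps -q)` output instead of the sample.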
Other Concerns: Image Size, Mutability
[Figure: bar chart of size in MB for Docker Image vs. Docker + Puppet, for debian:8, ubuntu:16.04, centos:7 and fedora:24; annotated “3.2x!”]
The Hard Part: Modeling Your Environment
Good news: Your CM code does most of the work
Prior art for fine tuning, e.g. see Reliant’s PuppetConf talk here
Scaling Up
Your test matrix: Go big!
• More platforms
• More configurations
• In parallel
Puppet         4.0.0  4.1.0  4.2.0  4.3.0  4.4.0  4.5.0  4.6.0  4.7.0  4.8.0
centos:5         ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
centos:6         ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
centos:7         ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
debian:7         ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
debian:8         ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:22        ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:23        ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
fedora:24        ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:12.04     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:14.04     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
ubuntu:16.04     ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓      ✓
Given a container:
How was it built?
How do you run it?
What is inside right now?
When do you rebuild?
Docker Tooling: Not Bad… Could It Be Better?
What packages are in the base image?
What version of Puppet & dependencies?
Is this the one and only way to run this container?
Puppet lives in separate mounted container
Inventoried container can be Immutable
Inventory is JSON
• Query with standard tools
• Use for container health checks, extend container metadata, etc.
Unpacking It All
Configuration Management + Containers: Better Together
Testing: A very good place to start
Many free and open-source tools
• Base container images
• Build, run, inspect containers
• DSL integration and much more…
You can do it too…on your laptop!