More Terrible Ideas for Containers?
The Ideal and the Real Linux Container
Andy Henroid <andy.henroid@puppet.com>

Who am I?

This Talk
Linux Containers
Big Promises
Broken Dreams?
Band-Aids & Better Solutions

Containers: Escape from Dependency Hell
Linux & Open Source Software:
Astounding range & variety of SW
Dependencies accumulate quickly
Yes “DLL Hell” is a Linux problem
See also: RPM Hell, Java JAR Hell, Ruby Gem Hell, …
And many disparate solutions to these

Containers + Orchestrator = Massive Scalability
Orchestrators like Kubernetes add:
✓ Dynamic Scalability
✓ Resource Efficiency
✓ High Availability
✓ Uniform Service Discovery
✓ Portability
And more...
Treating each container/pod as a Black Box, a homogenous unit to schedule in the cluster

The Ideal Linux Container
Lightweight
Single-purpose
Immutable
Great starting point for a micro-service
Alpine 3.5.2: A minimal Docker image based on Alpine Linux with a complete package index
Image size: 4.2MB; image layers: 1; packages: 11

The Real Linux Container
Heavyweight
General-purpose
Mutable
Flexible, reusable
But fast approaching VM size
Ideal to… far from ideal

Image            Image Size  Packages  Files
Alpine           4M          11        0.4K
Debian           129M        104       8K
Nginx (Debian)   190M        140       11K
Fedora           240M        171       13K
GoLang (Debian)  716M        191       25K

Image Size & Layers
Container tooling makes it trivial to “ADD”
But there is no “REMOVE”
Images grow quickly
And never smaller

Image                        Image Size  Packages
Fedora                       231M        171
Fedora (after "yum update")  436M        172

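
Why an image only grows, as an added example that is not from the slides: image layers are stacked tar archives, and a later layer can only hide a lower file by overwriting it or by adding a whiteout marker (`.wh.<name>` in the OCI layer format), so the hidden bytes stay in the image. The layer contents, file names and the `make_layer` / `analyze` helpers are constructed for illustration.

```python
import io
import tarfile

WHITEOUT = ".wh."           # OCI marker: "this name was deleted in a lower layer"
OPAQUE = ".wh..wh..opq"     # OCI marker: "hide everything below this directory"


def make_layer(files, deleted=()):
    """Build an in-memory layer tarball (hypothetical helper for this example).
    `files` maps path -> bytes; `deleted` lists paths removed by this layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for path in deleted:
            head, _, name = path.rpartition("/")
            marker = f"{head}/{WHITEOUT}{name}" if head else WHITEOUT + name
            tar.addfile(tarfile.TarInfo(marker))   # zero-byte whiteout entry
    return buf.getvalue()


def _hide(merged, target, children_only=False):
    """Drop `target` and everything under it from the merged view.
    Returns the number of bytes that became invisible."""
    prefix = target + "/" if target else ""
    gone = [p for p in merged
            if p.startswith(prefix) or (p == target and not children_only)]
    return sum(merged.pop(p) for p in gone)


def analyze(layers):
    """Walk layers bottom-up and compare what is stored with what is visible."""
    merged, stored, hidden = {}, 0, 0
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members = tar.getmembers()
        for m in members:            # pass 1: whiteouts act on lower layers only
            head, _, name = m.name.rpartition("/")
            if name == OPAQUE:
                hidden += _hide(merged, head, children_only=True)
            elif name.startswith(WHITEOUT):
                target = name[len(WHITEOUT):]
                hidden += _hide(merged, f"{head}/{target}" if head else target)
        for m in members:            # pass 2: files this layer adds or rewrites
            name = m.name.rpartition("/")[2]
            if m.isfile() and not name.startswith(WHITEOUT):
                stored += m.size
                hidden += merged.pop(m.name, 0)   # old copy stays in its layer
                merged[m.name] = m.size
    return {"stored": stored, "visible": sum(merged.values()), "hidden": hidden}


# Constructed sample: a base layer, an "update" layer that rewrites two files,
# and a "cleanup" layer that deletes a cache directory.
BASE = make_layer({"usr/lib/libssl.so": b"A" * 4000,
                   "usr/bin/app": b"B" * 2000,
                   "var/cache/pkg/index": b"C" * 3000})
UPDATE = make_layer({"usr/lib/libssl.so": b"D" * 4100,
                     "usr/bin/app": b"E" * 2000})
CLEANUP = make_layer({}, deleted=["var/cache"])

if __name__ == "__main__":
    for stack in ([BASE], [BASE, UPDATE], [BASE, UPDATE, CLEANUP]):
        print(len(stack), "layer(s):", analyze(stack))
```

The hidden bytes are also the part a scanner still has to read: an outdated library that a later layer overwrote remains retrievable from the lower layer.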
Riffing on a Cool Idea
~330K Dockerfiles on GitHub

Variations on a Theme: Opening the Black Box
Open-source https://github.com/anchore/anchore
Image size & layers
Image family tree
Linux distro
Packages & files
CVEs
And more…
Ideal to… alarming

Image            Files  Unmanaged Files
Alpine           449    0
Debian           8267   707
Nginx (Debian)   11191  1435
Fedora           12792  720
GoLang (Debian)  25497  10720

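
One way to count unmanaged files in a Debian-based image, as an added example that is not the survey's or Anchore's own code. It assumes "unmanaged" means a file that no installed package lists in its dpkg manifest (`/var/lib/dpkg/info/<package>.list`), and it treats dpkg's own database as managed; the image contents and function names are constructed.

```python
import posixpath

DPKG_INFO = "var/lib/dpkg/info/"
# Top-level directories that are symlinks into /usr on merged-/usr systems.
# dpkg may record /bin/ls while the file actually lives at /usr/bin/ls.
USR_MERGED = ("bin", "sbin", "lib", "lib64")


def canonical(path, usr_merged):
    """Normalise a dpkg-recorded path to where the file lives in the image."""
    path = posixpath.normpath(path).lstrip("/")
    top, _, rest = path.partition("/")
    if usr_merged and rest and top in USR_MERGED:
        return f"usr/{top}/{rest}"
    return path


def package_owned(fs, usr_merged=False):
    """Map every path listed in a dpkg *.list manifest to its owning package."""
    owned = {}
    for name, data in fs.items():
        if name.startswith(DPKG_INFO) and name.endswith(".list"):
            pkg = name[len(DPKG_INFO):-len(".list")]
            for line in data.decode().splitlines():
                if line.strip():
                    owned[canonical(line.strip(), usr_merged)] = pkg
    return owned


def unmanaged_files(fs, usr_merged=False):
    """Files present in the image that no package manifest accounts for."""
    owned = package_owned(fs, usr_merged)
    return sorted(p for p in fs
                  if p not in owned and not p.startswith("var/lib/dpkg/"))


# Constructed image filesystem: path -> file content (content is irrelevant here).
IMAGE = {
    "var/lib/dpkg/info/coreutils.list":
        b"/.\n/bin\n/bin/ls\n/usr/share/doc/coreutils/copyright\n",
    "var/lib/dpkg/info/libssl3:amd64.list":
        b"/usr/lib/x86_64-linux-gnu/libssl.so.3\n",
    "usr/bin/ls": b"",
    "usr/share/doc/coreutils/copyright": b"",
    "usr/lib/x86_64-linux-gnu/libssl.so.3": b"",
    "usr/local/bin/app": b"",                # copied in by the image build
    "opt/vendor/lib/libcrypto.so.1.0": b"",  # bundled library, no package owns it
    "root/.cache/pip/wheel.whl": b"",        # build leftover
}

if __name__ == "__main__":
    print("unmanaged:", unmanaged_files(IMAGE, usr_merged=True))
    # Without the merged-/usr normalisation a packaged binary is misreported.
    print("naive:    ", unmanaged_files(IMAGE, usr_merged=False))
```

A scanner that matches CVEs against the package database alone never sees the files this reports, such as the bundled `libcrypto` in the sample.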
Docker Hub Survey
We analyzed :latest image from >5000 top repos
136 Official + many more
Wide variety: Base OS images, services, middleware, languages, …
600M+ to 10K pulls
Fun Fact: Top 2% public Hub repos account for >99% of all Docker pulls

Base Container Image
Lightweight = 31.5% Images: alpine 23.3%, buildroot 2.0%, busybox 1.5%, Misc. 3.1%, Other 1.6%
Heavyweight = 68.5% Images: debian 31.6%, ubuntu 29.5%, centos 6.6%, fedora 0.8%
† Full data set at https://github.com/ahenroid/docker-hub-survey

Docker Hub Survey
Median stats: Expansive gulf between lightweights & heavyweights

             Image Size  Packages  Files  Unmanaged Files
Lightweight  64M         20        4K     0
Heavyweight  577M        245       23K    5K
† Full data set at https://github.com/ahenroid/docker-hub-survey

Container Big Promises
Massive Scalability? Maybe.
Escape from Dependency Hell? Deferred, but not actually solved.
Ahead for operators: Inventory and maintenance nightmare
Always Vulnerable
Always Updating
Always Rebuilding
Even the best containers fall short

Advice (Part I): Know What’s Inside
Labels, embedding Dockerfiles, and similar band-aids
Pro: Bound to container image
Cons:
Not automatic
Not standardized
No rich data format
Quickly out-of-date

Advice (Part I): Know What’s Inside
Container Scanning
Static image scanning
Everyone is doing it…
Open source, hosted services, integrated with container registries
Live container scanning
Fewer options today

Quick Interlude: How Did We Get Here?
Software development principles encouraging Fast Delivery
Open Source: Every library you will ever need is here, ready to integrate
Decomposing traditional monolithic apps is hard, fraught work

Advice (Part II): Good Engineering Practices
Start small and build carefully, thoughtfully
FROM scratch, or more realistically, Alpine
Separate & design containers by purpose
Front-end web service, Jenkins build slave, ...
No “Golden Container Image”
Know your dependencies & question over time
Be willing to redesign/refactor as your containers evolve
Automated tools to identify dependency creep
Engineering?!

Other Talks
Continuous Delivery to Azure with Docker
Using Redis with other DBs
Creating custom Postgresql packages in Alpine Linux for use with Docker/Containers/VMs
Libral: towards a system management API for Linux
Spice up your dev environment with containers
Container Images @ FB with Btrfs

Questions?

The shortest path to better software.
