The document discusses the tension between operations (ops) teams and container technology, highlighting misconceptions and challenges in managing containers. Key points include the need for security collaboration between developers and ops, the realities of container management, and the importance of automation. The conclusion encourages ops teams to embrace container technology while prioritizing security and automation.

1. Ops hates containers. Why?
Martin Alfke - example42 GmbH

2. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH !2
Developers say:
• Ops are responsible for
• base container image
• running container
• staging containers
• container security
Customer meeting with Dev, Sec and Ops

3. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Customer meeting with Dev, Sec and Ops
!3
Security / Developer dialogue:
• Security:
• “Dev must ensure security”
• “Dev must name Kernel
capabilities and CGroup settings”
• Developers:
• “what is CGroup settings?”
• Security:
• “We probably should meet when
we all know the basics.”

4. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
DOCKER DOCKER DOCKER DOCKER DOCKER DOCKER
!4
Image: wikimedia.org

5. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Container Myths
!5
• No need for configuration
management - anywhere
• Easier to build, deploy and run
• Easier to test and verify
• Easier to fix issues
Image: tatlin

6. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Container Myths - Part 2
!6
• No need to check status and health?
• No need to identify security?
• No need to login, no need for logs?
• No need for dedicated hardware,
runs on cloud?
Image: tatlin

7. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Container de-mystified
!7
• It is just a change-root, delivered as
a ‘package’
• Build steps are layers like VCS
commits
• Containers need infrastructure
• Containers are managed like
binaries
Image: tatlin

8. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Container Runtime
!8
• People start with docker because it
is easy
• docker pull / docker run
• like curl -k | sudo bash
Image: tatlin

9. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!9
Simple can be harder than complex: You have to work hard to
get your thinking clean to make it simple. But it's worth it in the
end because once you get there, you can move mountains. -
Steve Jobs [BusinessWeek, May 25, 1998]

10. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!10
• Mainframe
• PC
• VM
• Container
Image: example42 GmbH

11. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!11
• Uptime decreasing
• Maintenance increasing
Image: example42 GmbH

12. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!12
• Staff does not scale
with platform
Image: example42 GmbH

13. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!13
• 100% Automation !
Image: example42 GmbH

14. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!14
• 80/20 - Pattern:
Image: tatlin

15. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
OPS, NET, SEC: Act!
!15
• 80/20 - Pattern:
• 80% time spending on 20% not
automated
Image: tatlin

16. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Containers
!16
Image: wikimedia.org

17. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Understanding containers
!17
• Short living instances
• 12factor (http://12factor.net)
• Persistant vs volatile data
• Single node view
Image: tatlin

18. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Troubleshoot containers
!18
• registry and container build process
• docker down
• docker in docker
Image: tatlin

19. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Using containers
!19
• CI/CD Pipelines
• Build Processes
• Dashboards
• Puppet Infrastructure(!) (https://
github.com/puppetlabs/
pupperware/)
Image: tatlin

20. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Container Management
!20
Image: wikimedia.org

21. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Understanding container management
!21
• Multi node container runtime
• Orchestration
• Network (Egress / Ingress / Proxy)
• Maintenance
Image: tatlin

22. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Troubleshoot container management
!22
• Kill a node / container
• Why running an CM API service as
container might be a bad idea?
• Misconfiguration
• Upgrades
Image: tatlin

23. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Managing container orchestration
!23
Installation and configuration of an
application stack.
• Puppet
• Ansible
• Chef
• Saltstack
Image: tatlin

24. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Commercial container management
!24
• Self hosted vs Managed
• everybody does K8s?
Image: tatlin

25. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Other container management
!25
• Mesos/Aurora/Marathon
• Titus (Netflix)
• Docker Swarm
• Nomad/Terraform
• CoreOS / rkt
Image: tatlin

26. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Was there something in the past?
!26
Image: tatlin

27. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Containers and CfgMgmt
!27
• Where do you run your databases?
• Can you move everything to
containers?
• What about legacy applications?
Image: tatlin

28. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Containers and Monitoring
!28
• Dynamic Resources need dynamic
monitoring solution
• Global platform and service health
• Some monitoring tools for
containers: sysdig, cAdvisor, Puppet
Discovery, Prometheus
Image: tatlin

29. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Containers and Hardware
!29
• Serverless does not mean no
hardware
• Opsless does not mean no Ops
• Check with finance (CAPEX vs.
OPEX)
Image: tatlin

30. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Conclusion
!30
Image: tatlin

31. Ops hates containers! Why? OpenRheinRuhr 2018 - Martin Alfke © example42 GmbH
Conclusion
!31
• Containers adoption increases.
• Ops people: start learning, stop play
and complaining.
• Security first - even on PoC
• Automate everything
• Choose your container tools and
environments. Image: tatlin

32. Ops hate not having full control
of their systems. Not containers.
Martin Alfke - example42 GmbH