Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Simplifying the Journey of Your Containerized A...

Kyle Quest
July 20, 2023
Programming
0
180

Simplifying the Journey of Your Containerized Application from Dev to Production

Creating a containerized application PoC is deceptively simple. Making it production ready is a lot of work though. This talk will cover what’s necessary to have a production ready containerized application and the steps to get there. We’ll explore the best practices and gotchas containerizing applications. We’ll also compare creating production ready containers the hard way and the easy way.

Video: https://www.youtube.com/watch?v=8iJ_6VUzk1I

Kyle Quest

July 20, 2023
Tweet

More Decks by Kyle Quest

See All by Kyle Quest
Malicious Compliance Automated: When You Have 4000 Vulnerabilities and only 24 Hours Before Release
kcq
0
9
How to get Slim with SOCI and Star(g)s: Minifying Containers with Lazy Image Loading in ContainerD
kcq
1
200
Improving Developer Experience with Containers: Making it Easy to Understand, Optimize, and Troubleshoot Your Containers
kcq
0
53
Building a Tool to Debug Minimal Container Images in Kubernetes, Docker and ContainerD
kcq
0
370

Other Decks in Programming

See All in Programming
traP の部内 ISUCON とそれを支えるポータル / PISCON Portal
ikura_hamu
0
220
ASP. NET CoreにおけるWebAPIの最新情報
tomokusaba
0
100
最近のVS Codeで気になるニュース 2025/01
74th
1
220
Simple組み合わせ村から大都会Railsにやってきた俺は / Coming to Rails from the Simple
moznion
3
3k
良いユニットテストを書こう
mototakatsu
13
3.6k
asdf-ecspresso作って 友達が増えた話 / Fujiwara Tech Conference 2025
koluku
0
1.5k
PHPカンファレンス 2024|共創を加速するための若手の技術挑戦
weddingpark
0
140
watsonx.ai Dojo #6 継続的なAIアプリ開発と展開
oniak3ibm
PRO
0
190
PHPとAPI Platformで作る本格的なWeb APIアプリケーション(入門編) / phpcon 2024 Intro to API Platform
ttskch
0
400
自動で //nolint を挿入する取り組み / Gopher's Gathering
utgwkk
1
120
混沌とした例外処理とエラー監視に秩序をもたらす
morihirok
15
2.6k
php-conference-japan-2024
tasuku43
0
440

Featured

See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
174
51k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7.1k
BBQ
matthewcrist
85
9.4k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
3
250
Side Projects
sachag
452
42k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
500
Producing Creativity
orderedlist
PRO
343
39k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3.1k

Transcript

  1. Simplifying the Journey of Your Containerized Application from Dev to

    Production

  2. The Problem

  3. None
  4. None

  5. What We Need for Production

  6. • Ops plane integrations (logging, metrics, monitoring) • Optimized build

    and deploy time • Security (vulnerabilities and capabilities that can be exploited) • Handling secrets properly • Persisting data • Resource limits for colocated containers

  7. Let's Start the Journey

  8. None
  9. None
  10. None
  11. None

  12. What’s Wrong?

  13. None

  14. • Big container image • Problems with build caching •

    Running as root • Only the major version of node is pinned

  15. Common Gotchas

  16. • Lack of version pinning turns into reproducibility problems •

    Cache busting instruction combinations cause slow builds • Large build contexts result in slow builds and bigger images • Not handling signals and not handling orphaned processes • Deleted data is not deleted if...

  17. Let’s Improve the Dockerfile

  18. None
  19. None

  20. Best Practices

  21. • Single app/function • Pin versions for dependencies to have

    reproducible builds • Keep your image as small as possible • Minimize the number of layers • Structure layers for better build time caching • Make sure to handle zombie processes and signals properly • Don’t run as root • Harden container images • Don’t embed secrets or configs in container images • Use available security capabilities • Use container images as ‘promotion’ artifacts*

  22. Alpine Gotchas

  23. • Many musl libc related problems • Network/DNS problems •

    Performance problems • Crashes • Lots of package related headaches ◦ Hard to pin package versions ◦ Limited package availability ◦ Disappearing older packages ◦ Building your own packages can be challenging if they include native code • Lag in security updates • Limited vulnerability scanner coverage

  24. Doing it the Hard Way

  25. • Builder pattern or multi-stage builds • Using a small

    base image • Manually optimizing Dockerfile instructions* • Manually hardening container images :-(
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None

  32. Let’s Simplify

  33. • Buildpacks (PaaS roots) • Build tool plugins (to generate

    Dockerfiles or images) • Project generators (e.g., Yeoman)
  34. None

  35. • Opinionated • Limited ability to customize • Complexity (not

    a problem when it all works) • Generated Dockerfile quality isn’t always great • Limited/basic optimizations

  36. Optimizing with DockerSlim

  37. • Keep your Dockerfile simple • No tricks with Dockerfile

    instructions • No need for multi-stage if you don’t want it • Same base image you are used to • Optimizes alpine, distroless and buildpack based images too
  38. None

  39. Summary

  40. None

  41. Key Takeaways

  42. • Use buildpacks or app tool generated Dockerfiles if it

    works for you • For custom Dockerfiles where you need more control: ◦ Use non-root user in Dockerfiles ◦ Install your app dependencies first and your app code after • Use DockerSlim for advanced optimizations and security