Containers 101

29 Apr 2022 by Chris Hudson

Tech Insights: Digital Transformation: Application Modernization: Application Containers

Modernization Strategy – Aligning with Customer needs, organizations across all sectors are using, creating, and adopting applications and software to providing more customer-aligned products and services at unbelievable speeds. These digital transformation efforts are pushing Application Development groups to leverage more cloud based and cloud native technologies. The key advantages of containers are speed, simplicity/flexibility and efficiency (savings). App containerization helps developers and related lines of business move faster, scale to meet demands quickly, build and package applications for the cloud with the ability to easily move workloads in multiple environments faster.

Key Takeaways

  • Containers allow businesses to simplify development and application deployments, allowing faster time to market and higher quality of the applications.
  • Integrate automated security checks/tests in CI/CD pipelines (CI CD Pipeline is the software development queue where developers can submit changes to be deployed to production) reduces your security technical debt as each time it is built the scans verify compliance.
  • Using containers reduces vendor lock in, thereby reducing technical debt and increasing agility to deploy to different infrastructure providers.
  • Decreases environmental drift allowing for quicker troubleshooting when bugs are found decreasing mean time to resolution (get back to operation faster)
  • Application development might not be a core part of your business, but the software you buy will come in containers

What

Containerization is an approach to software development that bundles the application and all needed libraries/dependencies into a standardized deployable unit. Containers lead to higher efficiency & utilization of infrastructure by increasing application density for the given hardware than traditional virtual machines. The container image becomes immutable – the files and state cannot be changed after it is created.

Containerized deployments allow organizations to break down applications into smaller chunks causing applications to be deployed faster, with higher quality, and ultimately cheaper than traditional big server farms and monolithic apps. This streamlines Infrastructure requirements with less risk of configuration errors and environmental drift.

Cloud-native applications are developed as loosely coupled micro-services running in containers managed by orchestration platforms allowing applications to move from one environment to another quickly and reliably. Example: developers laptop going to testing, staging into production, production to multiple regions/Disaster recovery sites. This is used for on-premise, hybrid, private & public cloud deployments. Changes can be isolated and deployment decisions can be made in response to application needs and market changes quickly.

Monolith to Micro-services Factors driving the growth of the Application Container market are businesses going through digital transformations. Our clients are changing to providing more customer-aligned products and services, along with the vast adoption of micro-services architecture and cloud based/cloud native applications. Deploying containers are used to help build, manage, and easily move applications for on-premise, hybrid cloud, and multi-cloud environments.

Image of Deployment types Kubernetes link

Why

Different versions of the operating systems redhat vs Debian or the java run times are different in all the environments, or the security policies are different between test and prod

  • VM’s – include the OS (40GB) + application per VM, so a host with 3 vms has 120gb storage requirement and is running 3 instances of os
  • Containers there is only 1 os shared between all containers (shared parts are read only with write data mounted externally) making them much smaller, faster to initialize, faster to delete and reduces overall resource utilization.
  • Virtualization and containers are also coming to be seen as complementary technologies rather than competing ones.

Business Problems solved

  • Legacy Costs: Lift & Shift - migrating Virtual Machines from on premise data centers to the cloud is the first step in the maturity processes and if stopped at this point this is a very costly step.
  • Cost Optimization to place workloads where the cost is the lowest for the needed performance, identify savings for hosting in the public cloud vs. on-premises.
  • Improved flexibility and reliability for easier and more dependable maintenance
    • The introduction of automation for patching and security upgrades
    • Quickly respond to security vulnerabilities with containerized or streamlined code
    • Opportunities for increased reliability and redundancy
  • Increased agility in accelerating the release cycle
    • Containers streamline deployments by making it more efficient and eliminating the difference between development and production environments
    • Saving time and money while maintaining software

Tech problems solved

  • Loosely coupled, distributed, elastic, liberated micro-services: applications are broken into smaller, independent pieces and can be deployed and managed dynamically – not a monolithic stack running on one big single-purpose machine.
    • Agile application creation and deployment with increased ease and efficiency of container image creation compared to VM image use.
    • Resource isolation: predictable application performance.
    • Resource utilization: high efficiency and density.
    • Breaking applications into smaller units (microservices/serverless functions/api’s) allows for improved testing and reducing dependency complexity.
  • Building Cloud agnostic strategies
    • Modifying applications to use containers allows for flexibility and reduces vendor lock in (operational efficiency) allowing for different deployment options in the future, with minimal impact to current tooling and expertise.
    • Speed and agility to deploy to Multi cloud/hybrid environments – enhancements to operational efficiency and delivering customer enhancements to the market.
    • Environmental consistency across development, testing, and production: Runs the same on a laptop as it does in the cloud.
    • Continuous development, integration, and deployment providing for reliable and frequent container image build and deployment with quick and efficient rollbacks (due to image immutability).
    • Cloud and OS distribution portability: Runs on Ubuntu, RHEL, CoreOS, on-premises, on major public clouds, and anywhere else.
    • Consistent environment from dev to prod to DR, leveraging containers allows for environments to be configured closer reducing environment impacts and changes.
    • Run anywhere - Deployment to multiple cloud environments and on premise can be tricky unless abstracted away allowing faster development and deployment.
    • Have ability to deploy containers on existing virtualized environments (such as VMs or the cloud), utilizing current infrastructure while benefiting from both VM and container advantages, while on premise this is a good maturity point as it allows you to introduce new tech, skills, and deployment processes while furthering your capabilities for cloud migrations and leveraging native cloud development.
    • Tech stacks are changing and evolving, by using defined containers you have a software bill of materials built into the platform allowing you to easily audit and update applications and their dependencies reducing technical debt.

  • Dev and Ops separation of concerns: create application container images at build/release time rather than deployment time, thereby decoupling applications from infrastructure.

  • Better observability: not only surfaces OS-level information and metrics, but also application health and other signals.

Maturity Model

Crawl

  • Dev is using containers as deployment artifact 1-10 containers
  • standardized deployment – use the FaaS/PaaS, config mgmt. tools running minimal amount of apps., container provisioning is in place
  • no container orchestration

Walk

  • simple container orchestration is in place
  • basic workload optimizations
  • few clusters usually long lived, and manually configured

Run

  • Has on-ramp recipes creating a Platform as a Service for application containers
  • Modernization factory – used for appdev, infrastructure groups specify the standards, enforcement processes (early detection/prevention)
  • Container orchestration becomes complex quickly at scale where cluster lifecycle becomes unwieldy quickly without best practices & SOLID architecture in place.
    • how are they created: namespaces (prod/dev/test/middleware/data layers), multi-cluster management, and workload orchestration
    • policies & configurations enforced
    • plugins/components utilized
    • cost reporting
    • data governance
    • image creation repository & updates process
  • advanced workload optimizations

Challenges

  • Misconfigurations at the host, containers, or between containers
  • Monitoring - Speed at which containers scale up and down – they are short lived
  • Cross communication between services
  • New set of tools, skills, staff
  • Many people believe containers make their apps more secure by default - just because the app is isolated to its own container without proper processes in place can lead to an increase surface area for attacks.
  • Containers don’t prevent appsec issues (SQL injection, xss), and densely packed images increase risk. The Software Engineering Institute estimates that 90 percent of reported security incidents result from exploits against defects in the design or code of software. (Department of Homeland Security)
  • FinOps—cost visibility, cost showback/chargeback, and cost optimization—you quickly realize that you’re encountering the same difficulties you faced as you moved into the cloud.
    • Containers represent another layer of virtualization on top of cloud virtualization, which creates a new wrinkle of complexity when it comes to tracking its costs.

Best Practices

  • Carefully consider the capital expenditure (capex) and operational expenditure (opex) of the container stack including the software, additional modules, and infrastructure. Identify additional overhead with previous enterprise virtualization and infrastructure as they may have an increased cost than moving to public cloud resources.
  • Continuous deployment with containers – to prod we must go! - quickly and safely and with enough controls so manual approvals are not warranted.
  • IaC for the host/bare metal
  • Security spans design, development, deployment, and running apps
  • Container dependencies constantly need to be maintained, hardened
  • Pen-testing including the additional layers: app, container, container host, vm image, and vm host
  • Private vs Public Registries add additional surface attack to the secure software development lifecycle (sSDLC)
  • Service Mesh: configurable infrastructure layer for microservices applications including secure communication, logging, load balancing, authorization, service discovery.
  • Infrastructure as Code (IaC): using templates and source control to version infrastructure and its configuration.
  • AIOps: use big data and analytics to decision on alerts & actions
  • Edge computing: containers are being used more in edge computing stacks allowing for better maintenance and management.
  • On Premise Software: will begin to ship only in containers and you will need the skills and platform to host them.

A recent 451 Research Market Monitor report estimates the application container software market will be worth $1.1 billion in 2017. Growing at a compound annual growth rate of 35%, researchers expect the market to reach more than $3.4 billion in 2021.

Container Market Summary

Container Platforms

Container Platforms are technology solutions designed to automate all aspects of coordinating and managing containers (container life cycle) and their dynamic environments.

Cloud Providers

Microsoft, AWS, Google Cloud all provide managed or hosted Kubernetes clusters allowing to reduce the operational and administrative tasks associated at the host level. This reduces administration burden such as Host OS patching, Kubernetes patching, networking, and monitoring are part of the managed services, but also restricts some of the flexibility for a fully customized container environment.

Interesting Container Platform Companies

  • Cloudbolt
  • Docker Enterprise (Mirantis)
  • Kubernetes
  • Morpheus
  • Rancher Labs
  • VMWare Tanzu

Container Security

Container security is the protection of containerized applications and infrastructure throughout the software development lifecycle. This includes securing images, containers, hosts, runtime registries and orchestrators. This is done through application hardening, system hardening, vulnerability scanning, configuration management, micro segmentation, and anomaly detection.

  • Vulnerability and Configuration assessments – Multiple checkpoints needed scanning of images
    • during build for vulnerabilities using latest versions and only approved and hardened images
    • scanning the image repository – things change from the time of build to deployment time
    • scanning during deployment – ensuring the environment is hardened and built to standards
    • Scan all underlying hardware as well, build systems, registries, and deployment servers
  • Image Assurance
  • Run Time scanning – look for abnormalities host, cluster, and container level, ensure workload protection

Interesting Container Security Companies

  • AquaSec + Argon
  • Snyk
  • SysDiag
  • Synopsis
  • Prisma Cloud (Twistlock)

References

© chudson121.github.io 2016

Last Modified: 2022-10-17 18:38:23 +0000

About this site