@alicegoldfuss She's telling us about the idyllic picture painted by advertisements (for instance, for cars) with the fancy 0-60 numbers... vs. the tiny small words "laboratory setting" or "test track". #VelocityConf
That's how @alicegoldfuss feels about container talks. Presenter comes out and says "BAM, I will revolutionize your infrastructure? What's that? Run more than one container? No problem! [with shipping container images overlaid on cars]" #VelocityConf
"Is this why sysadmins are so mad?" @alicegoldfuss wants to see more "Docker WTFs" and fewer "Docker 101s". We need to be able to make better decisions about containers. And she calls herself "Edward DevOpsHands" #VelocityConf
She ran containers in prod since 2015 since Docker 0.6, paving the road behind them; and now she's on the k8s platform team at GitHub.
We have a host, which is a box, and an OS, which is a box, and a container daemon, which is a box, and on top of that you have containers WHICH ARE SMALLER BOXES.
But to your kernel, they're all just running processes. python processes, ruby processes, and then the dockerd and kubelet. They're not hidden in boxes, they're processes like any others, born from tarballs, anchored to namespaces, controlled by cgroups. #VelocityConf
Containers are just a bunch of native linux features stapled together. There is no such singular concept in the kernel.
Namespaces determine what a process can see. cgroups determine what a process can use.
Four lessons to give us a better sense of whether containers are right for us: (1) Containers have strengths when used for the right purposes -- for scaling stateless applications and making them portable and more easily revised/deployed. Data in, data out. #VelocityConf
(2) Disaster recovery. Avoids that developer's laptop that runs a critical piece of our infrastructure every day at 3am. We deploy our apps in the same way to the same places, making environments reproducible.
We can by default redeploy/restart even others' apps. #VelocityConf
(3) Development environments. We can run dev built applications in the same way as our production applications, and tear down cleanly afterwards.
And we don't have to repro on our laptop. #VelocityConf
Lesson number 2: containers have weaknesses:
Stateful apps [ed: like hairspray]. Databases, for instance. If you're not having billions of requests per second, you probably don't need to containerize databases.
You *can* get stability/recovery/provisioning BUT... #VelocityConf
It's cheaper to do that with a cloud provider doing that work with the right tooling for you! Even if it's more money to the cloud provider, it's cheaper than your development time to do things right.
Are you *sure* you want to do that in-house? #VelocityConf
There are some ways to handle this, such as using network-mounted storage backing containerized databases, but then you get network bound.
Or you can save the data locally, but then you get no benefits except sounding good on resume. #VelocityConf
"Seriously, consider going to the cloud for your databases. It will save you time and hardship. You didn't really want that HN blogpost anyways." --@alicegoldfuss#VelocityConf
Lesson 3: It's never "just" containers. Lots of decisions to make. How will you build your tarballs? You don't have to use docker in prod. Orchestration matters too. Managing clusters, SLOs, and automating your networking and access controls. #VelocityConf
Here are all your choices for k8s networking: calico, flannel, cilium, linkerd, istio, envoy...
and how many of them will survive the next few years? and will your engineers be able to submit bugs and patches? #VelocityConf
but now you have to integrate with your infrastructure. for instance, deployment. Do you need to build new integration and tooling? which will you fix first if they both break?
How are you going to monitor? provision? and *debug* the extra abstraction. #VelocityConf
You need processes for gradually rolling out the new platform to users; it'll take a year to get a container platform off the ground with just one service running on it.
and you'll be coping with a hybrid/chimera for a while. set your expectations accordingly. #VelocityConf
Lesson number 4 (final lesson) -- even if you're going to disregard the rest of Alice's advice and do "Kubernetes in the App Store.":
Containers need headcount. hypothetical "Why not just give it to ops?" #VelocityConf
Deploying containers is like building a new datacenter with a completely new software stack requiring a completely new team, not just adding one more jenkins to your pile of jenkins. #VelocityConf
Make sure you hire the right people -- ops specialists who know the skeletons, deployment folks who understand the landscape, tooling/glue writers, and monitoring/metrics specialists. Kernel engineers who can debug interactions. Networking specialists. #VelocityConf
Get people who understand infosec and build it in from the start. And developer advocates or internal sponsors who can get people to adopt. #VelocityConf
and you need, last, but not least, a product & project manager. When something fails, you need the breathing room and heatshielding.
You can pull these from other teams, but BACKFILL THEM or @alicegoldfuss will get mad at you for trying to be sneaky. She sees all. #VelocityConf
You need a team, not necessarily one person for each role, but 6-8 people in total ideally, and 4+ people at minimum. Oncall of less than 4 people is untenable and will cause your platform to plummet into the sea.
And give them space to experiment and succeed. #VelocityConf
[ed: this talk is so good and I wish I could also capture all of @alicegoldfuss's quips including about the LKML, but instead I just got the best concrete points]
Recap: benefits/drawbacks of containers, don't use them for stateful, use cloud providers instead #VelocityConf
And invest sufficiently in the team if you're building a container platform.
There's no one right answer to "should I run containers in prod?" If you have stateless services, a large platform, and lots of resources, go for it. #VelocityConf
If your databases have nicknames, you have a monolith, and a small team with no org support... don't. Unless you want to spite Alice.
"Containers are just a tool", says @alicegoldfuss. "They're a little tricky, but if you have a good team, you'll get there in the end." --@alicegoldfuss [fin and raucous applause] #VelocityConf
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Final talk I'll be getting to at #VelocityConf before I dash to Toronto: @IanColdwater on improving container security on k8s.
@IanColdwater She focuses on hardening her employer's cloud container infrastructure, including doing work on k8s.
She also was an ethical hacker before she went into DevOps and DevSecOps. #VelocityConf
She travels around doing competitive hacking with CTFs. It's important to think like an attacker rather than assuming good intents and nice user personas that use our features in the way the devs intended things to be used. #VelocityConf
My colleague @sethvargo on microservice security at #VelocityConf: traditionally we've thought of traditional security as all-or-nothing -- that you put the biggest possible padlock on your perimeter, and you have a secure zone and untrusted zone.
@sethvargo We know that monoliths don't actually work, so we're moving towards microservices. But how does this change your security model?
You might have a loadbalancer that has software-defined rules. And you have a variety of compartmentalized networks. #VelocityConf
You might also be communicating with managed services such as Cloud SQL that are outside of your security perimeter.
You no longer have one resource, firewall, loadbalancer, and security team. You have many. Including "Chris." #VelocityConf
The problems we're solving: (1) why are monoliths harder to migrate? (2) Should you? (3) How do I start? (4) Best practices #VelocityConf
.@krisnova is a Gaypher (gay gopher), is a k8s maintainer, and is involved in two k8s SIGs (cluster lifecycle & aws, but she likes all the clouds. depending upon the day). And she did SRE before becoming a Dev Advocate! #VelocityConf
"just collect data and figure out later how you'll use it" doesn't work any more. #VelocityConf
We used to be optimistic before we ruined everything.
Mozilla also used to not collect data, and only had data on number of downloads, but its market share went down because they weren't measuring user satisfaction and actual usage. #VelocityConf