A presentation at St. Louis Java User Group Meetup in in St. Louis, MO, USA by Melissa McKay
LEVEL UP Your Java Container Images Melissa McKay Developer Advocate @JFrog
MELISSA MCKAY Developer Advocate @JFrog @melissajmckay linkedin.com/in/melissajmckay
THE AGENDA • Brief History • The Container Market • What is Docker? • What is a Container? • Container Gotchas
HOW ARE YOU USING CONTAINERS TODAY??? • LOCALLY • TEST/QA ENVIRONMENTS • PRODUCTION • WE DON’T USE THEM TODAY • WE ARE CONSIDERING USING THEM
ALL ABOUT … CONTAINERS
SHARING LIMITED RESOURCES 1979 / 1982- chroot
PROGRESS TOWARD VIRTUALIZATION ▪ 2000 - FreeBSD jail ▪ 2004 - Solaris Zones / snapshots ▪ 2006 - Google Process Containers / cgroups ▪ 2008 - IBM LinuX Containers (LXC) ▪ 2013 - Docker (open source!) - Google LMCTFY (open source!) ▪ 2014 - Docker trades LXC for libcontainer ▪ … more stuff happened 1 201 7 a v a J 2014 Java 8 ▪ June 2015 - Open Container Project/Initiative (OCI) ○ Runtime Specification (runtime-spec) ○ Image Specification (image-spec) ▪ … even more stuff happened and is still happening!
THE CONTAINER MARKET (according to Sysdig) 2017 - 45,000 Containers, 99% Docker 2018 - 90,000 Containers Fig. 1. 2018 Container Runtimes from: “2018 Docker usage report,” 29 May. 2018, sysdig.com/blog/2018-docker-usage-report/. Accessed 10 Jun. 2020. 18
THE CONTAINER MARKET (according to Sysdig) 2019 - 2 million Containers (includes both SaaS & on prem users) Fig. 2. 2019 Container Runtimes from: “Sysdig 2019 Container Usage Report: New Kubernetes and security insights,” 29 Oct. 2019, sysdig.com/blog/sysdig-2019-container-usage-report/. Accessed 10 Jun. 2020. 19
THE CONTAINER MARKET (according to Sysdig) 2020/21 - 2 million Containers (a subset of customer containers) Fig. 3. Container runtimes from: “REPORT.2021 Container Security And Usage Report,” Jan 2021, https://dig.sysdig.com/c/pf-2021-container-security-and-usage-report?x=u_WFRi. Accessed 21 Jan. 2021. 20
WHAT EXACTLY IS DOCKER? 21
WHAT DO WE ACTUALLY NEED/WANT? • An isolated environment where a user/application can operate, sharing the host system’s OS/kernel without interfering with the operation of another isolated environment on the same system (a container) • A way to define a container (an image format) • A way to build an image of a container • A way to manage container images • A way to distribute/share container images • A way to create a container environment • A way to launch/run a container (a container runtime) • A way to manage the lifecycle of container instances 22
DOCKER, THE WHOLE PACKAGE docker images DOCKER ENGINE DOCKER IMAGE FORMAT Dockerfile docker build docker rm docker push docker pull DOCKER HUB docker run docker stop docker ps 23
BREAKING UP THE MONOLITH OCI IMAGE FORMAT • Docker V2 Image Spec OCI CONTAINER RUNTIME • runC (which used to be libcontainer… which was written by Docker) OTHERS - containerd, rkt, cri-o, Kata, etc… https://lwn.net/Articles/741897/ https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r 24
WHAT IF I DON’T WANNA DOCKAH?? & Skopeo https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/ https://www.redhat.com/en/blog/say-hello-buildah-podman-and-skopeo https://developers.redhat.com/blog/2020/02/12/podman-for-macos-sort-of/ 25
WHAT EXACTLY IS A CONTAINER? 26
CONTAINER COMPONENTS TARBALL OF A FILESYSTEM LINUX FEATURES • namespaces • cgroups • Union File systems Mix these together to create and run a container! Voila! https://docs.docker.com/get-started/overview/ 27
FILESYSTEM DETAILS … … NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen) screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty 28
FILESYSTEM DETAILS … … 29
FILESYSTEM DETAILS 30
CONTAINER GOTCHAS 31
CONTAINER GOTCHAS - RUNNING AS ROOT 32
CONTAINER GOTCHAS - NO CONSTRAINTS 33
CONTAINER GOTCHAS - NEVER UPDATING 34
CONTAINER GOTCHAS - JAVA/JVM GOTCHAS 35
CONTAINER GOTCHAS - IMAGE BLOAT 36
MANAGING YOUR IMAGES - REMOTE BY DEFAULT START FREE: http://jfrog.co/FreeDevOpsTools_STLJUG https://dzone.com/refcardz/getting-started-with-container-registries 38
Your Dockerfile is written, your Java app is packed into an image, and your containers run successfully. Do you have an uneasy feeling that you’ve missed something or that something might be wrong? This talk will leave you with the knowledge you need to be confident in your Java container images.
This session is a must for any Java developer under the pressure of high-performance expectations and tight deadlines in a cloud-native architecture. To that end, we have learned to make use of a variety of tools and abstractions to help move us along the path to production quickly and effectively. There is a rapidly and continuously evolving ecosystem that sustains the forward march of microservice architectures and their deployments. But, there’s a dark side to using these tools in a rush to the finish line. Without taking a step back to understand what’s happening below the surface, we can find ourselves stumbling in areas concerning quality, efficiency, and even security.
For many of us, the first step was to simply get our Java application up and running as expected within a container, and Docker was our tool of choice. Now it’s time to review what you have implemented and make some improvements. Containerizing our Java applications is fairly straightforward with the latest container aware versions, but there are still pitfalls that can trip you up if you don’t know where to look. This session will dive into the best practices of packing your Java container images efficiently and effectively for the trip to production. You will learn valuable information about cloud-native tools available today for building and running containers (including Docker alternatives), container image formats, image storage concerns, and common gotchas to avoid.
for free. You
can too.