Zero to Production-Ready - A Best-Practices Process for Docker Packaging

Docker via YouTube

Overview

Learn a best-practices process for Docker packaging in this conference talk from the Docker Community All-Hands. Discover a six-step approach to efficiently package applications in a production-ready manner, prioritizing security, automation, correctness, reproducibility, and optimization. Explore practical examples and insights on listening configurations, system package updates, security scanning, image tagging, and dependency management. Understand the importance of ongoing processes in Docker packaging, including security updates and reproducible builds. Gain valuable tips on making images identifiable, choosing stable base images, and optimizing build times and image sizes. Recognize how Docker packaging interacts with various organizational processes and learn to implement an iterative Dockerizing process that addresses the most critical aspects first.

Syllabus

Zero to production-ready: a best-practices process for Docker packaging Itamar Turner-Trauring
complicated: Processes! • Packaging interacts with multiple organizational processes: Software development
Today: learn a packaging process 1. You have limited time at work, can get interrupted at any moment 2. Many best practices. Which should you do first? 3. You need an iterative Dockerizing process: Most important parts first. Each step builds on previous steps.
A six steps packaging process 1. Get something working 2. Security
Example: Listen on 0.0.0.0 • Problem: If you listen on 127.0.0.1, that's localhost inside the container • No one else can talk to a different computer/container's localhost • Solution: listen on 0.0.0.0 so your server is accessible
Security • Before you can deploy anything publicly, it needs to be secure • So we do that next
Example: Update system packages
Interlude: Packaging requires ongoing processes • Example best practices so far are done once, during initial packaging • Packaging isn't just about configuration files though • You also need ongoing processes
Example: Security updates • Docker images are immutable artifacts, security updates require new image • Need ongoing process to: 1. Learn about security updates to dependencies 2. Update dependencies 3. Rebuild image 4. Redeploy application
Integrating with your development process • Packaging interacts with how your team
Example: Run security scanners • trivy can scan both Python dependencies and system packages for known security issues • bandit will find potential vulnerabilities in your code, e.g. SQL injection or use of pickle.
Example: Tag based on branch • You want to build image for feature branch 123-more-cowbell automatically • You want production not to be impacted.
Operational correctness and debuggability • You've started automatically building and probably deploying • It's running in production! • Want it to run well in production • More likely to see errors, lots of images, need debuggability
Example: Make images identifiable • Tags are not embedded in the image so can't be used to identify an image • Identity can be embedded using labels.
Reproducibility • This week, your major dependencies probably won't change dramatically • Over six months, some of them will. • Over two years, most of them will. So next, you want reproducible builds so you can update in a controlled manner.
Reproducibility as a process • Latest dependencies on every rebuild: No reproducibility • Thus: pin (freeze) your application dependencies (pip-tools/poetry/pipenv). • If you don't update: obsolete dependencies, dangerous upgrades • Django LTS helps somewhat, but Django 2.2 security updates end April 2022. Thus: need organizational process to update
Example: Choose a stable base image • You'll want a Linux OS which does security updates while still guaranteeing backwards compatibility, for example Ubuntu LTS, Debian Stable, or Red Hat Enterprise Linux • The official python images are based on Debian Stable, but give access to newer Pythons.
5. Example: Pin Python dependencies • pip-tools can turn this requirements.in
Faster builds and smaller images • Your images are now packaged correctly, so now you can focus on optimizations. • Your time is expensive, you don't want to wait for builds • Smaller images can speed up test runs and production startup
Example: Don't use Alpine Linux • Alpine Linux can't use most precompiled wheels from PyPI. • As a result, you need to compile (almost) everything • Example: install pandas and matplotlib. python:3.8-slim-buster: 30 seconds. python:3.8-alpine: 1500 seconds, 50× slower!
Example: Disable pip's caching • By default pip keeps copies of the downloaded package, in case you reinstall later. • This wastes space, increasing image size, and you won't need it
Recap of steps 1. Get something working 2. Security
Packaging isn't just about artifacts • Dockerizing requires artifacts: Dockerfile, build scripts, etc. • But packaging also interacts with and requires processes! • Interacts with development processes: version control branching, testing, CI • Need process for security updates. • Need process for dependency updates.

Taught by

Docker
