Operating containers cannot simply borrow from practical experience with virtual machines. For example, almost any workload can be virtualized immediately, but only some workloads are suited to containerized deployment.
This article answers the 10 questions enterprises most commonly ask when adopting containers, to help you better understand container deployment and workload containerization.
1. What are the most suitable use cases for containers?
In a production environment, the ideal candidates for containerized deployment are microservices. A microservice performs one focused task that represents only a small part of the whole application. Because it is focused on a single task, it can be scaled independently of the other parts of the application, and because microservices are highly cohesive and loosely coupled, they can be deployed and released independently of one another.
Building microservices on container infrastructure lets you realize these advantages faster. As long as the externally facing API stays backward compatible, a developer can iterate on and improve an entire microservice without affecting the microservices of other developers. However, most traditional enterprise applications do not follow a microservice architecture, so microservices are not a fit for every enterprise.
2. What are the key factors that need to be considered when deploying containers?
(1) Management UI and API
A management user interface (UI), including graphical UIs built on the API, where the API also allows external systems to access the platform directly.
(2) Image registry
Public registries such as Docker Hub provide publicly hosted container image repositories. Many container management systems also provide private registries in which an enterprise can manage its own images.
(3) Orchestration and scheduling
The orchestration layer keeps containers running in the desired state and provides rolling updates and rollbacks. Kubernetes has become the de facto standard for container orchestration.
(4) Container runtime
The container runtime lets a cluster node pull container images from the registry, lay out the filesystem needed to run the container on the host, interact with network and storage plugins, and create, start and stop containers.
(5) Security controls
Enforce security policies through security components, including secrets and key management, vulnerability scanning, image signing, network isolation and encryption, and role-based access control (RBAC).
(6) Continuous monitoring
Monitoring tools provide visibility into cluster nodes, containers, and microservices.
(7) DevOps workflow
DevOps is not a prerequisite for container deployment, but the two are usually used together. For example, DevOps tooling, CI/CD pipeline tools, and container image builders need to work together.
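As an added example that is not part of the original article, the following Kubernetes manifest shows how the RBAC control from point (5) and the rollout/rollback function from point (3) fit together: a CI pipeline's service account is granted only what it needs to roll a Deployment forward or back in one namespace, instead of the cluster-admin binding that is often handed out for convenience. The namespace `shop` and the account name `ci-deployer` are hypothetical.

```yaml
# Added example, not from the article. Least-privilege RBAC for a CI deployer.
# The weak alternative this replaces is a ClusterRoleBinding of the CI account
# to the built-in cluster-admin ClusterRole, which would let a compromised
# pipeline read every Secret and create privileged pods anywhere in the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer        # hypothetical account used by the CI/CD pipeline
  namespace: shop          # hypothetical namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                 # namespaced: nothing here reaches other namespaces
metadata:
  name: deployment-rollout
  namespace: shop
rules:
  # Rolling update and rollback both work by patching the Deployment object
  # (kubectl rollout undo rewrites the pod template), so patch/update suffice.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Read-only view of the resulting ReplicaSets and Pods for rollout status
  # and troubleshooting; no create, delete or exec on pods.
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-rollout
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: shop
roleRef:
  kind: Role
  name: deployment-rollout
  apiGroup: rbac.authorization.k8s.io
```

After applying it, the permissions can be checked from the account's point of view with `kubectl auth can-i patch deployments -n shop --as=system:serviceaccount:shop:ci-deployer` (expected `yes`) and `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:ci-deployer` (expected `no`). Secrets are deliberately absent from the Role: the pipeline that ships images has no need to read the credentials the running workloads use.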
3. Can containers run in Windows and VMware environments?
The Windows container ecosystem is not yet mature enough for wide production use. Windows containers lack full support from container orchestration tools; at the time of writing, the latest Kubernetes release offers only beta support for Windows containers. In addition, few Windows applications are available in containerized form, and Windows Server support for authentication, security, and networking in containers is still limited, with several components in "beta" or "preview". Despite these limitations, Windows containers can be used in specific scenarios such as in-house development, where containers still bring agility, portability, and cost advantages.
VMware's vSphere Integrated Containers integrates the Docker engine with vSphere, running containers inside lightweight VMs. VMware also provides a container management portal and a private registry for secure image storage.
4. Should you choose CaaS, Kubernetes, or a BYO container management solution?
Several products on the market let companies deploy containers at scale, offering different levels of abstraction to application developers. The most abstract are container-as-a-service (CaaS) products, many of which started as PaaS products, such as Cloud Foundry and OpenShift. These CaaS products hide infrastructure details from developers and provide application tooling in a structured way. A bring-your-own (BYO) container management solution provides the least abstraction and the most flexibility, but adds complexity.
BYO: Avoid BYO except in rare cases, because few organizations have the capability to build and operate it. Organizations that still want BYO can integrate fast-moving open source components themselves.
Kubernetes: If you at least understand the infrastructure conceptually and can operate it, a relatively flexible Kubernetes distribution is a feasible choice. Some CaaS products offer developer tooling while also giving developers more direct access to the orchestration and scheduling components.
PaaS: If you are just getting started with microservices, use the services a PaaS provides.
5. Is container technology less secure than virtual machine (VM) technology?
Container technology is not inherently insecure. Each application and user within a container is isolated from the others precisely so that the compromise of one container does not hand an attacker the rest. But all containers on a host share that host's OS kernel, so ensuring the integrity of the shared kernel and the isolation between containers is essential. In addition, communication between containers must be monitored and protected, and traditional security tools are mostly ineffective here.
When using container technology, consider the following three points:
Use a hardened, minimal host operating system (a "thin" OS) to limit the attack surface, backed by strict, automated patch management.
Apply controls during both the build and the run phases of the container lifecycle, for example scanning the software during the development life cycle to find vulnerabilities early.
Use fine-grained container security tools to actively detect and monitor abnormal behavior; container security products such as Qingteng Honeycomb provide container- and server-level security visibility and help block malicious application traffic.
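The shared-kernel point above is concrete enough to check mechanically. The following Python script is an added example, not code from the article or from any vendor it names: it audits a Kubernetes Pod manifest (already parsed into a dict, so it needs no YAML library) for the settings that widen a container's reach into the host kernel or host namespaces, and runs it over two constructed sample pods, one "works on my laptop" debug pod and one hardened pod. The checks approximate the Kubernetes "restricted" Pod Security Standard but are a simplification of it; the image names and the uid 10001 are assumptions.

```python
# Added example, not from the article: audit Pod specs for isolation weaknesses.
# Every container on a node shares the node's kernel, so each check below flags
# a setting that gives the container more of the kernel or host than it needs.
from typing import Any, Dict, List


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one Pod manifest given as a dict."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces remove the isolation the kernel provides between pods.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} shares a host namespace with all other pods")

    # hostPath volumes expose the node's filesystem to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts host path "
                            f"{vol['hostPath'].get('path')}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container has full kernel access")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        # Container-level settings override pod-level ones; root unless forbidden.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (not non_root and uid is None):
            findings.append(f"{name}/{cname}: may run as root (uid 0)")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if caps.get("add"):
            findings.append(f"{name}/{cname}: adds capabilities {sorted(caps['add'])}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: does not drop ALL capabilities")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}/{cname}: no seccomp profile restricts syscalls")
    return findings


# Constructed sample: a debug pod of the kind that often lingers in clusters.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

# Constructed sample: a service pod with isolation settings enforced
# (hypothetical image name and uid).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api", "image": "registry.example.com/shop/api:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for line in audit_pod(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(line)
```

The debug pod produces eight findings and the hardened pod none. In practice the same checks belong in admission control (the built-in Pod Security Admission enforcing the `restricted` level, or a policy engine) rather than in a script, but the script makes visible exactly which fields decide how much of the shared kernel a container can reach.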
6. Can containers handle sensitive data and applications?
If container security is addressed as part of the deployment and combined with existing encryption and other security tools, containers can process sensitive data and applications. Some container security vendors' solutions, such as Qingteng Cloud's container solution, can also be used to secure containers. For this to succeed, the security team must be involved as early as possible in the process of deploying containers for sensitive data.
7. Are containers suitable for COTS applications?
More and more software vendors now offer containerized deployment as an option for their products. Some vendors have adopted agile development models to fit containerized deployment and made it part of how they write, test, and deliver software; these applications have been refactored into microservices that naturally suit containers. Other vendors, however, offer container deployment only reluctantly, out of fear of losing market share if they do not. In that case the COTS application is mostly not suited to containers, because it may still be monolithic in nature or may lack the ability to scale its parts independently. In addition, if the enterprise has no existing container infrastructure to manage it, containerized deployment of COTS applications may not be appropriate.
In most cases, avoid packaging COTS applications into containers without the vendor's explicit support, to avoid errors and unsupported configurations.
8. How do Cloud Foundry, OpenShift and similar products relate to containers?
Cloud Foundry is an application PaaS platform that supports multiple frameworks, languages, runtime environments, cloud platforms and application services, enabling developers to deploy and scale applications in seconds without worrying about infrastructure. In that sense it is also a relatively opinionated container framework: it is pre-configured to simplify installation and maintenance.
OpenShift is Red Hat's cloud platform as a service (PaaS) that lets developers create, test, and run their applications and deploy them to the cloud. OpenShift supports many programming languages and frameworks, such as Java, Ruby, and PHP, and provides integrated development tools such as Eclipse integration, JBoss Developer Studio and Jenkins.
When evaluating PaaS products for container scenarios, look at the scope of services each provides and distinguish whether it supports container workloads natively or needs custom configuration or third-party components to do so.
9. Should applications be refactored to better support containers?
In production, containers bring the greatest benefit when they support the elastic workloads of microservices. So whether to refactor an application for containerized deployment depends on whether the organization plans to use containers across development, testing, and production.
When an enterprise decides to refactor applications for containers, it should start with the stateless parts, such as the front end of a web application, and refactor them into microservices that can run in containers. New applications can be built on a microservice architecture from the outset to avoid refactoring later.
10. What does deploying container services in the public cloud look like?
Cloud IaaS providers offer fully managed services so that customers need not deal with virtual machines or the underlying infrastructure, and this trend now extends to containers. For example, AWS Fargate provides a managed container service that abstracts the underlying infrastructure away, so developers can focus on the tasks to be performed rather than on the number of instances behind the cluster.