2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Today the editor brings you an article on container precautions, mistakes to avoid, and the key points of container management. The editor finds it quite practical and shares it here for reference. Let's take a look.
Container technology makes application packaging very simple, and containers will become the mainstream deployment method in the future. The authoritative advisory body Gartner predicts that more than 75% of organizations worldwide will run applications in containers by 2022, a significant increase from less than 30% today.
Judging from the data alone, containers and K8S have been widely used in traditional data centers and cloud-native applications in recent years, but the current container ecosystem is not yet mature and lacks enough proven operational practice cases. Container integration, networking, and automated deployment remain thorny issues. In addition, because cloud-native applications require a highly automated infrastructure environment and professional operations skills, the use of containers in enterprises is still limited.
1 Considerations for deploying containers in a production environment
Therefore, running containers in a specific production environment still requires a long learning process. Before deploying containers in a production environment, organizations must carefully consider the following six questions:
(1) DevOps: Do you have a DevOps team to practice DevOps and enable agile development and deployment models?
(2) Workloads: Is there a dedicated person responsible for containerized workloads?
(3) Rapid integration: Do you understand how to integrate IT infrastructure and have the ability to integrate across platforms?
(4) Payment model: Do you know what kind of operation and orchestration engine is used, and their payment model?
(5) Training skills: Do you know what new skills to learn and what rules to apply to ensure successful container deployment?
(6) ROI: What is the return on investment?
However, many organizations underestimate the amount of effort required to run containers in production. To make containers work properly in the enterprise, try to avoid the following six mistakes:
(1) Starting to deploy containers without mature DevOps practice experience.
(2) Selecting containers built on proprietary components, which leads to vendor lock-in.
(3) Not implementing common tooling and compliance requirements across the organization.
(4) Providing no cutting-edge technical training for development and operations staff.
(5) Ignoring the needs of developers and operators when choosing tools.
(6) Choosing complex workloads with many dependencies and interdependencies.
2 Container practice needs to focus on six aspects of management
After deploying containers in production environments, enterprises should pay special attention to the security of the containers themselves. Issues such as Docker host security, Docker image security, runtime security, orchestration security, etc., mean that securing containers will be an ongoing challenge. Deploying containers in production environments requires a focus on security compliance, continuous monitoring, data persistence, network security issues, lifecycle management, container orchestration, and more.
1. Security compliance
Security cannot be an afterthought; it needs to be embedded in the DevOps process. Organizations need to consider security across the full lifecycle of containers, including the build, development, deployment, and operation phases of an application.
(1) Integrate image scanning into the enterprise CI/CD pipeline to find vulnerabilities in time. Scan applications during both the build and run phases of the software development lifecycle, focusing on scanning and validating open source components, libraries, and frameworks.
(2) Check security configuration against the CIS baseline.
(3) Establish mandatory access control, encrypt and manage sensitive information such as SSL keys or database credentials, and provide them only at runtime.
(4) Prohibit privileged containers through policy management to reduce the impact of a potential compromise.
(5) Deploy security products that provide whitelisting, behavior monitoring, and anomaly detection to prevent malicious activity.
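Points (3) and (4) above can be enforced as an admission-style policy check. The following is an added example (not code from the article or any vendor it mentions) that inspects a Kubernetes Pod manifest for privileged containers, missing privilege-escalation restrictions, and credentials inlined into environment variables instead of being referenced from a Secret at runtime; it also flags images not pinned to a version. The manifest, the `registry.example.internal` images and the `SECRET_HINTS` heuristic are constructed assumptions.

```python
import json

# Constructed sample Pod manifest (JSON form of what kubectl submits), not taken
# from the article; the "api" container deliberately violates the rules above.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "billing-api"},
  "spec": {
    "containers": [
      {"name": "api", "image": "registry.example.internal/billing:1.4.2",
       "securityContext": {"privileged": true},
       "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]},
      {"name": "sidecar", "image": "registry.example.internal/logger:2.0",
       "securityContext": {"privileged": false, "allowPrivilegeEscalation": false},
       "env": [{"name": "DB_PASSWORD",
                "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}
    ]
  }
}
""")

# Heuristic (assumption): env var names containing these words carry credentials.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CREDENTIAL")


def check_pod(pod):
    """Return a list of policy violations found in a Pod manifest (dict)."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Rule (4): no privileged containers, and privilege escalation must be off.
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Rule (3): credentials must come from a Secret at runtime, never be inlined.
        for env in c.get("env", []):
            sensitive = any(h in env.get("name", "").upper() for h in SECRET_HINTS)
            if sensitive and "value" in env:
                findings.append(f"{name}: env {env['name']} carries an inline credential")
        # Image standard: reject untagged or :latest images so deployments are reproducible.
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image {image!r} is not pinned to a version")
    return findings


if __name__ == "__main__":
    for f in check_pod(SAMPLE_POD):
        print(f)
```

In a real cluster the same checks belong in an admission controller or a policy engine so that a violating Pod is rejected rather than merely reported.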
2. Continuous monitoring
Developers focus primarily on functional applications of containers rather than monitoring their performance. Traditional monitoring tools focus on host-level metrics such as CPU utilization, memory utilization, I/O, latency, and network bandwidth. But that's not enough, and there's a lack of container or workload level metrics.
(1) Security personnel should focus on monitoring at the container and service level, achieving fine-grained monitoring of "applications" rather than just physical hosts.
(2) Prioritize tools and vendors that provide deep integration with container orchestration (especially Kubernetes).
(3) Use tools that provide fine-grained logging, automated service discovery, and real-time operational recommendations.
3. Container storage
As the use of stateful workload containers increases, customers need to consider the persistence and security of data outside of physical hosts. Even if the container is gone, the data must still be there. If the enterprise's primary use case for containers is migrating legacy applications or stateless use cases, the security requirements for storage will not change significantly. But if you are refactoring an application or providing a new, microservices-oriented stateful application, security personnel need a storage platform that maximizes workload availability, flexibility, and performance. For example, in order to better support container migration and data sharing, Docker introduced the Volume plugin interface mechanism, allowing third-party storage vendors to support Docker Volume and expand on this basis.
(1) Choose a storage solution that is consistent with microservice architecture principles and that supports API-driven, distributed architecture, on-premises and public cloud deployments.
(2) Avoid proprietary plug-ins and interfaces. Instead, prefer vendors that are tightly integrated with Kubernetes and support standard interfaces such as the Container Storage Interface (CSI).
4. Container network
Developers care most about agility and portability in software development, and want applications to be portable across the whole software development lifecycle. In the traditional enterprise network model, IT creates separate network environments for development, testing, production, and so on for each project, and even that does not necessarily align well with business flows. In a container environment the network problem is even more complex. For example, container networks span multiple tiers, and although it is feasible to expose services directly on host ports, port conflicts arise when deploying multiple applications, making it harder to expand clusters and replace hosts.
Network solutions therefore need to be tightly integrated with Kubernetes primitives and policy engines. Security and operations personnel need to strive for a high degree of network automation and provide developers with the right tools and flexibility.
(1) Analyze whether existing container-as-a-service (CaaS) or software-defined networking (SDN) solutions support Kubernetes networking. If not, the application-layer network and policy engine can be integrated through a Container Network Interface (CNI) plug-in.
(2) Ensure that the chosen CaaS or PaaS tool provides load balancer control for the host cluster, or choose a third-party proxy server.
(3) Train network engineers on the use of Linux networks and automated network tools to fill the skills gap.
5. Container Life Cycle Management
For a highly automated and seamless application delivery pipeline, organizations need to complement container orchestration with other automation tools, such as configuration management tools like Chef, Puppet, Ansible and Terraform, and application release automation tools. Although there is overlap between these tools and CaaS offerings, the complementarity is much greater than the overlap.
(1) Establish standards for container base images, considering image size, flexibility for developers to add components, and licensing.
(2) Use a container-aware configuration management system to manage the lifecycle of container images. Once the system detects that a new image version matching its rules has been pushed to the repository, it immediately triggers an automatic deployment that updates the specified containers with the new image.
(3) Integrate the CaaS platform with application automation tools, which automate the entire application workflow.
6. Container orchestration
Container orchestration tools manage clusters of containers that host many types of services. Both the Kubernetes community and third-party security organizations have improved and hardened the security of Kubernetes components and resources, including compute resource security, cluster security and the security of related components. Secrets management, authorization management, identity control, the orchestration control plane, network certificates and so on all need to be fully considered.
Among them, the key to container deployment is to provide orchestration and scheduling capabilities. The orchestration layer interfaces with the application to keep the container running in the desired state. The container scheduling system places containers on the best hosts in the cluster according to the requirements of the orchestration layer. For example, scheduling is provided by Apache Mesos, orchestration is provided by Marathon, or orchestration and scheduling are provided using a single tool, Kubernetes or Docker Swarm. When customers make decisions between orchestration engines or across Kubernetes distributions, they need to focus on the following:
(1) Depth and breadth of OS and container runtime support;
(2) stability of the whole product during operation;
(3) extensibility;
(4) support for stateful applications;
(5) Simplicity of operation and quality of vendor support;
(6) Support and development of open source;
(7) deployment difficulty and License cost;
(8) Support for mixed clouds.
3 Container Technology and DevOps
Containers and DevOps go together like coffee and creamer. Containers have evolved rapidly partly thanks to hands-on DevOps experience. In a traditional development environment, development teams write code, QA teams test the software, and the application is then handed to operations teams for day-to-day management. To solve the problems of this traditional model, many enterprises have adopted DevOps processes together with microservice principles, containers and container orchestration tools. In fact, DevOps originally meant CI/CD; today a few additional standards and management practices, such as release and deployment, have been added to form what is called DevOps.
In a cloud-native environment, not only must software be developed and released quickly, but the platform itself needs to be treated as a product, because it is dynamic and evolving in both functionality and scale. The platform operations team aims for a standardized platform that is automated, scalable and resilient. Its responsibilities include deploying, operating and customizing CaaS and PaaS products, developing and operating standardized middleware, and automating, deploying and securing IaaS provisioning. Organizations need to create a DevOps team to operate containers rather than rely on isolated IT operations teams.
In the case of container security, enterprises need a solution that integrates into DevOps processes without slowing down software development. At present, some security vendors at home and abroad have made outstanding achievements in this regard, such as Ivy Container Security Solutions, which can provide product services such as container image scanning, *** detection and compliance baseline implementation, and resolve the security challenges brought by containers.
That covers the details of container precautions, mistakes to avoid, and key points of management. Did you find it useful? To learn more, follow our industry news!