Container DevOps: Building Containers into the DevOps Process
Learn how DevOps teams can benefit from containers, how to deploy containers in a DevOps environment, and best practices for using containers effectively
What Does Containerization Mean for DevOps?
Containerization entails placing a software component and its environment, dependencies, and configuration, into an isolated unit called a container. This makes it possible to deploy an application consistently on any computing environment, whether on-premises or cloud-based.
Docker containers are a natural fit for DevOps, providing significant advantages compared to virtualization or bare-metal deployment. They are easier and faster to deploy, require fewer resources to run, are easier to manage, and are generally more flexible. These advantages help DevOps teams break applications into microservices, each of which can be rapidly updated and deployed, increasing development velocity and improving agility. In addition, containers allow DevOps teams to standardize the way applications are packaged, delivered and deployed across the development lifecycle.
In this article, you will learn:
How Can Containers Benefit DevOps Teams?
The integration of software development and IT operations requires rapid change while keeping the cost of change low. Thanks to auditable and replicable organizational processes, teams work together at a higher pace and develop a culture based on experimentation and transparency. IT teams can identify inefficiencies and shift priorities faster.
Consequently, containers are a fundamental component of many DevOps processes. They are lightweight, can be deployed consistently in multiple environments, and are easy to transfer from one team to another. In this way, they help foster cross-organizational collaboration.
The transition to containers is helping developers and security teams address issues earlier in the development process before they become issues in production environments (a concept known as “shift left security”). Many organizations are fostering collaboration between DevOps and security teams to address security concerns from the onset of the development lifecycle – a pattern known as DevSecOps.
Containers promote shift left because they typically support a single, isolated service, which is easier to automatically test, troubleshoot, and fix throughout the development lifecycle. A containerized model allows issues to be fixed at the container level without having to re-architect and redeploy entire applications, which can be too complicated and too resource-intensive for agile DevSecOps methodologies.
Related content: read our guide to Docker in production ›
Building Containers into a DevOps Process: Deployment Considerations
Building and Publishing Container Images
Managing and orchestrating containers has become an integral aspect of DevOps. When an image changes, the containers based on it must be reconstructed. An alternative approach is to push new application code directly to containers already running, although this practice can introduce its own array of potential risks to functionality and security if done without taking appropriate steps to validate the impact of the change.
To streamline the process and to allow for best practices to be baked into established workflows, it is important to use scripts and automation to accelerate the container build step.
When containers are orchestrated by tools like Kubernetes, the orchestrator pulls images from a container registry to provision containers and pods. This requires an automated process for building container images. The CI/CD pipeline creates a container image in a build server, images are published to a container registry, and the orchestrator pulls the latest version of an image from there to run containerized services.
Using Open Source Base Images from Public Registries
DockerHub, Harbor, and other container registries provide image compilation support to simplify this process. You can connect the container registry to the source code repository, such as GitHub, and trigger image rebuilding whenever code is modified. You can use command-line tools, third-party solutions, or APIs to publish images to the registry in an automated manner.
Related content: read our guide to the Docker registry ›
Deploying Containers to a Cluster
To deploy containers to a cluster, DevOps teams define configuration files (typically in YAML formats), and use the semantics of the container orchestrator API. The container orchestrator specifies:
- The number of instances of a specific container image that exist at runtime
- Internal networking required for connecting with other containers
- Container-mounted volumes and persistent volumes
- Container scheduling rules
- Cluster lifecycle management
- Resource management of nodes in the cluster
With the orchestrator handling these complexities, DevOps teams can focus on deciding what and when to deploy, and fine-tune orchestrator configuration to support the required performance and availability levels.
Best Practices for Containers and DevOps
Inspect Container Images Early in Development
In a DevOps environment, developers commonly use container images from public repositories, and may also build their own images with custom components. DevOps teams must scan and verify images early in development and build phases to ensure critical vulnerabilities in base images are identified and resolved before moving on to the next stage. This process should be fully automated for easy adoption and fast remediation of issues by developers.
Related content: read our guide to container registry scanning ›
Integrate Application Security Testing
It is crucial to test for vulnerabilities in applications and container images. If not done properly, unmitigated vulnerabilities and weaknesses in application code can expose containers to security risks such as code injection and cross-site scripting (XSS). This can put sensitive data at risk, impact the performance of web applications, or result in non-compliance with standards and regulations.
Start by testing applications against the OWASP Top 10, and use tools like Static or Dynamic Application Security Testing (SAST/DAST) to perform more comprehensive, automated testing of applications and custom code.
Software Composition Analysis (SCA) also helps identify known vulnerabilities in any open source components or third-party libraries. These steps must be done during development, following the application’s build phase, and during the testing or validation phase before deployment.
Automating security testing during the build process and integrating it into the CI/CD pipeline will ensure a smooth workflow between all stakeholders and minimize disruption when issues are detected.
Container Platform Approaches
There are several types of container platforms. You can use cloud-based managed Kubernetes services like Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes Service (EKS), on-premise managed Kubernetes systems like Rancher, or build your own Kubernetes infrastructure, either on-premises or in the cloud.
The best platform is one that requires the least management overhead and the shortest learning curve. If you can afford the expense of distributed system engineering, you may consider a self-managed container orchestration approach. Otherwise, select a managed service. Upgrading and configuring Kubernetes can be complicated, and any option you choose should provide a robust solution to support necessary upgrades and identify ways to optimize configuration for greater security and better performance.
Use a Private Registry
Public cloud-provided registry services are typically billed by bandwidth and storage capacity. They are cohesively integrated with the provider’s container solutions, fully managed, and thus very convenient.
Private registries may entail higher management overhead, but they provide better content control and pipeline integration. And, because they can reside on your local network, they usually offer better performance than remote registries. They also support a greater variety of security requirements, since they can be deployed on-premises with distinct security configurations, such as in air-gapped environments without access to the public Internet, for example.
Rolling Infrastructure Updates
Regular maintenance and ongoing operational requirements of host operating systems, container platforms (such as Docker), orchestrators (such as Kubernetes), and the underlying infrastructure, can be difficult and resource-intensive. The complexities of such an environment can introduce potential points of failure and lead to oversights in security preparations.
A critical part of this maintenance is performing automated upgrades and frequent patching of operating systems on container hosts. Manage your infrastructure configuration programmatically using Continuous Configuration Automation (CCA) tools. Additionally, scripts and software used to automatically update infrastructure should be committed to version control and managed just like application code. It should be thoroughly tested before using it in production.
Automation
Maximize software delivery agility by automating as many parts of your application delivery pipeline as possible, from validation to security testing to deployment and runtime. Automation can provide agility even in non-containerized environments, but successful container deployment and management is essential to achieving the scale and performance required by today’s DevOps methodologies.
Monitoring all aspects of the environment, including configuration management, security, and compliance is a critical step toward full automation because it eliminates the need for cadenced manual review of these factors. Configure policies or conditional triggers to automate remediation when issues are detected or to accelerate the issue management process when human intervention is required.
Container DevOps Security with Aqua
Aqua Security provides solutions to support container security initiatives and to help organizations maintain secure configurations of their cloud and Kubernetes environments. Aqua analyzes container images for vulnerabilities (e.g., CVEs, vendor advisories), malware, embedded secrets, and configuration issues to facilitate remediation and reduce your attack surface.
Aqua integrates across CI/CD pipelines to help you secure the build, supports infrastructure security requirements in single- and multi-cloud environments, and provides capabilities to ensure container security at runtime. Configure and automatically enforce policies to support compliance and ensure container immutability by detecting and blocking suspicious behaviors.