18 verbs for a runtime. Containers and anti-patterns.
Much to my dismay, over the last year I've heard stories of how teams were leveraging the power of container technologies to go back to the good ol' anti-patterns.
A year ago, I wrote an article focusing specifically on one of them: the shortcuts taken by people consuming content from the Docker Hub. Since then I believe things have improved significantly. Vendors have a good cadence on releasing Docker images to the Hub, and Docker is offering trusted containers in the Store. Of course there's the matter of adoption (and of updating that FROM line in your Dockerfile), but the ecosystem is there! While it may look like a small thing, compromising a container through any of thousands of privilege escalation vulnerabilities may seriously compromise the security of a system.
Containers are immutable, sure, but at build time, not at runtime! So re-deploying often is a good practice. After all, if one container (of potentially thousands of microservices running on containers) gets compromised, I wonder how long it would take anyone to find out! I've recently started exploring a few tools that mitigate that vector. Secrets vaults are extremely useful, allowing you to rotate passwords programmatically (check HashiCorp's Vault, for example).
You should use containers to leverage agility: split your application into loosely coupled components that can be developed individually, released often, and with good API contracts between them, so other teams know what to expect!
Having a portable runtime is great... but not if you're just looking at it as "ops overhead". Those runtimes (again, potentially thousands of them) still need to adhere to best practices, just like any other part of your infrastructure.
And then there is the build issue, and back to the 18 verbs in the Dockerfile. The most commonly used of these is, of course, RUN. If you're waiting for a test to tell you that your build process failed, then you have lost precious time, and a lot of consistency in your build process. Puppet has recently announced a container build functionality which is extremely useful for these cases. Take any existing Puppet code, and use it to build a container using the features that you already know and love.
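As an added illustration (not from the original post, nor Puppet's or Docker's own code), here is a Dockerfile whose RUN steps surface failures at build time instead of leaving them for a later test to find; the base image, package names and username are assumed:

```dockerfile
# Added example: the same build steps written the sloppy way and the fail-fast way.
# Pinning the base image by tag (a digest is stricter) keeps rebuilds consistent.
FROM debian:bookworm-slim

# --- Anti-pattern -----------------------------------------------------------
# The default shell is /bin/sh -c, which only checks the exit status of the LAST
# command in a pipeline: a failed download still exits 0 and the build "succeeds".
# RUN curl -fsSL https://example.invalid/install.sh | sh
#
# Separating commands with ";" ignores the failure of the first one as well.
# RUN apt-get update; apt-get install -y ca-certificates

# --- Fail-fast form -----------------------------------------------------------
# Every following RUN uses bash with errexit and pipefail, so a failing command
# anywhere in a pipeline stops the build immediately, with the error in the log.
SHELL ["/bin/bash", "-o", "errexit", "-o", "pipefail", "-c"]

# Chain steps with && and keep one logical step per layer; --no-install-recommends
# and the list clean-up keep the image small and the install reproducible.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*

# A build-time check: if the expected binary is missing, the build fails here
# rather than in a test stage minutes later.
RUN command -v curl >/dev/null || { echo "curl is missing from the image" >&2; exit 1; }

# Drop privileges for the runtime (assumed username): a compromise of the process
# does not start with root inside the container.
RUN useradd --system --no-create-home app
USER app
```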