Containers / DevOps / Security / Contributed

Container Best Practices: What They Are and Why You Should Care

18 Aug 2021 7:00am, by

Pieter van Noordennen
Pieter van Noordennen is Senior Director of Growth at Slim.AI, a startup focused on creating better developer experiences for cloud native application development. Prior to joining Slim.AI, he led product and platform teams at Tripadvisor, building and shipping innovative, machine-learning-driven applications in high-availability, microservices-driven environments.

Containers have taken their place as one of the most powerful paradigms for application development in use today, and, accordingly, the adoption of containers is on the rise. Up to this point, the organizational focus of container adoption has been primarily on the infrastructure side, with highly specialized infrastructure personnel charged with driving the process. But now that the container market is maturing (Docker and Kubernetes are 8 and 7 years old, respectively), the organizational focus is beginning to “shift left” to what developers can do in the design phase to make containers more efficient, resilient and secure.

When containers break, it tends to be in production, and a lot of those issues could be addressed in the design phase through container best practices. “Container best practices” is a concept that empowers developers — not just DevOps — to work with containers in a safe, easy and ideally automated way. By using container best practices, developers can work faster, ship features more rapidly, endure fewer break/fix cycles and perform fewer repetitive manual optimizations (toil).

Much has been written about best practices for building containerized applications, including by the pioneers of containers, Docker and Google.  Widely accepted best practices can be organized within five key themes:

  1. Control what’s inside the container
  2. Minimize image size and optimize for build speed
  3. Control vulnerabilities and secure services
  4. Enforce standards across your organization
  5. Automate updates

As is so often the case with “ideals,” these best practices are broadly agreed upon and succinctly enumerated, but much easier said than done. Unfortunately, most organizations find it difficult to implement container best practices at scale.

Minification: Necessary but Insufficient

One of the common pitfalls organizations make is to succumb in practice to the misperception that minification of containers IS container best practices. Without a doubt, an outsized amount of time and energy is spent thinking about reducing the size of a container image (minification), and with good reason. Smaller images are safer (smaller attack surface); faster to push, pull, and scan; and just generally less cumbersome in the development lifecycle. That’s why “shrinking a container” has become a common subject for blog posts, video tutorials and Twitter posts. It’s also why the DockerSlim open source project, created and maintained by Kyle Quest, is so popular. It is best known for its ability to automatically create a functionally equivalent but smaller container.

Another common tactic for container minification could be described as “The Tale of Two Containers.” In this approach, developers first create a “dev container” comprising all the tools they love to use for development (such as Ubuntu, Python, package managers, shells, curl, vim, etc.). Then, once development is complete, developers convert their “dev containers” to  “prod containers,” typically by replacing the “heavy” underlying base image with something lighter and more secure (such as Alpine Linux).

Of course, minimization is just one subset of the broader category of container optimization. Other ways to optimize containers include (1) constructing container layers in a way that takes advantage of Docker caching mechanisms to reduce build times and (2) linting of Dockerfiles for basic security protocols.

To be sure, minification or the broader category of optimization are both important, but neither are sufficient to truly implement container best practices at scale. A more comprehensive and standardized approach to best practices is needed.

We Can Do Better: Using Automation to Implement Container Best Practices at Scale

In talking with hundreds of developers working with containers, my colleagues and I inevitably hear about two huge issues with the current focus on and approach to working with containers at scale:

  1. A lot of hand-tuning is involved in tweaking individual containers to make them ready for production. As described above, developers often work with different images for dev and prod, which just ups the amount of hand-tuning involved. These current methods are too manual and inefficient. We should automate as much of this as possible.
  1. Minification and optimization just scratch the surface of container best practices. To focus on minimization or optimization alone is to ignore all of the organizational and systemic issues that are involved in working with containers at scale over time. The goal of container best practices is to implement a holistic approach to using containers efficiently and effectively across the entire organization.

What we don’t want to do is give developers a bunch of new stuff to do or introduce another tool to an already long toolchain. That’s not shifting left. And it’s not sufficient to simply have DevOps or DevX teams handle all container-related issues. Large companies can afford to have teams of platform engineers monitoring and updating containers, but most companies will never have enough DevOps resources to make that viable.

The Time Has Come for ‘Container Best Practices’ to Lead the Way

According to the recently published Gartner Market Guide for Container Management, enterprise respondents cited the top technical benefit of container adoption as the productivity/agility of application developers; however, those same respondents cited the number one container deployment challenge as a lack of skilled resources.

This dichotomy is fairly common in the lifecycle of new technology: talent/expertise and the development of best practices typically lags behind in comparison to the adoption curve. It’s a pattern that has certainly been clear with containers and cloud-native practices.

The good news is that the container ecosystem is mature enough now to know what approaches and practices are right and worthy of standardization and automation. We can find consensus on the best ways to make containers as performant as they can be: as fast, easy to build, easy to debug and easy to deploy as possible. Organizations are also recognizing the importance of a more holistic rather than compartmentalized approach to containers, with a deeper awareness of how critical the team experience is to capitalize on the benefits of container adoption. The time is right for Container Best Practices — CBP — to come into its own.

The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Docker.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.