Implementing a continuous delivery (CD) pipeline is not trivial, and the introduction of container technology to the development stack can bring additional challenges and requirements. This session looks at the high-level steps that are essential for creating an effective pipeline for creating and deploying containerized applications. Topic covered include the impact of containers on CD, adding metadata to container images, validating NFR changes imposed by executing Java applications within a container, and lessons learned (the hard way) in production. A supporting O’Reilly report, “Containerizing Continuous Delivery in Java,” will be available.
3. Setting the scene…
• Continuous delivery is a large topic
• No business focus today (value stream etc)
• PaaS and Serverless are super interesting…
• But I’m assuming you’re all-in on containers
• Focusing today on the process and tooling
• No live coding today
• Books contains more details
22/10/2018 @danielbryantuk
bit.ly/2jWDSF7
bit.ly/2BTjpir
4. tl;dr – Containers and CD
• Container image becomes the build pipeline ‘single binary’
• Adding metadata to containers images is vital (but challenging)
• Must validate container constraints on system quality attributes (NFRs)
22/10/2018 @danielbryantuk
5. @danielbryantuk
• Tech Consultant, Product Architect at Datawire, InfoQ News Manager
• Ex-academic, software developer, ops, ex-CTO, conference tourist
• Continuous Delivery (CI/CD) advocate
• Leading change through technology and teams
22/10/2018 @danielbryantuk
7. Continuous Delivery
• Produce valuable and robust software in short cycles
• Optimising for feedback and learning
• Not (necessarily) Continuous Deployment
22/10/2018 @danielbryantuk
8. Velocity (with stability) is key to business success
“Continuous delivery is achieved when stability and
speed can satisfy business demand.
Discontinuous delivery occurs when stability and speed
are insufficient.”
- Steve Smith (@SteveSmithCD)
22/10/2018 @danielbryantuk
9. Creation of a build pipeline is mandatory for continuous delivery
22/10/2018 @danielbryantuk
18. Make your dev environment like production
• Develop locally or copy/code in container
• Must build/test containers locally
• Perform (at least) happy path tests
• Use identical base images from production
• With same configuration
22/10/2018 @danielbryantuk
19. Quick aside: Working remotely, locally…
22/10/2018 @danielbryantuk
https://opencredo.com/working-locally-with-microservices/
https://www.telepresence.io/
20. Lesson learned: Dockerfile content is super important
• OS choice (alpine or Distroless?)
• Configuration
• Build artifacts
• Exposing ports
• Oracle vs OpenJDK vs …?
• JDK vs JRE (vs jlinked binary?)
• Hotspot vs OpenJ9 vs GraalVM vs…?
• JIT vs AOT?
22/10/2018 @danielbryantuk
21. Please talk to the sysadmin people:
Their operational knowledge is invaluable
22/10/2018 @danielbryantuk
22. And watch out for these antipatterns/patterns
22/10/2018 @danielbryantuk
23. Antipattern: Different test and prod containers?
• Create “test” version of container
• Full OS (e.g. Ubuntu)
• Test tools and data
• Easy to see app/configuration drift
• Use test sidecar containers instead
• ONTEST proposal by Alexi Ledenev
22/10/2018 @danielbryantuk
http://blog.terranillius.com/post/docker_testing/
24. Pattern: Multi-stage building for minimisation
22/10/2018 @danielbryantuk
https://dzone.com/articles/multi-stage-docker-image-build-for-java-apps
27. Building Container Images: Jenkins (X?)
• Jenkins
• My O’Reilly report covers this
• Build as usual…
• Build Docker Image
• Cloudbees Docker Build and Publish Plugin
• Push image to registry
• All-in on Kubernetes?
• You can use Jenkins X
22/10/2018 @danielbryantuk
28. Other options: Docker buildkit and Google Jib
22/10/2018 @danielbryantuk
github.com/GoogleContainerTools/jibgithub.com/moby/buildkit
29. Other options: Docker buildkit and Google Jib
22/10/2018 @danielbryantuk
github.com/GoogleContainerTools/jibgithub.com/moby/buildkit
30. Lesson learned: Metadata is valuable
• Application metadata
• Version / GIT SHA
• Build metadata
• Build date
• Image name
• Vendor
• Quality metadata
• QA control, signed binaries, ephemeral support
• Security profiles (AppArmor), Security audited etc
22/10/2018 @danielbryantuk
31. Metadata - Adding Labels at build time
• Docker Labels
• Add key/value data to image
22/10/2018 @danielbryantuk
32. Metadata - Adding Labels at build time
• Microscaling Systems’ Makefile
• Labelling automated builds on
DockerHub (h/t Ross Fairbanks)
• Create file ‘/hooks/build’
• label-schema.org
• microbadger.com
22/10/2018 @danielbryantuk
33. Metadata - Adding Labels at runtime
22/10/2018 @danielbryantuk
$ docker run -d --label
uk.co.danielbryant.lbname=frontdoor nginx
• Can ’docker commit’, but creates new image
• Not possible to update running container
• Docker Proposal: Update labels #21721
40. Delaying NFRs to the ‘Last Responsible Moment’
Newsflash!
Sometimes the
last responsible moment
is up-front
Modern platforms/architectures
don’t necessarily make this easier
22/10/2018 @danielbryantuk
42. Mechanical sympathy: Docker and Java
• Watch for JVM cgroup/taskset awareness (with JDK <= 8)
• getAvailableProcessors() may incorrectly report the number of cpus in Docker (JDK-8140793)
• Runtime.availableProcessors() ignores Linux taskset command (JDK-6515172)
• Default fork/join thread pool sizes (and others) is based from host CPU count
• Set container memory appropriately
• JVM requirements = Heap size (Xmx) + Metaspace + JVM overhead
• Account for native thread requirements e.g. thread stack size (Xss)
• Entropy
• Host entropy can soon be exhausted by crypto operations and /dev/random blocks
• -Djava.security.egd=file:/dev/./urandom (notes on this)
22/10/2018 @danielbryantuk 42
43. Performance
• Java 11
• Eclipse OpenJ9
• www.eclipse.org/openj9/oj9_performance.html
• Ahead of Time (AOT) Compilation
• Application Class Data Sharing (ACDS)
• blog.codefx.org/java/application-class-data-sharing/
22/10/2018 @danielbryantuk
https://www.ibm.com/developerworks/library/j-rtj2/
53. In summary
• Continuous delivery is vitally important with modern architecture/tech
• Container images must be the (single) source of truth within pipeline
• And metadata added as appropriate…
• Mechanical sympathy is important (assert properties in the pipeline)
• Not all developers are operationally aware
• The tooling is now becoming stable/mature
• We need to re-apply existing CD practices with new technologies/tooling
22/10/2018 @danielbryantuk