DevOps
Docker Container Anti Patterns
This blog will explain 10 containers anti-patterns that I’ve seen over the past few months:
- Data or logs in containers – Containers are ideal for stateless applications and are meant to be ephemeral. This means no data or logs should be stored in the container otherwise they’ll be lost when the container terminates. Instead use volume mapping to persist them outside the containers. ELK stack could be used to store and process logs. If managed volumes are used during early testing process, then remove them using
-v
switch with thedocker rm
command. - IP addresses of container – Each container is assigned an IP address. Multiple containers communicate with each other to create an application, for example an application deployed on an application server will need to talk with a database. Existing containers are terminated and new containers are started all the time. Relying upon the IP address of the container will require constantly updating the application configuration. This will make the application fragile. Instead create services. This will provide a logical name that can be referred independent of the growing and shrinking number of containers. And it also provides a basic load balancing as well.
- Run a single process in a container – A
Dockerfile
has use oneCMD
andENTRYPOINT
. Often, CMD will use a script that will perform some configuration of the image and then start the container. Don’t try to start multiple processes using that script. Its important to follow separation of concerns pattern when creating Docker images. This will make managing your containers, collecting logs, updating each individual process that much harder. You may consider breaking up application into multiple containers and manage them independently. - Don’t use
docker exec
– Thedocker exec
command starts a new command in a running container. This is useful for attaching a shell using the docker exec -it {cid} bash. But other than that the container is already running the process that its supposed to be running. - Keep your image lean – Create a new directory and include Dockerfile and other relevant files in that directory. Also consider using .dockerignore to remove any logs, source code, logs etc before creating the image. Make sure to remove any downloaded artifacts after they are unzipped.
- Create image from a running container – A new image can be created using the
docker commit
command. This is useful when any changes in the container have been made. But images created using this are non-reproducible. Instead make changes in the Dockerfile, terminate existing containers and start a new container with the updated image. - Security credentials in Docker image – Do not store security credentials in the Dockerfile. They are in clear text and checked into a repository. This makes them completely vulnerable. Use
-e
to specify passwords as runtime environment variable. Alternatively--env-file
can be used to read environment variables from a file. Another approach is to usedCMD
orENTRYPOINT
to specify a script. This script will pull the credentials from a third party and then configure your application. latest
tag: Starting with an image likecouchbase
is tempting. If no tags are specified then a container is started using the imagecouchbase:latest
. This image may not actually be latest and instead refer to an older version. Taking an application into production requires a fully controller environment with exact version of the image. Read this Docker: The latest confusion post by fellow Docker Captain @adrianmouat. Make sure to always use tag when running a container. For example, usecouchbase:enterprise-4.5.1
instead of justcouchbase
.- Impedance mismatch – Don’t use different images, or even different tags in dev, test, staging and production environment. The image that is the “source of truth” should be created once and pushed to a repo. That image should be used for different environments going forward. In some cases, you may consider running your unit tests on the WAR file as part of maven build and then create the image. But any system integration testing should be done on the image that will be pushed in production.
- Publishing ports – Don’t use
-P
to publish all the exposed ports. This will allow you to run multiple containers and publish their exposed ports. But this also means that all the ports will be published. Instead use-p
to publish specific ports.
What other anti-patterns do you follow?
Docker for Java developers is a self-paced hands-on workshop that explains how to get started with Docker for Java developers.
Interested in a more deep dive tutorial? Watch this 2-hours tutorial from JavaOne!
couchbase.com/containers shows how to run Couchbase in a variety of frameworks.
Reference: | Docker Container Anti Patterns from our JCG partner Arun Gupta at the Miles to go 3.0 … blog. |