I’ve been looking at mixing it all up - completely - post 2 of 2.
The other part to look at is the VM’s and app hosting. If I end up running linux on a box to serve it all, I can host many/all of the basic apps I use directly on there. But should they be isolated, and to what degree?
All the hipsters are into containers today but with them I see a common problem of software security/patching. On the operations side we’re trading in a full blown VM with a guest OS we support and patch, for a black box container running whatever the developer put in it. People also push/pull these container images from a global repository all the time; at least there is a reputation system but we know how they can be gamed. I’m just concerned about the contents of the image as it’s possible the container maintainer is not the same team as the software you want which is in it. The container could contain any code which will run on your network. You’re putting the trust in an additional party - or taking on the container packaging role yourself.
If you take on the role yourself, then you need to ask yourself what are you gaining or protecting yourself from anyway. I run a few python based webapps each as a service out of systemd on a centos VM. One VM, several services, each as a separate user. This VM only has read only NFS access except for a folder where their config/database resides (or where they need to drop or write files). This level of isolation isn’t too dissimiliar to containers within docker. With one exception - docker you create a container per app. It is true application isolation.
This lead me to wonder how far should you take it. I run Observium to monitor everything and it uses mysql (mariadb) for some things. Should this database engine be within the container (self contained single app container) or should the database be separate and use linked containers so the app server can find it’s DB server if it ever moves to a separate host. The usual googleing turned up a few answers but none that made it totally clear one way or the other. It always depended on x, y or z.
If it’s all self contained, then the external attack footprint is smaller (fewer ports opened), but then you lose the ability to scale the app server separately to the DB server, or even run them on separate hosts. Not a huge issue for me to be honest - but lets do things properly and over engineer.
Putting the database in a container of it’s own has similar shortcomings to the integrated one. The database files need to be external to the container, which is fine, we want clear separation of data from code so that’s ok. Then what about backups? Is there a scheduled task to connect to the container and run the backup (or is the job inside the container), again writing outside the container. How it connects would vary if it’s integrated or separate container due to ports being opened. In this case, do we share this DB container with another application which might also need the same database engine. Suggestions say no, due to version dependecies possibly changing between the applications. Yikes. Now we’re running multiple DB instances on potentially the same hardware. It’s also not clear to what degree memory deduplication works on docker - if at all. This quote sealed that deal for me: If you have a docker host running on top of a hypervisor, then it should be possible for either the docker host or the hypervisor to do memory deduplication and compression. So we’re back to running a hypervisor to make up for a kernel feature which exists but doesn’t work with docker due to process isolation (cgroups), oops.
Docker also seems to go against my ansible quest. Since the docker way of updating is to throw the instance away and start a new one - the data you need to keep is not touched as it’s outside of the container. I do like this bit, but I’ve already done that by having the apps sit on an NFS export. This approach does have merit, as the dockerfile is a top down script on how to build the container content. Being focused on a single goal some I’ve looked at are quire concise, however others are hugely complicated. YMMV.
Oh and then don’t forget you can run containers on ESX now with Vsphere Integrated Containers.
I’ve said many times before, the plot chickens.