How do you buy a used Linux container? A quick search of “how to buy a shipping container” will turn up a wealth of information, especially how to evaluate used ones. While all analogies are imperfect, this one is pretty good and it does highlight an interesting problem – basically, any Linux container image over a minute old is used in the software world. But, they can be distributed in that same state for years. So, how do we evaluate a used Linux container and what are the different criteria that we need to think about?
Well, let’s start with the analogy. You would think it’s easy to buy a used shipping container right? Just a big hunk of corrugated steal? Look for one’s that’s not too rusted and you should be fine? Not really – it seams like it should be so simple, but there’s a lot more to it than most people think. And, there is even more criteria to evaluate when dealing with software containers. Below is a set of criteria that I developed based on a real buying guide for shipping containers – the similarities are striking….
Step 1: Decide how long you will need to use the container
If this is just a test for showing some co-workers some code, do it quick and dirty. If on the other hand, this is something that needs to go into production, think about the long term effects of any architectural decisions you make. Remember, you will have to deal with the container image format, orchestration choices, as well as the software in the container for long enough to get a return on investment from setting up all of the infrastructure. Companies don’t buy ships, trains and trucks that carry 20′ containers, just to switch over to 40′ containers a year later, and neither should you. Think before you pick your infrastructure.
Step 2: Evaluate the Container Format
In the physical world of shipping, a buyer has to decide on the type of container. This could be 20 foot, 40 foot, half height, refrigerated, liquid tank, etc. In fact, there are at least 14 common types of shipping containers to choose from. But, they are all defined by a set of ISO standards, so equipment is interchangeable. Whether you want to buy new ship to shore cranes, or used container ships, your investment is protected – you don’t have to start from scratch with all new equipment.
The same is true in the software world. There are a lot of different tools, much like the cranes, trucks, and trains. Today, Garden, Warden, LXC, LXD, Docker, Open Containers Initiative (OCI 1.0), are all popular formats. The OCI format looks to be the most promising because it has been agreed upon by a lot of different community members. This means that you will be able to move OCI containers between any environment that supports OCI. This could be a registry server in AWS, a local instance of Kubernetes, OpenShift Online or any other service that is compatible with OCI. For a deeper understanding of OCI, check out The Open Containers Initiative: Software Containers vs. Shipping Containers, but basically, this set of standards enables the ecosystem just like shipping container standards.
Step 5: Search Online for Containers
In the shipping world, this means getting on the phone and calling different vendors, or looking on ebay. Luckily, in the software world, we don’t have to use the phone (crazy right?), it’s as easy as searching DockerHub or the Red Hat Container Catalog. Look for built in tools like the Red Hat Container Health Index to make it easier to find trusted containers.
You can’t always find exactly what you are looking for, but often you can find examples that get you close. If you can’t find a prebuilt container that is exactly what you want, you can typically build your own using example Dockerfiles or even use existing playbooks with Ansible Container.
Step 4: Evaluate the Condition of the Container Before You Use it
In the physical world of shipping, you evaluate the a shipping container to make sure it is airtight, doesn’t have a bunch of dents, isn’t rusted, has factory paint, is made out of corten steel, etc.
In the software world, if you didn’t build the container yourself, you need to be very careful. You need to worry about three main things: architecture, performance, and security. All three of these things need to be designed into the software container. An advantage in the software world is that it makes it easy to scan a container, so do that as well. Start with a known, good base image like Red Hat Enterprise Linux from the Red Hat Container Catalog. Use built in scanning tools to verify operating system components. Use third party scanners like Anchore, Sonatype, Black Duck, or Twistlock to scan any content which your developers add.
There is more to buying a shipping container than most people think. There is even more to think about with a software containers. The recently published OCI 1.0 format is critical because it allows for all of this infrastructure and investment to happen. You can’t build or invest in cranes, trucks, trains and infrastructure until you have a standard. Like in the world of shipping, think through how choices you make affect not only your particular application, but also the entire infrastructure. To truly be able to move applications from developers laptop, all the way to the cloud, it requires investment in understanding all of the repercussions of design decisions made right now.