How to manage containers at scale: 3 challenges

For DevOps teams, containers are becoming the preferred means for application delivery. Because these teams expect containers to be on-boarded quickly, IT operation managers must be prepared to support the rapid deployment of containers from staging to production.

But IT Ops is also concerned with governance and adhering to corporate policies, which can present challenges for scaling containers at speed. Here's how to tackle those problems.

Provisioning

Containers introduce issues for provisioning. For one thing, containers are updated rapidly, and those running in production have a short lifespan of just a few days, says Srikanth Natarajan, head of the technology strategy office in the IT Operations Management Business at Micro Focus.

"This means, when IT provisions a container and tracks it as an asset, it needs to determine how to track that asset given its short lifespan. Or should it even track that as an asset? Instead, should it just track the application the container is representing as the asset?"
Srikanth Natarajan

Another challenge is to determine where to deploy a container—a vital consideration, given the number of containers being released to IT and the pace of releases, Natarajan says.

“IT cannot simply keep using the same machines [that] the earlier version of a container got deployed into. This is because containers for cloud-native applications, in particular, are meant to be moved around depending on the load in those containers.”

The provisioning of large deployments is nearly impossible to manage without a container orchestration mechanism such as Kubernetes, Docker Enterprise, or Red Hat OpenShift, says Torrey Jones, principal consultant at Greenlight Group.

IT also needs people and engineers familiar with programming microservices, Jones says. IT "may struggle" unless it has engineers who are comfortable with both development and operations, he says.

Another challenge for IT is scanning container images for security vulnerabilities before they are deployed into production, says Natarajan. The solution, he says, is tools that understand container image structures and can check them for issues.

IT also needs a process so that, as soon as an image is released for adoption into production, it is scanned and certified for production, he says. This also means IT needs a fast way to push the certified official images into the production repositories that host the various container images.
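The scan-then-certify-then-promote process described above, as an added illustration (not code from the article or from any of the vendors it quotes): a gate that refuses any image whose scan report shows a blocking finding, refuses to certify anything without a content digest, and promotes certified images into the production repository by digest rather than by mutable tag. The report shape, the policy fields, the repository names and the application name are all constructed for the example.

```python
"""Added example: an image certification gate that promotes a scanned image to the
production repository by digest. Report shape, policy, and names are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Policy:
    block_at_or_above: str = "HIGH"        # findings at this severity or worse block promotion
    require_fix_available: bool = True      # only block on findings the team can actually fix

# Constructed scan report in a generic shape; not the output of any particular scanner.
STAGING_REPORT = {
    "image": "registry.example.com/staging/payments-api:1.4.2",
    "application": "payments",             # track the app as the asset, not the short-lived container
    "digest": "sha256:" + "ab" * 32,
    "findings": [
        {"id": "FINDING-001", "severity": "HIGH", "fix_available": True},
        {"id": "FINDING-002", "severity": "MEDIUM", "fix_available": False},
    ],
}

def evaluate(report: Dict, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (certified, reasons); reasons explain why certification was refused."""
    reasons = []
    if not DIGEST_RE.match(report.get("digest", "")):
        reasons.append("no valid content digest: refusing to certify a mutable tag")
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    for f in report.get("findings", []):
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0)
        if rank < threshold:
            continue
        if policy.require_fix_available and not f.get("fix_available"):
            continue   # reported upstream; not a blocker under this policy
        reasons.append(f"{f['id']}: {f['severity']} with a fix available")
    return (not reasons, reasons)

def promote(report: Dict, policy: Policy, prod_repo: str) -> Optional[str]:
    """Return the digest-pinned production reference, or None if the image is not certified."""
    certified, _ = evaluate(report, policy)
    if not certified:
        return None
    # Promote by digest, never by tag, so production runs exactly the bytes that were scanned.
    name = report["image"].rsplit("/", 1)[-1].split(":", 1)[0]
    return f"{prod_repo}/{name}@{report['digest']}"
```

Run as written, the constructed report is refused because of the fixable HIGH finding; once that finding is gone the same image is promoted as a digest-pinned reference.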

Monitoring

Because containers have short lifespans, they're classified as ephemeral workloads. Monitoring ephemeral workloads is challenging because their identities keep changing. This affects the downstream processing of monitoring data for things such as operational reports that rely on reasonably stable identities.

New methods have to be invented for keeping track of changing versions of containers while tracking them all along as belonging to an application, Natarajan says.

"Current tools don't solve this problem well."
—Natarajan

And because containers are meant to be closed artifacts, an agent cannot be deployed inside them for post-deployment monitoring, he says.

Therefore, either containers have to be designed to publish the key monitoring data that IT needs, or monitoring systems have to use special outside-the-container techniques to collect monitoring data, which may limit information or cause some scaling or other data collection issues. "There are various collection techniques being built in the industry to deal with these challenges, but it is not clear how uniform those techniques are," Natarajan says.

Clay Roach, chairman and CTO at J9 Technologies, says that containers can be managed and monitored in much the same ways that virtualized servers are managed and monitored.

"It increases our capability to manage applications more effectively because the single points of failure are generally architected out of a container-based deployment."
Clay Roach

That's actually one of the reasons why containers have taken off, Roach explains. "You have a more reliable means of managing applications because you can more easily cluster them and test those cluster servers and test fail-over conditions a lot easier." Because of that, customers can more easily manage the stress conditions and the corner case conditions outside of the production environment than they could previously.

Automation is key to monitoring containers at scale, says Roach.

The tools have to be more effective at looking at the metrics and "doing the analytics for us and then telling us what they think is a problem," he says. Luckily, at the same time containerization is happening, "we're seeing a lot more with deep learning systems, where we are more effectively able to leverage those analytics tools to look deep" into the metrics that could possibly affect a container. 

Additionally, IT has the challenge of having accurate dependency mapping for container monitoring, Natarajan says.

Given that container deployment and orchestration tools keep moving containers to different locations or start additional instances of containers based on scale demands of the application, monitoring tools need to keep pace with the changes at a much higher frequency for IT to have an accurate picture of the deployment.

This may not be the case in state-of-the-art tools today, and hence must be addressed for IT to have effective monitoring, Natarajan says.

"This does not mean the current tools are completely useless. They will need to be enhanced for this new reality."
—Natarajan

Compliance

IT also needs to ensure that any infrastructure or application that is being put into production complies with corporate policies.

But that is really no different from how IT operations managers deal with traditional and new-generation workloads that they’ve built in the cloud, says David Linthicum, senior vice president at Cloud Technology Partners.

"You’re dealing with how you’re going to handle data, different types of encryption, and it's really very dependent on the industry you’re in."
David Linthicum

For example, the healthcare industry has to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA): If personally identifiable information flows through those containers, the servers and the people who handle them and everything that touches that data must be HIPAA-compliant, Linthicum says.

So either the people have gone through training or the hardware and software has been validated to be HIPAA-compliant, he says. "The same goes for Sarbanes-Oxley transactions—you’re just doing it in containers versus traditional workloads. So not much really changes. You’re still dealing with regulations." Container tech is somewhat different from traditional workloads, he explains, "but it’s fundamentally the same sort of processes that are involved."

With containers, the challenge for IT is to ensure that they're built correctly and operate correctly once deployed.

"The build part of the compliance needs to be addressed prior to provisioning. However, for checking runtime compliance, the challenge is to obtain the data from running containers for checking against compliance rules." 
—Linthicum

It is also not clear what will be the scope of compliance-checking that will need to be done. Consequently, new benchmarks and policies may have to be defined. For example, if the corporate policy is to not run some containers in a cloud, then IT needs to make sure that the deployment tools don't migrate them to the cloud. This needs to be done both proactively and reactively via deployment policies, Natarajan says.

There will also need to be compliance policies and checking of the container hosts against those policies "to ensure they have the proper security constraints placed on them to avoid any unnecessary container-to-container interaction," he says.
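The "don't migrate these containers to the cloud" policy from the two paragraphs above, checked both proactively and reactively, as an added example that is not code from the article or from any product it mentions. A proactive check answers the deployment tool before it places or moves a container; a reactive audit walks what is already running and reports anything the orchestrator has moved somewhere forbidden. The label name, the node inventory and the workload names are constructed; the rule table generalizes to any label-based placement restriction.

```python
"""Added example: one placement policy enforced proactively (admission) and
reactively (audit of running containers). All names and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed corporate policy: workloads labelled data-residency=on-prem
# must never be scheduled to a node in a "cloud" location.
PLACEMENT_RULES: Dict[Tuple[str, str], Set[str]] = {("data-residency", "on-prem"): {"cloud"}}

# Constructed node inventory: node name -> location class.
NODES = {"node-a": "on-prem", "node-b": "on-prem", "cloud-1": "cloud"}

@dataclass
class Workload:
    name: str
    labels: Dict[str, str] = field(default_factory=dict)
    node: Optional[str] = None   # None until the orchestrator has placed it

def forbidden_locations(w: Workload) -> Set[str]:
    """Union of the locations every matching rule forbids for this workload."""
    out: Set[str] = set()
    for (key, value), locations in PLACEMENT_RULES.items():
        if w.labels.get(key) == value:
            out |= locations
    return out

def admit(w: Workload, target_node: str, nodes: Dict[str, str] = NODES) -> Tuple[bool, str]:
    """Proactive check: the deployment tool asks before placing or migrating a container."""
    location = nodes.get(target_node)
    if location is None:
        return False, f"unknown node {target_node}: refusing to place {w.name}"
    if location in forbidden_locations(w):
        return False, f"{w.name} may not run in a {location} location (node {target_node})"
    return True, "ok"

def audit(running: List[Workload], nodes: Dict[str, str] = NODES) -> List[Tuple[str, str]]:
    """Reactive check: list (workload, node) pairs that already violate the policy."""
    return [(w.name, w.node) for w in running if w.node and not admit(w, w.node, nodes)[0]]
```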

Next steps: Choose your path forward wisely

One overriding recommendation for provisioning, monitoring, and compliance is for IT operations managers to determine whether their existing vendors plan to support containers, says Dave Bartoletti, principal analyst at Forrester Research.

The second step is for IT to find out how their organization's developers plan to use containers, he says.

"If they’re a replacement for virtual machines, then you probably want to extend the tools you already use for virtual machines to support containers."
Dave Bartoletti

However, if the plan is to build a brand-new, container-native application, then maybe it doesn't make sense to extend the existing tools. Rather, look at some of the more container-native tools, Bartoletti says. "There are a huge number of small companies building security, compliance, and monitoring solutions specifically for containers."
