Sid Palas
DevOops specialist.
Apr 25, 2023 • 4 tweets • 3 min read
I just dropped my COMPLETE Docker course on YouTube! 🚀

~5 hrs long, starting with the basics and progressing to a complete full-stack application deployment! 💻

The best part? It's FREE! Links below 👇

Thank you to @shipyardbuild for sponsoring! 🙏

Here are all of the relevant links! 🔗

YouTube:
GitHub: github.com/sidpalas/devop…
Shipyard: shipyard.social/MainPage
Mar 22, 2023 • 10 tweets • 3 min read
"Containers are secure by default, right?" 🫣

There are two categories of concerns for container security:

- Image security (What vulns exist in the image that someone could exploit?)
- Runtime security (What might an attacker be able to do if they gain access?)

1/N

Image Security:

Keep the attack surface area small!

- Use small + secure base images with minimal CVEs
- Multi-stage builds can help enable use of minimal base for the release stage
- Don't install things you don't need!

Shoutout to @chainguard_dev for their base images!

2/N
Mar 20, 2023 • 11 tweets • 8 min read
Okay, folks, it's your turn! 🫵

Let's see if you can apply the techniques from my tweets last week to improve this crappy Golang Dockerfile! 🚀

Reply with suggestions and I'll apply those suggestions and append them to this thread! 🤝

@kitarp29 suggests splitting it into a multi-stage build with a separate build and deployment stage. 🙏

Why would we want to do this?

How did I do, Pratik? What else needs to change?
Mar 10, 2023 • 12 tweets • 5 min read
This is a valid Dockerfile for a NodeJS application. It is also a pile of 💩!

We can improve:
- 🔒 Security
- 🏎️ Build speed
- 👁️ Clarity

Follow along as we go from 💩 to 🥇!

(code in alt text)

naive nodejs dockerfile
---
FROM node
COPY . .
RUN npm

First, let's pin the base image to at least a minor version (🔒+🏎️)

By choosing a small base image, we:
- Reduce image size (speeding up build/transfer)
- Reduce attack surface area
- Prevent breaking due to an upstream update

Pinning the base image in nodejs dockerfile
---
# Pin spec
Feb 21, 2023 • 6 tweets • 2 min read
There are 100k+ public images on Dockerhub! 📦

Linux distributions, databases, command-line utilities, and more! 🎉

Here are some of my favorites:

Need to test out a command in <Ubuntu/Debian/Alpine> but are running a different operating system on your host?

❯ docker run -it ubuntu:22.04

💥 Boom! Now you have a bash shell in that distro. Need a different version? Just change the image tag!

❯ docker run -it ubuntu:23.04
Feb 20, 2023 • 8 tweets • 3 min read
Don't run stateful applications in containers... 🙅‍♂️

...without first understanding how container filesystems and volumes work! 😎

So how do they work? Let's explore!

When we create a container from an image, the layers in the image are treated as read-only, and a new read/write layer is created on top.

Data created at runtime will be stored in this top layer. However, that layer is tied to the container, so if it is deleted, so is the data!
Feb 17, 2023 • 12 tweets • 5 min read
How do containers work? 🤔 📦

There are 3 fundamental Linux technologies that software like @Docker uses behind the scenes to work its magic.

Namespaces, control groups, and union filesystems.

Let's explore these features!

Namespaces provide isolation between a container and the host it is running on (and other containers running on the same host).

They wrap a global system resource to make it appear to processes within the namespace that they have their own isolated instance.
Aug 15, 2022 • 23 tweets • 7 min read
1/ There are many ways to manage credentials in Kubernetes, some better than others: 🔐

- Kubernetes Secrets
- Encrypt Secrets (Bitnami, KSOPS)
- External secret stores
- Secrets Store CSI Driver
- Sidecar injectors (Vault, Conjur)

Here's the rundown: 🧵

2/ Kubernetes has a resource type called a "secret" which can be used to store credentials.

These credentials are base64 encoded (used to enable binary data, NOT as a security mechanism). The YAML below defines a secret with:

USER_NAME=myusername
PASSWORD=supersecret

[Image: YAML file containing a Kubernetes secret]
Aug 1, 2022 • 21 tweets • 7 min read
📢 Calling Kubernetes Beginners!

Follow along and let's deploy your first app to Kubernetes today!

We will:
- Create a minimal API w/ Python
- Containerize it w/ Docker
- Push to DockerHub
- Spin up a cluster w/ Civo
- Define the K8s resources
- Deploy!

Let's GO! πŸš€

(1/19)

This thread should have everything you need, but if you get stuck or want more details, I recorded a complete video walkthrough on my YouTube channel here:

(2/19)
Jul 26, 2022 • 12 tweets • 4 min read
DevOps is dead 💀, long live Platform Engineering!

1) Developers don't like dealing with infra
2) Companies need control of their infra as they grow

Platform Engineering (and Internal Developer Platforms) enable these two facts to coexist. Here's how:

(1/n)

Fact 1: Most developers don't like dealing with infrastructure.

They want to write code and run it somewhere but don't care much where that is.

Functions as a Service (e.g. Lambda) or Platforms as a Service (e.g. Vercel) provide this experience.

(2/n)
Jul 18, 2022 • 18 tweets • 4 min read
Why does Kubernetes even exist?

In order to answer this question, it is helpful to take a look back at the past 20+ years of web application deployment & operations: ⌛

1/n

Two decades ago, modern clouds didn't exist (AWS started in 2006), but deploying web applications still required access to servers! 🖥

You either racked them yourself or rented them from a colocation facility, but either way, they were slow to procure and painful to manage!

2/n
Apr 29, 2022 • 23 tweets • 5 min read
So you want to build an application platform with Kubernetes?

There are MANY decisions you will need to make along your journey.

A thread 🧵:

(1/n)

Should you even be using Kubernetes?

If you are operating many containerized microservices, k8s can provide a great base for building an app platform.

If you have a single monolithic app, you will almost certainly be better served by a different approach!

(2/n)