Fast and efficient, containers make an ideal environment for testing. This talk will show how containers can be used to safely and effectively test configuration changes before deploying to production. Using Docker, Puppet, and other open source tools, we will demonstrate a containerized and fully-automated test environment and compare to VM-based alternatives. We will examine the benefits of containers for ad-hoc exploratory testing and accelerating and expanding test coverage through parallelization.

1. Configuration Changes
Don’t Have to be Scary
Testing with Containers
Andy Henroid <andy.henroid@puppet.com>

2. Who Am I?
2

3. 3
This Talk
Containers for Testing? Yes!
Complications
Demos!
Other [Questionable] Ideas

4. 4
…I know, right?
Skeptics welcome

5. 0
10
20
30
40
50
60
Docker Run VM Boot Docker Build+Run
Time(seconds)
debian:8 centos:7
5
Containers: Fast & Efficient

6. 0
10
20
30
40
50
60
Docker Run VM Boot Docker Build+Run
Time(seconds)
debian:8 centos:7
6
What Does “Fast & Efficient” Actually Mean?
Back of the Envelope
40𝑠/𝑉𝑀 𝑏𝑜𝑜𝑡 + 10𝑠/𝑡𝑒𝑠𝑡
1.1𝑠/𝐷𝑜𝑐𝑘𝑒𝑟 𝑟𝑢𝑛 + 10𝑠/𝑡𝑒𝑠𝑡
= 4.5 tests in containers
for every test run in a VM

7. 0
200
400
600
800
1000
1200
1400
1600
1800
Docker Image VM Image Docker
Compressed
Size(MB)
debian:8 ubuntu:16.04 centos:7 fedora:24
7
Containers: Compact & Abundant Images
And 60%
smaller yet over
the network

8. 8
Ask yourself,
Do I really need
all of this?

9. 9
Or pick your favorite
open-source tool:
+

10. 10
Docker Tooling: Not Bad
+

11. Puppet Agents Puppet Master

12. 12
Abstraction is Powerful
vs

13. 13
Containers Have Limits

14. 14
Containers are not VMs…

15. 15
Not VMs… But We Can Pretend They Are

16. 16
Containers: Ephemeral & “Safe” Sandboxes?
Containers have security
implications
• Shared OS kernel & resources
And more security exposure
with privileged containers,
additional capabilities
[For Testing] Are you
willing to sacrifice some
degree of security for
performance?
From Jérôme Petazzoni’s talk
“Is it safe to run applications in containers?”

17. Run containers inside VM(s)
Enable SELinux
Remove or separate secrets &
credentials
Plenty of prior art for securing
containers in production
17
From “Is it safe to run applications in containers?”
If you answered, “No. Security over Performance.”

18. 18
Other Concerns: Image Size, Mutability
0
100
200
300
400
500
600
700
800
Docker Image Docker + Puppet
Size(MB)
debian:8 ubuntu:16.04 centos:7 fedora:24
3.2x!

19. Puppet Agent Puppet Master

20. 20
The Hard Part: Modeling Your Environment
Good news: Your CM code
does most of the work
Prior art for fine tuning, e.g.
see Reliant’s PuppetConf talk
here

21. 21
Scaling Up
Your test matrix: Go big!
More platforms
More configurations
In parallel
4.0.0 4.1.0 4.2.0 4.3.0 4.4.0 4.5.0 4.6.0 4.7.0 4.8.0
centos:5 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:6 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:8 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:23 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:24 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:12.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:14.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:16.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
4.0.0 4.1.0 4.2.0 4.3.0 4.4.0 4.5.0 4.6.0 4.7.0 4.8.0
centos:5 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:6 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:8 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:23 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:24 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:12.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:14.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:16.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Puppet
4.0.0 4.1.0 4.2.0 4.3.0 4.4.0 4.5.0 4.6.0 4.7.0 4.8.0
centos:5 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:6 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
centos:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
debian:8 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:22 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:23 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
fedora:24 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:12.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:14.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
ubuntu:16.04 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

22. 22
Now on to more
controversial
topics…

23. “Who needs Config Management? We use containers!”
23
Have You Heard This One?

24. Given a container:
How was it built?
How do you run it?
What is inside right now?
When do you rebuild?
24
Docker Tooling: Not Bad… Could It Be Better?
What packages are in the base image?
What version of Puppet
& dependencies?
Is this the one and only way to run this container?

25. Puppet lives in separate
mounted container
Inventoried container
can be Immutable
Inventory is JSON
• Query with standard tools
• Use for container health
checks, extend container
metadata, etc.

26. 26
Unpacking It All
Configuration Management + Containers: Better Together
Testing: A very good place to start
Many free and open-source tools
Base container images
Build, run, inspect containers
DSL integration and much more…
You can do it too…on your laptop!

27. Thank you! Questions?

28. The shortest path
to better software.