IT Request For Comments: ITRFC-10

Container and Container Orchestration Best Practices and Recommendations

Details

• Type: RFC
• Status: Implemented
• Resolution: Done
• Component/s: Infrastructure, Tools
• Labels: None

Description

Container and container orchestration technology is new, and best practices and recommendations are not well known or unified within the community. I propose we unify our practices and some recommendations when using these technologies. This will lead to simple integration across subsystems and allow for work to be shared.

At a minimum, we should adopt similar security approaches, container technology and container orchestration technology choices. I recommend we adopt Kubernetes as our container orchestration technology and Docker as our container technology. Further discussion is required to come up with security approaches, additional best practices and recommendations.

Activity

jmatt J Matt Peterson [X] (Inactive) added a comment -

To begin the discussion, one approach is to adopt part or all of an available standard, such as the NIST standard for application container security:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
pdomagala Paul Domagala [X] (Inactive) added a comment -

Matt,

The ITSC is intended to coordinate matters related to the core IT services that support the project, things like Jira, Confluence, identity management services, etc. Development of standards, practices and implementation of container technologies are project deliverables managed by the Project Management Office.
igoodenow Iain Goodenow added a comment -

Paul, Matt was directed by the committee present at the last ITSC meeting. This topic is linked/related/similar to ITRFC-6 regarding Puppet. If that topic was acceptable, I think this one is also for the same reasons. It can be discussed at our next meeting, which will occur in Dec or Jan depending on what the group voted by responding to my email from November's meeting.
pdomagala Paul Domagala [X] (Inactive) added a comment -

I think there is a difference in that we were talking about using Puppet to manage core IT and Puppet being a core IT service. I think it's fine discussing it as long as it's within the intended scope of the ITSC. If we're talking about standards and practices for DM, the Kubernetes/Docker trajectory is in the WBS already. For our part, it's under 02C.07.09.

Paul's 2¢
pdomagala Paul Domagala [X] (Inactive) added a comment -

This page has a good summary of where the Kubernetes/Docker initiative is at.
bemmons Ben Emmons [X] (Inactive) added a comment (edited) -

EPO and DM have been working closely on the containerized workflow of Jupyter and DM Science Platform / EPO Portal (https://github.com/lsst-epo/vela). This could be considered a "pathfinder" activity that can be reported on at a later date at ITSC for other groups to review for adoption within their organizations.
awithers Alexander Withers [X] (Inactive) added a comment -

NIST SP 800-190 does a good job of laying out general concerns and, to some extent, mitigation strategies for containers. Christopher Clausen and Kay Avila at the NCSA (LSST security operations) have begun to compile container security risks unique to LSST. In the end, the risks and security standards have to make their way back into LSST's security plan.
jkantor Jeff Kantor added a comment -

This can be closed with documentation of Kubernetes/Docker best practices and notifying the project that they have access to the documentation. We need an actual Confluence page and/or document links posted to this ITRFC in order to consider it implemented. The best practices documentation should also address the security considerations.

I personally think that this ITRFC can only recommend that "if" a given service is to be deployed by containerization, the best practices should be followed. It CANNOT mandate that any service WILL be deployed by containerization.

People

• Assignee: jmatt J Matt Peterson [X] (Inactive)
• Reporter: jmatt J Matt Peterson [X] (Inactive)
• Watchers (18): Adam Thornton, Alexander Withers [X] (Inactive), Ben Emmons [X] (Inactive), Christopher Clausen, Daniel Calabrese, Donald Petravick, Frossie Economou, Gregory Dubois-Felsmann, Iain Goodenow, Jacob Rundall, Jeff Kantor, J Matt Peterson [X] (Inactive), Jonathan Sick, Joshua Hoblitt, Kay Avila, Paul Domagala [X] (Inactive), Tim Jenness, Wil O'Mullane
• Votes: 0
