Container
Containers are standardized, lightweight runtime environments that package, isolate, and enable portable execution of applications and their dependencies across environments.
Classification
- ComplexityMedium
- Impact areaTechnical
- Decision typeArchitectural
- Organizational maturityIntermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Unsecure images lead to attack vectors
- Lack of orchestration increases operational effort
- Resource overcommitment can jeopardize stability
- use small, focused images and multi-stage builds
- sign and scan images before deployment
- define resource limits and health probes
I/O & resources
- application code and build instructions (e.g., Dockerfile)
- container registry for image distribution
- runtime environment / container runtime
- versioned container images
- deployment manifests (e.g., Kubernetes YAML)
- running container instances
Description
Containers are lightweight, isolated runtime environments that package applications with their dependencies to run consistently across development, test, and production environments. They enable reproducible deployments, efficient resource utilization, and fast scaling, shape architectural choices, and require orchestration, security practices, and image lifecycle management. Proven practices and tools are essential for reliable operation.
✔Benefits
- Portability across environments
- Faster startup and deployment times
- Improved resource utilization
✖Limitations
- No complete kernel isolation like VMs
- Lack of standardization of some runtime behaviors
- Image size and build complexity can grow
Trade-offs
Metrics
- container startup time
Time from start command to service readiness; important for scalability and autoscaling.
- image size
Container image size affects transfer and startup times as well as registry storage needs.
- resource consumption per container
CPU and memory consumption for capacity planning and avoiding overcommit.
Examples & implementations
Microservice deployment at an e-commerce provider
Each microservice team delivers container images orchestrated by a Kubernetes platform; CI/CD automates builds and security checks.
Continuous delivery pipeline with container builds
Container images are versioned, signed in a registry, and rolled out to multiple environments via automated tests.
Platform for data processing jobs
Batch and streaming jobs run in isolated containers, easing portability between on-prem and cloud.
Implementation steps
define minimal base images and build processes
automate image builds in CI and scan for vulnerabilities
establish image tagging, registry policies, and rollback processes
introduce orchestration and configure resource limits
⚠️ Technical debt & bottlenecks
Technical debt
- unstructured image hierarchy without base standards
- outdated base images without regular updates
- missing automation for image scanning and signing
Known bottlenecks
Misuse examples
- running build tools directly in production image
- leaving sensitive data inside images
- manually patching running containers without rebuild
Typical traps
- assumptions about host kernel features cause runtime failures
- insufficient image scanning finds vulnerabilities too late
- misconfigured resource limits cause OOM failures
Required skills
Architectural drivers
Constraints
- • host kernel compatibility
- • policies for image signing and scanning
- • resource quotas and limits at cluster level