A presentation at Developers Summit 2020 in Tokyo, Japan by Baruch Sadogursky
Best Practices In Implementing Container Image Promotion Pipelines
Poll time: asking the audience
Do you know Docker? Familiar with Docker* (*among Docker meetup attendees)
Software I like | Software I know really well
I like it... but I don't trust it!
Baruch Sadogursky
🎩 Japan on @ErinMeyerINSEAD's "Culture Map" @jbaruch #DataDrivenDevOps #PureAccelerate http://jfrog.com/shownotes
Show notes: http://jfrog.com/shownotes (slides, video, links, comments and ratings, raffle) @jbaruch #DevelopersSummit http://jfrog.com/shownotes
The Promotion Pyramid (figure). Levels: Dev (development builds), Integration tests, Pre-Prod / Staging (integration tests), Prod. Axes: Build/Deploy time; Amount of binaries; Amount of builds.
Pipeline: quality gates and visibility (manage quality and make it visible). Figure: CI server → gate 1 → Integration → gate 2 → System Testing → gate 3 → Staging → gate 4 → Production; each gate is passed only if the quality requirements are hit.
$ docker build
Let's docker build in every env! If the quality requirements are met, move to the next stage; if the status is OK, commit to VCS; if the quality requirements are not met, that build is broken.
That's why.

```dockerfile
# latest version
FROM ubuntu
# latest version
RUN apt-get install -y software-properties-common python
# latest version
RUN apt-get install -y nodejs
RUN mkdir /var/www
# latest version
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
```
That's why.

```dockerfile
# Better now?
FROM ubuntu:19.04
RUN apt-get install -y software-properties-common python
RUN apt-get install -y nodejs
RUN mkdir /var/www
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
```
That's why.

```dockerfile
# And now?
FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
RUN apt-get install -y software-properties-common python
RUN apt-get install -y nodejs
RUN mkdir /var/www
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
```
That's why.

```dockerfile
FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
# What about those?
RUN apt-get install -y software-properties-common python
RUN apt-get install -y nodejs
RUN mkdir /var/www
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
```
That's why.

```dockerfile
FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
# What about this?
RUN mvn clean install
CMD "java -jar Main.class"
```
That's why.

```dockerfile
FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
# And how about this?
RUN download_random_sh*t_from_the_internet.sh
CMD ["/usr/bin/node", "/var/www/app.js"]
```
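Added example, not from the talk: a small Python audit that flags the floating inputs the Dockerfiles above depend on (unpinned base image, unversioned apt packages, build steps that fetch from the network), run over constructed Dockerfiles modelled on the slides. It treats only `image@sha256:<64 hex>` as a pinned base, which is the syntax Docker accepts for content addressing; the digest value used is a placeholder.

```python
import re
# Constructed Dockerfiles modelled on the slides (not the speaker's files).
DOCKERFILE_FLOATING = """\
FROM ubuntu
RUN apt-get install -y software-properties-common python
RUN apt-get install -y nodejs
RUN mkdir /var/www
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
"""
# Base pinned by digest (placeholder value), but the build still reaches out.
DOCKERFILE_FETCHING = """\
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN mvn clean install
RUN curl -sSL https://example.invalid/setup.sh | sh
CMD ["java", "-jar", "/app/app.jar"]
"""
# Every input fixed: digest-pinned base, versioned package, artifact from a known build.
DOCKERFILE_PINNED = """\
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get install -y nodejs=12.22.9~dfsg-1ubuntu3
COPY app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]
"""
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FETCH_RE = re.compile(r"\b(curl|wget|mvn|npm|pip3?|gem)\b|https?://|\.sh\b")

def audit_dockerfile(text):
    """Return (line_no, reason) pairs for inputs that can differ between two
    `docker build` runs, i.e. why rebuilding per environment is unsafe."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]            # drop any "AS builder"
            if not DIGEST_RE.search(image):
                findings.append((no, "base image not pinned by digest"))
        elif instr == "RUN":
            if "apt-get install" in args and not re.search(r"\S+=\S+", args):
                findings.append((no, "apt packages without explicit versions"))
            if FETCH_RE.search(args):
                findings.append((no, "build step downloads from the network"))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append((no, "ADD fetches a remote URL"))
    return findings
```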
That's why you don't trust Docker.
What's up with the gates?!
What's up with the gates?! (No, no, not this guy.)
Let's build a rock-solid pipeline!
How do I separate dev from prod?!
Option 1: metadata tags
Option 2: Docker Repositories
Separate registries per environment. Figure: CI server → gate 1 → Integration → gate 2 → System Testing → gate 3 → Staging → gate 4 → Production; each gate is passed only if the quality requirements are hit.
Requirements (what matters):
- Registry per environment
- Easy access to all the images
- Fast promotion
- Keep working with latest and knowing what it is
The Anatomy of a Docker Tag
Wait a second, how can I have more than one registry per host now?!
How can we support this?
https://host:8081/registry/docker-dev/busybox
https://host:8081/registry/docker-qa/busybox
https://host:8081/registry/docker-staging/busybox
https://host:8081/registry/docker-prod/busybox
Panic!
Virtual hosts/ports to the rescue. `docker tag host:port/busybox` breaks down into the registry host (host:port) and the tag name (busybox); the client then requests https://host:port/v2/busybox, which is mapped to https://host:8081/registry/docker-dev/busybox (context name: registry; registry name: docker-dev; tag name: busybox).
```nginx
server {
    listen 5001;
    server_name 192.168.99.100;
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2;
    …
}
```
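Added example, not from the talk: Python that pulls an image reference apart the way the Docker client does (registry host and port, repository path, tag or digest) and applies the port-per-stage rewrite from the nginx snippet above. The four-port mapping and the 8081 Artifactory backend are assumptions for this example; the slide shows only port 5001 and docker-dev.

```python
import re
DEFAULT_REGISTRY = "docker.io"
# Assumed for this example: one virtual port per maturity stage. Only 5001 and
# docker-dev appear on the slide; the other three follow the same pattern.
PORT_TO_REPO = {5001: "docker-dev", 5002: "docker-qa",
                5003: "docker-staging", 5004: "docker-prod"}

def parse_reference(ref):
    """Split an image reference the way the Docker client does: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives under docker.io/library."""
    ref, _, digest = ref.partition("@")
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
        if "/" not in path:
            path = "library/" + path
    host, _, port = registry.partition(":")
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:        # ':' in the last component is a tag
        path, _, tag = path.rpartition(":")
    if tag is None and not digest:
        tag = "latest"                         # the implicit, mutable default
    return {"host": host, "port": int(port) if port else None,
            "path": path, "tag": tag, "digest": digest or None}

def rewrite_registry_path(port, request_path):
    """Apply the slide's nginx rule: /v1|v2/<name>/... arriving on a stage's
    virtual port is rewritten onto that stage's repository in Artifactory."""
    m = re.match(r"^/(v1|v2)/(.*)$", request_path)
    if not m or port not in PORT_TO_REPO:
        raise ValueError(f"no registry mapping for port {port} path {request_path}")
    return f"/artifactory/api/docker/{PORT_TO_REPO[port]}/{m.group(1)}/{m.group(2)}"

def registry_url_for(ref):
    """Where a client addressing a stage's virtual port actually lands
    (assumes the Artifactory backend listens on 8081, as on the slide)."""
    r = parse_reference(ref)
    req = f"/v2/{r['path']}/manifests/{r['digest'] or r['tag']}"
    return f"https://{r['host']}:8081" + rewrite_registry_path(r["port"], req)
```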
But then you realize... Wait a second, now I need to pull, retag and push for every step?! You mean pull, retag and push at every single step? No way...
(figure) dev cluster → test cluster → staging cluster → prod cluster
Repository (docker): top-level directory in a registry
Repository (the rest of the world): a registry
Win-win
Requirements (what matters):
- Registry per environment
- Easy access to all the images
- Fast promotion
- Keep working with latest and knowing what it is
But what about the rest of the dependencies? Dependencies?
Own your dependencies (manage them yourself, properly)
Conclusions
Q&A and Links: @jbaruch, #DevelopersSummit, http://jfrog.com/shownotes
Ayana Yokota / 横田紋奈 (Yokona), Developer Advocate at JFrog. Twitter: @ihcomega. Current obsession: saunas.
Surprisingly, implementing a secure, robust and fast promotion pipeline for container images is not as easy as it might sound. Automating dependency resolution (base images), implementing multiple registries for different maturity stages, and making sure that the containers we actually run in production come from the images we intended can be tricky. In this talk, we will compare different approaches, compile a wish-list of features and create a pipeline that checks all the boxes using free and open-source tools.