Best Practices In Implementing Container Image Promotion Pipelines

Best Practices In Implementing Container Image Promotion Pipelines コンテナイメージのプロモーションパイプラインベストプラクティス

Poll time 会場のお客様に聞く

Dockerをご存知ですか？ Familiar with Docker* *Among Docker meetup attendees *Docker Meetupの参加者の結果

気に入ってるソフトウエア Software I like よく知ってるソフトウエア Software I know really well

気に入ってるけど… 信用してはいない！

バウ・サドガスキー

🎩 日本 @jbaruch #DataDrivenDevOps #PureAccelerate http://jfrog.com/shownotes @ErinMeyerINSEAD’s “Culture Map”

shownotes Øhttp://jfrog.com/shownotes Ø Slides Ø Video Ø Links Ø Comments, Ratings Ø Raffle @jbaruch #DevelopersSummit http://jfrog.com/shownotes

The Promotion Pyramid プロモーションのピラミッド Prod ビルドやデプロイにかかる時間 Build/Deploy time Pre-Prod Staging Integr. tests バイナリーの量 Dev Integration tests Amount of binaries Development builds Amount of builds ビルドの量

Pipeline: quality gates and visibility 品質を管理し可視化する If quality requirments are hit CI SERVER 1 If quality requirments are hit 2 Integration If quality requirments are hit 3 System Testing 4 Staging Production * @jbaruch #DevelopersSummit

Quality gates - http://jfrog.com/shownotes

$docker build @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Let’s docker build in every env! 全部の環境でdocker buildしてしまえ！品質要件を満たすなら次のステージに移すステータスがOKなら VCSコミットする品質要件を満たさなければそのビルドは壊れてる @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu Latest version RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www Latest version ADD app.js /var/www/app.js Latest version Latest version CMD [“/usr/bin/node”, “/var/www/app.js”] @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu:19.04 Better now? RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www ADD app.js /var/www/app.js CMD [“/usr/bin/node”, “/var/www/app.js”] @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 And now? RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www ADD app.js /var/www/app.js CMD [“/usr/bin/node”, “/var/www/app.js”] @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www What about those? ADD app.js /var/www/app.js CMD [“/usr/bin/node”, “/var/www/app.js”] @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN mvn clean install What about this? CMD ”java –jar Main.class” @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why. なぜなら… FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN download_random_sh*t_from_the_internet.sh And how about this? CMD [“/usr/bin/node”, “/var/www/app.js”] @jbaruch #DevelopersSummit http://jfrog.com/shownotes

That’s why you don’t trust Docker @jbaruch #DevelopersSummit だからDockerはあてにならない http://jfrog.com/shownotes

What’s up with the gates?! それじゃGateはどうなるの？ @jbaruch #DevelopersSummit http://jfrog.com/shownotes

What’s up with the gates?! いやいやコイツじゃなくて

QA shouldn’t test dev images - non-tested images shouldn’t be staged - non-staged, non-tested or dev images shouldn’t end up in production!!! プロモートされず、テストもされてないdev imageは本番環境に移行させない!! @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Let’s build Rock-solid pipeline! 鉄板のPipelineを作ってみようぜ

How do I separate dev from prod?! 開発環境と本番環境をどう切り離すのか？ @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Option 1: metadata tags @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Option 2: Docker Repositories

Separate registries per environment 環境ごとにレジストリを分ける If quality requirments are hit CI SERVER 1 If quality requirments are hit 2 Integration If quality requirments are hit 3 System Testing 4 Staging Production * @jbaruch #DevelopersSummit

Quality gates - http://jfrog.com/shownotes

requirements 大切なこと… -Registry per environment -Easy access to all the images -Fast Promotion -Keep working with latest and knowing what it is 常に最新のモノを十分理解して利用する @jbaruch #DevelopersSummit http://jfrog.com/shownotes

The Anatomy of Docker Tag Docker Tagの構造 @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Wait a second, how can I have more than one registry per host now?! ちょっと待ってよ！ホストごとに１つ以上のレジストリって持てる？ @jbaruch #DevelopersSummit http://jfrog.com/shownotes

How can we support this? こうゆうのをどうサポートする？ https://host:8081/registry/docker-dev/busybox https://host:8081/registry/docker-qa/busybox https://host:8081/registry/docker-staging/busybox https://host:8081/registry/docker-prod/busybox @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Panic! パニック @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Virtual hosts/ports to the rescue docker tag host:port/busybox Registry host Tag name https://host:port/v2/busybox https://host:8081/registry/docker-dev/busybox Context name Registry name Tag name

server { listen 5001; } server_name 192.168.99.100; if ($http_x_forwarded_proto = ”) { set $http_x_forwarded_proto $scheme; } rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2; … } @jbaruch #DevelopersSummit http://jfrog.com/shownotes

But then you realize… ここでハタと気づく.. Wait a second, now I need to pull, retag and push for every step?! ちょっと待ってよ！つまりステップ毎にプルして、タグつけ直してプッシュするってこと？ありえないでちゅ… @jbaruch #DevelopersSummit http://jfrog.com/shownotes

@jbaruch #DevelopersSummit http://jfrog.com/shownotes

dev cluster test cluster staging cluster prod cluster @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Repository (docker): Top level directory in a registry Repository (the rest of the world): A registry @jbaruch #DevelopersSummit http://jfrog.com/shownotes

@jbaruch #DevelopersSummit http://jfrog.com/shownotes

Win-win

Simplicity of latest - Always know what it really means - As long as you promoted immutable artifact 不変の配布物をプロモートする限りは @jbaruch #DevelopersSummit http://jfrog.com/shownotes

requirements 大切なこと… -Registry per environment -Easy access to all the images - Fast Promotion - Keep working with latest and knowing what it is @jbaruch #DevelopersSummit http://jfrog.com/shownotes

But what about the rest of the dependencies? でもそれ以外の依存関係はどーするの？依存関係は？

@jbaruch #DevelopersSummit http://jfrog.com/shownotes

Own your dependencies 自分でしっかり管理する

Your base image - Your infra - Your application files ⾃分のアプリケーションファイル @jbaruch #DevelopersSummit http://jfrog.com/shownotes

conclusions まとめ…

Build only once - Separate environments - Promote what you’ve built - Own your dependencies 自分の依存関係は⾃分で管理する @jbaruch #DevelopersSummit http://jfrog.com/shownotes

Q&A and Links Ø@jbaruch Ø# DevelopersSummit Øhttp://jfrog.com/shownotes

Ayana Yokota / 横田紋奈(よこな) デベロッパーアドボケイト at JFrog Twitter: @ihcomega マイブームはサウナ