A presentation at DevOps Institute SKILup Day: Enterprise Kubernetes by Baruch Sadogursky
Best Practices In Implementing Container Image Promotion Pipelines
Software I like Software I know really well
@jbaruch #DataDrivenDevOps #PureAccelerate http://jfrog.com/shownotes @ErinMeyerINSEAD's "Culture Map"
http://jfrog.com/shownotes: SLIDES, VIDEO, LINKS, COMMENTS, RATINGS, RAFFLE. @jbaruch #SKILupDay
The Promotion Pyramid (figure): Dev at the base (development builds, integration tests), Pre-Prod above it (integration tests, staging), Prod at the top (build/deploy time); axes: amount of builds, amount of binaries.
Pipeline: quality gates and visibility (diagram): CI server (1) -> Integration (2) -> System Testing (3) -> Staging (4) -> Production; each step is taken only if the quality requirements are hit.
$ docker build @jbaruch #SKILupDay http://jfrog.com/shownotes
Let's docker build in every env!
That's why.

    FROM ubuntu                                                # latest version
    RUN apt-get install -y software-properties-common python   # latest version
    RUN apt-get install -y nodejs                              # latest version
    RUN mkdir /var/www
    ADD app.js /var/www/app.js                                 # latest version
    CMD ["/usr/bin/node", "/var/www/app.js"]

That's why.

    FROM ubuntu:19.04                                          # Better now?
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

That's why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98   # And now?
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

That's why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    # What about those?
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

That's why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN mvn clean install                                      # What about this?
    CMD "java -jar Main.class"

That's why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN download_random_sh*t_from_the_internet.sh              # And how about this?
    CMD ["/usr/bin/node", "/var/www/app.js"]

That's why you don't trust Docker
What's up with the gates?!
- QA shouldn't test dev images
- non-tested images shouldn't be staged
- non-staged, non-tested or dev images shouldn't end up in production!!!
Let's build a rock-solid pipeline!
How do I separate dev from prod?!
Option 1: metadata tags
Option 2: Docker Repositories
Separate registries per environment (diagram): the same pipeline, CI server (1) -> Integration (2) -> System Testing (3) -> Staging (4) -> Production, each step gated on the quality requirements being hit, with one registry per environment.
Trumped-up limitations
The Anatomy of a Docker Tag
Wait a second, how can I have more than one registry per host now?!
How can we support this?
    https://host:8081/registry/docker-dev/busybox
    https://host:8081/registry/docker-qa/busybox
    https://host:8081/registry/docker-staging/busybox
    https://host:8081/registry/docker-prod/busybox
"ONE REGISTRY PER HOST OUGHT TO BE ENOUGH FOR ANYBODY."
Panic!
Virtual hosts/ports to the rescue
    docker tag host:port/busybox                      (host:port = registry host, busybox = tag name)
    https://host:port/v2/busybox                      (what the Docker client actually requests)
    https://host:8081/registry/docker-dev/busybox     (registry = context name, docker-dev = registry name, busybox = tag name)

    server {
        listen 5001;
        server_name 192.168.99.100;
        if ($http_x_forwarded_proto = '') {
            set $http_x_forwarded_proto $scheme;
        }
        rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2;
        ...
    }
Let's abuse things!
But then you realize... Wait a second, now I need to pull, retag and push for every step?!
Clusters per environment: dev cluster, test cluster, staging cluster, prod cluster
Repository (Docker): top-level directory in a registry
Repository (the rest of the world): a registry
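The tag anatomy, the per-port nginx rewrite and the per-cluster gates above, as one added Python example (not from the talk or from JFrog's tooling); the port-to-repository map beyond 5001 and the one-cluster-per-stage mapping are assumptions:

```python
import re

# Maturity order of the per-environment repositories from the talk; promotion moves left to right.
STAGES = ["docker-dev", "docker-qa", "docker-staging", "docker-prod"]
# Cluster -> least mature repository it may run images from (assumption: one cluster per stage).
CLUSTER_STAGE = {"dev": "docker-dev", "test": "docker-qa",
                 "staging": "docker-staging", "prod": "docker-prod"}
# Virtual port -> repository, as the nginx rewrite does for 5001; 5002-5004 are assumed here.
PORT_TO_REPO = {5001: "docker-dev", 5002: "docker-qa",
                5003: "docker-staging", 5004: "docker-prod"}

_REF = re.compile(r"^(?P<host>[^/:]+)(?::(?P<port>\d+))?/(?P<path>[^:@]+)"
                  r"(?::(?P<tag>[\w][\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_ref(ref):
    """Split <host>[:port]/<path>[:tag][@digest] and work out its repository.
    Port-style refs (host:5001/busybox) take the repository from PORT_TO_REPO; path-style
    refs (host:8081/docker-dev/busybox) carry it as the first path element."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    port = int(m["port"]) if m["port"] else None
    if port in PORT_TO_REPO:
        repo, name = PORT_TO_REPO[port], m["path"]
    elif "/" in m["path"]:
        repo, name = m["path"].split("/", 1)
    else:
        raise ValueError(f"cannot tell which repository {ref} comes from")
    return {"host": m["host"], "port": port, "repo": repo, "name": name,
            "tag": m["tag"], "digest": m["digest"]}

def rewrite_v2_path(port, request_path):
    """Emulate the slide's nginx rule: /v2/... on a virtual port -> /artifactory/api/docker/<repo>/v2/..."""
    m = re.match(r"^/(v1|v2)/(.*)", request_path)
    if not m or port not in PORT_TO_REPO:
        return None  # no rewrite applies; nginx would serve the request as-is
    return f"/artifactory/api/docker/{PORT_TO_REPO[port]}/{m[1]}/{m[2]}"

def admit(ref, cluster):
    """Gate from the talk: a cluster only runs images that reached its maturity stage. Production
    additionally requires a digest, so the bytes deployed cannot drift underneath a mutable tag."""
    r = parse_ref(ref)
    if r["repo"] not in STAGES:
        return False, f"unknown repository {r['repo']}"
    if STAGES.index(r["repo"]) < STAGES.index(CLUSTER_STAGE[cluster]):
        return False, f"{r['repo']} image is not mature enough for the {cluster} cluster"
    if cluster == "prod" and not r["digest"]:
        return False, "production deployments must pin the image digest"
    return True, "ok"
```

A Kubernetes admission webhook would apply the same check to each Pod's image references before the prod cluster is allowed to pull them.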
Win-win-win
Win-win
But what about the rest of the dependencies?
Own your dependencies
Conclusions
THANK YOU! Meet me in the Network Chat Lounge for questions
Surprisingly, implementing a secure, robust and fast promotion pipeline for container images is not as easy as it might sound. Automating dependency resolution (base images), implementing multiple registries for different maturity stages and making sure that the containers we actually run in production come from the images we intended can be tricky. In this talk, we will compare different approaches, compile a wish-list of features and create a pipeline that checks all the boxes using free and open-source tools.