Best Practices In Implementing Container Image Promotion Pipelines

A presentation at DevOps World 2020 in September 2020 by Baruch Sadogursky

Slide 1

Best Practices in Implementing Container Image Promotion Pipelines

Slide 2

Slide 3

Software I like Software I know really well

Slide 4

Slide 5

Slide 6

🎩 @jbaruch #DataDrivenDevOps #PureAccelerate #DevOpsWorld http://jfrog.com/shownotes

@ErinMeyerINSEAD’s “Culture Map”

Slide 7

Shownotes

  • http://jfrog.com/shownotes
  • Slides
  • Video
  • Links
  • Comments, Ratings
  • Raffle

Slide 8

Slide 9

Slide 10

The Promotion Pyramid

[Figure: pyramid with the levels Prod, Pre-Prod, Staging, Integr. tests, Dev Integration tests, Development builds; side labels: Build/Deploy time, Amount of builds, Amount of binaries]

Slide 11

Pipeline: quality gates and visibility

[Figure: pipeline with the stages CI server, Integration, System Testing, Staging, Production; gates numbered 1 to 4, transitions labelled “If quality requirements are hit”; legend: * Quality gates]

Slide 12

$ docker build

Slide 13

Slide 14

Let’s docker build in every env!

Slide 15

Slide 16

That’s why.

    FROM ubuntu
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

Slide callouts: “Latest version” (×4)

Slide 17

That’s why.

    FROM ubuntu:19.04
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

Slide callout: “Better now?”

Slide 18

That’s why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

Slide callout: “And now?”

Slide 19

That’s why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN apt-get install -y software-properties-common python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]

Slide callout: “What about those?”

Slide 20

That’s why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN mvn clean install
    CMD "java -jar Main.class"

Slide callout: “What about this?”

Slide 21

That’s why.

    FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98
    RUN download_random_sh*t_from_the_internet.sh
    CMD ["/usr/bin/node", "/var/www/app.js"]

Slide callout: “And how about this?”

Slide 22

That’s why you don’t trust Docker
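The point of slides 16 to 21, as an added example that is not part of the talk: a Python check that lists the Dockerfile instructions whose result can change from one `docker build` to the next. The sample Dockerfile is constructed from the slide lines; the function names and the list of "resolver" commands are assumptions of this example.

```python
import re

# Constructed sample that combines the Dockerfile lines shown on the slides.
SAMPLE = """\
FROM ubuntu:19.04
RUN apt-get install -y software-properties-common python
RUN apt-get install -y nodejs
RUN mkdir /var/www
ADD app.js /var/www/app.js
RUN mvn clean install
RUN download_random_sh*t_from_the_internet.sh
CMD ["/usr/bin/node", "/var/www/app.js"]
"""
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Heuristic (assumption): tools that pull inputs from outside the build context.
RESOLVERS = re.compile(r"\b(curl|wget|mvn|gradle|npm|pip3?|gem)\b|\.sh\b")
APT = re.compile(r"\bapt(?:-get)?\s+install\s+([^&;|]*)")

def instructions(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", None

def mutable_inputs(text):
    """Return (line_no, reason) for instructions that are not reproducible."""
    found = []
    for no, instr in instructions(text):
        op, _, rest = instr.partition(" ")
        op = op.upper()
        if op == "FROM":
            image = next((t for t in rest.split() if not t.startswith("--")), "scratch")
            if image != "scratch" and not DIGEST.search(image):
                found.append((no, f"base image {image} is not pinned by digest"))
        elif op == "RUN" and (m := APT.search(rest)):
            loose = [p for p in m.group(1).split() if p[0] != "-" and "=" not in p]
            if loose:
                found.append((no, "apt packages without version: " + " ".join(loose)))
        elif op == "RUN" and RESOLVERS.search(rest):
            found.append((no, "inputs resolved at build time: " + rest))
    return found
```

Pinning the base image clears only the first finding; the package installs, the Maven build and the download script still resolve their inputs at build time.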

Slide 23

Slide 24

Slide 25

What’s up with the gates?!

  • QA shouldn’t test dev images
  • non-tested images shouldn’t be staged
  • non-staged, non-tested or dev images shouldn’t end up in production!!!

Slide 26

Let’s build a rock-solid pipeline!

Slide 27

How do I separate dev from prod?!

Slide 28

Option 1: metadata tags

Slide 29

Slide 30

Option 2: Docker Repositories

Slide 31

Slide 32

Separate registries per environment

[Figure: pipeline with the stages CI server, Integration, System Testing, Staging, Production; gates numbered 1 to 4, transitions labelled “If quality requirements are hit”; legend: * Quality gates]

Slide 33

Slide 34

Trumped-up limitations

Slide 35

The Anatomy of Docker Tag

Slide 36

Wait a second, how can I have more than one registry per host now?!

Slide 37

How can we support this?

    https://host:8081/registry/docker-dev/busybox
    https://host:8081/registry/docker-qa/busybox
    https://host:8081/registry/docker-staging/busybox
    https://host:8081/registry/docker-prod/busybox

Slide 38

“ONE REGISTRY PER HOST OUGHT TO BE ENOUGH FOR ANYBODY.”

Slide 39

Panic!

Slide 40

Virtual hosts/ports to the rescue

    docker tag host:port/busybox

Slide callouts: Registry host, Tag name

Slide 41

Virtual hosts/ports to the rescue

    docker tag host:port/busybox
    https://host:port/v2/busybox

Slide callouts: Registry host, Tag name

Slide 42

Virtual hosts/ports to the rescue

    docker tag host:port/busybox
    https://host:port/v2/busybox
    https://host:8081/registry/docker-dev/busybox

Slide callouts: Registry host, Tag name (docker tag); Context name, Registry name, Tag name (last URL)

Slide 43

    server {
        listen 5001;
        server_name 192.168.99.100;
        if ($http_x_forwarded_proto = '') {
            set $http_x_forwarded_proto $scheme;
        }
        rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2;
    }

Slide 44

Slide 45

Let’s abuse things!

Slide 46

Let’s abuse things!

Slide 47

But then you realize

Wait a second, now I need to pull, retag and push for every step?!

Slide 48

Slide 49

[Figure: dev cluster, test cluster, staging cluster, prod cluster]

Slide 50

Win-win-win

  • Single point of access to multiple registries when needed
  • Completely isolated environments
  • Immediate and free promotions

Slide 51

But what about the rest of the dependencies?

Slide 52

Slide 53

Slide 54

Own your dependencies

  • Your base image
  • Your infra
  • Your application files

Slide 55

Conclusions

  • Build only once
  • Separate environments
  • Promote what you’ve built
  • Own your dependencies

Slide 56

Q&A and Links

  • @jbaruch
  • #DevOpsWorld
  • http://jfrog.com/shownotes