Best Practices In Implementing Container Image Promotion Pipelines
A presentation at CNCF Webinar by Baruch Sadogursky
Best Practices In Implementing Container Image Promotion Pipelines
Software I like Software I know really well
đ© @jbaruch #DataDrivenDevOps #PureAccelerate http://jfrog.com/shownotes @ErinMeyerINSEADâs âCulture Mapâ
shownotes Ăhttp://jfrog.com/shownotes Ă Slides Ă Video Ă Links Ă Comments, Ratings Ă Raffle @jbaruch #cncf http://jfrog.com/shownotes
The Promotion Pyramid Prod Build/Deploy time Pre-Prod Staging Integr. tests Dev Integration tests Development builds Amount of builds Amount of binaries
Pipeline: quality gates and visibility If quality requirments are hit CI SERVER 1 If quality requirments are hit 2 Integration If quality requirments are hit 3 System Testing 4 Staging Production * @jbaruch #cncf
- Quality gates - http://jfrog.com/shownotes
$docker build @jbaruch #cncf http://jfrog.com/shownotes
Letâs docker build in every env! @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu Latest version RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www Latest version ADD app.js /var/www/app.js Latest version Latest version CMD [â/usr/bin/nodeâ, â/var/www/app.jsâ] @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu:19.04 Better now? RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www ADD app.js /var/www/app.js CMD [â/usr/bin/nodeâ, â/var/www/app.jsâ] @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 And now? RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www ADD app.js /var/www/app.js CMD [â/usr/bin/nodeâ, â/var/www/app.jsâ] @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN apt-get install -y software-properties-common python RUN apt-get install -y nodejs RUN mkdir /var/www What about those? ADD app.js /var/www/app.js CMD [â/usr/bin/nodeâ, â/var/www/app.jsâ] @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN mvn clean install What about this? CMD âjava âjar Main.classâ @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why. FROM ubuntu:4033353383af19ec179c01dda7f355a246c6adcafaf93c8f98 RUN download_random_sh*t_from_the_internet.sh And how about this? CMD [â/usr/bin/nodeâ, â/var/www/app.jsâ] @jbaruch #cncf http://jfrog.com/shownotes
Thatâs why you donât trust Docker @jbaruch #cncf http://jfrog.com/shownotes
Whatâs up with the gates?! - QA shouldnât test dev images - non-tested images shouldnât be staged - non-staged, non-tested or dev images shouldnât end up in production!!! @jbaruch #cncf http://jfrog.com/shownotes
Letâs build Rock-solid pipeline!
How do I separate dev from prod?! @jbaruch #cncf http://jfrog.com/shownotes
Option 1: metadata tags @jbaruch #cncf http://jfrog.com/shownotes
Option 2: Docker Repositories
Separate registries per environment If quality requirments are hit CI SERVER 1 If quality requirments are hit 2 Integration If quality requirments are hit 3 System Testing 4 Staging Production * @jbaruch #cncf
- Quality gates - http://jfrog.com/shownotes
Trumped-up limitations @jbaruch #cncf http://jfrog.com/shownotes
The Anatomy of Docker Tag @jbaruch #cncf http://jfrog.com/shownotes
Wait a second, how can I have more than one registry per host now?! @jbaruch #cncf http://jfrog.com/shownotes
How can we support this? https://host:8081/registry/docker-dev/busybox https://host:8081/registry/docker-qa/busybox https://host:8081/registry/docker-staging/busybox https://host:8081/registry/docker-prod/busybox @jbaruch #cncf http://jfrog.com/shownotes
âONE REGISTRY PER HOST OUGHT TO BE ENOUGH FOR ANYBODY.â
Panic! @jbaruch #cncf http://jfrog.com/shownotes
Virtual hosts/ports to the rescue docker tag host:port/busybox Registry host Tag name https://host:port/v2/busybox https://host:8081/registry/docker-dev/busybox Context name Registry name Tag name
server { listen 5001; } server_name 192.168.99.100; if ($http_x_forwarded_proto = â) { set $http_x_forwarded_proto $scheme; } rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2; ⊠} @jbaruch #cncf http://jfrog.com/shownotes
Letâs abuse things! @jbaruch #cncf http://jfrog.com/shownotes
Letâs abuse things! @jbaruch #cncf http://jfrog.com/shownotes
But then you realize⊠Wait a second, now I need to pull, retag and push for every step?! @jbaruch #cncf http://jfrog.com/shownotes
@jbaruch #cncf http://jfrog.com/shownotes
dev cluster test cluster staging cluster prod cluster @jbaruch #cncf http://jfrog.com/shownotes
Repository (docker): Top level directory in a registry Repository (the rest of the world): A registry @jbaruch #cncf http://jfrog.com/shownotes
Win-win-win
- Single point of access to multiple registries when needed - Completely isolated environments - Immediate and free promotions
@jbaruch #cncf http://jfrog.com/shownotes
Win-win
- Simplicity of latest - Always know what it really means - As long as you promoted immutable artifact @jbaruch #cncf http://jfrog.com/shownotes
But what about the rest of the dependencies?
@jbaruch #cncf http://jfrog.com/shownotes
Own your dependencies
- Your base image - Your infra - Your application files @jbaruch #cncf http://jfrog.com/shownotes
conclusions
- Build only once - Separate environments - Promote what youâve built - Own your dependencies @jbaruch #cncf http://jfrog.com/shownotes
Q&A and Links Ă@jbaruch Ă#CNCF Ăhttp://jfrog.com/shownotes
Surprisingly, implementing a secure, robust and fast promotion pipelines for container images is not as easy as it might sound. Automating dependency resolution (base images), implementing multiple registries for different maturity stages and making sure that we actually run in production containers from the images we intended can be tricky. In this talk, we will compare different approaches, compile a wish-list of features and create a pipeline that checks all the boxes using free and open-source tools.
