Docker Container Lifecycles - Problem or Opportunity?
Baruch Sadogursky, Dev Advocate @JFrog
What Frog?
JFrog Xray
Poll Time!
Heard about Docker
Can do the tutorial
PoCing, playing etc.
Production, baby!
JFrog Artifactory + Docker
Who’s using Docker and nothing else?
The Promotion Pyramid
Development builds
Dev Integration tests
Integr. tests
Staging
Pre-Prod
Prod
Amount of builds
Build/Deploy time
Amount of binaries
Pipeline: Quality Gates and Visibility
Source: Agile ALM, Michael Hüttermann, Manning Publications Co.
$ docker build
Too easy!
That’s why.
Let’s fix it!
Let’s fix it (again)!
What you code is (not) what you get
The stronger the quality gates, the more trust you have.
Not so fast…
Trumped-up limitations
The Anatomy of Docker Tag
Wait a second, how can I have more than one repository per host now?!
How can we support this?
https://host:8081/artifactory/docker-dev/busybox
https://host:8081/artifactory/docker-staging/busybox
https://host:8081/artifactory/docker-qa/busybox
https://host:8081/artifactory/docker-prod/busybox
Panic!
Virtual hosts/ports to the rescue
https://host:8081/artifactory/docker-dev/busybox
docker tag host:port/busybox
Context name
Virtual repository name
Tag name
server {
    listen 5001;
    server_name 192.168.99.100;
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2;
    …
    }
}
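
Added example (not from the original slides): a Python model of the rewrite above, showing how the port in an image reference, rather than anything in the image name, selects the Artifactory repository a pull reaches. Only 5001 -> docker-dev is on the slide; the other ports and all function names are assumptions made for illustration.

```python
import re

# Assumption: one nginx listener per Artifactory Docker repository. Only
# 5001 -> docker-dev appears on the slide; the other ports are constructed.
PORT_TO_REPO = {
    5001: "docker-dev",
    5002: "docker-staging",
    5003: "docker-qa",
    5004: "docker-prod",
}

# Same pattern as the slide's rewrite rule: ^/(v1|v2)/(.*)
REGISTRY_PATH = re.compile(r"^/(v1|v2)/(.*)")


def split_image_ref(ref):
    """Split 'host:port/name[:tag]' into (host, port, name, tag)."""
    registry, _, remainder = ref.partition("/")
    host, sep, port = registry.partition(":")
    if not remainder or not sep or not port.isdigit():
        raise ValueError(f"expected host:port/name[:tag], got {ref!r}")
    name, _, tag = remainder.partition(":")
    return host, int(port), name, tag or "latest"


def rewrite(port, request_path):
    """Apply the per-listener rewrite to a registry API request path."""
    repo = PORT_TO_REPO.get(port)
    if repo is None:
        raise LookupError(f"no repository is published on port {port}")
    match = REGISTRY_PATH.match(request_path)
    if match is None:
        return request_path  # not a registry API call; the rewrite does not apply
    api, rest = match.groups()
    return f"/artifactory/api/docker/{repo}/{api}/{rest}"


def manifest_backend_path(ref):
    """Backend path requested for a manifest pull of `ref`."""
    _host, port, name, tag = split_image_ref(ref)
    return rewrite(port, f"/v2/{name}/manifests/{tag}")


if __name__ == "__main__":
    for ref in ("192.168.99.100:5001/busybox:1.0", "192.168.99.100:5004/busybox"):
        print(ref, "->", manifest_backend_path(ref))
```

Because the repository is chosen by the listener alone, exposing only the intended ports to each environment is part of the access boundary.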
But then you realize…
Wait a second, now I need to pull, retag and push for every step?!
Virtual Repositories FTW
What did we do?
- Minimize the number of repositories Docker interacts with
- Deploy to virtual (backed by dev repository)
- Promote within Artifactory
- Resolve from virtual (production-ready images)
Why?
Finding the needle in a haystack of binaries
- What is deployed where
- Tracing binaries to sources
- Cherry-pick the one to prod
Adding Metadata
Consuming Metadata
Let’s talk security
Access Control
r/w on repo level is not enough
- read, write, delete, annotate
- on any level – registry, repo, image or tag
Content Control – Don’t Lose It
Thank you!