Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog

Post on 28-Jan-2018


Transcript of Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog

Docker Container Lifecycles - Problem or Opportunity?

Baruch Sadogursky, Dev Advocate @JFrog

What Frog?


JFrog Xray

Poll Time!


Heard about Docker

Can do the tutorial

PoCing, playing etc.

Production, baby!

JFrog Artifactory + Docker

Who’s using Docker and nothing else?

The Promotion Pyramid

Development builds

Dev Integration tests

Integr. tests

Staging

Pre-Prod

Prod

Amount of builds

Build/Deploy time

Amount of binaries

Pipeline: Quality Gates and Visibility

Source: Agile ALM, Michael Hüttermann, Manning Publications Co.

$ docker build

Too easy!

That’s why.

Let’s fix it!

Let’s fix it (again)!


What you code is (not) what you get

The stronger the quality gates, the more trust you have.

Not so fast…

Trumped-up limitations

The Anatomy of Docker Tag

Wait a second, how can I have more than one repository per host now?!

How can we support this?

https://host:8081/artifactory/docker-dev/busybox

https://host:8081/artifactory/docker-staging/busybox

https://host:8081/artifactory/docker-qa/busybox

https://host:8081/artifactory/docker-prod/busybox

Panic!

Virtual hosts/ports to the rescue

https://host:8081/artifactory/docker-dev/busybox

docker tag host:port/busybox

Context name

Virtual repository name

Tag name

server {
    listen 5001;
    server_name 192.168.99.100;

    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }

    # Send Docker API calls (/v1, /v2) arriving on this port to the docker-dev repository
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-dev/$1/$2;
}
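The port-to-repository mapping above, worked through as an added example (not code from the talk or from JFrog): it splits a host:port/name[:tag] reference, applies the same rewrite pattern to the manifest request, and gates production pulls on the port used. Only port 5001 -> docker-dev is on the slide; the other ports and the function names are assumptions.

```python
import re

# Assumed map: only 5001 -> docker-dev appears on the slide, the rest is constructed.
PORT_TO_REPO = {5001: "docker-dev", 5002: "docker-qa",
                5003: "docker-staging", 5004: "docker-prod"}

# host:port/name[:tag] -- the reference has no slot for a repository path.
REF = re.compile(r"^(?P<host>[^/:]+):(?P<port>\d+)/"
                 r"(?P<name>[a-z0-9._/-]+?)(?::(?P<tag>[\w.-]+))?$")


def parse_reference(ref):
    """Return (host, port, name, tag); a missing tag defaults to 'latest'."""
    m = REF.match(ref)
    if not m:
        raise ValueError(f"not a host:port/name[:tag] reference: {ref!r}")
    return m["host"], int(m["port"]), m["name"], m["tag"] or "latest"


def backend_path(ref):
    """Path Artifactory receives for a v2 manifest pull after the per-port rewrite."""
    _, port, name, tag = parse_reference(ref)
    repo = PORT_TO_REPO.get(port)
    if repo is None:
        raise ValueError(f"port {port} is not mapped to a repository")
    client_path = f"/v2/{name}/manifests/{tag}"     # what the Docker client requests
    m = re.match(r"^/(v1|v2)/(.*)", client_path)    # same pattern as the nginx rewrite
    return f"/artifactory/api/docker/{repo}/{m[1]}/{m[2]}"


def allowed_in_prod(ref):
    """Gate: a production host may only pull through the docker-prod port."""
    try:
        _, port, _, _ = parse_reference(ref)
    except ValueError:
        return False                                # unparseable references are rejected
    return PORT_TO_REPO.get(port) == "docker-prod"


if __name__ == "__main__":
    for ref in ("192.168.99.100:5001/busybox", "192.168.99.100:5004/busybox:1.28"):
        print(ref, "->", backend_path(ref), "| prod ok:", allowed_in_prod(ref))
```

A reference such as host:8081/artifactory/docker-dev/busybox parses with the repository path folded into the image name, which is why the repository has to be selected by port instead.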

But then you realize…

Wait a second, now I need to pull, retag and push for every step?!

Virtual Repositories FTW

What we did?


- Minimize the number of repositories Docker interacts with

- Deploy to virtual (backed by dev repository)

- Promote within Artifactory

- Resolve from virtual (production-ready images)

Why?


Finding the needle in a haystack of binaries

- What is deployed where

- Tracing binaries to sources

- Cherry-pick the one for prod

Adding Metadata

Consuming Metadata

Let’s talk security

Access Control


r/w on repo level is not enough

- read, write, delete, annotate

- on any level – registry, repo, image or tag

Content Control – Don’t Lose It

Thank you!