Docker ContentOfficial Repos, Project Nautilus, and the content ecosystem

Krish Garimella& Mario Ponticello

Docker adoption is driven bygreat content!

1+ billion pulls

1+ billion pulls

Librar

y

boun

tylabs

kube

rnetes

schibs

tedpa

ymen

t

gilderl

abs

barch

art deis

progri

ummes

os

1+ billion pulls

Librar

y

boun

tylabs

kube

rnetes

schibs

tedpa

ymen

t

gilderl

abs

barch

art deis

progri

ummes

os

Docker Official Repos

Why are Official Repos so successful?

…and security!

Made with love and care…

…by our partners

Maintaining the Jenkins Official RepoNicolas De Loof, Jenkins

@ndeloof, nicolas.deloof@gmail.com

Why yet another Jenkins image?

• We wanted to make Jenkins a first-class Docker citizen

• We wanted to get the Docker community involved

• We wanted to learn!

• We planned to use Docker for our own product

Because…

• How to set users, permissions, volumes, entrypoint…

• We disagreed with some of them…

• Argued…

• Read the docs…

• Had to adapt to get the image approved…

• And now, we admit that the best practices are good!

Embracing best practices

• We learned a great deal:

• Usages

• Best practices

• User misunderstanding

• Extensibility

• Docker itself!

• Possible improvements to Jenkins to make it more Docker-friendly

Getting feedback/contributions

For example…

• Human-based review

• https://github.com/docker-library/official-images/pulls

• Fairly fast for minor changes

• They want to limit the number of tags

• Not my initial use-case

• As a support engineer, I wanted all versions on Hub

Limitations

• Release early and often

• PR review is faster (~24h) if you don’t introduce big-bang changes

• Mix official with classic

• Jenkins weekly releases are published as jenkinsci/jenkins based on the exact same Dockerfile (sed)

Workarounds

Jenkins job

Jenkins job

Dockerfile jenkinsPR to « official » library

jenkinsci/jenkins

cloudbees/jenkins-

enterprise

sed s/LTS/weekly Dockerfile

Dockerfilesed s/OSS/cloudbees

Publication workflow

Thank you!Nicolas De Loof, Jenkins

@ndeloof, nicolas.deloof@gmail.com

What are users saying?

We want more great content!

The President of Docker Users

…and secure images!

…and optimized images!

Amazing apps

CommunityImages

Curated Images

Content curation today

Amazing apps

CommunityImages

Curated Images

What we need

1. Scale up the security posture assessment

2. Notify users of new vulnerabilities in existing code proactively

3. Provide visibility to end-users on the security posture of images

Project Nautilus goals

• Project Nautilus is an image-scanning service that makes it easier to build and consume high-integrity content

• Steps through a sequence of tests, including:

• Image security

• Component inventory/license management

• Image optimization

• Basic functional testing

• Functions as a source of truth for certification metadata

• Has an extensible backend; may support 3rd-party plugins

Project Nautilus details

Docker scans derived images

Docker works with partners to fix OS images

Publisher resubmits

image

Publisher calibrates

dependencies

Docker and publisher

release clean image

Project Nautilus process

APIDockerImage

Scanning

CVE ScanningSecurity

Scan

SW Inventory and License

Image Optimization

Plugins

ValidationMicroservices

HUB

End Users

Publishers

Notifications

…

Registry

…

Project Nautilus architecture

• To submit an Official Repo, visit https://docs.docker.com/docker-hub/official_repos/

• To learn more about Nautilus, email us at content@docker.com

Get involved