Creating a Reproducible Build System for Docker Images

Similar documents
Creating a Reproducible Build System for Docker Images

Multi-Arch Layered Image Build System

TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Docker and Oracle Everything You Wanted To Know

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Red Hat Roadmap for Containers and DevOps

THE STATE OF CONTAINERS

ovirt and Docker Integration

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

[Docker] Containerization

TEN LAYERS OF CONTAINER SECURITY

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

Travis Cardwell Technical Meeting

A Greybeard's Worst Nightmare

How Container Runtimes matter in Kubernetes?

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

RED HAT GLUSTER TECHSESSION CONTAINER NATIVE STORAGE OPENSHIFT + RHGS. MARCEL HERGAARDEN SR. SOLUTION ARCHITECT, RED HAT BENELUX April 2017

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Continuous Integration using Docker & Jenkins

Container Security and new container technologies. Dan

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

UP! TO DOCKER PAAS. Ming

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

SAINT LOUIS JAVA USER GROUP MAY 2014

Kuber-what?! Learn about Kubernetes

EE 660: Computer Architecture Cloud Architecture: Virtualization

Backup strategies for Stateful Containers in OpenShift Using Gluster based Container-Native Storage

The four forces of Cloud Native

How to make your application into a Flatpak

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Container mechanics in Linux and rkt FOSDEM 2016

Red Hat JBoss Middleware for OpenShift 3

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

Containerizing GPU Applications with Docker for Scaling to the Cloud

Running MarkLogic in Containers (Both Docker and Kubernetes)

Security oriented OpenShift within regulated environments

Deployment Patterns using Docker and Chef

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Getting Started With Containers

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Next Generation Tools for container technology. Dan

Red Hat Enterprise Linux 7 Getting Started with Cockpit

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Replacing Docker With Podman. By Dan

Orchestrating Docker containers at scale

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

How to build and run OCI containers

S Implementing DevOps and Hybrid Cloud

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Simple custom Linux distributions with LinuxKit. Justin Cormack

RED HAT OPENSHIFT A FOUNDATION FOR SUCCESSFUL DIGITAL TRANSFORMATION

Investigating Containers for Future Services and User Application Support

Introduction to Virtualization and Containers Phil Hopkins

Important DevOps Technologies (3+2+3days) for Deployment

Red Hat Enterprise Linux Atomic Host 7 Getting Started with Cockpit

Kubernetes Integration Guide

Beyond 1001 Dedicated Data Service Instances

Introduction to Docker. Antonis Kalipetis Docker Athens Meetup

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Red Hat Containers Roadmap. Red Hat A panel of product directors

OpenShift Dedicated 3 Release Notes

Red Hat OpenShift Application Runtimes 1

Introduction to Containers

Devops, Docker and Security. John

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

DevOps in the Cloud A pipeline to heaven?! Robert Cowham BCS CMSG Vice Chair

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

Orchestrating the Continuous Delivery Process

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Microservice Deployment. Software Engineering II Sharif University of Technology MohammadAmin Fazli

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Container-based virtualization: Docker

Red Hat Quay 2.9 Deploy Red Hat Quay - Basic

Cloud I - Introduction

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

UNDER THE HOOD. ROGER NUNN Principal Architect/EMEA Solution Manager 21/01/2015

Zdeněk Kubala Senior QA

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Harbor Registry. VMware VMware Inc. All rights reserved.

Container Management : First Looks

EVERYTHING AS CODE A Journey into IT Automation and Standardization. Raphaël Pinson

Dockerized Tizen Platform

VMWARE PIVOTAL CONTAINER SERVICE

Transcription:

Creating a Reproducible Build System for Docker Images PRESENTED BY: Adam Miller Fedora Engineering, Red Hat CC BY-SA 2.0

Today's Topics Define containers in the context of Linux systems Brief History/Background Container Implementations in Linux Docker Docker Build (Dockerfile) Release Engineering Docker Layered Image Build Service OpenShift OpenShift Build Service (OSBS) Koji-containerbuild Fedora s Docker Layered Image Build Service Q&A

Containers

What are containers? Operating-system-level Virtualization We (the greater Linux community) like to call them containers OK, so what is Operating-system-level Virtualization? The multitenant isolation of multiple user space instances or namespaces. Traditional OS APP A APP B LIBS A LIBS B Containers LIBS HOST OS HARDWARE LIBS CONTAINER CONTAINER APP A APP B LIBS A LIBS HOST OS HARDWARE

Containers are not new The concept of containers is not new chroot was the original container, introduced in 1982 Unsophisticated in many ways, lacking the following: COW Quotas I/O rate limiting cpu/memory constraint Network Isolation Brief (not exhaustive) history of sophisticated UNIX-like container technology: 2000 - FreeBSD jails 2001 Linux Vserver 2004 Solaris Zones 2005 - OpenVZ 2008 LXC This is where things start to get interesting

The Modern Linux Container is Born 2008 - IBM releases LinuX Containers (LXC) Userspace tools to effectively wrap a chroot in kernel namespacing and cgroups Provided sophisticated features the chroot lacked 2011 systemd nspawn containers run a command or OS in a light-weight namespace container. Like chroot, but virtualizes the file system hierarchy, process tree, various IPC subsystems, host and domain name. 2013 DotCloud releases Docker (https://github.com/docker/docker) Originally used LXC as the backend, introduces the Docker daemon, layered images, standard toolset for building images and a distribution method (docker registry). Later makes backend driver pluggable and replaces LXC with libcontainer as default.

Modern Linux Container 2014 CoreOS releases rkt (https://github.com/coreos/rkt) rkt is an implementation of App Container(appc) specification and App Container Image(ACI) specification, built on top of systemd-nspawn. ACI and appc aimed to be a cross-container specification to be a common ground between container implementations. 2015 Open Container Project (http://opencontainers.org/) The Open Container Initiative is a lightweight, open governance structure, to be formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtime. - http://opencontainers.org/ Initiative Sponsors: Apcera, AT&T, AWS, Cisco, ClusterHQ, CoreOS, Datera, Docker, EMC, Fujitsu, Google, Goldman Sachs, HP, Huawei, IBM, Intel, Joyent, Kismatic, Kyup, the Linux Foundation, Mesosphere, Microsoft, Midokura, Nutanix, Oracle, Pivotal, Polyverse, Rancher, Red Hat, Resin.io, Suse, Sysdig, Twitter, Verizon, VMWare

Modern Linux Container 2015 runc (http://runc.io/) Stand-alone command line tool for spawning containers as per the OCP specification. Containers are child processes of runc, no system daemon, can be embedded. Shares technology lineage with Docker (libcontainer and others). Compatible with Docker images. Docker Engine v1.11+ 2016 containerd (http://containerd.tools/) Containerd is a daemon with an API and a command line client, to manage containers on one machine. It uses runc to run containers according to the OCI specification. Docker Engine v1.11+

Docker

Docker Docker Engine (daemon) is the single point of entry, has language bindings for other clients and tooling. (Image verification) Containers are instances of images. Images are built in a standard way using Dockerfile SELinux support upstream in Docker. Pluggable backends for isolation mechanism, storage, networking, etc.

Docker Base vs Layered Images CONTAINER Fedora 23 BASE IMAGE Fedora 23 APP LAYER Fedora 23 APP Fedora 23 APP Fedora 23 APP Fedora 23 App APP LIBS Fedora 23 Host Fedora 24 Host HARDWARE OR VM HARDWARE OR VIRTUAL MACHINE

Dockerfile FROM fedora MAINTAINER http://fedoraproject.org/wiki/cloud RUN dnf -y update && dnf clean all RUN dnf -y install httpd && dnf clean all RUN echo "HTTPD" >> /var/www/html/index.html EXPOSE 80 # Simple startup script ADD run-httpd.sh /run-httpd.sh RUN chmod -v +x /run-httpd.sh CMD ["/run-httpd.sh"]

Docker Build $ docker build -t fedora-httpd. Sending build context to Docker daemon 24.06 kb Step 1 : FROM docker.io/fedora ---> f9873d530588 Step 2 : MAINTAINER http://fedoraproject.org/wiki/cloud ---> Running in d7c01855128e ---> 819fb0ed13b0 Removing intermediate container d7c01855128e Step 3 : LABEL RUN 'docker run -d -p 80:80 $IMAGE' ---> Running in 4288ff446166 ---> 5f2b85cdbd73 Removing intermediate container 4288ff446166 Step 4 : RUN dnf -y update && dnf -y install httpd && dnf clean all ---> Running in df63942c3979 OUTPUT OMITTED FOR BREVITY Successfully built 63bc543a1868

Release Engineering

Release Engineering What is Release Engineering? Making a software production pipeline that is Reproducible, Auditable, Definable, and Deliverable It should also be able to be automated Definition (or the closest there really is) Release engineering is the difference between manufacturing software in small teams or startups and manufacturing software in an industrial way that is repeatable, gives predictable results, and scales well. These industrial style practices not only contribute to the growth of a company but also are key factors in enabling growth. - Boris Debic of Google Inc

OpenShift

OpenShift CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER SELF-SERVICE SERVICE CATALOG (LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES, ) BUILD AUTOMATION DEPLOYMENT AUTOMATION APPLICATION LIFECYCLE MANAGEMENT (CI / CD) CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT (KUBERNETES) NETWORKING STORAGE REGISTRY LOGS & METRICS INFRASTRUCTURE AUTOMATION & COCKPIT CONTAINER RUNTIME & PACKAGING (DOCKER) ATOMIC HOST Fedora / CentOS / Red Hat Enterprise Linux SECURITY

OpenShift/Kubernetes Overview Node Client Pod Pod Container Container Container Container Container Container Pod Pod Container Container Container Container Container Container Pod...... Pod...... Master REST API Node Scheduler

OpenShift OpenShift Container Platform built on top of Kubernetes Advanced Features Build Pipelines Image Streams Application Lifecycle Management CI/CD Integrations Binary Deployment Triggers (Event, Change, Image, Web, etc) REST API, Command line interface, IDE Integrations Web UI and Admin dashboard

Docker Layered Image Build Service

Build System osbs cli Users OSBS Registry OpenShift Origin Candidate Images atomic-reactor Stable + Updates osbs-client API Server Deployments

OSBS OpenShift Build Service Takes advantage of OpenShift s built in Build primitive with a Custom Strategy and BuildConfig Relies on OpenShift for scheduling of build tasks throughout the cluster Presents this defined component to developers/builders as CLI and Python API osbs enforces that the inputs come from auditable sources. This defines what can be the inputs to a build Git repo for source Dockerfile, git commits and builds centrally logged BuildRoot - limited docker runtime Firewall constrained docker bridge interface Unprivileged container runtime with SELinux Enforcing Inputs are sanitized before reaching to build phase Unknown or unvetted sources are disallowed by the system Uses OpenShift ImageStreams as input sources to BuildRoot Utilizes OpenShift Triggers to spawn rebuild actions based on parent image changes How often are your images rebuilt?

OSBS - Continued atomic-reactor Single-pass Docker build tool used inside constrained buildroot in OSBS Automates tasks via plugins, such as: pushing images to a registry when successfully built injecting yum/dnf repositories inside Dockerfile (change source of your packages for input sanitization/gating) change base image (FROM) in your Dockerfile to match that of the registry available inside the isolated buildroot, run simple tests after image is built Gating of updates Automated tests can be tied to the output of OSBS RelEng is able to then "promote" images to a "production" or "stable" registry/tag/repository

Fedora s Implementation Fedora Layered Image Maintainers Registry Candidate Images Stable + Updates Koji RPM Builds Container-build DistGit Dockerfile ISO & Cloud Images fedpkg container-build Service init Scripts Tests Docs OSBS OpenShift Origin atomic-reactor osbs-client API Users

Fedora s Implementation DistGit ( Distro Git ) Each Branch = Fedora Release master branch is Devel (codename Rawhide ) fedpkg Fedora Package Maintainer helper tool Manages distgit branches Initiate builds (local and remote, mock integration) Much more Koji Fedora s authoritative build system Everything for Fedora is built here or it s build is integrated here Live USB images, DVD ISOs, IaaS Cloud Images, RPMs, Docker This defines what can be the inputs to a build Koji-containerbuild Plugin to orchestrate builds between Koji and OSBS Registry Upload/download destination, point of distribution

Release Engineering Revisited What is Release Engineering? Making a software production pipeline that is Reproducible, Auditable, Definable, and Deliverable It should also be able to be automated Reproducible Given the same set of inputs we can expect the same set of outputs We can even limit the specific versions of every RPM in the container Auditable OSBS maintains a manifest of its inputs and outputs All actions are logged centrally Fedora s implementation also involves a message bus and archives all activity in a database Definable OSBS defines an OpenShfit CustomBuild, if definition violated the system will reject the build Deliverable Gating for promoting content among Docker Image Registries/Tags/Repositories

Questions? CONTACT: maxamillion@fedoraproject.org @TheMaxamillion CC BY-SA 2.0

References https://en.wikipedia.org/wiki/operating-system-level_virtualization https://coreos.com/blog/rocket https://coreos.com/blog/appc-gains-new-support https://www.docker.com https://github.com/docker/distribution http://www.redhat.com/en/insights/containers http://www.projectatomic.io http://www.openshift.org https://www.openshift.com http://www.redhat.com/en/about/blog/red-hat-and-google-collaborate-kubernetes-manage-docker-containers-scale http://rhelblog.redhat.com/2014/04/15/rhel-7-rc-and-atomic-host http://opencontainers.org http://runc.io http://queue.acm.org/detail.cfm?id=2884038 http://containerd.tools https://drive.google.com/file/d/0b_jl94nmodqdsfvseuotqvb1rnc/view?usp=sharing http://valleyproofs.debic.net/2009/03/behind-scenes-production-pushes.html https://github.com/release-engineering/koji-containerbuild https://github.com/projectatomic/atomic-reactor https://github.com/projectatomic/osbs-client https://pagure.io/koji https://fedorahosted.org/koji/wiki

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback