git push to lint, build and scan your containers
Bamacharan Kundu (@bamachrn)
Imagine...
● You are maintaining 10 images
● All images are based on the same base image

Life is good… right?
Imagine...
● Meltdown / Spectre hits the world!
● The CentOS base image gets updated
● Manually update all your images!

What if there are about 100 images?
This sucks!
CentOS Community Container Pipeline
Why yet another pipeline?
● No solution to lint, build and scan images on a regular basis
● No triggers other than a code push to the git repo
● Limited scanning capabilities, and only available at a cost
● No regular scan reports on all the images
● No dependency tracking between images (parent-child relationship)
● No open source solution to do all of these!


Flow explained
● PR on container-index (one-time)
● Pre Build
● Lint
● Build
● Scan
● Deliver (Push) and Notify


PR on container-index
● Create a yaml entry in container-index
● A job is created and we trigger the build

Example yaml file
Pre Build
● Generate binaries/artifacts
● Use the artifact(s) to create the image


Lint
● Lint the Dockerfile
● Point out common errors and warnings:
  ○ Running a privileged container
  ○ Lack of yum clean all
  ○ Lack of labels
  ○ Lack of CMD/EXPOSE commands
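The four lint findings listed above can be reproduced with a small Dockerfile linter. The block below is an added example written for this page; it is not the Project Atomic Dockerfile Lint tool that the pipeline actually uses. The two sample Dockerfiles are constructed, "running privileged" is interpreted here as the image ending up with a root USER, and the rule messages are assumed wording, not the real tool's output.

```python
"""Minimal Dockerfile linter for the four warnings on the slide (added example)."""
import re

# Constructed sample: trips every check (root user, no yum clean all, no LABEL/CMD/EXPOSE).
BAD_DOCKERFILE = """\
FROM centos:7
RUN yum install -y httpd
USER root
"""

# Constructed sample: passes all four checks; the RUN line uses a backslash continuation.
GOOD_DOCKERFILE = """\
FROM centos:7
LABEL maintainer="example@example.org" name="httpd"
RUN yum install -y httpd && \\
    yum clean all
EXPOSE 80
USER 1001
CMD ["httpd", "-DFOREGROUND"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash-newline continuations first."""
    joined = re.sub(r"\\\n", " ", text)
    instructions = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return instructions


def lint_dockerfile(text):
    """Return a list of (severity, message) findings for a Dockerfile's text."""
    instructions = parse_instructions(text)
    names = {name for name, _ in instructions}
    findings = []

    # 1. Privileged container: no USER at all, or the last USER is root / uid 0.
    users = [arg.strip().split(":")[0] for name, arg in instructions if name == "USER"]
    last_user = users[-1] if users else None
    if last_user is None or last_user in ("root", "0"):
        findings.append(("error", "container runs as root; add a non-root USER instruction"))

    # 2. yum install without yum clean all in the same layer leaves the cache in the image.
    for name, arg in instructions:
        if name == "RUN" and re.search(r"\byum\b.*\binstall\b", arg) and "yum clean all" not in arg:
            findings.append(("warning", "RUN uses yum install without 'yum clean all' in the same layer"))

    # 3. Lack of labels.
    if "LABEL" not in names:
        findings.append(("warning", "no LABEL instruction; add name/maintainer labels"))

    # 4. Lack of CMD/EXPOSE.
    if "CMD" not in names and "ENTRYPOINT" not in names:
        findings.append(("warning", "no CMD or ENTRYPOINT instruction"))
    if "EXPOSE" not in names:
        findings.append(("warning", "no EXPOSE instruction"))

    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, lint_dockerfile(text) or "OK")
```

Running the linter in the pipeline before the build step means an image that runs as root or ships a yum cache never reaches the registry; the check on the last USER instruction matters because a Dockerfile can switch to root for package installation and then drop privileges at the end.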


Build
● Build the container image
● Build through a custom build context


Scan
● Package update scanner
  ○ rpm
  ○ npm
  ○ pip
  ○ gem
● Container capabilities
● RPM verification
Deliver (Push)
● Deliver the image to registry.centos.org
● Tag the image with the user's desired tag
● The user is notified by email with:
  ○ Status of the build
  ○ Cause of the build
  ○ Image repository with logs


What else?
Weekly scan, repo update tracking, automated build trigger
● Scanners run on a weekly basis
● Scanner reports are emailed to the user
● Automatic rebuild for RPM updates
● Rebuild images when:
  ○ the base image gets updated
  ○ git push
● Custom build context
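The "100 images on one base" problem from the opening slides and the automatic rebuild trigger above both come down to tracking the parent-child relationship between images and rebuilding descendants in the right order. The block below is an added example, not code from the CentOS container-pipeline-service. The image names and Dockerfile contents are constructed; only the registry hostname registry.centos.org comes from the slides. It assumes each image has a single parent (its first FROM line), so the dependency structure is a forest and a breadth-first walk visits parents before children.

```python
"""Plan which images to rebuild when a parent image changes (added example)."""
import re
from collections import defaultdict, deque

# Constructed index: image name -> Dockerfile text (only the FROM line matters here).
IMAGES = {
    "centos/httpd": "FROM registry.centos.org/centos/centos:7\nRUN yum install -y httpd && yum clean all\n",
    "centos/python-36": "FROM registry.centos.org/centos/centos:7\n",
    "centos/flask-app": "FROM registry.centos.org/centos/python-36:latest\n",
    "centos/nodejs-8": "FROM registry.centos.org/centos/centos:7\n",
    "centos/che-stack": "FROM registry.centos.org/centos/nodejs-8:latest\n",
}


def parent_of(dockerfile_text):
    """Return the parent image name from the first FROM line, without registry host or tag."""
    m = re.search(r"^\s*FROM\s+(\S+)", dockerfile_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    parts = m.group(1).split("/")
    # A first path component containing '.' or ':' is a registry host (e.g. registry.centos.org).
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0]):
        parts = parts[1:]
    name = "/".join(parts)
    # Strip the :tag suffix; the host (which may carry a port) is already gone.
    return name.rsplit(":", 1)[0]


def children_map(images):
    """Map each parent image name to the images built directly from it."""
    children = defaultdict(list)
    for name, dockerfile in images.items():
        parent = parent_of(dockerfile)
        if parent is not None:
            children[parent].append(name)
    return children


def rebuild_plan(images, changed):
    """List the images to rebuild after `changed` is updated, parents before children.

    `changed` is either an image in the index (a git push to its repo, so it is rebuilt
    first) or an external base such as centos/centos (a base image update, so only its
    descendants in the index are rebuilt).
    """
    children = children_map(images)
    plan = [changed] if changed in images else []
    seen = set(plan)
    queue = deque(children.get(changed, []))
    # Breadth-first walk: with one parent per image, every parent is listed before its children.
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        plan.append(name)
        queue.extend(children.get(name, []))
    return plan


if __name__ == "__main__":
    for trigger in ("centos/centos", "centos/python-36", "centos/httpd"):
        print(f"{trigger} changed -> rebuild {rebuild_plan(IMAGES, trigger)}")
```

With the base image as the trigger, all five constructed images are rebuilt and centos/python-36 is rebuilt before centos/flask-app; a push to centos/httpd, which has no children, rebuilds only itself. This is the ordering a pipeline needs so that a fixed base layer (the Meltdown/Spectre case on the earlier slide) propagates into every child image without anyone updating them by hand.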


Toolchain
● Dockerfile Lint → Project Atomic Dockerfile Lint
● Build → OpenShift Build Config
● Scan → Atomic Scanner
● Registry → Docker distribution
● CI → CentOS CI (https://ci.centos.org/)
Quick Notes
registry.centos.org
● Canonical source of truth for images maintained by the CentOS team
● SCLo images - nodejs, python, etc.
● Eclipse Che stacks
● Language stacks (go, python, java)


What's next?
Plan
● Major update on UI
  ○ Real time build status
  ○ Lint and build logs and scan results
● On demand scale up to minimize waiting time
● Test images on
  ○ OpenShift
  ○ CentOS
Resources
● https://github.com/CentOS/container-pipeline-service/
● https://github.com/CentOS/container-index/
● #centos-devel on Freenode
● centos-devel@centos.org

Thank you!