dockercon eu 2015: official repos and project nautilus
TRANSCRIPT
Docker Content: Official Repos, Project Nautilus, and the content ecosystem
Krish Garimella & Mario Ponticello
Docker adoption is driven by great content!
1+ billion pulls
[Slide: logo cloud of publishers on Docker Hub: library, bountylabs, kubernetes, schibstedpayment, gilderlabs, barchart, deis, progrium, mesos]
Docker Official Repos
Why are Official Repos so successful?
…and security!
Made with love and care…
…by our partners
Maintaining the Jenkins Official Repo: Nicolas De Loof, Jenkins
@ndeloof, [email protected]
Why yet another Jenkins image?
• We wanted to make Jenkins a first-class Docker citizen
• We wanted to get the Docker community involved
• We wanted to learn!
• We planned to use Docker for our own product
Because…
• How to set users, permissions, volumes, entrypoint…
• We disagreed with some of them…
• Argued…
• Read the docs…
• Had to adapt to get the image approved…
• And now, we admit that the best practices are good!
Embracing best practices
• We learned a great deal:
• Usages
• Best practices
• User misunderstanding
• Extensibility
• Docker itself!
• Possible improvements to Jenkins to make it more Docker-friendly
Getting feedback/contributions
For example…
• Human-based review
• https://github.com/docker-library/official-images/pulls
• Fairly fast for minor changes
• They want to limit the number of tags
• Not my initial use-case
• As a support engineer, I wanted all versions on Hub
Limitations
• Release early and often
• PR review is faster (~24h) if you don’t introduce big-bang changes
• Mix official with classic
• Jenkins weekly releases are published as jenkinsci/jenkins based on the exact same Dockerfile (sed)
Workarounds
[Diagram] Dockerfile (jenkins) → PR to « official » library
Jenkins job: sed s/LTS/weekly Dockerfile → jenkinsci/jenkins
Jenkins job: sed s/OSS/cloudbees Dockerfile → cloudbees/jenkins-enterprise
Publication workflow
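As an added example (not code from the talk or the Jenkins project), the workflow above as a shell script: derive the weekly variant with the same sed substitution, then check that the derived Dockerfile differs from the official one only by the release channel, which is the check a maintainer would want before publishing the community tag. The Dockerfile contents and the example.invalid URL are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the talk or the Jenkins project. It reproduces the
# Workarounds slide: one Dockerfile, sed s/LTS/weekly to derive the jenkinsci/jenkins
# variant, then a check that the derived file differs only by that substitution.
# The Dockerfile contents and the example.invalid URL are constructed stand-ins.
set -eu

# Write a constructed stand-in for the official (LTS) Dockerfile to $1.
write_lts_dockerfile() {
  cat > "$1" <<'EOF'
FROM java:8-jdk
ENV JENKINS_VERSION LTS
ENV JENKINS_URL https://example.invalid/jenkins/LTS/jenkins.war
COPY entrypoint.sh /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
EOF
}

# Derive the weekly variant from the LTS Dockerfile ($1 -> $2), as on the slide.
derive_weekly() {
  sed 's/LTS/weekly/g' "$1" > "$2"
}

# Return 0 only if $2 (weekly) is exactly $1 (LTS) with the channel swapped:
# no LTS reference may survive in the derived file, and reversing the
# substitution must give back the official file byte for byte.
check_only_channel_differs() {
  lts="$1"; weekly="$2"
  if grep -q 'LTS' "$weekly"; then
    return 1
  fi
  sed 's/weekly/LTS/g' "$weekly" | cmp -s - "$lts"
}

# Stand-alone demo: build the pair in a temp dir and report the check result.
demo() {
  dir=$(mktemp -d)
  write_lts_dockerfile "$dir/Dockerfile"
  derive_weekly "$dir/Dockerfile" "$dir/Dockerfile.weekly"
  if check_only_channel_differs "$dir/Dockerfile" "$dir/Dockerfile.weekly"; then
    echo "weekly Dockerfile differs from official only by release channel"
  else
    echo "weekly Dockerfile has unexpected differences" >&2
  fi
  rm -rf "$dir"
}
demo
```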
What are users saying?
We want more great content!
The President of Docker Users
…and secure images!
…and optimized images!
[Diagram: content pyramid: Amazing apps; Community Images; Curated Images]
Content curation today
What we need
1. Scale up the security posture assessment
2. Notify users of new vulnerabilities in existing code proactively
3. Provide visibility to end-users on the security posture of images
Project Nautilus goals
• Project Nautilus is an image-scanning service that makes it easier to build and consume high-integrity content
• Steps through a sequence of tests, including:
• Image security
• Component inventory/license management
• Image optimization
• Basic functional testing
• Functions as a source of truth for certification metadata
• Has an extensible backend; may support 3rd-party plugins
Project Nautilus details
Docker scans derived images
Docker works with partners to fix OS images
Publisher resubmits image
Publisher calibrates dependencies
Docker and publisher release clean image
Project Nautilus process
[Diagram: API; Docker Image Scanning; Security Scan (CVE Scanning); SW Inventory and License; Image Optimization; Plugins; Validation Microservices; Hub; Registry; Notifications to End Users and Publishers]
Project Nautilus architecture
• To submit an Official Repo, visit https://docs.docker.com/docker-hub/official_repos/
• To learn more about Nautilus, email us at [email protected]
Get involved