Earlier this year, I wrote a two-part series called CI In The Age Of Containers - Part 1 and Part 2. My original goal was to explore the impact containers might have on the build process. My thinking was that there would be a profound impact that would shake up what I knew about building deliverables, which I had done for years before containers came on the scene.
What I learned was that containers didn't change the build process so much, but they had a big impact on testing, which can now include compliance and security checks at build time. The combination of converged supply chains with unprecedented visibility and automated tooling creates exciting times.
In Part 1 we started with the build of the deliverable, in this case the Webgoat project (my fork), which as of version 8 is a Spring Boot app in a container. The build is a two-step process: build the JAR file, then build the container image and put the JAR in it. Containers are easy to run, so 'deploying' the app for testing is a docker run command away. That pulls a lot of traditional testing into the build phase of a CI pipeline, well beyond the unit testing of yesteryear. More testing means more opportunities to throw away builds that don't pass all the tests. Previously, publishing every build to my Sonatype Nexus Repository with a unique version, so that I could deploy it to a test environment, meant a lot of binaries to clean up later. It is a good example of how getting feedback earlier drives waste out of a process.
In Part 2 we explored how containers create a converged supply chain, with all changes flowing through the CI pipeline. Images are created with reliable and repeatable processes in the first place, and they can also be audited with modern tools like Chef InSpec and our own Sonatype Lifecycle. What's exciting, though, is to see suppliers getting this same visibility back in Docker Hub and GitHub. Our Webgoat project is built on top of the openjdk:8-jre-slim image, so let's look at the tags page for that image on Docker Hub.

It amazes me that our suppliers now have the ability to be transparent, giving us consumers the ability to make an informed choice. While the Webgoat project is intentionally insecure and might even leverage these issues, for everyday work we'd want to do something about them. In this case, the upstream project could simply rebuild, which would likely patch everything we see here in the base layer. If our supplier isn't doing this, our tests will fail, and we could, if needed, take matters into our own hands and run the update ourselves. Note that the openjdk:8-jre-slim tag is Debian-based, so there the equivalent is apt-get update followed by apt-get upgrade; on the Alpine variant of the image, that would look like this being added to our Dockerfile:
RUN apk update && apk upgrade && rm -rf /var/cache/apk/*
This refreshes the package index, upgrades the installed packages, and then flushes the cache to avoid unnecessary image bloat. Now every time we build we'd get the latest packages available, hopefully addressing all the issues above. The trade-off is that the result now depends on what the package mirror serves on the day of the build, so the image should be rebuilt and re-tested on a schedule rather than assumed fixed once. Similarly, GitHub recently added security scanning to their source code repos and announced they had found over 4 million issues! This type of source scanning is less reliable (perhaps a future blog to explore), but it does push visibility even further upstream.
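As an added example, not from the original post or the Webgoat project's own Dockerfile, here is how the two-step build and the package-upgrade step fit together in a single multi-stage Dockerfile. The Maven build stage, the jar name, the port and the service user are assumptions; the runtime stage uses the Debian-based openjdk:8-jre-slim tag the post mentions, so the upgrade uses apt-get rather than apk:

```dockerfile
# Added example, not the Webgoat project's own Dockerfile.
# Stage 1: build the JAR (assumes a standard Maven project layout).
FROM maven:3-jdk-8 AS build
WORKDIR /src
COPY pom.xml .
# Resolve dependencies in their own layer so source edits don't re-download them.
RUN mvn -q dependency:go-offline
COPY src ./src
# Unit tests are assumed to run in an earlier pipeline stage.
RUN mvn -q package -DskipTests

# Stage 2: runtime image on the supplier's base layer.
FROM openjdk:8-jre-slim
# openjdk:8-jre-slim is Debian-based, so patch with apt-get, not apk.
# On an Alpine-based variant the equivalent line would be:
#   RUN apk update && apk upgrade && rm -rf /var/cache/apk/*
RUN apt-get update \
 && apt-get -y --no-install-recommends upgrade \
 && rm -rf /var/lib/apt/lists/*
# Run the app as an unprivileged user instead of root (least privilege).
RUN groupadd -r webgoat && useradd -r -g webgoat webgoat
WORKDIR /app
# Jar name is an assumption; adjust to what the Maven build actually produces.
COPY --from=build /src/target/webgoat-server.jar ./webgoat.jar
USER webgoat
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/webgoat.jar"]
```

Build with docker build -t webgoat:test . and start it with docker run --rm -p 8080:8080 webgoat:test, then point the compliance and security tests at localhost:8080 before deciding whether the image is worth publishing. Keeping the upgrade in the runtime stage means every rebuild re-pulls the base layer's fixes, while the build stage and its toolchain never ship in the final image.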
So, as I look at the landscape today and compare it to three years ago, when I moved from a corporate delivery team to Sonatype, I get excited about how much things have changed in such a short amount of time. Converged supply chains combined with automatable modern tools to inspect our deliverables give me confidence in delivery teams' ability to execute at speed with quality. Increased awareness and visibility for upstream suppliers provides coverage across the whole supply chain. The age of containers is here, and it's an exciting time to be in IT.
Curtis Yanko is a Sr Principal Architect at Sonatype and a DevOps coach/evangelist. Prior to coming to Sonatype, Curtis started the DevOps Center of Enablement at a Fortune 100 insurance company and chaired an Open Source Governance Committee. When he isn't working with customers and partners on how ...