amazon web services - Enterprise private Docker registry best practices -


this question sprang mind preparing on rolling out our own private registry. enterprise best practice , why?

q1:

  1. run multiple registries 1 s3 storage backend? each registry have setting makes push dev, qa or prod (top level) folders in same s3 bucket.

  2. run 1 registry 1 s3 storage backend dev/qa/prod environments? since whole point of docker have image run anywhere same, provide different docker run parameters, since docker image same across env, run arguments pass different.

  3. run 1 registry , 1 s3 storage backend per env

q2:

what best practice promoting image dev way prod? tool sets involved. example have central gitlab our dockerfiles, when check in our new dockerfile, there hook triggers jenkins build image dockerfile , check in registry. way promote (unless chose option 2 earlier q1) images next level - qa, , prod?

q3:

if update 1 of base images, way make sure change propagates upstream other images in registry? example update customized base ubuntu dockerfile new stuff, , want other docker files use base image rebuilt , pushed registry change automatically propagated.

q4:

does play role in above if have different aws accounts, 1 dev, 1 qa, 1 prod, etc.

we chose option number two. i'll describe we're using, , though we're not big enterprise environment (a few hundred containers running @ given time), perhaps give ideas. stick single s3 backend/bucket (on single account) of our "types" of images, , namespace images appropriately. trick here our "dev" environments "production" environments. central our entire design , our raison d'etre using docker: have our development environment mirror production environment as possible. have several production machines on commodity dedicated hardware in few geographically-distinct datacenters, , run our images on top of those. using standard git workflow pushing code , changes. use bitbucket (and mirror our own self-hosted gitlab) , run tests on each push master shippable (big fan of shippable here!). coordinate custom piece of software listens webhooks on "head" server, builds/tags/commits , pushes docker image our private registry (at 1 point hosted on same "head" server). custom software webhooks simple custom server on each production machine, pulls new images private registry , zero-downtime-updates new container in place of old. use incredible , awesome nginx-proxy reverse proxy jason wilder on of our docker machines, makes process vastly easier without. if have particular requirements segregating dev/qa/prod images 1 another, suggest sharding backend little possible if keep having more possible points of failure. real strength of docker uniformity of environments can create. when "flip switch" container's task development qa production, change port number container listens on our "dev/qa" port "production" port number, , track these changes in our internal tracker. using multiple records in dns "load balance", , haven't needed scale using actual load-balancers (yet), use load-balancing feature of nginx-proxy image love much, since it's feature built-in already.

if need change our base image reason, make changes in environment (updates, whatever), , work from in our new dockerfile. these changes baked new image, gets pushed our private registry, propagates out production other "regular" code push. should note mirror all of our data on s3 (not our end-product docker images), in case tragic happens , need spin new "head" server (which uses docker of functions). fwiw, heck of price break us, being able move commodity dedicated hardware instead of ec2. luck!


-

Comments

Post a Comment

Popular posts from this blog

apache - PHP Soap issue while content length is larger -

we have developed soap based webservice post data third party webservice. accepts 4 params. in 1 of parameters accepts xml string no size limit restriction put in place. the webservice works fine in local environment running on php 5.2 , apache2. works content length long 10 mb. in staging server running nginx , php fpm.we have updated max post size , max upload filesize in php.ini , client_max_body param in nginx.conf allow upto 50 mb. but webservice client keeps on loading in staging environment. gives 502 timeout , gives soap error. can me understand issue here?
Read more

asynchronous - Python asyncio task got bad yield -

i confused how play around asyncio module in python 3.4. have searching api search engine, , want each search request run either parallel, or asynchronously, don't have wait 1 search finish start another. here high-level searching api build objects raw search results. search engine using kind of asyncio mechanism, won't bother that. # no asyncio module used here class search(object): ... self.s = some_search_engine() ... def searching(self, *args, **kwargs): ret = {} # raw searching according args , kwargs , build wrapped results ... return ret to try async requests, wrote following test case test how can interact stuff asyncio module. # here testing script @asyncio.coroutine def handle(f, *args, **kwargs): r = yield f(*args, **kwargs) return r s = search() loop = asyncio.get_event_loop() loop.run_until_complete(handle(s.searching, arg1, arg2, ...)) loop.close() by running pytest, return runtimeerror: task got bad yield : {results s...
Read more

javascript - Complete OpenIDConnect auth when requesting via Ajax -

the normal openidconnect server works like: you go a.com/secure-resource you 302 server your browser handles , sends identity server you login there it sends a.com via post you logged in on a.com , a.com/secure-resource on browser. however have scenario i'm trying solve need help. the user logged in on idserver the user logged in on a.com the user not logged in on b.com we need send ajax call web server b.com (from domain a.com ) b.com configured use openidconnect. but because request b.com via ajax, user cannot redirected idserver. (all in response 302 ) we can go ahead , handle 302 via ajax (i'm still not sure whether work, security-wise). but is there scenario in identityserver/openidconnect designed these situations? with identityserver in scenario setup server b.com use bearer token authentication, need use access token provided a.com in headers of ajax call $.ajax({ url: 'http://b.com', headers: { ...
Read more