Various container build services let developers build an image with a git push and scan the resulting container for known CVEs (as a paid service). What they do not provide is Dockerfile linting; scanners that report available package updates (rpm, pip, npm, gem); and a build process that rebuilds an image not only on a git push, but also when there is an RPM update in one of its enabled repos or when its base image is updated.
Welcome to the CentOS Container Pipeline project. It provides all of these and more, out of the box, free of cost, on CentOS infrastructure, and with a focus on open source developers. All it needs is a link to the git repo containing the Dockerfile, plus an email address to which all that helpful information is sent. ;)
9. Why yet another pipeline?
● No solution to lint, build and scan images on a regular basis
● No triggers other than a code push to the git repo
● Limited scanning capabilities, and only available at a cost
● No regular scan reports on all the images
● No dependency between images (parent-child relationship)
● No open source solution to do all of these!
11. Flow explained
● PR on container-index (one-time)
● Pre Build
● Lint
● Build
● Test
● Scan
● Deliver (Push) and Notify
14. Pre Build
● Generate binaries/artifacts
● Use the artifact(s) to create image
15. Lint
● Lint the Dockerfile
● Point out common errors and warnings
○ Running privileged container
○ Lack of yum clean all
○ Lack of labels
○ Lack of CMD/EXPOSE commands
16. Build
● Build the container image
● Build through custom build context
17. Test
● Removed from the scope after the CFP :-(
● Different types of testing
○ Code testing (unit, functional, etc.)
○ Container testing
○ Volume mounts
● Users will have to rely on their own CI for now
19. Deliver (Push)
● Deliver the image to registry.centos.org
● Tag the image with the user's desired tag
● The user is notified by email with
○ Cause of build
○ Linter results
○ Build logs
○ Scanner reports
23. Quick Notes
● Canonical source of truth for images maintained by the CentOS team
● SCLo images - nodejs, python, etc.
● Eclipse Che stacks
● Language stacks (go, python, java)
25. Plan
● Major updates in UI
○ Logs, reports, etc.
○ Go-to place for getting started
● “On-demand” build for an image
● OpenShift cluster
● Test images on
○ RHEL
○ CentOS
○ Atomic Host