Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Buildpacks / Conference Talks / 6 Jan 2021
Cloud Native Buildpacks / Conference Talks / 6 Jan 2021
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Buildpacks: The future of containers? - Eamon Scullion - NIDC2020

Description

Cloud-native buildpacks provide organizations with a way to build consistent, more secure, and more efficient docker images. The session will be a deep dive into Cloud-native buildpacks, and how they work when compared to traditional Dockerfiles. The session will also explore the benefits and tradeoffs when transitioning to build packs and how they solve some of the industries most challenging problems.

-- Buildpacks - The future of containers?
-- Eamon Scullion

Broadcast at the Northern Ireland Developer Conference 2020
-- Day 1 / Track 2 / Talk 4

A

Hi, my name is eamon scullion and I'm a software engineer at undersquare. This talk today is about build packs, an alternative to docker files and cover a lot of different topics such as why people use docker files and docker in general, and then some of the benefits they might get from some other options out there. um So, first of all, let's talk a bit about the prehistoric days, um also known as before, 2013..

A

So back in those days, there was clear separations of concerns, developers used to focus purely on their apps, and then we had operations, people who would focus more around the actual hardware infrastructure, networking side of things, um so a developer would be happily developing their features and once they're done they'll package it up, maybe in a jar or binary or something executable and pass it off to an operations person.

A

One problem we find with that is: whenever they finally get to releasing that package, they might come across some issues which is related to maybe it works on my machine common phrase that would come from developers.

A

It might just be differences in environments in 2013, docker came along and that kind of changed the way developers work. So it kind of changed all the responsibilities so uh developers now more prior to say, here's, the environments. I want my apps to run in and it can be consistent across environments before we get to that, though um a little intro into what docker is and why people use it. So the first thing is: what is a docker container?

A

It's a standard way of packaging, your app and all its dependencies and provides good separation. So you can run apps in isolation all in the same machine.

A

One important difference between a container and a fertile machine is a container shares the actual underlying operating system, whereas in a virtual machine it has a separate operating system for each virtual machine and other concepts to be aware of is a docker image, which is um what we actually run in order to get a docker container. It kind of outlines um all the setup for your app and dependencies and all that is defined by dockerfiles.

A

So some of the benefits we get from dockerfiles and docker in general is we have consistent environments between a developer's machine right through to all their different production. Environments will no longer have the it works online machine problem and it's portable and can run anywhere where you can install docker, so um all common platforms, um and yet it's perfect for isolating apps from each other. So it's ideal for microservices architecture.

A

Some of the problems it introduces that we briefly touched on is developers now have the ability to outline their entire stack, so not only their application code but the runtime and also the underlying operating system. But when you speak to developers, we we don't really look too much in detail into the actual underlying things that are happening. So if you ask someone what operating system is actually used for your docker container, they might not be able to answer so touching on dockerfiles.

A

So it's a way to outline how your docker image is constructed, and here you see an example- that's written in node. So overall it looks fine, it's perfectly filed. It does what it's meant to, but if we dive a little deeper into it, we can see that maybe there's some questions that need answered, such as we are using the node-based docker image, but has anyone actually checked to see what operating system that runs on?

A

Has anyone checked that for any fun abilities as well as that we can see there's no image tag used, so it will pull down the latest every time, which means that your builds may differ throughout time, depending on when things are released um as well as that we are using quite a large base, docker image, so that brings along with it a lot of libraries and extra things that we don't really need.

A

One downside of this is it kind of increases the attack surface, so there's more areas for attackers to attack your app and, lastly, we can see there's no user defined, so this container will run with root by default and depending on your system. This may mean that if an attacker gets into your container, they can access your docker host and maybe spin up some extra containers and install malicious software.

A

As a summary, we can see that it's easy to get set up with dockerfiles, there's loads of materials to get started and generally when you are starting to learn, usually you'll, go to stack overflow or blog and you'll kind of copy what the experts are doing, but you may not necessarily look into what's happening underneath and that's kind of where the problems come from.

A

Unfortunately, container security is more of an afterthought for developers and I don't think it can be expected for all developers to know all the best practices and in the night of docker, as you can see here, here's like a summary of the top 10 docker security practices. That's provided by snick. You can see the link for yourself, I'm not going to cover all these, but we have covered some of them in the previous examples and I'll show how build packs can solve all these problems out of the box.

A

Also, some haunting statistics also provided by the state of open source security by snik. So, as you can see, there's a list of the most popular and official docker images and there's kind of some scary statistics about how many vulnerabilities each of them have if we actually look into where these vulnerabilities come from.

A

Most of it comes from all the kind of underlying libraries that's pulling in. You can see that, as you slim down your image and kind of cut things away that reduces the vulnerabilities.

A

Another answer as well is the operating system that it's using, maybe it's using ubuntu, but an older version, so they're the main kind of areas that you'll you'll get vulnerabilities.

A

Another thing as well: there was a survey sent out to organizations asking how aware they are of dependencies in their software, so um how well they can keep track of direct dependencies that they use in their app and also indirect dependencies.

A

So, as you can see, there's kind of crazy stats of only 28 people or of organizations are happy with how they track dependencies.

A

There's also an important concept, which is bill of materials which is actually knowing everything your app pulls in and it's it is kind of difficult to keep track of that if you're not using some open source tools or you're not actively looking for it. um So why? Why does any of this matter? So if you do discover a security vulnerability, how do you go about fixing it?

A

So, in the examples I described, if you're working in a large company, you probably have hundreds of code repos, so you'll have to reach out to every team and coordinate with them.

A

They also have probably differing ways of doing things for every team, so you'll have to get used to seeing many different types of docker files and because of the way docker caching works once you make a change, a high level change such as changing the operating system that your container is using. It's going to have to rebuild the entire image. So this could be quite a timely and lengthy process and it's really more of a chore, whereas you could be doing more important things for your business.

A

So is there another way and another way is using build packs. So what is buildpack as part of the cloud native computing foundation? They released um build packs in 2018. It was mostly started by heroku and pivotal who've been using it on their platforms for many years. I think 2011 is when hiroki started using it and the the general idea is that it takes in some source code. It detects what kind of app it is. It decides how to build it and it gives you a docker image and the key difference between the resulting image.

A

Is you receive an image with much more layers and they're, not really tied together, you're free to update things individually, so the build times and the speed is a lot faster.

A

um The main advantages of this is we have reusability, so you can have one build pack for all your apps. So if you have uh 20 java micro services, you just need one build pack to maintain and you can use that for all of your builds as well as that you have fast builds because you're only building the layers that you actually need. So it accomplishes this by rebasing, which we'll cover later on. uh We can also do modular things.

A

So if you have a an app, maybe it's a react front end and java back in you can now have a build pack made of different build packs. So you have one way to build your entire stack and also it's safe. So if you're using all the community support at once, they'll have all the latest security requirements built into them, and also you have the option to build your own.

A

So you can federate that for yourself how to actually work is we can see the lifecycle here so, first of all, it detects what type of apps that you're building and it's like the appropriate, build pack to use. We also have an analysis phase, so it'll analyze and see.

A

If there's any areas, it can reuse layers, it does the building where it actually takes the build packs and runs them against your app and then it exports them, leaving you with a docker image that you can push to docker hub or your own registry, and then finally, it catches some layers for use in your next build.

A

How does this look for developers, so we showed previously what things look like back in 2013 and now today, where developers have full control now we can go back to developers only caring about their application code.

A

They don't really have to worry about what is happening underneath where it's being deployed, it can still be put up to operations or devops and it'll be transparent and shared across your whole organization.

A

So whenever a developer does a build, they'll provide the app code and then it's the actual, build packs that does the rest of the job.

A

So we were going back before talking about what do you do in the case of a security fundability?

A

Now it's a lot more simpler because we were saying before that you had to rebuild entire images just to make one change, but with build packs you can just swap out individual layers, it uses rebasing. So it allows you to like mentioned um just do one layer at a time swap it out, and that means, rather than spending weeks, updating all of your apps. You can now do it in minutes.

A

In the this example, we're going to update the heroku version from 16 to 18, and we can just do that by replacing a single layer just popping it out, and it's done in one place and now it's replicated for all of your apps and, like we mentioned with dockerfiles, we would have to do this for absolutely every file. So every code, repo, there's a list of more advanced features that I never I haven't covered yet. But the important ones to call out is bill of materials.

A

So you can have a full view of all dependencies and indirect dependencies that your app uses and the the new abilities that you have, such as doing things modular and showing them across your organization.

A

How to get started so the main way you get started is using the pack command line tool.

A

Whenever you do get started, you can run suggest builders, and it will provide you with a list of builders that the maintainers of this recommend and usually their build packs that have been used for many years in heroku and pivotal cloud foundry.

A

If you do have your own requirements, you can build your own I've attached a link here as well with extensive documentation if you do want to get started as well. First of all, you just set your default builder in this case cloud foundry, and then you can just run packed, build to build your app, and this will work with all main languages, so java.net javascript go etc.

A

um How I actually got into looking into build packs, was spring boot. 2.3 brought in build packs and played around with it. So with out of the box. It just provides you with a new command that you can run with gradle. It's a build boot image and I'm moving its spring boot build image and it makes use of piquito build hacks and allows you to out of the box with very little configuration make use of build packs.

A

The main thing I noticed about this was actually the performance, so I was used to building and pushing hundreds of megabytes worth of images, but with this simple change it got down to kilobytes, so my usual build would take minutes. But now it's just taking seconds and like mentioned before for other frameworks, I highly recommend using the pacman command line tool and, um if you're, using a specific platform, whether it's roku cloud, foundry or google cloud platform, they provide you with first class tools and build packs for their specific platform.

A

So you can get the most optimal images possible.

A

I've also included links here of things. I've discussed, such as the docker security, best practices, as well as the snic state of open source security and also a link to build packs. But if you have any questions here is my contact, email and I'll also be around in the chat.