Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Continuous Delivery Foundation / cdCon 2020 / 20 Oct 2020
Continuous Delivery Foundation / cdCon 2020 / 20 Oct 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CI/CD with Open Source Screwdriver - Jithin Emmanuel & Tiffany Kyi, Verizon Media

Description

CI/CD with Open Source Screwdriver - Jithin Emmanuel & Tiffany Kyi, Verizon Media

Now part of the Continuous Delivery Foundation, Screwdriver is an open source CICD platform, originally created and open sourced by Yahoo/Verizon Media. At Yahoo/Verizon Media, Screwdriver is used to run more than 60,000 software builds every day. Yahoo! Japan also uses and contributes to Screwdriver. In this session, core contributors to Screwdriver will provide an overview of its features and capabilities, and how it is used at scale covering use-cases across Mobile, Web applications and Library development across various programming languages.

A

Hello, everyone welcome to this talk on ci cd at verizon media using screwdriver. I am jitin emmanuel.

A

uh I have with me tiffany, who is my colleague from ryzen media uh talking about myself, I'm an engineering manager with verizon media for my yahoo, and I am also the product owner for open source screwdriver and I ensure running, and you can find me on github at github.com e.

B

Hi everyone, I'm tiffany, I'm a software engineer. I've been working on screwdriver for the last five years and in my spare time I like to play volleyball and read, and you can find me on github at tky.

A

All right uh speaking about screwdrivers screwdriver is an open source product which is built for continuous delivery. Screwdriver is built on top of other open source technologies like kubernetes docker node.js go line.

A

This is a one of a quote from one of our partners from symphony aram, who is also using screwdriver for their builds.

A

uh These are some stats from screwdriver product usage within verizon media, so we have over 30 000 build pipelines which runs over 30 000 daily bills. So our use cases spans from mobile builds uh like ios, apps, android, apps and a lot of uh bills which pertain to specific programming languages like java, nodejs golang.

A

Also, we run thousands of deployment pipelines where we use technologies like chef or just plain ssh and few of our internal tools to manage deployments to our thousands of hosts, and uh we provide multiple programming languages uh through something called templates. So templates is a way which is a feature and screwdriver wherein you can expose common, build solutions.

A

We have templates pertaining to building uh node.js apps how to deploy it and uh other programming languages. Like java golang, we run over three build clusters in screwdriver. Your build farm is called a build cluster and we operate three of them, uh so some of them are on-prem and we also support a jenkins-based build cluster which is used for building our ios applications.

A

We have over 400, build nodes and roughly around 10 15 application notes and speaking about the history of screwdriver, it's gone through multiple iterations. It started off as an internal product at yahoo in 2011, and we open source that in 2016, after seeing the tremendous value it brought to our internal developers and uh ever since then, the product development, hap and product feature will work. Everything happens in the open source and uh we have a notion of tying to a developer's daily habits, which is nothing but writing code testing and to the release.

A

So we enable a git ops kind of model where everything is checked into our source. Control management system and developer creates a pull request. Then screwdriver stats support, request flow and, uh if everything looks good, then the pull request is merged and ultimately it stacks your production, workflow and how this is all ties up is through this yaml configuration file.

A

So we call this screwdriver.yaml. It's uh it's! It's not if it's a pretty simple syntax, where you simply define your jobs and its configuration in this specific example, it has two jobs, build and publish and uh it deter and it defines what conditions from a job. So in the first job, if you see it says it requires full pr pull request and commit.

A

So that means this job runs whenever there is a request or a commit to the source control management system, and then it defines what docker container to run the build, and it defines a bunch of steps in the second job you see it has a requires on the build. So this is how you build relationships between jobs and this yaml config. We visually represent it on a nice workflow graph, where you can see on the right side, it shows relationship between the jobs and the conditions for triggering it.

A

So, as you can see from this configuration, it shows like it uses an image that is a docker container and it uses a node container, so we do containerize builds. So what that means is, you are built, it's run inside a container and all the dependencies and libraries which is needed. Your build can be provided within the container and uh we ultimately, where you execute your build, is based on something called a build executor.

A

We have multiple versions of it and you can define, say: okay, it should run on a cube and it is or it should run directly on a docker and if you want a stricter build isolation, which is especially important in our use case, because screwdriver is a multi-tenant environment where you have different teams unrelated coming and building their applications.

A

So in order to ensure strict security and build isolation, we go one level deeper and we use a different kubernetes, runtime environment called cutter containers and that provides lightweight virtual machines where you can run your build. So so you give a bit more build isolation. So, prior to cutter, containers became production ready. We used to use another technology called hyper d. That is all that also provides you a vm based build executor. But right now all our efforts have been on opera productionizing cutter container runtime within ryzen media build clusters.

A

This is how it looks on a higher level on how screwdriver interfaces with kubernetes so from the screwdriver api screwdriver determines what is the build executor to use and if it sees kubernetes is the executor, then it goes and schedules the build. So internally within your kubernetes cluster, you can configure what is the time, so we use container d to set kata a seven time and ultimately, your build board will be executed using cutter containers a certain time so on a bit more higher level.

A

This is how the screwdriver architecture looks like you have the user, who is going to interact either using an acm source control management system like github, or they come and use the screwdriver it ui directly and all the actions go through screwdriver api, which schedules the build, and we do log storage. We provide a bit of cash and ultimately, the built-in mains weather, where the artifacts are published, um to look into how the verizon media has implemented this architecture.

A

This is a diagram which shows how the various components within our build infrastructure.

A

So we have the so we use an on-prem uh cloud model uh model where screwdriver application is deployed or running on aws cloud, but our build clusters. They are running on our own from data centers so that it can talk to various internal systems and we have the screwdriver ui api or running in nws.

A

So, ultimately, all the bills they get directed to a rabbitmq based queuing system which determines which build cluster, the queues or the bills should be routed to so uh then we have this workers running on data centers, which picks up the build and they get sent to either kubernetes or to jenkins, based on the build executor configuration so our ios bills. They runs through jenkins, while the rest of the bills goes through our kubernetes infrastructure.

A

So, as you can see from the diagram, the each build talks to a bunch of other systems like docker registry artifactory and each bills are also given an identity so that it can be used for doing secure application. Use cases like deploying somewhere using ssh credentials.

A

So each build is given at short-lived ssh, cs search used provided by a certificate authority which we maintain internally, and we also use athens, another open source product from verizon media, which gives us x, 509 certs, which that can be used further used for role-based access control use cases.

A

So if you have any questions on this, we can. uh We are happy to take questions at the end of the talk.

A

uh These are some of our stats from our prometheus metrics, so we use prometheus to monitor a wide range of metrics like our application, health. That's what is shown here. It shows the response times and uh how our api ports are behaving.

A

So we we run our api using apjs library, and these are the metrics which are exposed by happy js prometheus to consume, and we connect that to our grafana dashboard, where this data is finally exposed for our first development and uh another metric we track religiously, is how long a build is in our queue.

A

So we have multiple uh build clusters and we want to see- or we want to make sure that the build weighs as low as possible within the queueing. So we should have enough capacity to run our bills, so this matrix tells us how long a build is waiting to get scheduled or executed, and we also look at something called the setup time. That is a time taken for a build to set up the container, and we want to bring that as low as possible.

A

We do optimized caching to make sure that frequently used containers are cached and so that our user builds a very fast set of time.

A

That's pretty much what I had to share and uh any questions on this we will take at the end so now after tiffany to do a case study on one of our pipelines. Thank you.

B

All right, so I'm gonna do a demonstration of a couple of features in screwdriver based on our api pipeline, so just to demonstrate our pipeline. Here's an overview there's a graph here. This is our pipeline page and, as you can see, there's each one of these bubbles is a job. So there's a main publish beta job and the ones on the left are.

A

The ones.

B

That trigger this pipeline, so there's also some remote ones here, um like this pipeline sd at 73 is pipeline 73 and you can navigate to it by clicking on the bubble directly and what this means is once this artifact bookend finishes not bookend pipeline finishes running successfully.

B

It will trigger this api pipeline to start at this main job.

B

So, just to give you an idea of what that looks like in code, here's our screwdriver yaml, which is a configuration to set up the workflow for your pipeline and a bunch of other configurations, um and just to do that connection that I mentioned earlier with the remote pipeline trigger you just need to add another requires field, so the pr and commit are if a pr is um merged or if a commit is merged and to trigger your pipeline based on another one. You can just add another field with the pipeline id and job.

B

Some other features that we have in screwdriver.

B

As you can see here, we have annotations. So this annotations is just extra configuration uh some things depending on how your cluster is set up. You can configure things such as what type of ram or cpu you want to use. In this case, we wanted to opt for the turbo ones.

B

Some other features we have are secrets so, instead of just adding an environment variable as on this line here, unlike node options, you can also add a secret environment variables that are stored directly in screwdriver and by having this line here, I'm just mentioning the name of the variable.

B

It means that this main job will have access to this secret, and I can show you how the secrets are stored here on the secrets: tab in your pipeline. Here's a list of all your environment variables and you can easily add more on this line here.

B

Some other features we have that we're using.

B

um So I mentioned the concept of a job, so this main is a job here, there's also the published job, and if you look at the lines um 17 here, here's a list of all the steps that occur in main, it's just a bunch of commands that you might run from a command line normally so in the publish job we're actually replacing. All of these steps by using a template, so template is just the idea of replacing a whole job, so the template will have similar things like a bunch of steps.

B

What image, which is the docker container, that you're using and all these things to kind of, simplify your job configuration and another thing we've done in this published job is we've added this command here. A screwdriver command is similar to a template, in that it kind of simplifies your configuration, but instead of replacing a whole job, the command just replaces a step, so it might be like a bash script or something like that.

B

So, if you want to look for which templates are available, they're published publicly in your screwdriver cluster, so other users can also access them so, like here you can search by namespace like I want to find all the golang namespace templates, and you can look at um what a template will do so here it'll tell you how to use it, what steps are run and that template and all the different versions available.

B

Similarly, we also have a commands page that is shared as well. Some other things we're doing in this yaml. We also have this shared line here, which means, instead of having to rewrite like if all of your jobs want to use the same image such as node 12. In this example, you don't have to write it over and over again in each job. You can just put it under shared, and let's say one of your jobs needs a different image.

B

You can just replace it in the specific job that you want, and the last thing I'm going to mention in this demo is the cache. So we have this feature in screwdriver called the cache where you can reuse.

A

Previously,.

B

Downloaded or installed modules or files, or anything like that so in this example, it'll be our node modules and you can specify like what scope and there will be a link on the next slide for more details. But in this case I'll show you really quickly.

B

um The previous pipeline that we're looking at our api pipeline, if you look in the previous in the first step in the teardown, there's a cache teardown step, and here it's uploading files to the cache and then in the subsequent job. If you go to the publish job you can see in the setup step under the cash bookend, it's downloading those files, so it should save a lot of time, so you don't have to re-install a bunch of things that you're going to share within the same event and just to go back to the slides.

B

This is a list of all the things that I just mentioned earlier in the demo and a link to the documentation for it. If you want to read more about it and for users, we have.

B

An easily accessible screwdriver cluster that you can look at if you just want to read and like click around, to see how screwdriver kind of looks and feels.

B

Unfortunately, it's not open to the public right now, because we use this to build our own screwdriver, but you can still log in as a guest and read uh and look at different pipelines.

B

So here's a bunch of links, if you want to see our home page, it's screwdriver.cd and there's also documentation contributing section, and we have a slack and blog if you want to follow along.

B

If you have any questions, feel free to ask or contact us now, so here's just our contact yeah! That's the end of our talk.

A

Hello hi. Thank you everyone for listening, um so we are open for questions and I see that there are a few questions already. There was some question around slides. I think provided that in the chat. Then there was a question on rabbit empty usage.

A

So that's an optional component which you can use if you have multiple build clusters, and it also lets you if the individual team says okay, I have my bill should only run in specific hardware or teams are free to bring their own build clusters and that can be registered as its own build cluster.

A

There was a question on how to create hundreds of jobs of pipelines without repetiting code uh and what we gave an example of another feature called external config.

A

Then there is also templates and shared commands where you can create reusable configurations.

A

And how much is this flexible with hybrid cloud non-cloud? So that's kind of the model in which we also operate. The screwdriver itself is running in verizon media in a hybrid model.

A

We have our application running in the cloud, that's where our users go and use the ui create their pipelines and the builds themselves they are running in on cloud exam and so on. So that's where the build clusters come into picture and this allows our organizations to uh do deployments to their production servers which are running in our corporate environment.

A

So this is question of. Why is qatar used so so, as we explained earlier, so we enabled content rice bills right, and that means that your bills are going to contain equipment, environment and within a big organization. We have different teams like yahoo mail, our finance, all of them using scootraver to build their applications, and so we operate in a multi-tenant model environment and we want to make sure that the bills get the strictest isolation possible.

A

And so we use kata, say kubernetes runtime, where we get a bit more uh security and uh and such a virtual box. I don't think that's something which was in scope of a project. So we were looking at something which aligns more with kubernetes and its runtime and uh cut up.

A

We felt that aligns with our use cases and that's why we went ahead with kata after doing with prototyping on other technologies,.

A

Also, one thing I want to highlight is that screwdriver is an open source project and currently we are an incubation project with continuous delivery foundation.

A

uh So this has been a great experience so far, and uh I want to thank the foundation for the silicon conductance of city corn and giving us an opportunity to present our talk about screwdriver, and we are also participating in october 1st through our association with the continuous delivery foundation.

A

I think the details are in our home page screwdriver.cd, and if anyone is interested in contributing to screwdriver, we are october 1st. We are more than welcome to guide you on uh on setting things up and we have a. I believe we share the slides. The slides has a few useful links where you can see our documentation, our slack channel, where most of the team usually hangs and uh yeah. We are more than happy to help all right.

A

If, uh if there are more questions, I think we'll hang around in the chat and try answering, but thank you. Everyone for your time, greatly appreciated.