Our Product Development team received requirements late last year that represented a new (but not totally unexpected) deployment scenario that needed to be supported in order for us to penetrate the Federal Government market by mid-2016. We needed to be able to deliver our hosted KnowledgeBase, and its associated REST microservices, entirely on-premises for use in secure networks such as SIPRNET and JWICS.
Because we had already been working on providing support for managing content inside Docker containers as an addition to our core value proposition, our awareness about the possibilities of using Docker as a distribution platform was fairly mature (at least from a strictly technical implementation perspective). As a result, we quickly moved forward with designing and building the new modules into containers.
We also realized additional benefits for our development and processes by containerizing our services. For example, it suddenly became much easier for us to deliver things to the testing environment, so easy, in fact, that we began to use this model not only for the KB services, but also for the Hub product itself. Installer and OS coverage testing efficiency both increased exponentially because we were able to automate these into our CI builds and run against multiple Linux flavors and versions in hours rather than days, as had been the case using more traditional methods.
We have a long tradition at Black Duck of—to put a twist on an old expression—eating our own “duckfood,” which is to say that we use our own products ourselves. It makes perfect sense, because our products are targeted at software development organizations of all sizes, and we do feel that we add a lot of value to this endeavor.
And so it came to pass quite early in the process that we scanned our new Hub containers with the Hub itself.
So we added additional features to the Hub to help us with this. The most significant of these was the ability to match and Linux modules to the distribution and patch level. Accordingly, we also found ways to track exactly which CVEs had been fixed in those patches and backports, and which still required attention.
All in all, adopting a containerized deployment strategy has been a huge win for our organization, but we also learned that there can be more to it than meets the eye. Make sure you protect yourselves and your customers by carefully inspecting everything you may be getting (knowingly or unknowingly) in the containers you use, and keep careful track of them over time.