Shipping Our Own Product in a Docker Container

Our Product Development team received requirements late last year that represented a new (but not totally unexpected) deployment scenario that needed to be supported in order for us to penetrate the Federal Government market by mid-2016. We needed to be able to deliver our hosted KnowledgeBase, and its associated REST micro services, entirely on-premises for use in secure networks such as SIPRNET and JWICS.

Because we had already been working on providing support for managing content inside Docker containers as an addition to our core value proposition, our awareness about the possibilities of using Docker as a distribution platform was fairly mature (at least from a strictly technical implementation perspective). As a result, we quickly moved forward with designing and building the new modules into containers.

We also realized additional benefits for our development and processes by containerizing our services. For example, it suddenly became much easier for us to deliver things to the testing environment, so easy, in fact, that we began to use this model not only for the KB services, but also for the Hub product itself. Installer and OS coverage testing efficiency both increased exponentially because we were able to automate these into our CI builds and run against multiple Linux flavors and versions in hours rather than days, as had been the case using more traditional methods.

We have a long tradition at Black Duck of—to put a twist on an old expression—eating our own “duckfood,” which is to say that we use our own products ourselves. It makes perfect sense, because our products are targeted at software development organizations of all sizes, and we do feel that we add a lot of value to this endeavor.

And so it came to pass quite early in the process that we scanned our new Hub containers with the Hub itself.

It was an eye-opening experience to say the least. Coming from a world where we simply had to worry about the license obligations and vulnerabilities in our own application code (mainly Java and JavaScript), the Bill of Materials (which details all of the open source software in the container) we were now confronted with was daunting. Many of the base images we were using had vulnerabilities that we needed to patch before we could distribute on top of them. Moreover, we were now in a position of needing to monitor not only our own OSS jar files, but entire operating systems for vulnerabilities that could crop up at any time post-shipment.

So we added features to the Hub to help us with this. The most significant of these was the ability to match Linux modules to their distribution and patch level. Accordingly, we also found ways to track exactly which CVEs had been fixed in those patches and backports, and which still required attention.
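One way to implement the patch-level check just described, as an added example that is not Black Duck's code: it compares each installed package's version with the version in which the distribution shipped the fix, using a port of dpkg's version-ordering rules, so a backported fix that bumps only the distro revision (not the upstream version) is recognized as a fix. The package list, release name, versions and CVE ids below are constructed placeholders.

```python
# Added example, not Black Duck's code: flag CVEs an image's packages still carry by
# comparing installed versions with the distro's fix version under dpkg ordering rules.
# Constructed placeholders (dpkg-query -W style output; versions, release and CVE ids are made up).
INSTALLED = "openssl 1.0.1t-1+deb8u6\nlibxml2 2.9.1+dfsg1-5+deb8u2\n"
# release -> package -> CVE -> first fixed version. Backports keep the upstream
# version and bump only the distro revision, so matching on "1.0.1t" alone is wrong.
ADVISORIES = {"debian-8": {
    "openssl": {"CVE-XXXX-0001": "1.0.1t-1+deb8u5", "CVE-XXXX-0002": "1.0.1t-1+deb8u7"},
    "libxml2": {"CVE-XXXX-0003": "2.9.1+dfsg1-5+deb8u3"},
}}

def _order(c):  # dpkg character weight: digits 0, letters by code, '~' before everything
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):  # dpkg's verrevcmp: alternating non-digit runs and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # drop leading zeros
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1  # longer number wins
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(v1, v2):
    """<0 if v1 is older than v2, 0 if equal, >0 if newer ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unfixed_cves(installed_text, release, advisories=ADVISORIES):
    """Map package -> CVEs whose fix landed in a version newer than the installed one."""
    findings = {}
    for name, version in (line.split() for line in installed_text.splitlines()):
        for cve, fixed in advisories.get(release, {}).get(name, {}).items():
            if compare_versions(version, fixed) < 0:
                findings.setdefault(name, []).append(cve)
    return findings
```

Running `unfixed_cves(INSTALLED, "debian-8")` reports only the CVEs whose fix revision is newer than what the image carries; the `~` pre-release and epoch cases are handled the same way dpkg orders them.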

All in all, adopting a containerized deployment strategy has been a huge win for our organization, but we also learned that there can be more to it than meets the eye. Make sure you protect yourselves and your customers by carefully inspecting everything you may be getting (knowingly or unknowingly) in the containers you use, and keep careful track of them over time.
