@apxltd said in Feature Request: Limit Container Images to those that are inherited from another feed:
Is this Dockerfile typically stored in source control, alongside the application source code? In a world of cookie-cutter microservices and microapps, it seems these Dockerfiles should be nothing more than the absolute basics on top of a base specific image?
Separately, but related... I just read up on multi-stage builds and the Builder pattern vs. Multi-stage builds in Docker, but I'm struggling to see how this all adds up to real-world use inside of organizations?
Is this really a pattern that is emerging?
This all goes together as one is the cause of the other. In many ways, Microservices are and should be cookie cutter. But in many ways they cannot be (and still have reasonable dev practices).
Here is an example:
Consider a medium sized company that has 3 microservices. They use .Net Core 3.1.12 for their auto build. They setup their build servers and they get things working great.
A month goes past and they need a new micro service. They go to develop, it but .Net Core has updated to a newer version. They are now faced with a choice.
- They update the build server to the newer version.
- They make a new build server.
- They develop with the older version of .Net Core
All three options have issues.:
-
Updating the build server means that the 3 microservices are also getting upgraded. Something that may not be in their prioritized list of work at this time. (We almost never do this option.)
-
Making a new build server gets expensive as all most dependencies are always putting out new versions. (We have quite a few build servers because of this.)
-
Using older tech stifles innovation and keeps features and bug fixed that were in later versions of dependencies out of the final product.
We trade off between numbers 2 and 3, as number 1 is too risky for my company.
Multistage Dockerfiles help fix this issue. Each build is done in its own sandbox. The initial 3 microservices can keep using .Net Core 3.1.12 (or a company approved descendent image). They do this because their dockerfile has not changed.
But the new micro service can user the latest version of the .Net Core SDK Container (or a company approved decendant image) in its docker file. And, because of Docker, they can all run on the same build server.
Giving development teams not only control over their own base image, but over the tools to compile/build their code? This just seems to add another layer to what ought to be a very simple process, and more opportunities for supply-chain attacks.
As my company's IT Software Architect this is something I worry about a lot! Hence the reason for my request that started this chain. I need to know that all the containers in the multi stage build file were containers that came from an approved ProGet source. (Not just the final one.)
We use mostly Microsoft technologies at my company. So if some developer goes and downloads a PHP or Ruby container and uses it to build an containerized application, I want them blocked as soon as they try to upload the image to ProGet. This allows me to enforce our technology chain.
How much more would you pay (or encourage your organization to pay) for ProGet if this feature were to be there?
The costs to a company of allowing developers to "just use what works best for them" are big. Management wants to be able to move developers between teams. And as product dependencies get old and need to be replaced or upgraded, each migration plan takes time to come up with. If you have to be making custom migration plans for .Net, Angular, React, VueJs, Ruby, PHP etc as each has a new major version it becomes very expensive.
But developers really like to use the new shiny stuff. And many will just do it if they can. And Multistage Dockerfiles make it even easier because they don't have to ask for anything to be installed on the build server anymore. If you are not really careful, you can get it trouble fast.
I am still planning out how I will enforce our tech stack as we move to containers in earnest. It could be a parsing of the Dockerfile, or it could be a proget hook.
Still, if there were a solution that just worked, it would be worth money to my company. I don't get approve purchases, but I do recommend them a lot. (For example, I just got another ProGet license approved as a Sandbox instance).
My company starts to balk after you get over a few thousand dollars unless the value is really big. For example, the enterprise version is too expensive for just HA features (from my company's point of view). If this container feature was in the Basic version and it went up around 30% I don't think my company would complain.
But small companies just don't need a feature like this. (Not sure of you have small companies in your customer demographics).
And in general you have to be careful about price hikes. ProGet has a nice position in the market right now. It has great features and is much cheaper than its competitors. You could lose some market share if you raise your prices too high.