Ressourcen

Whitepaper

Selecting an enterprise container image registry

INTRODUCTION

The need for a storage solution designed for container images arises as platforms like Kubernetes become the new standard for cloud-native application development. Traditional blob storage doesn’t address layered file systems and other aspects of container image artifacts. Container image storage should be secure, fast and stable at scale, and automation-friendly. This technology overview discusses the features all container registries share and the necessary feature set of an enterprise grade container image registry.

CONTAINER TECHNOLOGY OVERVIEW

Containers allow organizations to run their applications reliably in any computing environment by encapsulating all of an application’s dependencies. This self-contained artifact is referred to as a container image. One or more running container instances can be created from a container image. These images are then run on an orchestration platform like Red Hat® OpenShift®. The container image encapsulates everything an application needs, including the code, system tools and libraries, and generic settings.

While hypervisor-isolated virtual machines (VMs) similarly offer portability, containers offer an abstraction between the operating system system and application levels, which consumes fewer resources than a VM. Linux kernel features such as namespaces and cgroups work together to isolate running containers, making it possible to safely share the underlying compute resources. Containers are suitable for automated, highly dynamic scaling, and for automated migration in failure cases, because they decouple applications from individual hosts, often referred to as “compute nodes.” The discrete nature of software containers can help teams decompose complex feature sets into architecturally independent microservices that can be rapidly and independently iterated.

Figure 1. Container image life cycle

Container adoption has accelerated over the last several years. According to a report by Datadog, container usage increased by 40% between 2016 and 2017. Once an organization begins down the path of containerization, its proliferation often accelerates. The same report found that container adoption quintupled in production in the first 10 months.

To be able to deploy containers, container orchestrators require a registry where images are stored. Consequently, container registries are now a critical part of a modern software deployment pipeline.

CONTAINER REGISTRIES

Container adopters can choose generic blob artifact storage or a container-specific registry solution for storing images. Generic storage solutions typically treat images like binary objects and are severely limited in their ability to inspect inside the container image. However, container images use layered file systems and often come with a manifest that details what is inside. This allows container-native tools to perform more detailed auditing, security scanning, and performance optimization. Image registries are designed specifically for container images, so they provide a more robust, scalable, and better informed solution.

The registry specification was recently made independent via the Open Container Initiative (OCI) Distribution Specification project. All container registries on the market today have the core functionality in this specification: the upload (push) and download (pull) of container images. However, many organizations need a registry with additional features to make it suitable for use within their environments.

ENTERPRISE REGISTRY REQUIREMENTS

SECURITY ROBUSTNESS AND SPEED AUTOMATION
Support multiple authentication systems and identity providers High availability and scalability Build trigger
Vulnerability scanning Geosynchronous replication Git hook compatible
Encrypted command-line interface (CLI) passwords Continuous, zero downtime garbage collection Robot accounts
Detailed logging for auditings Torrent distribution Webhooks
Organizations and teams supported Integration with multiple storage backends

Extensible application programming interface (API)

 

An enterprise-ready registry should have security at the center of its design. It should:

  • Support multiple authentication systems.
  • Come with role-based access control (RBAC) management to ensure fine-grained access control of the registry.
  • Use vulnerability scanning capabilities to prevent compromised images from being deployed.
  • Record all registry activity in auditable logs so administrators can trace any activity back to a single user.

An enterprise registry must be robust and fast at scale, highly available, geographically replicated, and optimized for automation. Robot accounts and git hooks reduce the possible amount of human error and lag time from the deployment process. Garbage collection should also be automated and require no downtime.

INTRODUCING RED HAT QUAY

Red Hat Quay was the first enterprise container image storage solution on the market, and it includes features like:

  • BitTorrent downloads to decrease wait times.
  • Geosynchronous replication for redundancy and to increase the speed of downloads.
  • Automatic and continuous image garbage collection to efficiently use resources for active objects without requiring scheduled downtime or read-only mode.

Red Hat Quay features Clair, the popular open source container image scanner that analyzes vulnerabilities. In addition to being security-centric, Red Hat Quay provides a high level of automation and customization with the following features:

  • A flexible and extensible, feature-rich application programming interface (API).
  • Compatibility with multiple storage back ends and identity providers.
  • Easy user interface (UI).
  • Time machine that allows users to view all tags in the repository for up to two weeks and revert tags to a previous state.
  • Automated software deployments using robot accounts.

Red Hat Quay is backed by Red Hat’s team of technical experts and support services, which have served enterprise customers for decades.

CUSTOMER SUCCESS STORY: CISCO

When the Enterprise Platforms Services group at Cisco set out to select a container image registry for their multidatacenter architecture, they determined that they needed a solution with:

  • On-premise compatibility.
  • High availability.
  • Ability to restrict where images were pulled from.
  • Enterprise RBAC.
  • Vulnerability scanning.
  • Clear and effective UI.
  • Excellent vendor support.

After evaluating several offerings, they determined that Red Hat Quay best fulfilled all their requirements. In 2016 they successfully deployed Red Hat Quay to over 5,000 users and 420 organizations within Cisco. The Quay team provided architectural guidance on how to set up high-availability deployments and has continued to be highly responsive to feature requests and bug fixes. In addition to the Quay team’s responsiveness, Cisco users have appreciated Quay’s vulnerability scanning, build system, and UI.

CONCLUSION

Recent surveys show that the velocity of container adoption is increasing. In the coming years, major enterprises will likely have an increasing number of production applications within containers. As organizations select registries to host their container images, it is important that they select a secure, robust and fast at scale, and automatable solution, like Red Hat Quay.

To request a 30 day trial or demo of Red Hat Quay, contact us.