The big thing about Amazon’s announcement of a new container registry service coming later this year is the identity and access management layer it will provide, at least according to Avi Cavale, co-founder and CEO of Shippable.
Shippable also announced an integration with Amazon’s EC2 Container Service that will include the AWS registry when it launches later this year.
“It’s all about permission management of rules between machines, what can pull from machine to machine,” he told The New Stack’s Alex Williams.
“[Amazon has] an identity access management layer that has been hardened over the last probably seven to eight years, and containers have just been added to that. So suddenly, if you’re on my production machine, only you can pull these production images, because I don’t want you to pull these golden images, which are security-hardened into non-production machines so it can get contaminated.
“You can use security rules, you can control a lot, and I think every IT manager has to be thrilled to have all this under one identity umbrella. … It’s not just human identity, machines have identity. It’s machine-to-machine identity. Amazon is built around having that built natively into its infrastructure.”
Amazon also is launching a service scheduler that runs containers across multiple AWS availability zones, a Docker Compose integration and an ECS command-line interface.
The new container registry will fully integrate with its EC2 Container Service, unveiled at the conference last year.
Amazon CTO Dr. Werner Vogels told the crowd that customers could create their own repositories for storing and launching container images, but many don’t want to because it takes resources they’d rather use elsewhere. And for smaller companies, those required resources make it prohibitive.
“This makes it part of the development process,” he said of the new service.
Customers have said they need a registry that is highly available and scalable, globally accessible, and able to support deployments that span two or more AWS regions, AWS evangelist Jeff Barr writes in a blog post.
Amazon EC2 Container Registry (Amazon ECR) will:
- Be a fully managed service with no software to install or infrastructure to scale.
- Integrate with AWS Identity and Access Management (IAM) to simplify authorization and to provide fine-grained control.
- Transfer container images to and from Amazon EC2 Container Registry via HTTPS.
- Support the Docker Registry HTTP API V2, allowing you to use Docker CLI commands or other Docker tools.
- Integrate with third-party developer tools through partners including CloudBees, Codeship, CoreOS, Mesosphere, Shippable and others.
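The "fine-grained control" in the list above is what lets a production host pull only production images, the point Cavale makes earlier. As an added example (not code from the article, from AWS or from Shippable), the block below writes out a pull-only IAM policy for a production instance role and includes a small checker that flags ECR grants broader than that pattern. The region, account ID and repository name are placeholders, and the action names are the ones `docker login` and `docker pull` exercise against ECR; `ecr:GetAuthorizationToken` is registry-wide and is the one action that legitimately needs `Resource: "*"`.

```python
"""Added example: a pull-only Amazon ECR policy for a production instance
role, plus a linter that flags ECR grants broader than that pattern.

Assumptions (not from the article): the region, account ID and repository
name below are placeholders; the action names are the ECR IAM actions used
by `docker login` and `docker pull`.
"""
import json

# Actions a host needs in order to run `docker pull` against ECR.
# GetAuthorizationToken is registry-wide by design, so it must be granted
# on Resource "*"; the image/layer actions are repository-scoped.
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}
REGISTRY_WIDE_ACTIONS = {"ecr:GetAuthorizationToken"}

# Placeholder identifiers (assumption): replace with your own values.
PROD_REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/prod/web"

# Least-privilege policy: the production instance role can log in to the
# registry and pull from exactly one repository. It cannot push, and it
# cannot pull from any other repository (staging images, for instance).
PULL_ONLY_PROD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegistryLogin",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
        },
        {
            "Sid": "PullProductionImagesOnly",
            "Effect": "Allow",
            "Action": sorted(PULL_ACTIONS),
            "Resource": PROD_REPO_ARN,
        },
    ],
}

# The shape to avoid: every ECR action on every repository. Any host that
# carries this role can push to, and so contaminate, the production repo.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    return [value] if isinstance(value, str) else list(value)


def find_overbroad_ecr_grants(policy):
    """Return findings for Allow statements that exceed repository-scoped
    pull access: write or wildcard actions, or pull actions on a wildcard
    resource. An empty list means the policy matches the pull-only shape."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if not action.lower().startswith("ecr:"):
                continue
            if action in REGISTRY_WIDE_ACTIONS:
                continue  # legitimately needs Resource "*"
            if "*" in action or action not in PULL_ACTIONS:
                findings.append(f"{sid}: non-pull ECR action {action}")
                continue
            for res in resources:
                if res == "*" or res.endswith(":repository/*"):
                    findings.append(f"{sid}: {action} on wildcard resource {res}")
    return findings


def policy_json(policy):
    """Serialize for `aws iam put-role-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(PULL_ONLY_PROD_POLICY))
    print("tight policy findings:", find_overbroad_ecr_grants(PULL_ONLY_PROD_POLICY))
    print("overbroad policy findings:", find_overbroad_ecr_grants(OVERBROAD_POLICY))
```

Attach the serialized document to the instance role of the production hosts (the machine identity Cavale refers to) rather than to a user; the role that builds and pushes images gets a separate policy with the upload actions, scoped to the same repository ARN.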
Shippable co-founder and CEO Avi Cavale spoke with The New Stack’s Alex Williams about how Shippable fits in with Amazon ECS, namely that it handles much of the infrastructure that runs containers behind the scenes.
Shippable’s integration with ECS, which is available now, will allow users to deploy Dockerized applications from any Git-based source to Amazon ECS without having to write any special DevOps automation code.
Shippable says in its announcement that it provides the workflows around the ECS services, including continuous integration and image management as well as deployment and configuration management.
In future versions, users will be able to fully configure, provision and deploy containerized applications on AWS, using the Shippable pipeline to manage load balancing and cluster instances and to push and pull images from Amazon EC2 Container Registry, according to the company.
Cavale described how Shippable fits in Docker Compose, a tool for defining and running multi-container applications, and Amazon’s other container plans.
The whole deployment of managing the container service, figuring out how the routing rules change, all of that is handled behind the scenes by ECS, he said.
“You have an infrastructure that runs containers. What you need now is what are the different versions of different images of these containers that should run in beta vs. stress test vs. production, and I want to be able to roll back and roll forward those versions with one click. How is that related to the changeset in GitHub? Did that changeset actually go through CI before we actually built an image that could be deployed into this container service? This entire pipeline is what Shippable is focused on,” he said.
Shippable’s focus is not to host containers, but to create containers that can be continuously deployed.
“We want to bring containers all the way from source code through CI, create immutable Docker container images, push it to a registry and have that entire history, including that application manifest of what versions of container are [making up] my application 1.0 version or whatever version it is. The whole concept of an application is getting lost in this microservices world.
“What people are doing without containers is they build this golden image. Then they name that file in a particular way, then they maintain all those golden images … and use that golden image to get it deployed. That golden image is too heavy because it’s a VMDI or something of a virtual machine image.
“What we’re doing with Docker containers that can be made super lightweight means you no longer have a monolithic one image. You’re going to have 20 containers that’s all microservices, now we need to manage 20 golden image versions of the container. So very soon, it’s not humanly possible to keep track of all these things. So we have a platform that makes that automatable. We have CI which tests your code and CD which gives you continuous delivery of those version images and version manifests of an application.”
A number of rivals, however, including Docker, have already made their play in container registries. That raises the question of whether the AWS container registry will displace the Docker registry for AWS users.
The Docker Trusted Registry, formerly known as Docker Hub Enterprise, became part of the AWS Marketplace last month. The registry, unveiled in June, also is available on the Microsoft Azure Marketplace and from IBM.
The Docker Trusted Registry server integrates with existing authentication systems through Lightweight Directory Access Protocol (LDAP) and Active Directory. It also offers role-based access control (RBAC) and audit logs for authorization and compliance.
The advantage of using Amazon’s registry, however, is that it will use AWS Identity and Access Management (IAM), which provides fine-grained control, for example machine-to-container-registry authorization for Docker images, similar to Kerberos authorization for servers, according to Manisha Sahasrabudhe, co-founder and head of marketing at Shippable. Overall, Amazon’s offerings have better integrations with other Amazon services, potentially have lower network latency, and help reduce network charges, Sahasrabudhe said.
There are a host of competing registries.
CoreOS announced a stand-alone Docker container registry for private deployments last October.
The Google Container Registry also has emerged from beta. Container images stored there are encrypted at rest, and the access is authenticated using Google Cloud Platform OAuth, and transmitted over SSL.
With SUSE Linux Enterprise Server 12, which includes verified pre-built images, SUSE enables customers to build a private on-premises registry using Portus, an open source front-end and authorization tool.
And Red Hat has created a container certification program with independent software vendors (ISVs) and a container registry of certified images.
CoreOS, Docker, IBM, Red Hat and Shippable are sponsors of The New Stack.