Inkinga “yokuhlanzwa okuhlakaniphile” kwezithombe zeziqukathi nesixazululo sayo ku-werf

I-athikili ixoxa ngezinkinga zokuhlanza izithombe ezinqwabelana ekubhaliseni kweziqukathi (i-Docker Registry kanye nezifaniso zayo) kumaqiniso wamapayipi esimanje e-CI/CD wezinhlelo zokusebenza zomdabu zamafu ezilethwe ku-Kubernetes. Inqubo eyinhloko yokufaneleka kwezithombe kanye nobunzima obuwumphumela ekuhlanzeni okuzenzakalelayo, ukonga indawo nokuhlangabezana nezidingo zamaqembu kunikezwa. Ekugcineni, sisebenzisa isibonelo sephrojekthi ethile ye-Open Source, sizokutshela ukuthi lobu bunzima bunganqotshwa kanjani.

Isingeniso

Inombolo yezithombe kurejista yeziqukathi ingakhula ngokushesha, ithathe indawo yokugcina eyengeziwe futhi ngaleyo ndlela ikhulise kakhulu izindleko zayo. Ukuze ulawule, ukhawule noma ugcine ukukhula okwamukelekayo kwesikhala esikurejista, kuyamukelwa:

1. sebenzisa inombolo emisiwe yamathegi ezithombeni;
2. hlanza izithombe ngandlela thize.

Umkhawulo wokuqala kwesinye isikhathi uyamukeleka emaqenjini amancane. Uma abathuthukisi benamathegi anele anele (latest, main, test, boris njll.), ukubhalisa ngeke kukhule ngosayizi futhi isikhathi eside ngeke kudingeke ucabange ngokuyihlanza nhlobo. Phela, zonke izithombe ezingabalulekile ziyasulwa, futhi akukho msebenzi osele wokuhlanza (konke kwenziwa umqoqi wezibi ojwayelekile).

Kodwa-ke, le ndlela inciphisa kakhulu intuthuko futhi ayivamile ukusebenza kumaphrojekthi esimanje e-CI/CD. Ingxenye ebalulekile yentuthuko kwaba okuzenzakalelayo, okuvumela ukuthi uhlole, usebenzise futhi ulethe ukusebenza okusha kubasebenzisi ngokushesha okukhulu. Isibonelo, kuwo wonke amaphrojekthi ethu, ipayipi le-CI lidaleka ngokuzenzakalelayo ngokuzibophezela ngakunye. Kuyo, isithombe siqoqwe, sihlolwe, sidluliselwe kumasekethe ahlukahlukene e-Kubernetes ukuze kulungiswe amaphutha nokuhlola okusele, futhi uma konke kuhamba kahle, izinguquko zifinyelela kumsebenzisi wokugcina. Futhi lokhu akuseyona isayensi ye-rocket, kodwa okwenzeka nsuku zonke kwabaningi - okungenzeka kakhulu kuwe, njengoba ufunda lesi sihloko.

Njengoba ukulungisa iziphazamisi nokuthuthukisa ukusebenza okusha kwenziwa ngokufana, futhi ukukhishwa kungenziwa izikhathi eziningana ngosuku, kusobala ukuthi inqubo yokuthuthukisa ihambisana nenani elikhulu lezinto ezizibophezele, okusho ukuthi inombolo enkulu yezithombe kurejista. Ngenxa yalokho, kuvela inkinga yokuhlela ukuhlanzwa okuphumelelayo kokubhalisa, i.e. ukususa izithombe ezingabalulekile.

Kodwa unquma kanjani ukuthi isithombe sibalulekile?

Umbandela wokufaneleka kwesithombe

Ezimweni eziningi, imibandela eyinhloko izoba:

1. Esokuqala (esisobala kakhulu nesigxeka kunazo zonke) yizithombe ezithi okwamanje esetshenziswa Kubernetes. Ukususa lezi zithombe kungaholela ezindlekweni ezibalulekile zesikhathi sokukhiqiza (isibonelo, izithombe zingadingeka ukuze ziphindaphindeke) noma kushaye indiva imizamo yethimba yokulungisa iphutha kunoma imaphi amaluphu. (Ngenxa yalesi sizathu saze senza okukhethekile Umthengisi we-Prometheus, elandelela ukungabikho kwezithombe ezinjalo kunoma yiliphi iqoqo le-Kubernetes.)

2. Okwesibili (okungacacile kangako, kodwa futhi kubaluleke kakhulu futhi kuhlobene nokuxhashazwa) - izithombe lokho okudingekayo ekubuyiseleni emuva uma kwenzeka kutholakala izinkinga ezinkulu enguqulweni yamanje. Isibonelo, endabeni ye-Helm, lezi yizithombe ezisetshenziswa ezinguqulweni ezilondoloziwe zokukhishwa. (Ngendlela, ngokuzenzakalelayo ku-Helm umkhawulo uwukubuyekezwa okungu-256, kodwa akunakwenzeka ukuthi noma ubani udinga ngempela ukulondoloza kanjalo inombolo enkulu yezinguqulo?..) Phela, thina, ikakhulukazi, sigcina izinguqulo ukuze sikwazi ukuzisebenzisa kamuva, i.e. “buyela emuva” kubo uma kunesidingo.

3. Okwesithathu - izidingo zonjiniyela: Zonke izithombe ezihlobene nomsebenzi wazo wamanje. Isibonelo, uma sicabangela i-PR, khona-ke kunengqondo ukushiya isithombe esihambisana nokuzibophezela kokugcina futhi, yithi, ukuzibophezela kwangaphambilini: ngale ndlela unjiniyela angabuyela ngokushesha kunoma yimuphi umsebenzi futhi asebenze nezinguquko zakamuva.

4. Okwesine - izithombe ukuthi zihambisana nezinguqulo zohlelo lwethu lokusebenza, i.e. ziwumkhiqizo wokugcina: v1.0.0, 20.04.01/XNUMX/XNUMX, sierra, njll.

QAPHELA: Imibandela echazwe lapha yakhiwe ngokusekelwe kokuhlangenwe nakho kokusebenzelana nenqwaba yamaqembu okuthuthukisa avela ezinkampanini ezihlukene. Kodwa-ke, yiqiniso, ngokuya ngokucaciswa kwezinqubo zokuthuthukiswa kanye nengqalasizinda esetshenzisiwe (isibonelo, i-Kubernetes ayisetshenzisiwe), lezi zindlela zingahluka.

Ukufaneleka nezixazululo ezikhona

Izinsizakalo ezidumile ezinokubhaliswa kweziqukathi, njengomthetho, zinikeza izinqubomgomo zabo zokuhlanza izithombe: kuzo ungachaza izimo lapho ithegi isuswa khona ebhukwini. Nokho, le mibandela inqunyelwe amapharamitha afana namagama, isikhathi sokudala, nenombolo yomaka*.

* Kuncike ekusetshenzisweni kokubhaliswa kweziqukathi ezithile. Sicabangele amathuba ezixazululo ezilandelayo: I-Azure CR, i-Docker Hub, i-ECR, i-GCR, i-GitHub Packages, i-GitLab Container Registry, i-Harbour Registry, i-JFrog Artifactory, i-Quay.io - kusukela ngo-September'2020.

Le sethi yamapharamitha yanele ngokwanele ukwanelisa umbandela wesine - okungukuthi, ukukhetha izithombe ezihambisana nezinguqulo. Kodwa-ke, kuzo zonke ezinye izindlela, umuntu kufanele akhethe uhlobo oluthile lwesixazululo sokuvumelana (inqubomgomo eqinile noma, ngokuphambene, ethambile) - kuye ngokulindelwe namandla ezezimali.

Isibonelo, umbandela wesithathu - ohlobene nezidingo zonjiniyela - ungaxazululwa ngokuhlela izinqubo ngaphakathi kwamaqembu: ukuqanjwa okuqondile kwezithombe, ukugcina uhlu olukhethekile lokuvumela nezivumelwano zangaphakathi. Kodwa ekugcineni isadinga ukwenziwa ngokuzenzakalelayo. Futhi uma amandla ezixazululo ezenziwe ngomumo enganele, kufanele wenze okuthile ngokwakho.

Isimo esinemibandela emibili yokuqala siyefana: azikwazi ukwaneliseka ngaphandle kokuthola idatha evela kusistimu yangaphandle - leyo lapho izicelo zithunyelwa khona (kithi, Kubernetes).

Umfanekiso wokuhamba komsebenzi ku-Git

Ake sithi usebenza into efana nale ku-Git:

Isithonjana esinekhanda kumdwebo sibonisa izithombe zesiqukathi ezisetshenziswe ku-Kubernetes kunoma yibaphi abasebenzisi (abasebenzisi bokugcina, abahloli, abaphathi, njll.) noma ezisetshenziswa onjiniyela ukulungisa amaphutha nezinjongo ezifanayo.

Kwenzekani uma izinqubomgomo zokuhlanza zivumela kuphela ukuthi izithombe zigcinwe (zingasuswa) ngamagama amathegi anikeziwe?

Ngokusobala, isimo esinjalo ngeke sijabulise noma ubani.

Yini ezoshintsha uma izinqubomgomo zivumela ukuthi izithombe zingasuswa? ngokwesikhawu sesikhathi esinikeziwe/inombolo yezenzo zokugcina?

Umphumela uye waba ngcono kakhulu, kodwa usekude kakhulu nokuhle. Phela, sisenabo abathuthukisi abadinga izithombe ekubhaliseni (noma ezifakwe kuma-K8s) ukuze balungise iziphazamisi...

Ukufingqa isimo semakethe samanje: imisebenzi etholakala kubhalisi yeziqukathi ayinikezi ukuguquguquka okwanele lapho kuhlanzwa, futhi isizathu esiyinhloko salokhu ukuthi ayikho indlela yokuxhumana nezwe langaphandle. Kuvele ukuthi amaqembu adinga ukuguquguquka okunjalo aphoqelelwa ukuthi asebenzise ngokuzimela ukususwa kwesithombe "kusuka ngaphandle", esebenzisa i-Docker Registry API (noma i-API yomdabu yokusebenzisa okuhambisanayo).

Kodwa-ke, besifuna isixazululo sendawo yonke esizokwenza ukuhlanzwa kwezithombe ngokuzenzakalelayo emaqenjini ahlukene kusetshenziswa ukubhaliswa okuhlukile...

Indlela yethu yokuhlanza izithombe emhlabeni jikelele

Lesi sidingo sivelaphi? Iqiniso liwukuthi asilona iqembu elihlukile lonjiniyela, kodwa iqembu elisiza abaningi babo ngesikhathi esisodwa, elisiza ukuxazulula izinkinga ze-CI/CD ngokugcwele. Futhi ithuluzi lobuchwepheshe eliyinhloko lalokhu yinsizakalo yomthombo ovulekile i-werf. Okuhlukile kwayo ukuthi ayenzi umsebenzi owodwa, kodwa ihambisana nezinqubo zokulethwa okuqhubekayo kuzo zonke izigaba: ukusuka ekuhlanganiseni kuya ekusetshenzisweni.

Ukushicilela izithombe kusibhalisi* (ngokushesha ngemva kokuba zakhiwe) kuwumsebenzi osobala wokusetshenziswa okunjalo. Futhi njengoba izithombe zibekwe lapho ukuze zigcinwe, khona-ke - uma isitoreji sakho singenamkhawulo - udinga ukuba nesibopho sokuhlanza kwabo okulandelayo. Ukuthi sizuze kanjani impumelelo kulokhu, ukwanelisa zonke izindlela ezishiwo, kuzoxoxwa ngakho kabanzi.

* Nakuba amarejistri ngokwawo angase ahluke (i-Docker Registry, GitLab Container Registry, Harbour, njll.), abasebenzisi bazo babhekana nezinkinga ezifanayo. Isixazululo sendawo yonke esimweni sethu asixhomeki ekusetshenzisweni kokubhalisa, ngoba isebenza ngaphandle kwamarejistri ngokwawo futhi inikeza ukuziphatha okufanayo kwawo wonke umuntu.

Nakuba sisebenzisa i-werf njengesibonelo sokusetshenziswa, sithemba ukuthi izindlela ezisetshenziswayo zizoba usizo kwamanye amaqembu abhekene nobunzima obufanayo.

Ngakho saba matasa kwangaphandle ukuqaliswa kwendlela yokuhlanza izithombe - esikhundleni salawo makhono asevele akhelwe kukubhaliswa kweziqukathi. Isinyathelo sokuqala bekuwukusebenzisa i-Docker Registry API ukuze udale izinqubomgomo zakudala ezifanayo zenombolo yomaka kanye nesikhathi sokudalwa kwabo (okukhulunywe ngenhla). Kwengezwe kubo vumela uhlu olusekelwe ezithombeni ezisetshenziswe kungqalasizinda esetshenzisiwe, i.e. Kubernetes. Okokugcina, kwanele ukusebenzisa i-Kubernetes API ukuphindaphinda kuzo zonke izinsiza ezisetshenzisiwe futhi uthole uhlu lwamanani. image.

Lesi sixazululo esincane sixazulule inkinga ebaluleke kakhulu (umbandela No. 1), kodwa bekuyisiqalo sohambo lwethu lokuthuthukisa indlela yokuhlanza. Isinyathelo esilandelayo - futhi esithakazelisa kakhulu - kwakuyisinqumo hlobanisa izithombe ezishicilelwe nomlando we-Git.

Izikimu zokumaka

Okokuqala, sikhethe indlela lapho isithombe sokugcina kufanele sigcine khona imininingwane edingekayo yokuhlanza, futhi sakhe inqubo ezikimu zokumaka. Lapho ushicilela isithombe, umsebenzisi ukhethe inketho ethile yokumaka (git-branch, git-commit noma git-tag) futhi wasebenzisa inani elihambisanayo. Ezinhlelweni ze-CI, lawa manani asethwa ngokuzenzakalelayo ngokusekelwe kokuguquguqukayo kwendawo. Empeleni isithombe sokugcina besihlotshaniswa ne-Git ethile yakudala, ukugcina idatha edingekayo yokuhlanza kumalebula.

Le ndlela ibangele isethi yezinqubomgomo ezivumela i-Git ukuthi isetshenziswe njengomthombo owodwa weqiniso:

• Lapho ususa igatsha/umaka ku-Git, izithombe ezihlotshaniswayo ekubhalisweni zisuswe ngokuzenzakalelayo.
• Inani lezithombe ezihlotshaniswa namathegi e-Git nokuzibophezela lingalawulwa ngenani lamathegi asetshenziswe ku-schema esikhethiwe kanye nesikhathi lapho isivumelwano esihlobene sidalwe ngaso.

Sekukonke, ukuqaliswa okuwumphumela kwazanelisa izidingo zethu, kodwa inselele entsha yayisilindile maduzane. Iqiniso liwukuthi ngenkathi sisebenzisa izikimu zokumaka ezisekelwe ku-Git primitives, sihlangabezane nenani lokushiyeka. (Njengoba incazelo yabo ingaphezu kobubanzi balesi sihloko, wonke umuntu angazijwayelanisa nemininingwane lapha.) Ngakho-ke, njengoba sinqume ukushintshela endleleni ephumelela kakhudlwana yokumaka (ukumaka okusekelwe kokuqukethwe), kwadingeka sicabangele kabusha ukuqaliswa kokuhlanza izithombe.

I-algorithm entsha

Kungani? Ngokumaka okusekelwe kokuqukethwe, ithegi ngayinye inganelisa ukuzibophezela okuningi ku-Git. Lapho uhlanza izithombe, awusakwazi ukucabanga kuphela kusuka ekuzinikeleni lapho ithegi entsha yengezwe kurejista.

Nge-algorithm entsha yokuhlanza, kwanqunywa ukuthi kusuke izikimu zokumaka futhi kwakhiwe inqubo yemetha-sithombe, ngayinye egcina inqwaba:

• isibopho okwenziwa kuso ukushicilelwa (akunandaba ukuthi isithombe sengeziwe, sishintshiwe noma sihlala sinjalo endaweni yokubhalisa yeziqukathi);
• nesihlonzi sethu sangaphakathi esihambisana nesithombe esihlanganisiwe.

Ngamanye amazwi, yanikezwa ukuxhumanisa amathegi ashicilelwe nokuzibophezela ku-Git.

Ukucushwa kokugcina kanye ne-algorithm evamile

Lapho ulungiselela ukuhlanza, abasebenzisi manje banokufinyelela kuzinqubomgomo ezikhetha izithombe zamanje. Inqubomgomo ngayinye enjalo ichaziwe:

• izinkomba eziningi, i.e. Amathegi e-Git noma amagatsha e-Git asetshenziswa ngesikhathi sokuskena;
• kanye nomkhawulo wezithombe eziseshiwe zereferensi ngayinye evela kusethi.

Ukufanekisa, nansi indlela ukumiswa kwenqubomgomo okuzenzakalelayo kwaqala ngayo ukubukeka:

cleanup:
  keepPolicies:
  - references:
      tag: /.*/
      limit:
        last: 10
  - references:
      branch: /.*/
      limit:
        last: 10
        in: 168h
        operator: And
    imagesPerReference:
      last: 2
      in: 168h
      operator: And
  - references:  
      branch: /^(main|staging|production)$/
    imagesPerReference:
      last: 10

Lokhu kulungiselelwa kuqukethe izinqubomgomo ezintathu ezithobelana nemithetho elandelayo:

1. Londoloza isithombe ukuze uthole omaka be-Git abayi-10 bokugcina (ngedethi yokudala ithegi).
2. Londoloza izithombe ezingadluli kwezi-2 ezishicilelwe evikini eledlule ukuze uthole imicu engadluli kwe-10 enomsebenzi weviki eledlule.
3. Londoloza izithombe ezingu-10 zamagatsha main, staging и production.

I-algorithm yokugcina incike ezinyathelweni ezilandelayo:

• Ibuyisa i-manifest kusuka kubhalisi yesiqukathi.
• Ngaphandle kwezithombe ezisetshenziswe ku-Kubernetes, ngoba Sesiwakhethile ngaphambilini ngokuvotela i-K8s API.
• Iskena umlando we-Git futhi ingabandakanyi izithombe ngokusekelwe kuzinqubomgomo ezishiwo.
• Isusa izithombe ezisele.

Uma sibuyela emfanekisweni wethu, nakhu okwenzeka nge-werf:

Nokho, ngisho noma ungasebenzisi i-werf, indlela efanayo yokuhlanza isithombe esithuthukisiwe - ekusetshenzisweni okukodwa noma okunye (ngokwendlela ekhethwayo yokumaka isithombe) - ingasetshenziswa kwezinye izinhlelo/izinsiza. Ukuze wenze lokhu, kwanele ukukhumbula izinkinga ezivelayo futhi uthole lawo mathuba esitaki sakho esikuvumela ukuthi uhlanganise isisombululo sabo ngokushelela ngangokunokwenzeka. Sithemba ukuthi indlela esiyihambile izokusiza ukuthi ubheke udaba lwakho ngemininingwane emisha nemicabango.

isiphetho

• Ngokushesha noma kamuva, amaqembu amaningi ahlangabezana nenkinga yokuchichima kokubhalisa.
• Lapho usesha izixazululo, okokuqala kudingekile ukucacisa imibandela yokufaneleka kwesithombe.
• Amathuluzi anikezwa izinsizakalo zokubhalisa iziqukathi ezidumile akuvumela ukuthi uhlele ukuhlanza okulula kakhulu okunganaki "izwe langaphandle": izithombe ezisetshenziswe ku-Kubernetes kanye nezici zokugeleza komsebenzi weqembu.
• I-algorithm eguquguqukayo nesebenza kahle kufanele ibe nokuqonda kwezinqubo ze-CI/CD futhi ingasebenzisi ngedatha yesithombe se-Docker kuphela.

PS

Funda futhi kubhulogi yethu:

• «Ukumaka okusekelwe kokuqukethwe kumqoqi we-werf: kungani futhi kusebenza kanjani?";
• «Izindlela ezi-3 zokuhlanganisa i-werf: ukuthunyelwa e-Kubernetes nge-Helm "kuma-steroids"";
• «Ukusekelwa kwe-monorepo kanye ne-multirepo ku-werf futhi i-Docker Registry ihlangene ngani nayo";
• «ukukhishwa kwe-werf 1.1: ukuthuthukiswa komakhi namuhla nezinhlelo zesikhathi esizayo".

Source: www.habr.com