Hello, good morning everyone, and welcome back to the Kia Auto theatre at Linux Conference Australia 2022. I hope you had a great morning tea, and I hope you had a great rest, and I hope you have a great rest of your day. Our first talk today is Steve Ellis, who is an open source technology evangelist in the APAC Office of Technology team at Red Hat and a regular face around LCA and the rest of the community as well. This session is going to look at a couple of different approaches for creating our standard images: with Image Builder for our traditional Linux images, and Buildah for our container images. It's all yours, Steve, take it away.

Hey, thanks Caitlin, and thanks everyone for joining me. I'm really pleased to be giving this session after this morning's keynote, because the term "ephemeral" was referenced, and I actually put up on the first slide one of the definitions, because some people say "what do you actually mean by this?" Well, I think ephemeral really is a great way of referring to the way we should be treating a lot of our environments and a lot of our platforms today.

So look, we'll dig into this as we go through the session. Please use the questions tab and I'll try and come back to them at the end, or I'll jump into the Q&A area after the talk.

So here's a rough agenda. I'm going to kick off with a bit of the why and a little bit of history. We're going to dig into the what: what are the technologies that we're looking at today, Image Builder and Buildah. And then a bit of the how: we're actually going to do some live demo, because, you know, this is a conference, I love doing live demos. And then a little bit of a look back: did we get to where we wanted to be, did we actually answer some of the why? And I actually think my why isn't so good after listening to the keynote this morning. Liz did a much better job of summarizing some of the reasons why these tools are important and why these approaches are very, very important to the way we should be dealing with environments today.

So, ephemeral. Terry Pratchett's one of my favourite writers of all time, and this is a terrific quote that appeared in the Guardian a few years ago: "Death appears to have some sneaking regard and compassion for a race of creatures which to him are as ephemeral as mayflies." That really nicely positions it. There may be a few more Pratchett references as we go forward.

So why, why are we having this conversation? Let's be honest: security is hard. It's incredibly hard. We're living in a landscape where every day, every week, we seem to have new security compromises and issues. But to counter that, change is hard. It's really hard to convince customers or organizations to change. It's incredible the number of times where I've seen a security fix delayed for an inordinate amount of time because of change management. The change is critical, but the change still has to go through the process.

For many of us, cloud has changed the way we do everything. Almost everything, because not everything runs in the cloud. We have to deal with more than just cloud environments, and consistency and repeatability are difficult, can be difficult, shouldn't be difficult, because we're dealing with a mix of environments. Many of us are dealing with physical and virtual workloads, we're now dealing with cloud instances, and we may be dealing with containerized workloads, and I'm not even getting into things like serverless. And then we've got all those legacy things that we have to deal with. You know, a number of organizations are dealing with edge appliances, legacy appliances, and now everyone's going on about the future of IoT. And how do we make sure that we have that consistency and resiliency and the security we need for managing all those environments?

So let's step back a little bit and look at a bit of history. Let's look at an environment that's very long-lived; there isn't a lot of change over time. In fact, you thought it was difficult changing the time on the clock radio in your car? Imagine adjusting this for daylight savings. It's relatively repeatable, but it's an amazing engineering effort to put up. This isn't something that you're going to easily repeat, because of the cost of producing it.

Let's step forward a little bit into the realms of mechanical computing, and honestly, if you ever have the chance to visit the Science Museum in London, go and look at this, because it is stunning. I think this is a piece of art. But it's a very, very mechanical device. It is repeatable, but it requires a high degree of engineering. Customizing it is hard; changing it in some way, programming, isn't overly easy.

And then we step forward a little bit to Turing machines, and I really want to visit Bletchley Park next time I'm in the UK and go and have a look at this as one example of an early Turing machine. Again, mechanical devices that, if you put one wire wrong, you've now impacted your programming. The nature of the devices is there's a high rate of things going wrong. When we step into digital computing we now have a higher degree of control. It's easier to load the operating system, it's easier to load the software. These big hulking devices weren't really subject to the high rates of change that we need to deal with today, and they're anything but ephemeral devices.

I actually got introduced to the need for ephemeral computing fairly early on, thanks to this man and this device: Clive Sinclair, the ZX81, and the infamous RAM packs that we had. You know, there's a few things I learned that were really important in my early years of programming with the ZX81 and later the ZX Spectrum. First of all, the importance of backups. Backups are critical. Backup and recovery was something you really needed when, with one wrong move, your RAM pack would wobble and you would lose all your data. Everything you did was ephemeral. I also learned the vital importance of a well-placed piece of Blu Tack.

So stepping forward, how do we install software and store the operating system? In the case of my ZX81, it was from a cassette tape, the humble cassette tape. Stepping back in time, we had things like paper tape or punch cards. These aren't exactly reliable; it's very easy to damage them. And in fact, if you have a look at the links below, Command Line Heroes season 4 from Red Hat really digs into some of the history of computing and some of the early methods for loading software. Coming forward a little, we move through floppy disks, through CD/DVD media, and now into USB keys. They're all ways we used to bootstrap systems traditionally.

So when I was thinking about this talk, I kind of stepped back and said, well, really, where we're going to get to now, what we should be talking about, is infrastructure as code. And I realized way back in 2008 at linux.conf.au I actually gave a talk about infrastructure as code. This was part of the sysadmin miniconf. It's quite amusing, actually, going back and re-looking at this talk, so I've actually provided the links here to some of the presentation materials and the original video. While we were in that session we talked to the need for reliable, repeatable, reproducible infrastructure, effectively infrastructure as code. We talked about some of the technologies available back then, around whether you should use system imaging versus technology like Kickstart or preseed in order to build up your base operating system. We wanted to make sure the way we were doing this was abstracted away from whether the system was physical or virtual. There were the options around patching versus rebuilding systems when we were dealing with operating system updates. Security and hardening was still just as important, if not more important, back then, so we looked at capabilities like operating firewalls and SELinux, etc. And back then the post-build automation tools we were looking at were things like CFEngine and Puppet; you know, Ansible hadn't come along at that stage. And I couldn't underestimate the importance of having things like single sign-on. You know, making sure out of the box that we've got the environments integrated with our identity management is incredibly important.

So that was all the way back in 2008. My role's changed many times since then, and I spend a lot of time talking to customers and operations teams about how they build and run systems. And surprisingly, or unsurprisingly, these are still two of the most popular ways for systems to be bootstrapped in a lot of enterprises today. The number of times where it's still sticking a USB, or even sometimes a DVD, in a system in order to bootstrap it is just incredible. And there's still an enormous amount of systems out there today which are click, click, click through the installer rather than automating the delivery and having your corporate customized approach to delivering those services.

When we talk about cloud computing, containers and modern workloads, we often use the terms "pets and cattle". I'm going to use some different terminology here today: I want to talk about snowflakes and dwarf axes. Because a snowflake is extremely fragile. A snowflake system is very, very hard to change; you may change one thing and the whole snowflake collapses. Snowflake systems are usually created in life to live for a long time with very little change or modification. Dwarf axes are incredibly robust. Again, another Terry Pratchett reference: see, a dwarf axe may have been in your family for decades, maybe in your family for generations. It's had eight new heads and seven new arms, but it's still the same dwarf axe.

Now if we apply the dwarf axe thinking to systems, a good system, a good service, should be like a dwarf axe. It should be resilient, it should stay up, it should be hard-working, but we should be able to change its underlying infrastructure. We should be able to change its head and change its arm without the service actually changing. And to be honest, I have a personal dwarf axe, and again this is a reference back to linux.conf.au in 2008, because I talked about the development of a MythTV-based PVR appliance. Now my own unit is actually kind of the dwarf axe I had all the way back in 2008. I've changed the operating system many times; I've actually swapped it from 32-bit to 64-bit versions of Linux. It's had many motherboard iterations and CPU iterations, I've changed the hard drives, I've changed the tuners, and yet it's still the same to all effects. It still has recordings from all the way back in 2006. It's still providing the same service, but I've abstracted away the configuration and data from the underlying infrastructure.

That's a really important change that started to come through in a great part by cloud computing, the arrival of cloud computing. And another big change that came through with cloud computing was the conversation change between dev and ops. Because traditionally in many organizations there was a great big wall, there was a divide. You know, there was that running joke that dev would throw something over the wall for operations to manage. And once they started to conversate, once they started to collaborate, those walls started to come down. And today most organizations also introduced security into the conversation. Now we have the term DevSecOps, and boy, is that something we really need today.

I mean, I apologize for any PTSD flashbacks here, but how many of these can you name? You know, because there was a period where every week there was a new super vulnerability. Every week there was a vulnerability where the logo, the branding, the website for the vulnerability was better than that for the originating project. For those of you who can't remember them, we've got Heartbleed (OpenSSL); Shellshock, which was a bash vulnerability; POODLE, which was again an SSL vulnerability; Stagefright, which was a big Android vulnerability; DROWN, which was another SSL vulnerability; and then Badlock, which was a Samba SMB vulnerability. And Badlock was a big deal. I mean, they spent so much time warning everyone that that existed in the IT ecosystem long before it was kind of made public, so that we could put some mitigations in place.

So having dev, ops and security talk to each other really started to change everything. So I like to say dev met ops and started to talk about security. We're now seeing the need for greater consistency in environments, because greater consistency drives repeatability. We want consistency across our stack. We want the same stack for our developers to run as we're running in production. We don't want the same surprises we used to have in the past, where the developer environment had a completely different library, a completely different operating system release. And the move towards containerization has really helped that, because, you know, developers can work on the same environment, the same base environment, as we're really running in production.

But speed of delivery's changed. Long gone are the days where we're waiting months for new infrastructure to arrive in the data center, waiting weeks sometimes for an operating system to be deployed onto it, maybe days to be allowed to get access to a system. In fact, I know a few organizations where, even when they tried to automate the process for standing up their infrastructure on virtual hardware, it was still taking weeks because several steps involved people as a service. Once they reduced that down and found ways to automate around some of the firewall rule changes, DNS allocations and those other steps, they got it down to hours, and pretty soon they had it down to minutes, and then suddenly the business is expecting seconds. And if you're working in a containerized ecosystem you start to get used to that incredible speed of delivery: we need it right now. Because ultimately businesses expect faster delivery than they did in the past. Cloud has changed this.

So there's a little bit of background of where some of my thinking's gone, some of the conversations I've had over the last, you know, 12, 13, 14 years since linux.conf.au 2008.

What are we here to talk about today? We're going to talk about two projects, two capabilities, that kind of focus on solving two parts of the problem. Image Builder, with the upstream project osbuild, is focused on creating operating system images. Buildah is focused on the container side of the story, and Buildah is there to create OCI-compatible container images. So we're going to dig into each of these in turn, and then we're going to do a little bit of a demo.

So Image Builder, or osbuild. Image Builder effectively represents some of the UI components for osbuild. So it has a web UI that is plugged into Cockpit, it's called cockpit-composer, and you can access it through the Cockpit web interface. It also has a command line interface, composer-cli. And something that Red Hat's been developing for its customers is actually a SaaS-type service, which means that our customers can come in and actually just go and request Image Builder to be run on their behalf to create their custom images on our backend platform. osbuild-composer, which kind of does all the heavy lifting, has a RESTful API, and then the workers that do all the actual composition. Now historically some of this is based on lorax-composer and components of the Welder project, and the API is still based on the Welder API. So the RESTful API comes out of Welder. osbuild-composer is kind of like a reworking of the original work that went into lorax-composer. So it's been, you know... Now we've got the word. Anyway, we'll move on.

Here's a high-level view of the architecture. So we've got on one side the user interfaces, the CLI or the web UI. They then communicate with osbuild-composer, that they run locally on your machine or the machine that's got the web UI, and then they will kick off the jobs. And then you can have a pool of workers, and this is one of the strengths of this: that you can actually have different workers targeting different operating system flavors or targeting different architectures. So this is the current supported list of architectures, from, you know, typical x86 through ARM, POWER and System z. This is quite a nice pluggable architecture, so it should be relatively simple to extend it to other platforms as they increase in popularity.

One other nice part of this is the image upload capability. So you can just have it generate an image and then you can pull it down either through the command line or the web interface, but you can actually provide credentials and have it automatically push an image into Amazon or Azure if you're using that for your cloud hosted workloads.

So each target platform has a set of standard packages and requirements. So at the moment we can target AMI for Amazon and VHD for Azure, we have VMware VMDK, generic qcow2, OpenStack, and we have an IoT-based image that's based on OSTree commits. The reasoning behind this is OSTree gives us a nice way to do kind of A/B testing or rollout, so we can actually have the old iteration and the new iteration of our image on a system, and we can push out a new image and then have the system flick to it. Architecture-wise, as I said earlier, at the moment we currently support four architectures. So that's just some of the capabilities in Image Builder.

Looking at Buildah. Buildah is part of our attempt to kind of break down the capabilities available today in Docker. So where Docker kind of attempts to be an all-in-one tool for running containers, building containers, providing an API, the container standard originally, Podman is our way to provide an OCI-compatible runtime, Skopeo's there for container image management, and Buildah's there just as a build tool. Now by separating these services out it reduces the attack surface; these each just focus on a particular capability. It means that you can actually, and we do have an example in the git repository I'll share with you during the tour, of a simple OS image that can only run containers, it can't build them. Which is a great thing, because you don't want someone building custom containers
on your production container host 587 00:20:50,480 --> 00:20:54,720 also around containerization is some 588 00:20:53,120 --> 00:20:57,360 standardization around runtime 589 00:20:54,720 --> 00:21:00,320 interfaces so we've now got a cryo 590 00:20:57,360 --> 00:21:03,280 standard so as long as your runtime 591 00:21:00,320 --> 00:21:05,200 supports cryo and cryo's very much been 592 00:21:03,280 --> 00:21:08,400 engineered uh with a focus around 593 00:21:05,200 --> 00:21:10,799 kubernetes then any containers built to 594 00:21:08,400 --> 00:21:11,840 work against cryo will work against your 595 00:21:10,799 --> 00:21:13,120 runtime which means you can have a 596 00:21:11,840 --> 00:21:14,559 choice of different containerized 597 00:21:13,120 --> 00:21:16,000 runtimes 598 00:21:14,559 --> 00:21:18,000 if you really want to dig into a lot 599 00:21:16,000 --> 00:21:20,000 more around 600 00:21:18,000 --> 00:21:22,000 how containerization works and some of 601 00:21:20,000 --> 00:21:23,520 the underlying capabilities i recommend 602 00:21:22,000 --> 00:21:25,280 you have a look at fraser tweeddale's 603 00:21:23,520 --> 00:21:27,840 talk from yesterday 604 00:21:25,280 --> 00:21:30,400 now builders there to as i said provide 605 00:21:27,840 --> 00:21:32,240 those oci compatible container images 606 00:21:30,400 --> 00:21:33,600 and it can do multi-stage builds with 607 00:21:32,240 --> 00:21:35,039 and without docker files and this is 608 00:21:33,600 --> 00:21:36,480 really cool because you've got several 609 00:21:35,039 --> 00:21:39,440 ways of actually engineering the way the 610 00:21:36,480 --> 00:21:39,440 build comes together 611 00:21:40,080 --> 00:21:43,600 and i think also from a security 612 00:21:42,000 --> 00:21:44,480 perspective very importantly you can 613 00:21:43,600 --> 00:21:47,679 build 614 00:21:44,480 --> 00:21:49,760 container images as a non-root user 615 00:21:47,679 --> 00:21:51,360 i think that's incredibly important and 616 
00:21:49,760 --> 00:21:52,159 something i talked about last year was 617 00:21:51,360 --> 00:21:53,440 uh 618 00:21:52,159 --> 00:21:55,679 like running 619 00:21:53,440 --> 00:21:56,880 containers as a non-root user it's 620 00:21:55,679 --> 00:21:59,360 equally important to be able to build 621 00:21:56,880 --> 00:22:01,679 containers as an on-route user 622 00:21:59,360 --> 00:22:03,919 so let's get into a bit of the how 623 00:22:01,679 --> 00:22:05,840 so there's a git repository here i'll 624 00:22:03,919 --> 00:22:08,640 share it in the chat later 625 00:22:05,840 --> 00:22:10,640 what we're going to use is 626 00:22:08,640 --> 00:22:12,400 it's got all of the demo code all the 627 00:22:10,640 --> 00:22:13,520 scripts i've used to help stand this up 628 00:22:12,400 --> 00:22:16,320 and it's actually going to walk through 629 00:22:13,520 --> 00:22:17,520 of how to run some of this demo yourself 630 00:22:16,320 --> 00:22:18,880 we're going to use image builder and 631 00:22:17,520 --> 00:22:21,120 builder and we're going to actually run 632 00:22:18,880 --> 00:22:23,600 all this on a fedora host 633 00:22:21,120 --> 00:22:25,280 to keep it all free and open 634 00:22:23,600 --> 00:22:27,840 and in the 635 00:22:25,280 --> 00:22:29,840 vein of keeping it ephemeral 636 00:22:27,840 --> 00:22:31,840 i'm actually going to spin up a fedora 637 00:22:29,840 --> 00:22:33,840 cloud ready image 638 00:22:31,840 --> 00:22:36,640 that's running on my local laptop so 639 00:22:33,840 --> 00:22:38,720 it's running on kvm qemu using libert 640 00:22:36,640 --> 00:22:40,480 and then i use a small 641 00:22:38,720 --> 00:22:42,400 ansible playbook to customize it to 642 00:22:40,480 --> 00:22:44,159 install the required components so again 643 00:22:42,400 --> 00:22:45,440 all this is in the git repository so 644 00:22:44,159 --> 00:22:48,320 you've got access to all of this you can 645 00:22:45,440 --> 00:22:50,559 go and try it all out yourself 646 00:22:48,320 --> 
00:22:52,640 so the ephemeral host means i can create 647 00:22:50,559 --> 00:22:54,080 it run it for the purposes of this talk 648 00:22:52,640 --> 00:22:56,159 and then tear it all down again and then 649 00:22:54,080 --> 00:22:58,720 use it again on a later date 650 00:22:56,159 --> 00:23:00,960 so first we're going to bootstrap 651 00:22:58,720 --> 00:23:02,559 our cucao2 image 652 00:23:00,960 --> 00:23:05,120 so we're going to use a standard 653 00:23:02,559 --> 00:23:07,760 off-the-shelf fedora 35 cloud image i've 654 00:23:05,120 --> 00:23:09,600 also tested this with rel85 and r9 if 655 00:23:07,760 --> 00:23:11,679 you want to play around with enterprise 656 00:23:09,600 --> 00:23:12,799 flavors of linux and then we're going to 657 00:23:11,679 --> 00:23:15,360 do the 658 00:23:12,799 --> 00:23:17,360 installation of 659 00:23:15,360 --> 00:23:19,280 builder 660 00:23:17,360 --> 00:23:21,280 image builder and also cockpits that's a 661 00:23:19,280 --> 00:23:23,120 key requirement 662 00:23:21,280 --> 00:23:25,600 now this is the fun bit because it's a 663 00:23:23,120 --> 00:23:27,520 demo there may be a few shortcuts 664 00:23:25,600 --> 00:23:30,320 um most of these cloud-ready images 665 00:23:27,520 --> 00:23:32,000 don't allow ssh's root and it's just an 666 00:23:30,320 --> 00:23:35,039 easy way for the purposes of this to do 667 00:23:32,000 --> 00:23:36,720 things quickly so i customized the image 668 00:23:35,039 --> 00:23:39,200 i stripped that cloud in it and i set 669 00:23:36,720 --> 00:23:40,480 the root password to password ah 670 00:23:39,200 --> 00:23:42,640 they're awesome 671 00:23:40,480 --> 00:23:46,720 um i you know if you're gonna run this 672 00:23:42,640 --> 00:23:48,559 on a cloud image hosted in azure or aws 673 00:23:46,720 --> 00:23:50,320 and try it out there i recommend you 674 00:23:48,559 --> 00:23:52,320 don't use password as your default 675 00:23:50,320 --> 00:23:53,440 password 676 00:23:52,320 --> 00:23:56,559 also 
677 00:23:53,440 --> 00:23:57,840 if you want to try this out 678 00:23:56,559 --> 00:23:59,840 there's a 679 00:23:57,840 --> 00:24:01,760 hosted version that we make available 680 00:23:59,840 --> 00:24:03,760 completely for free at red hat 681 00:24:01,760 --> 00:24:05,520 of both image builder and builder these 682 00:24:03,760 --> 00:24:07,360 are hosted labs that you can actually 683 00:24:05,520 --> 00:24:10,240 just go and walk through and try some of 684 00:24:07,360 --> 00:24:11,919 this out today for free without ever 685 00:24:10,240 --> 00:24:14,400 installing anything on your local laptop 686 00:24:11,919 --> 00:24:16,880 or spinning up a cloud image 687 00:24:14,400 --> 00:24:19,600 so let's just spin over to a shell 688 00:24:16,880 --> 00:24:21,919 because of time i've actually have to do 689 00:24:19,600 --> 00:24:24,320 a couple of tasks early so you can see 690 00:24:21,919 --> 00:24:25,760 my date and time now it's just you know 691 00:24:24,320 --> 00:24:27,520 10 past one 692 00:24:25,760 --> 00:24:28,799 but i set this up at 10 o'clock this 693 00:24:27,520 --> 00:24:31,840 morning 694 00:24:28,799 --> 00:24:33,600 so here's the script which is actually 695 00:24:31,840 --> 00:24:34,880 in my 696 00:24:33,600 --> 00:24:38,000 git repository so here's the get 697 00:24:34,880 --> 00:24:40,400 repository this has all of the guidance 698 00:24:38,000 --> 00:24:42,400 and then how to deploy and run all the 699 00:24:40,400 --> 00:24:44,240 steps so we're going to deploy a local 700 00:24:42,400 --> 00:24:46,640 cloud hosted image 701 00:24:44,240 --> 00:24:48,640 and we're going to set a few values and 702 00:24:46,640 --> 00:24:50,799 then we run this script 703 00:24:48,640 --> 00:24:52,559 and this basically takes 704 00:24:50,799 --> 00:24:54,559 um 705 00:24:52,559 --> 00:24:56,080 the cloud ready image and just creates a 706 00:24:54,559 --> 00:24:58,240 snapshot of it 707 00:24:56,080 --> 00:25:00,720 we then customize that snapshot and 
set 708 00:24:58,240 --> 00:25:02,960 the password to password very naughty 709 00:25:00,720 --> 00:25:06,240 but what the heck and then we run the 710 00:25:02,960 --> 00:25:07,360 install to create a vm 711 00:25:06,240 --> 00:25:11,120 off it 712 00:25:07,360 --> 00:25:12,400 that we can access on my local laptop 713 00:25:11,120 --> 00:25:14,000 um 714 00:25:12,400 --> 00:25:15,760 so that's what we've done here and then 715 00:25:14,000 --> 00:25:18,559 we can see we've examined the guess this 716 00:25:15,760 --> 00:25:21,039 is actually the customization step 717 00:25:18,559 --> 00:25:23,279 and we've uninstalled a package and 718 00:25:21,039 --> 00:25:25,039 we've tweaked ssh config and set the 719 00:25:23,279 --> 00:25:27,520 passwords 720 00:25:25,039 --> 00:25:28,799 now the second part of this 721 00:25:27,520 --> 00:25:30,159 there's a guide there also for doing 722 00:25:28,799 --> 00:25:32,240 this on relay 723 00:25:30,159 --> 00:25:35,520 five if you want 724 00:25:32,240 --> 00:25:38,000 is the ansible setup so in this case you 725 00:25:35,520 --> 00:25:39,279 simply need to run a ansible playbook 726 00:25:38,000 --> 00:25:40,400 and it does the rest of the setup for 727 00:25:39,279 --> 00:25:42,960 the demo 728 00:25:40,400 --> 00:25:44,240 so here's that part where we log into 729 00:25:42,960 --> 00:25:45,760 the host 730 00:25:44,240 --> 00:25:47,200 we make sure 731 00:25:45,760 --> 00:25:49,440 it's not running relative don't need to 732 00:25:47,200 --> 00:25:51,039 subscribe it we enable cockpit image 733 00:25:49,440 --> 00:25:53,840 builder 734 00:25:51,039 --> 00:25:55,840 uh builder set up firewall d correctly 735 00:25:53,840 --> 00:25:57,679 firewall rules install git and we clone 736 00:25:55,840 --> 00:26:00,320 our repo so we've actually got a copy of 737 00:25:57,679 --> 00:26:02,400 this repo with a few extra files 738 00:26:00,320 --> 00:26:04,960 available as part of this demo and 739 00:26:02,400 --> 00:26:04,960 
walkthrough 740 00:26:05,120 --> 00:26:08,480 we've now got a 741 00:26:06,880 --> 00:26:11,120 environment ready 742 00:26:08,480 --> 00:26:14,240 we're now going to show off 743 00:26:11,120 --> 00:26:16,080 some examples of using image builder so 744 00:26:14,240 --> 00:26:19,279 let's jump back to my web browser and 745 00:26:16,080 --> 00:26:19,700 here we go and we'll log in to our 746 00:26:19,279 --> 00:26:20,960 um 747 00:26:19,700 --> 00:26:22,240 [Music] 748 00:26:20,960 --> 00:26:25,600 ephemeral environment so i'm going to 749 00:26:22,240 --> 00:26:27,039 log in as root 750 00:26:25,600 --> 00:26:29,679 there we go 751 00:26:27,039 --> 00:26:32,559 so here within the cockpit ui i have an 752 00:26:29,679 --> 00:26:32,559 image builder option 753 00:26:33,279 --> 00:26:37,919 and i have no blueprints blueprints are 754 00:26:35,600 --> 00:26:40,400 the baseline for this each blueprint 755 00:26:37,919 --> 00:26:43,039 defines one of our images 756 00:26:40,400 --> 00:26:45,279 blueprint can be customized for an os 757 00:26:43,039 --> 00:26:46,640 version and there's a whole series of 758 00:26:45,279 --> 00:26:48,880 different customizations you can walk 759 00:26:46,640 --> 00:26:50,480 through so i'm going to create a 760 00:26:48,880 --> 00:26:52,240 web server 761 00:26:50,480 --> 00:26:53,679 blueprint 762 00:26:52,240 --> 00:26:55,520 and what this is now going to do is it's 763 00:26:53,679 --> 00:26:57,679 going to go off and see what packages 764 00:26:55,520 --> 00:26:59,279 are available they can go include into 765 00:26:57,679 --> 00:27:01,279 the blueprint 766 00:26:59,279 --> 00:27:02,880 now let's just take a few minutes to 767 00:27:01,279 --> 00:27:05,200 sync 768 00:27:02,880 --> 00:27:05,200 um 769 00:27:05,600 --> 00:27:14,080 one other option 770 00:27:08,559 --> 00:27:15,279 i jump back to my instructions of 771 00:27:14,080 --> 00:27:17,200 this step 772 00:27:15,279 --> 00:27:20,200 which is 773 00:27:17,200 --> 00:27:20,200 
here 774 00:27:21,200 --> 00:27:27,679 um this tells us what we're going to go 775 00:27:22,960 --> 00:27:27,679 and add package-wise into that image 776 00:27:28,399 --> 00:27:32,559 loading they're still doing a sync 777 00:27:31,039 --> 00:27:34,159 but there's some extra commands here so 778 00:27:32,559 --> 00:27:37,679 i can do things like if i look on the 779 00:27:34,159 --> 00:27:37,679 command line i can see 780 00:27:39,440 --> 00:27:45,200 here's my fedora image if i do 781 00:27:41,840 --> 00:27:47,600 that i can see that this version of 782 00:27:45,200 --> 00:27:49,440 image builder's capable of producing the 783 00:27:47,600 --> 00:27:52,159 following 784 00:27:49,440 --> 00:27:55,200 types of images 785 00:27:52,159 --> 00:27:58,640 likewise i can start and stop jobs and 786 00:27:55,200 --> 00:27:58,640 do a bunch of other things through this 787 00:27:59,120 --> 00:28:02,960 this is still sinking 788 00:28:01,039 --> 00:28:04,799 joy i should have gone through the 789 00:28:02,960 --> 00:28:06,559 stepper slightly earlier right so now i 790 00:28:04,799 --> 00:28:10,880 can go and do things like add 791 00:28:06,559 --> 00:28:10,880 http search for http 792 00:28:15,919 --> 00:28:20,080 and 793 00:28:17,919 --> 00:28:20,080 b 794 00:28:26,320 --> 00:28:30,399 and i can add 795 00:28:28,960 --> 00:28:32,640 there we go 796 00:28:30,399 --> 00:28:34,559 and when i add that it's automatically 797 00:28:32,640 --> 00:28:37,520 going off and look doing a dependency 798 00:28:34,559 --> 00:28:39,679 lookup and making sure i need to pull in 799 00:28:37,520 --> 00:28:41,120 187 dependencies 800 00:28:39,679 --> 00:28:42,399 now for the moment i'm not going to go 801 00:28:41,120 --> 00:28:43,520 through all the extra steps i'm actually 802 00:28:42,399 --> 00:28:46,000 just going to commit this image because 803 00:28:43,520 --> 00:28:47,440 i want to show 804 00:28:46,000 --> 00:28:50,399 you some of the other parts of the web 805 00:28:47,440 --> 
00:28:50,399 ui that are available 806 00:28:54,960 --> 00:28:58,320 now i'm not going to create the image at 807 00:28:56,480 --> 00:28:59,760 this point i'm going to go back i 808 00:28:58,320 --> 00:29:02,880 haven't set a hostname i'm going to give 809 00:28:59,760 --> 00:29:02,880 it a hope hostname 810 00:29:05,600 --> 00:29:11,440 and then i can go and create a 811 00:29:08,240 --> 00:29:13,760 an initial user which i'm going to call 812 00:29:11,440 --> 00:29:15,520 webmaster 813 00:29:13,760 --> 00:29:17,840 i'm going to make it administrator and 814 00:29:15,520 --> 00:29:19,120 i'm going to give it a really hard to 815 00:29:17,840 --> 00:29:21,120 remember 816 00:29:19,120 --> 00:29:23,679 password which of course is password for 817 00:29:21,120 --> 00:29:26,720 the sake of the demo 818 00:29:23,679 --> 00:29:28,960 so i can now see what packages i've got 819 00:29:26,720 --> 00:29:31,120 i've got no images created but i can now 820 00:29:28,960 --> 00:29:32,559 go and say create an image and i can go 821 00:29:31,120 --> 00:29:33,440 and say what type of image i wanted to 822 00:29:32,559 --> 00:29:34,799 create 823 00:29:33,440 --> 00:29:36,559 great 824 00:29:34,799 --> 00:29:37,840 now there's a few things here to be 825 00:29:36,559 --> 00:29:40,159 aware of 826 00:29:37,840 --> 00:29:40,880 it will do dependency checks i can also 827 00:29:40,159 --> 00:29:42,640 do 828 00:29:40,880 --> 00:29:45,200 a dependency check on the command line 829 00:29:42,640 --> 00:29:49,120 so i can go compose 830 00:29:45,200 --> 00:29:49,120 less now blueprints 831 00:29:53,120 --> 00:29:57,440 list 832 00:29:55,200 --> 00:29:59,760 i can also have a look 833 00:29:57,440 --> 00:29:59,760 um 834 00:30:00,799 --> 00:30:03,520 on the right 835 00:30:06,000 --> 00:30:11,279 uh sorry i need to oops 836 00:30:09,679 --> 00:30:13,520 name the 837 00:30:11,279 --> 00:30:13,520 show 838 00:30:15,760 --> 00:30:19,039 joe 839 00:30:18,000 --> 00:30:21,039 show 840 
00:30:19,039 --> 00:30:22,399 web server 841 00:30:21,039 --> 00:30:26,320 and there's my 842 00:30:22,399 --> 00:30:26,320 definition so i've actually got a 843 00:30:26,640 --> 00:30:30,399 web server definition httpd 844 00:30:29,279 --> 00:30:33,200 name 845 00:30:30,399 --> 00:30:36,200 and the password inserted now one thing 846 00:30:33,200 --> 00:30:39,279 i've done here is i've actually got a 847 00:30:36,200 --> 00:30:41,279 customized version i can push to replace 848 00:30:39,279 --> 00:30:43,600 this one nice thing is that the version 849 00:30:41,279 --> 00:30:44,880 the the blueprints are version so if i 850 00:30:43,600 --> 00:30:46,880 look at the version i've actually got 851 00:30:44,880 --> 00:30:48,240 saved locally this does a little bit 852 00:30:46,880 --> 00:30:50,640 more 853 00:30:48,240 --> 00:30:52,799 so it actually does the firewall setup 854 00:30:50,640 --> 00:30:54,880 so i've customized the firewall settings 855 00:30:52,799 --> 00:30:55,919 it's also made sure that the services 856 00:30:54,880 --> 00:30:57,120 start 857 00:30:55,919 --> 00:30:58,880 now one thing at the moment through the 858 00:30:57,120 --> 00:31:00,640 web ui you can't 859 00:30:58,880 --> 00:31:02,000 specify which services you want to start 860 00:31:00,640 --> 00:31:04,320 and stop you need to do that through the 861 00:31:02,000 --> 00:31:06,240 command line i've also inserted an ssh 862 00:31:04,320 --> 00:31:09,919 key and i've also put a few extra 863 00:31:06,240 --> 00:31:09,919 packages in so if i do 864 00:31:10,410 --> 00:31:14,960 [Music] 865 00:31:12,640 --> 00:31:14,960 this 866 00:31:17,039 --> 00:31:21,760 and then have another look 867 00:31:19,039 --> 00:31:23,360 i've now got the updated image and if i 868 00:31:21,760 --> 00:31:25,360 jump back into my 869 00:31:23,360 --> 00:31:29,159 web ui here 870 00:31:25,360 --> 00:31:29,159 we'll force refresh 871 00:31:34,559 --> 00:31:40,080 one problem i found is that the ui 872 00:31:37,200 --> 
00:31:42,320 doesn't always refresh 873 00:31:40,080 --> 00:31:45,039 so quickly but this will now come up and 874 00:31:42,320 --> 00:31:48,960 it's got all of the packages i need 875 00:31:45,039 --> 00:31:52,559 now what i'm going to do now is generate 876 00:31:48,960 --> 00:31:52,559 an image i can deploy 877 00:31:55,200 --> 00:31:58,720 and i'll do that here on the command 878 00:31:56,880 --> 00:32:02,240 line so what i'm going to do is i'm 879 00:31:58,720 --> 00:32:04,240 going to create cucao2 image 880 00:32:02,240 --> 00:32:07,440 and that will come back shortly with the 881 00:32:04,240 --> 00:32:10,799 uuid for the image that's being created 882 00:32:07,440 --> 00:32:15,840 and i can actually just take a look at 883 00:32:10,799 --> 00:32:15,840 so if i use my instructions and go 884 00:32:16,559 --> 00:32:19,919 and then 885 00:32:18,559 --> 00:32:21,760 so these are all the instructions that 886 00:32:19,919 --> 00:32:22,880 are in the git repository so that job 887 00:32:21,760 --> 00:32:24,159 started that's going to take about four 888 00:32:22,880 --> 00:32:25,600 or five minutes to run so let's actually 889 00:32:24,159 --> 00:32:27,600 dig into some of the detail while that's 890 00:32:25,600 --> 00:32:29,760 running in the background 891 00:32:27,600 --> 00:32:32,720 so that's actually now 892 00:32:29,760 --> 00:32:34,480 how we can define and create 893 00:32:32,720 --> 00:32:35,440 an image definition 894 00:32:34,480 --> 00:32:38,399 um 895 00:32:35,440 --> 00:32:38,399 looking at the 896 00:32:38,480 --> 00:32:42,880 uh the blueprint we've got 897 00:32:40,880 --> 00:32:45,440 i'm not specifying any versions here so 898 00:32:42,880 --> 00:32:47,440 i've made this blueprint very os 899 00:32:45,440 --> 00:32:49,679 independent i can actually reuse this 900 00:32:47,440 --> 00:32:52,159 blueprint to create a 901 00:32:49,679 --> 00:32:54,840 fedora image or a rel image or a theory 902 00:32:52,159 --> 00:32:58,559 or centos image or 
other platforms 903 00:32:54,840 --> 00:33:00,480 but because i haven't been um 904 00:32:58,559 --> 00:33:02,080 explicit around what versions of 905 00:33:00,480 --> 00:33:04,640 packages and components i want or which 906 00:33:02,080 --> 00:33:06,240 os i'm building for or what architecture 907 00:33:04,640 --> 00:33:08,720 but there's things you can override here 908 00:33:06,240 --> 00:33:09,919 if you want to tune that 909 00:33:08,720 --> 00:33:11,200 for the purpose of the demo it's quite 910 00:33:09,919 --> 00:33:13,679 nice to be able to show the same thing 911 00:33:11,200 --> 00:33:15,279 running on multiple platforms 912 00:33:13,679 --> 00:33:17,200 the other thing you can do said earlier 913 00:33:15,279 --> 00:33:19,440 was be able to upgrade upload your 914 00:33:17,200 --> 00:33:20,559 generated images automatically to aws 915 00:33:19,440 --> 00:33:21,600 and azure 916 00:33:20,559 --> 00:33:24,080 so 917 00:33:21,600 --> 00:33:25,360 for this is just how you would configure 918 00:33:24,080 --> 00:33:27,600 a 919 00:33:25,360 --> 00:33:29,519 identity file that's got your 920 00:33:27,600 --> 00:33:31,360 access keys for those platforms and then 921 00:33:29,519 --> 00:33:33,600 you simply include that when you're 922 00:33:31,360 --> 00:33:35,440 starting the compose and it will 923 00:33:33,600 --> 00:33:37,679 automatically create the image and push 924 00:33:35,440 --> 00:33:40,159 it up for you into the cloud platform 925 00:33:37,679 --> 00:33:41,519 that you're using 926 00:33:40,159 --> 00:33:43,760 so this is going to take a few more 927 00:33:41,519 --> 00:33:46,399 minutes 928 00:33:43,760 --> 00:33:48,159 let me have a look at 929 00:33:46,399 --> 00:33:50,159 that's still running 930 00:33:48,159 --> 00:33:52,640 so while that's running let's have 931 00:33:50,159 --> 00:33:54,640 another have a look into 932 00:33:52,640 --> 00:33:56,559 a few of the issues so one of the things 933 00:33:54,640 --> 00:33:58,399 here you can do is 
compose a cli 934 00:33:56,559 --> 00:34:01,440 blueprint depth solve 935 00:33:58,399 --> 00:34:04,080 depth sol's really useful it 936 00:34:01,440 --> 00:34:05,679 allows you to check 937 00:34:04,080 --> 00:34:07,760 that the 938 00:34:05,679 --> 00:34:10,320 you've you've validated all the 939 00:34:07,760 --> 00:34:11,839 dependencies associated with a 940 00:34:10,320 --> 00:34:13,119 particular image 941 00:34:11,839 --> 00:34:14,399 um 942 00:34:13,119 --> 00:34:16,079 depending on the platform you're 943 00:34:14,399 --> 00:34:18,320 targeting there may be specific 944 00:34:16,079 --> 00:34:21,520 additional dependencies it doesn't quite 945 00:34:18,320 --> 00:34:24,320 catch everything i found for example um 946 00:34:21,520 --> 00:34:27,119 one of the other examples i've got in my 947 00:34:24,320 --> 00:34:30,800 git repository is creating a simple 948 00:34:27,119 --> 00:34:33,119 podman based container host 949 00:34:30,800 --> 00:34:35,359 it needed an extra dependency that the 950 00:34:33,119 --> 00:34:38,800 dependency checker didn't pick up 951 00:34:35,359 --> 00:34:41,440 because the qcow target enforces sc 952 00:34:38,800 --> 00:34:43,599 linux and it it then added another 953 00:34:41,440 --> 00:34:44,960 dependency that didn't come through the 954 00:34:43,599 --> 00:34:47,040 dependency model so that's a bit of a 955 00:34:44,960 --> 00:34:48,720 bug something we need to kind of dig 956 00:34:47,040 --> 00:34:51,040 into and look at 957 00:34:48,720 --> 00:34:53,040 so i've already tagged that there and of 958 00:34:51,040 --> 00:34:54,399 course the web ui sometimes needs a bit 959 00:34:53,040 --> 00:34:56,560 of a refresh 960 00:34:54,399 --> 00:34:58,000 um forced refresh if you're doing things 961 00:34:56,560 --> 00:35:00,720 through the command line and there's a 962 00:34:58,000 --> 00:35:02,400 few gaps around features uh really the 963 00:35:00,720 --> 00:35:04,640 the web ui is a great way to get things 964 00:35:02,400 --> 
00:35:06,320 started or to do some simple 965 00:35:04,640 --> 00:35:08,800 um 966 00:35:06,320 --> 00:35:10,240 blueprint definitions initially if 967 00:35:08,800 --> 00:35:12,079 you're really going to be a power user 968 00:35:10,240 --> 00:35:14,960 you really need to get into customizing 969 00:35:12,079 --> 00:35:18,480 those tamil files yourself 970 00:35:14,960 --> 00:35:18,480 i think this is still 971 00:35:20,160 --> 00:35:26,480 running and if i jump back to the 972 00:35:22,400 --> 00:35:26,480 webview i and go to images 973 00:35:27,280 --> 00:35:33,440 and of course refresh 974 00:35:31,040 --> 00:35:34,720 now it's not showing up there yet but 975 00:35:33,440 --> 00:35:37,440 we'll leave that running and we'll dig 976 00:35:34,720 --> 00:35:40,000 into the next part of the talk now 977 00:35:37,440 --> 00:35:40,960 builder we're going to use the same host 978 00:35:40,000 --> 00:35:43,200 vm 979 00:35:40,960 --> 00:35:45,839 and we're going to step through a few 980 00:35:43,200 --> 00:35:45,839 um 981 00:35:48,160 --> 00:35:52,000 examples of building containers using 982 00:35:50,720 --> 00:35:54,880 builder 983 00:35:52,000 --> 00:35:57,520 so if i jump back up here and come down 984 00:35:54,880 --> 00:35:59,040 and go to try out builder 985 00:35:57,520 --> 00:36:01,040 there's again the guide on how to get 986 00:35:59,040 --> 00:36:04,160 started with this so we're going to jump 987 00:36:01,040 --> 00:36:04,160 into this location 988 00:36:06,480 --> 00:36:10,640 and i've got a few blue 989 00:36:08,400 --> 00:36:12,320 docker files uh sorry 990 00:36:10,640 --> 00:36:13,680 a few docker build files here and a few 991 00:36:12,320 --> 00:36:16,000 other examples of how we can build 992 00:36:13,680 --> 00:36:17,040 containers using builder so if i jump 993 00:36:16,000 --> 00:36:19,680 into 994 00:36:17,040 --> 00:36:21,760 ubi minimal 995 00:36:19,680 --> 00:36:24,079 look at the docker file this is a real 996 00:36:21,760 --> 
[00:36:24] ...simple stripped-back example of a web server. Now, I'm actually using here our UBI 8 minimal instance. Now, the Red Hat UBI instances are freely redistributable; they are Universal Base Images. We patch them and maintain them, and they've got access to a reduced set of packages that you can again also use for free and build into your container images. So you can actually build off this on a Fedora host without any Red Hat subscription, without paying any money to Red Hat, and use this as part of your projects.

[00:36:55] So I can actually just build. Now, in this example I'm basically creating a very, very simple web server. I'm injecting an index, and I'm simply running httpd in the foreground. I'm not putting any additional customizations in, so I'm going to build using a Dockerfile, and that's going to kick off and pull. Again, this is a completely clean environment, so this is doing a fresh pull, so hopefully my internet connection is good enough, of the UBI minimal image. And then it's going to use microdnf, because this is a micro image; we actually don't have full-fat yum and dnf in there, it uses a thing called microdnf. This is one of the smaller image types that we make available.

[00:37:41] So there we go, that's a fairly standard kind of build for anyone who plays around with containers, and now you can see that we've got the baseline image from Red Hat, our UBI minimal. I can double-check this is working using Podman. So I'm going to start that service on port 8000, map that port internally to port 8080. I can see that's running. Awesome. And now I can run a simple curl command and get back that response. Awesome. I can also do all the usual things around looking at the logs, which is pretty much nothing, so I haven't set anything specific into the container that I'm running today. So what I'm going to do now is simply pull that one down and show another example.

[00:38:37] So if we step back here, we've got another way of deploying pretty much the same thing, a slightly different approach. So if I look at... yes, this is building off the same baseline image, but we're building without using a Dockerfile. This is kind of producing the same output. So if I run this now, we don't need to pull the image because it's already down; we're going through much the same steps. And if I do images, you can see now I've got two different web server images. They're roughly the same size, but being created using different methodologies. And again I can start that one, I can run curl, and then I can also just pull it all back down again.

[00:39:55] One of the nice things that we've done is... in the container world there's a lot of contention about image sizes and small images, so we actually have an even smaller example. Now, I'm running short on time, so I'm not going to dig into this right now. But hopefully... I've got my... oh, where are we? Finding the right window. I've now got that qcow2 image, and I can now go and download that and run that locally, and I will get my web server instance up and running.

[00:40:30] Now, we're running low on time, so there's a few things. Alternatives to Image Builder: you can look at things like Packer, that's very popular; EC2 Image Builder; there's cloud-specific ones; you can of course still use things like Kickstart, I still use that a lot. Buildah alternatives: of course you've got Docker, and BuildKit and Kaniko are out there today. BuildKit's come out of Moby as kind of an equivalent, I think, to Buildah. We've got things like S2I which kind of act like supersets, and you've got a lot of extra features. Image Builder versus Buildah: they're really apples and oranges, because you're doing two different things. One is all about the container, the other one is about the operating system; lightweight, heavyweight, you know. And when people go on about image sizes, there's a really good article done by Scott McCarty comparing different types of image sizes. Don't get hung up on it. If it's a really big deal you can use things like the UBI minimal example, a UBI micro example; again, that's in my code repository, go and have a play with it. At the end of the day, by the time you've actually built the container with your services, often there isn't a big difference between the different baseline OS instances.

[00:41:45] So Image Builder is really about full OS images, infrastructure-agnostic, versioned blueprints, whereas Buildah is very much focused on that single app service and needs an OCI runtime in order to make it work. But they're all open source, and they all focus on the important thing about infrastructure as code: it gives us consistency and reliability. Here on the roadmap, one big thing in the Image Builder space is looking towards OCI support, so that the OSTree layers map onto the kind of OCI model rather than the existing OSTree model, and better dev tool integration. Buildah: again, a chunk of work going on upstream on that. A few gaps and issues, pain points: trying to drop Buildah sometimes into existing CI/CD tools that expect Docker is not much fun, but it's getting better, it's getting much better.

[00:42:39] So why are we doing this? Well, security is hard, but I strongly believe infrastructure as code helps change everything. Cloud has almost changed everything, but not everything's there, let's be honest. I don't run everything in the cloud, and neither do most of my customers. Some people are all in, some people aren't, but we need to have that consistency and repeatability, and this is where these tools are great, because the blueprints are text, therefore it's infrastructure as code. It can live in a source code repository, we can version it, we can manage it, and hopefully when the next big security vulnerability comes along we can be ready to deal with it, because there's always one more vulnerability, there's always one more thing to patch, and those vulnerabilities, well, they're still lingering somewhere in the background.

[00:43:27] If you've got any questions I'll answer them, because we're running short on time. There's a load of references here and background material. As usual, my slides will be posted up on my people page at Red Hat, and again all the content's available on GitHub. So thank you all for your time.

[00:43:48] Thank you very much for your time. We've got about a minute for questions; we've got three questions in the queue, and the leftovers will go into the text chat of course. That was a really good walkthrough of some really practical ways to use those tools, so thank you so much for that. I think the most interesting question in this list is: can Image Builder roll Fedora Silverblue-ish images with its OSTree support?

[00:44:14] Yeah, that's kind of what the IoT model does. If you play with it on RHEL 8.5, and I actually have a RHEL 8.5 instance here... if I do compose, if I check the image capabilities here, it's got a bunch of extra ones compared with Fedora at the moment, because of this work we're doing around additional composability models. So yeah, there's some work happening in that space.

[00:44:40] That's really cool. I think we'll take the rest of the questions into the text chat. Thank you so much for your talk, Steve, have a great rest of your conference.

[00:44:49] Thank you everyone for joining the session.

[00:44:51] Thank you. The next talk that we've got