Week 2 saw release 0.0.1 of the appliance, and weeks 3 and 4 saw a multitude of fixes to tighten it up from a functionality and security standpoint.
Add Puppet Modules
This week saw the implementation of the "Add a Puppet module" functionality that allows individual Puppet modules to be added to the appliance. The main goal was to get the input form to add the data to the etcd datastore and get the table in the UI to populate properly. Additional work still needs to be performed to create the associated Jenkins job for the modules.
Added Ruby Gem Caching Container
During the CI process we're constantly downloading gems like rubocop or puppet for testing our Puppet code. To avoid fetching the same exact gems over and over, a gem caching server has been added to the stack. Geminabox (https://github.com/geminabox/geminabox) is the gem caching server of choice due to its simplicity and web UI.
Sinatra container security changes
With security being a major emphasis of this project, I've been leveraging the CIS benchmark for Docker (https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf) along with other Docker security best practices. Several changes have been made to the sinatra container, which serves the UI, to improve security.
- Running the container as the "sinatra" user instead of as root
- Changed the port the container listens on from 80 to 8000, and changed the Docker port mapping to forward host port 80 to port 8000 on the container.
- Changed the root directory for the application to the home directory of the sinatra user.
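The three changes above, as an added example rather than the appliance's own build files: a constructed "before" Dockerfile beside the hardened one, and a small audit function that checks a Dockerfile for a non-root user, an unprivileged port and an application root under the service user's home. The ruby base image, the app file name and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not the appliance's own build files. Base image, paths
# and the app's file name are assumptions.

# Constructed "before": runs as root, listens on privileged port 80,
# application root outside any user's home directory.
BEFORE_DOCKERFILE='FROM ruby:2.3
COPY . /app
WORKDIR /app
EXPOSE 80
CMD ["ruby", "app.rb", "-o", "0.0.0.0", "-p", "80"]'

# Constructed hardened version: dedicated "sinatra" user, unprivileged
# port 8000, application root under that user's home directory.
# Start it with "docker run -p 80:8000 ..." so host port 80 still reaches the UI.
AFTER_DOCKERFILE='FROM ruby:2.3
RUN useradd --create-home --shell /usr/sbin/nologin sinatra
COPY . /home/sinatra/app
RUN chown -R sinatra:sinatra /home/sinatra/app
WORKDIR /home/sinatra/app
USER sinatra
EXPOSE 8000
CMD ["ruby", "app.rb", "-o", "0.0.0.0", "-p", "8000"]'

# audit_dockerfile: reads a Dockerfile on stdin and prints one finding per
# failed check (nothing when all pass). The last USER/EXPOSE/WORKDIR
# instruction is the one that takes effect, so only the last of each counts.
audit_dockerfile() {
    awk '
        toupper($1) == "USER"    { user = $2 }
        toupper($1) == "EXPOSE"  { port = $2; sub(/\/.*/, "", port) }  # drop "/tcp"
        toupper($1) == "WORKDIR" { workdir = $2 }
        END {
            if (user == "" || user == "root" || user == "0")
                print "USER: no non-root user set; container runs as root"
            if (port != "" && port + 0 < 1024)
                print "EXPOSE: privileged port " port "; listen on an unprivileged port and map it on the host"
            if (workdir == "" || workdir !~ /^\/home\//)
                print "WORKDIR: application root " (workdir == "" ? "unset" : workdir) " is not under the service user home"
        }'
}

printf '%s\n' "$BEFORE_DOCKERFILE" | audit_dockerfile   # three findings
printf '%s\n' "$AFTER_DOCKERFILE" | audit_dockerfile    # prints nothing
```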
Docker Container Storage Persistence
A significant change that helps move the appliance closer to being production ready is the implementation of storage persistence for containers that store configuration information, such as the etcd container. For now host-based volumes will be used; they will only be replaced if another solution can be fully vetted and provides significant advantages over host-based volumes.
Artifact Repository Evaluation
An artifact repository has been an item that at some point needed to be addressed to round out the solution's functionality, and this week saw a close look at adding Nexus OSS (https://www.sonatype.com/nexus-repository-oss) to the solution stack. The artifact repository will serve a number of key purposes:
- Host pre-compiled versions of Ruby for RVM, which will save on average 5 minutes of job build time.
- Host Puppet module artifacts.
Next Week's Goals
While I'm pretty excited about how well the appliance is taking shape, there's quite a bit of code cleanup as well as architecture decisions that still need to be made. Listed below are the major goals for next week for the appliance, as we should see release 0.0.2.
- End-to-end functionality of the add Puppet module feature
- Creation of the Jenkins job for Puppet modules
- Cleanup of the Puppet control repo Jenkins job
- Implementation of the persistent container storage configuration
- Continued image optimization and security