The Distribution Flow

JFrog Distribution Documentation


The high-level distribution flow has two main steps:

Step 1: Create a Release Bundle

A Release Bundle can be created using the JFrog Platform UI or by calling the Create Release Bundle REST API endpoint in JFrog Distribution. This call specifies a variety of parameters, including the files comprising the Release Bundle and various properties associated with it. Since a Release Bundle is immutable, files included in a Release Bundle cannot be deleted from Artifactory: they are automatically copied and saved into the Release Bundle repository, where their contents cannot be edited or removed. JFrog Distribution collects the required metadata about the artifacts specified in the request by using an AQL query.

To have JFrog Xray scan your Release Bundle, the Release Bundle must first be declared as an indexed resource. For more information, see Indexing Xray Resources.


Step 2: Distribute a Release Bundle

A Release Bundle can be distributed using the JFrog Platform UI or by calling the Distribute Release Bundle REST API endpoint in JFrog Distribution.

Blocking Release Bundle Distribution

Setting a Watch on a Release Bundle, where the Watch contains a Policy set with a Block Distributing action, automatically blocks distribution of the infected Release Bundle based on the Xray scanning results. For more information, see Distributing Release Bundles.

The distribution process includes the following steps:

  1. Start a distribution transaction

    In steps 1-4, JFrog Distribution queries JFrog Mission Control for details of the distribution target nodes: JFrog Artifactory Edges ("Edge nodes"). It then primes the Edge nodes to receive the distributed packages by providing information about distributed files such as their checksum, and provides a GPG key to validate the authenticity of the bundle as a whole.

  2. Transfer files with smart replication

    In steps 5-6, JFrog Distribution copies the contents of the Release Bundle from the source Artifactory to the Edge nodes.

  3. End a distribution transaction

    In step 7, JFrog Distribution notifies the Edge nodes that the transaction is complete. In turn, each Edge node validates the authenticity of the transferred bundle using the GPG key provided when the transaction started. The Edge nodes then validate the integrity of the transferred files by validating the checksum and hosting the files in their proper location, as specified in the Release Bundle.

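The file-integrity and location checks that close a distribution transaction can be sketched as follows. This is an added example, not JFrog's code: it assumes the bundle's GPG signature has already been verified, that checksums are SHA-256, and that the file list is a mapping of relative path to digest; `validate_transfer`, the manifest layout and the sample files are hypothetical and constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def validate_transfer(staging_dir, manifest):
    """Return {path: problem}; an empty dict means every file checks out.

    manifest is an assumed layout: {relative path: expected SHA-256 hex}.
    It must come from a bundle whose signature was already verified.
    """
    root = Path(staging_dir).resolve()
    problems, listed = {}, set()
    for rel, digest in manifest.items():
        target = (root / rel).resolve()
        if root not in target.parents:      # e.g. "../x" or an absolute path
            problems[rel] = "path escapes staging root"
            continue
        listed.add(target)
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_file(target) != digest.lower():
            problems[rel] = "checksum mismatch"
    for found in root.rglob("*"):           # files the bundle never declared
        if found.is_file() and found.resolve() not in listed:
            problems[found.relative_to(root).as_posix()] = "not listed in bundle"
    return problems

def demo(tamper=True):
    """Constructed sample data: one good file plus, optionally, four faults."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "libs").mkdir()
        (root / "libs/app.zip").write_bytes(b"release payload")
        manifest = {"libs/app.zip": digest(b"release payload")}
        if tamper:
            (root / "libs/changed.zip").write_bytes(b"modified in transit")
            (root / "stray.zip").write_bytes(b"unlisted")
            manifest.update({"libs/changed.zip": digest(b"original"),
                             "libs/absent.zip": digest(b"x"),
                             "../outside.zip": digest(b"x")})
        return validate_transfer(root, manifest)
```

Treating any non-empty result as a failed transaction keeps a partially valid transfer from being hosted.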

Step 3: Download a Release Bundle

The artifacts distributed as a Release Bundle to Artifactory or Artifactory Edge can be downloaded using different package clients, such as a Docker client, npm client, etc. In addition, artifacts can be downloaded using the JFrog CLI:

jfrog rt dl --bundle bundle_name/bundle_version

The JFrog CLI provides additional options for download. For example, the Release Bundle Bill of Materials can be filtered to download the zip files belonging to a specific Release Bundle version:

jfrog rt dl "*.zip" --bundle bundle_name/bundle_version