Comparing Artifactory to other Binary Repository Managers
Executive Summary
The benefits of using a Binary Repository Manager in your software development pipeline are unarguable. Reliable and consistent access to remote artifacts, integration with your build environment, distribution of artifacts and replication of repositories are just a few of the reasons. The repository managers available on the market today can be split into two main categories: Technology specific solutions that address a single package format such as Docker, npm, Maven etc., and universal solutions that support a wider range of package formats, build tools and technologies. JFrog Artifactory fits into the universal category. This paper presents key points for comparison of Artifactory to the following competing products in the market: Docker, Docker Trusted Registry, Nexus 2, Nexus 3, Quay, Amazon ECR and Google Container Registry. The following table emphasizes some of the differentiators that make Artifactory the best Repository Manager available on the market today:
JFrog Artifactory: Universal Artifact Repository
JFrog Xray: Universal Artifact Analysis
JFrog Mission Control: Centralized Repository Management
JFrog Bintray: Universal Distribution Platform
Supports a variety of enterprise-scale storage capabilities including S3 Object Storage, Google Cloud Storage and filestore sharding providing unlimited scalability, disaster recovery, and unmatched stability and reliability.
Users, build servers and Interactions
Accommodates large load bursts with no compromise to performance. Increase capacity to any degree with horizontal server scalability to serve any number of concurrent users, build servers and interactions.
Introduction
The benefits of using a Binary Repository Manager in your software development pipeline are unarguable. Reliable and consistent access to remote artifacts, integration with your build environment, distribution of artifacts and replication of repositories are just a few of the reasons. The repository managers available on the market today can be split into two main categories: Technology specific solutions and universal solutions.
Technology specific solutions
Each of the different packaging technologies has a client application which developers use to build their packages. These applications provide different services like package management, dependency resolution, uploading packages to private or public repositories and more. In the case of Docker, there are several solutions for managing images. As the popularity of Docker grew, the demand for a simple solution to securely store Docker images increased accordingly. This started a wave of repository managers that are focused on storing only Docker images, with a relatively limited set of features mushrooming on the scene such as Docker Trusted Registry, Quay, Amazon ECR and Google Container Registry. The key point to note for any of the solutions is that they offer (to some extent) repository management services for one technology only.
Universal Solutions
Universal solutions support a wider range of package formats, build tools, technologies and features. Artifactory is an excellent example, currently supporting Maven, Gradle, Docker, Vagrant, Debian, YUM, P2, Ivy, NuGet, NPM, PHP, RubyGems, PyPI, Bower, CocoaPods, GitLFS, PHP and more, as well as all common build tools and CI servers. Another example is JFrog Artifactory vs Sonatype Nexus which also supports a variety of package formats and technologies. However, there is a fundamental difference between these two products. While Nexus started as a Maven companion and then added support for other formats, Artifactory was designed from the outset with the flexibility to support different packaging systems and technologies. This fundamental difference comes to bear when you compare the products. While a dry comparison matrix of these two products might indicate they have similar feature set, a deeper investigation reveals significant differences in their fundamental architecture and a very different level of support for different packaging formats. This paper presents key points for comparison of Artifactory to some of the competing products in the market. Products that were examined for this comparison include Docker, Docker Trusted Registry, Nexus 2, Nexus 3, Quay, Amazon ECR and Google Container Registry. A shallow comparison matrix of these products may indicate that they are very similar, however, if you dig a bit deeper, you’ll find that what looks the same on the outside may be very different on the inside.
Universal Solution
No single packaging format or technology is sufficient to support development in a modern organization. There is a multitude of formats, a variety of build tools, different continuous integration systems and other technologies that go into building a flexible and maintainable software development ecosystem. Managing binaries for all the different packaging formats and integrating with all the moving parts of the ecosystem can become a tooling and maintenance nightmare.
With Artifactory, there is no need to manage development with each different package format using a dedicated solution. Artifactory was designed from the ground up to fit in with any development ecosystem. Uniquely built on checksum-based storage, Artifactory supports any repository layout and can, therefore, provide native-level support for any packaging format. Essentially, regardless of the packaging format you are using, Artifactory can store and manage your binaries, and is transparent to the corresponding packaging client. Artifactory currently supports the following packaging technologies: Maven, Gradle, Docker, Vagrant, Debian, YUM, P2, Ivy, NuGet, NPM, RubyGems, PyPI, Bower, CocoaPods, PHP, GitLFS and more.
But development is only one end of the software delivery pipeline. Before a package makes it into a product, it needs to go through processes of build and integration. There are many build and integration tools on the market, but there is only one product that works with them all. Through a set of plugins, Artifactory provides tight integration with popular CI systems available today such as Jenkins, Bamboo, TeamCity and TFS. These systems use Artifactory to supply artifacts and resolve dependencies when creating a build, and also as a target to deploy build output. And to support cloud-based CI systems on which you are not able to apply plugins, Artifactory provides plugins for the build tools you use (such as Maven and Gradle) which ultimately provides the same level of build automation.
End-to-End Artifact Management
JFrog Artifactory is just one component of a complete and tightly integrated end-to-end solution for artifact management available through JFrog’s suite of products. As a complete solution to an organization’s software delivery pipeline, Artifactory works seamlessly with the other products in the suite.
Universal Distribution
JFrog’s software distribution natively supports all major package formats allowing you to work seamlessly with industry standard development, build and deployment tools.
JFrog Mission Control – Universal Repository Management
Mission Control offers centralized control, management and monitoring for all your enterprise artifact assets globally. By providing a clear and instant picture of the relationships and flow between your different development organizations, Mission Control provides your IT and Ops leaders real-time visibility into your worldwide development, distribution, and consumption of software packages.
To learn more about JFrog Mission Control, please visit jfrog.com/mission-control or download the whitepaper at jfrog.com/support-service/whitepapers/.
JFrog Xray – Universal Artifact Analysis
Xray works with JFrog Artifactory to analyze software artifacts and reveal a variety of issues and security vulnerabilities at any stage of the software application lifecycle. By scanning binary components\ and their metadata, recursively going through dependencies at any level, JFrog Xray provides unprecedented visibility into vulnerable components lurking anywhere in your organization.
To learn more about JFrog Xray, please visit jfrog.com/xray or download the whitepaper at jfrog.com/support-service/whitepapers/.
Enterprise Ready
Artifactory provides a number of enterprise features that are not, or are only partially available from other Binary Repository Managers:
High Availability Configuration
Playing such a central role in the management of binaries, your Binary Repository Manager can become a mission-critical component of your organization meaning that any downtime can have severe consequences.
Artifactory is the only Binary Repositor Manage available that supports a High Availability network configuration.
With a cluster of 2 or more servers on the same Local Area Network, Artifactory maximizes your uptime and can take it to levels of up to “five nines” availability.
The redundant server architecture enables non-disruptive upgrades and allows your system to accommodate larger load bursts with no compromise to performance. With horizontal server scalability, you can easily increase your capacity to meet any load requirements as your organization grows.
Multi-push Replication
Artifactory is the only Binary Repository Manager offering multi-push replication, allowing you
to simultaneously replicate a local repository to multiple, geographically distant target sites.
This critical capability supports geographically distributed teams
sharing the same repositories and development pipelines,
and enables smooth geographic failover and fast recovery
in the event of a disaster. Since replication is asynchronous,
the process is fast, it minimizes the time during which
repositories are not synchronized and does not incur any
slowdown in responsiveness.
Enterprise-Scale Storage
Artifactory offers a variety of options for storage, and allows complete freedom to combine different storage solutions to meet the needs of enterprises at any scale.
S3 Object Storage and Google Cloud Storage
Artifactory seamlessly manages binaries stored with any storage provider on the cloud. This
provides:
• Unlimited scalability: Since your files are on the cloud, your filestore is massively scalable and
effectively unlimited
• Security: As provided by your S3 storage provider or by Google’s security model
• Disaster recovery: Since your binaries are on a distributed file system, you can use the
disaster recovery capabilities offered by the storage provider.
Filestore Sharding
A sharded filestore is one that is implemented on a number
of physical mounts (M) which store binary objects with
redundancy (R), where R <= M.
Sharding overcomes the challenges of scaling enterprise
filestores for several reasons:
Unmatched stability and reliability
Thanks to redundant storage of binaries, the system can
withstand any mount going down as long as the remaining
mounts can support the redundancy configured (i.e., M >= R).
Unlimited scalability
If the underlying storage available approaches depletion, you only need to add another mount;
a process that requires no downtime of the filestore. Once the mount is up and running, the
system invokes balancing mechanisms to regenerate the filestore redundancy according to
configuration parameters you control.
Filestore performance optimization
Artifactory’s filestore sharding implementation offers several configuration parameters that allow
you to optimize how binaries are read from or written to the filestore according to your specific
system’s requirements. As binaries are uploaded or deleted, the sharding mechanism invokes
balancing processes to make sure that binaries are uniformly distributed among the filestore
mounts according to the redundancy configured in the system.
Security, Authentication and Permissions
Artifactory provides reliable and consistent access to packages for secure upload and download.
You can exercise fine-grained access control through the ability to give different permissions for
different repositories to specific groups and users, and perform authentication using a variety of
industry standards such as LDAP, HTTP-based SSO, Atlassian Crowd, SAML, OAuth and more.
Superior Performance through Checksum-based Storage
Artifactory optimizes storage by ensuring that any binary is only stored once on the file system.
Rather than storing the file in its original name under a specific path, Artifactory creates a checksum of the file (MD5 and SHA1) and renames it to its checksum. All the metadata about a file is then stored in the Artifactory database.
Using checksum based storage, any operation done on an artifact (copy, move, delete) is actually implemented by changing the metadata stored in Artifactory’s database. Since database transactions are much faster than file system operations, this results in a performance boost that makes Artifactory up to 5 times faster than competing products.
Let’s first consider the simple operation of deleting a set of files. When storage is directly on the file system, you need to wait until all the files are gone. This can take time if our files are big. Using Artifactory’s checksum-based storage, delete operations are effectively instant. All the files are just marked as deleted through a fast database transaction, and the actual deletion from the file system only happens, transparently, in the background during the next scheduled garbage
collection. Now consider promoting your builds through your deployment pipeline. This means copying or moving what may be hundreds of Megabytes from one repository to another; an operation that can take several minutes, and locks files in the process. And if you’re doing this several times a day, it can really interfere with development. In Artifactory this is a quick database transaction which is effectively instant.
Hybrid Solution – On-Prem or SaaS
Artifactory offers several options for on-prem installation including ZIP, Debian, RPM, Docker and
Homebrew. Artifactory is also the only repository manager that is also offered as a SaaS-based solution hosted on your choice of AWS or Google Cloud Platform, and this offers several benefits:
• Instant setup and configuration – you are ready to go within minutes.
• Stay up-to-date with the latest version and all the features of Artifactory Pro.
• Interactive dashboard to manage your repositories and account
• Reduced hardware footprint since there is no server that you need to buy, install, configure, maintain or monitor.
• Secure and reliable since all hardware is fully redundant and constantly monitored.
• Periodic backups are run for your repository content and configurations.
• Privacy and protection. Your data is securely accessed via SSL.
• Complete access control by managing internal users and groups
Per-Server Pricing and Unbeatable Support
JFrog offers the most competitive pricing model available on the market today for repository management. You only pay once for each instance of Artifactory. There is no limit to the number of seats or users per instance. Once you have taken the Artifactory path, you never walk alone.
JFrog offers pro-active and responsive SLA-based support packages:
• R&D-level support from the first response
• Unbeatable response times
• 24/7 SLA-based support for any time zone (email and phone)
• Customer support portal with a detailed knowledge-base that is constantly updated, and instant access to follow your cases and contacts.
JFrog’s unmatched level of support has been repeatedly noted by customers and is a significant
contributor to our extraordinary customer retention rate.
Automation Through REST API and CLI
Artifactory provides full automation control over your repository management and release life- cycle through an extensive set of powerful REST commands some of which are also wrapped in a Command Line Interface.
REST API
In order to integrate with automation tools such as Build Servers and Continuous Integration systems, Artifactory exposes an extensive REST API that provides access to its features anywhere in the development cycle effectively letting you automate any action you could do through the UI. Some of the key operations available through the API are:
• Managing builds, repositories and artifacts
• Performing searches
• Applying configurations such as creating repositories, users, groups, permission targets and more
• Performing maintenance tasks such as backups, import, export and more.
JFrog CLI
JFrog CLI is a compact and smart client that provides a simple interface that automates access to
Artifactory (and all other JFrog products through their respective REST APIs). By using the JFrog CLI, you can greatly simplify and optimize your automation scripts making them more readable, easier to maintain and efficient. Some key advantages of using JFrog CLI are:
• Parallel uploads and downloads
JFrog CLI lets you upload and download artifacts concurrently by a configurable number of
threads which helps your automated builds run faster.
• Perform maintenance tasks
JFrog CLI optimizes both upload and download operations by skipping artifacts that already exist in their target location by checking the artifact’s checksum. If it already exists in Artifactory’s storage, the CLI skips sending the file, and, if necessary, Artifactory only updates its database to reflect the artifact upload.
• Wildcards and regular expressions
JFrog CLI supports wildcards and regular expressions giving you an easy way to collect all the artifacts you wish to upload or download.
• Upload preview
All upload operations can be used with the –dry-run option to give you a preview of all the files that would be uploaded with the current command.
Full Support for Docker
Artifactory is a fully-fledged Docker registry and supports all Docker Registry APIs providing security features needed by enterprise Docker users. Some dvantages Artifactory has over other Docker solutions such as Docker Trusted Registry, Google Cloud Registry (GCR) or Amazon’s EC2
Container Registry (ECR) are:
Docker versions
Artifactory supports both Docker V1 and Docker V2.
Multiple registries per instance
Artifactory lets you create any number of Docker registries per instance. Use local repositories as secure private Docker registries to distribute and share Docker images across your organization with fine-grained access control. Proxy and cache remote Docker registries (e.g. Docker Hub) with remote repositories, and aggregate local and remote Docker resources under a single virtual Docker registry. Support for multiple Docker registries lets you set up a promotion pipeline
for Docker development with clear separation between development, staging and production environments, as well as separation between different projects and teams.
Detailed Metadata
Artifactory offers the option to tag artifacts and folders with searchable properties and provides build information as part of the CI server integration. This facilitates efficient search for Docker images based on their metadata using Artifactory Query Language (AQL).
Unique Advanced Capabilities
Artifactory offers a set of advanced capabilities that stem from its proprietary and unique architecture, and its integration with complementary JFrog products
Distribution Repositories
Artifactory’s support for multiple repositories for any supported package format lets you set up a promotion pipeline where packages are moved from one repository to the next as they pass through the different quality gates, up the pipeline defined in your organization. The final step in this process is releasing approved packages for distribution to end users. Artifactory supports a fully automated distribution pipeline through Distribution Repositories.
Distribution repositories are tightly integrated with JFrog Bintray. They are governed by a set of rules that clearly define how any package promoted to them should be routed to its corresponding repository in Bintray. Like Artifactory, Bintray offers native support for all major package formats which means, for example, that you can upload your Docker images to private or public Docker registries for distribution on Bintray. Together, Artifactory and Bintray offer the only solution for full lifecycle artifact management – from initial development phases through to distribution of finalized production packages.
Quickly Resolve Production Issues with Fully Reproducible Builds
Bugs discovered in production can become nightmares that are urgent to fix. But to fix bugs, it’s important to recreate the exact build and the environment in which the bug was reported. Artifactory is the only Binary Repository Manager that stores exhaustive metadata based on inherent package properties, custom user properties and automatically generated build information. These include specific artifact versions, modules, dependencies, system properties, environment variables, user information, timestamps and more. With this “Bill of Materials,” it is easy to faithfully reproduce a build at any time. Moreover, with built-in “Diff” tools you can compare builds and therefore know exactly what changes were introduced from one version to another.
Accommodate Any Lifecycle Policy with Custom Properties and User Plugins
No product can provide every feature that customers want out-of-the-box. However, it’s important to provide tools that allow each organization to customize your product to meet their specific requirements in the development cycle.
Custom properties is a unique feature in Artifactory that lets you attach any property to artifact metadata. Artifactory’s ability to search for artifacts based on all of these properties can be used to implement any corporate policy. Let’s consider an example in which a build can only be promoted to production if it passes the following “quality gates”:
• It has passed three tiers of QA (each tier is a separate property)
• It receives approval from legal
• It receives approval from marketing
• It has been backed up
With Artifactory, you can define a custom property for each of these gates to determine if a build is ready for production or not. You can find all production-ready builds through the Artifactory UI, but more importantly, your build tools can automatically determine which builds can be promoted to your production repository.
User Plugins allow developers to implement custom behavior that can be triggered by virtually any action on an artifact. Together with custom properties, user plugins make it easy to support any workflow required by your organization. To keep things simple, user plugins are written as Groovy scripts and have a simple Domain Specific Language (DSL) to wrap them as closures. Plugins can, therefore, be developed very easily and be deployed on-the-fly with no downtime. While other repository managers do support user plugins, they must be written in Java which makes it more complicated. In many cases, due to this added complication, many organizations just don’t bother writing plugins, and adhering to organization policies becomes a manual process.
Advanced Search with Artifactory Query Language (AQL)
Unique to Artifactory, AQL gives you unprecedented flexibility in how you search for artifacts. It offers a simple way to formulate complex queries that specify any number of search criteria, filters, sorting options and output fields. And as a RESTful API which uses data streaming to provide output data, it is extremely fast and efficient with unbeatable response time and low memory consumption, which goes on to improve your build times. No matter how many files your organization may create, AQL lets you assemble builds with any set of components, define highly specific cleanup policies, find all weird or unusual licenses on any set of artifacts and much more. With AQL you are not limited by repository type and can search on any field or property found in the repository. Every bit of data in your repositories has now become available for you to mine.
Virtual Repositories
Like most other repository managers, Artifactory supports local repositories where artifacts and builds can be deployed internally, and remote repositories that provide proxy and cache functionality for remote resources. Artifactory takes the concept of repositories a step further with virtual repositories.
A virtual repository encapsulates any number of local and remote repositories and represents them as a unified repository accessed from a single URL. It gives you a way to manage which repositories are accessed by developers since you have the freedom to mix, match and modify the actual repositories included within the virtual repository. You can also optimize artifact resolution by defining the underlying repository order so that Artifactory will first look through local repositories, then remote repository caches, and only then Artifactory will go through the network and request the artifact directly from the remote resource. You can even set up a promotion pipeline in which artifacts pushed to the virtual repository are automatically directed to a specific included local repository. They are then promoted internally through additional repositories as they pass through the quality gates until they reach the production repository from which they are pulled as needed. For the developer it’s simple. Just push a package when it’s ready for QA or request a package needed for a build, and Artifactory will safely and optimally access it according to your organization’s policies.
Summary
Artifactory’s advanced feature set, full support for all major packaging formats with comprehensive metadata, integration with all major build tools and CI systems and unique advanced technologies have made it the choice of thousands of companies in every industry. The most discriminating industry giants like Apple, Netflix, Oracle, VMware, Twitter, Yahoo, Credit Suisse and others enjoy enterprise features that no other repository manager can provide. With out-of-the-box integrations available through VMware, Pivotal (Cloud Foundry), CA (Nolio deployment tool), Microsoft (Azure), IBM (uDeploy), Chef, CloudBees and others, Artifactory will continue to lead the way, both technically and commercially, in the Binary Repository Management and Continuous Integration domain.