Delivering Fearless Updates with JFrog Distribution

Webinar Description: 
With the shortening of software development cycles, the ability to continuously integrate and release application updates to any deployment target is becoming crucial to the success of your business.

A common bottleneck in the delivery pipeline for large organizations is the need to distribute, synchronize, and secure software artifacts and release bundles, across:

  1. Large, geo-distributed, disparate teams and remote sites
  2. Large-scale, remote, deployment targets – which can span cloud infrastructure, on-prem, air-gapped environments, or embedded/IoT devices.

JFrog Distribution is a centralized solution that enables automated, fast, secure distribution of software releases to any deployment edge. It enables you to distributed applications in a way that is immutable, compliant, scalable, and efficient – where you can even overcome limited bandwidth and network lag.

JFrog Distribution is tightly integrated with your CI/CD pipeline to allow you to deliver releases with confidence. Join this webinar to learn about:

  1. Key challenges with software distribution at scale
  2. JFrog Distribution solution architecture: Signed release bundles, smart replication, efficient network utilization, and more.
  3. Best practices for accelerating releases and ensuring security and compliance across large-scale deployments
  4. Key use cases and patterns used by some of the largest organizations in the world to improve developer productivity and release fidelity with JFrog Distribution.
  5. Solution demo: from 0 to Hero with JFrog Distribution

 

Additional Resources: 

Try JFrog Distribution as part of the JFrog Platform

JFrog Platfrom: An End-to-End Platfrom for Global DevOps

Getting Started with JFrog Distribution

Transcription:

Good morning, everyone. Welcome to the webinar on delivering fearless updates for general distribution. It’s great to be speaking with you all today. I’m lazier. I’m the product manager for chief distribution. Prior to that, I was a senior product manager at Seed Technologies. I come from a developer background and I’m very passionate about DevOps and automation.

Some housekeeping details for audio quality purposes, although audio lines will be muted if you have any questions or comments. Feel free to use the question step and I’ll happy. I’ll be happy to answer them at the end of this webinar. This webinar will be recorded and shared with you. So. He has a brief agenda of topics covered today. I’ll start with the general overview and then we’ll talk about the use cases and some of the major challenges with software delivery. Then I’ll show how different distribution product can help you overcome these challenges and in the end and also do a demo. I’m hoping you all know about defrock, but briefly, we were founded in 2008, five thousand six hundred paying customers and growing fast. More than 65 percent of the fortune companies are using our products. That’s about three million enterprise developers using our products on a daily basis. We are also community champions. There are about two million downloads per month. We value feedback from our customers, and our products are driven by community feedback. Read also A DevOps unicorn. Our mission is to cover all the software in the world. Artifacts are building blocks of software, it’s worth flowing through your pipes, getting deployed to London, and these artifacts can be of different technologies such as Java, Node.js, Darkness, 50+ Less, Golan, Clouston, etc. as well as you all can do anyway. Just so streamlining the flow and supply chain of these artifacts is essential to accelerate software release velocity and quantity. So how did we go about it? We adopted the unified approach where we build an end to end platform under a single theme. This platform allows you not only manage your binaries, but also distribute them to your production sites within the black community when complete visibility, governance and control across five blends from from get to global parties and everything in between. Platform also provides continuous security, which includes vulnerability scanning or business license compliance. The solution is highly scalable and radically universe. That means we support 27 plus technologies and integrates very well with other tools within the DevOps ecosystem. We also support hybrid and multi-cloud architectures. This is a component diagram of Jeff of the platform. It’s an enduring universal DevOps solution that streamlines your entire delivery process from code checking through relief to any deployment targets. It could be on Prem Cloud Hybrid or even to adjust. RV factory, he’s Hicks in off polio source control and functions such as database DevOps, managing all your software binaries and continue images. It not only provides easy management and thinking between your building blocks of software and divisions, but also provides additional visibility of the material for each of the components for each artifact. We know everything that they need to be known about it, who produced the bill or is involved, or whether the tests have passed the security stages. What was Woolies and what were the versions? Now talking about X Ray X enables the DevSecOps and continue security by automatically scanning all the base artifacts and guns to move images, but open source vulnerabilities and license compliance issues. You can automatically trigger actions such as preventing downloads, failing to build or a blocking of distribution if required, based on your security status of of the component. I’m not talking about different distribution. It’s an orchestration tool that allows you to package different artifacts into release bundles or update and distribute them to your global sites, either for geo or distributed development teams, audio reproduction, edge deployments or even for your excellent distribution. Now talking about Edge notes, these are lightweight. Secure release read only artifact, the instances that are deployed before closer to your servers with artifacts will be consumed or deployed, so these agents could be on some cloud or they can be deployed on multiple floors and went. At the bottom is Jeffrey White Plains. It’s an modern Yamal based CSG solution with some advanced abilities for cloud native delivery, so it allows you to automate, not orchestrate your internal pipeline for both legacy and container based applications on any environment. And finally, on the top, we have mission control. Which provides you with the ability of DevOps insights and metrics. So anywhere from up to five download and usage, you want to know about the security trends your pipeline holds and your release velocity. The focus of today’s webinar is distribution to edge, not very narrow with the volume of software and update is exploding and the time to act is shrinking and businesses constantly demand nonstop deliberate operations. In this environment? Your distribution pipelines can become bottlenecks very hard to continuously deploy large volume of artifacts. In a sense, it’s like drinking from a firehose. Now, let’s talk about some of the distribution use cases. First, Intel distribution, Diageo distributor development sites. So your your teams can be distributed. And singing between these different themes and soaps is important. Your your your distributor needs to produce and consume artifacts from one another. The second use case is the solution to your production infrastructure software that would be a rental investments would be your own term, your cloud, multi-cloud legacy or cloud native applications such as Google. It is if it’s easy to accept audio remote adjust. They could be your IoT devices, retail stores, oil rigs, cruises, idioms your point of sale devices here. Gratuity is usually an issue, and you may experience some full bandwidth or network latency issue. So we have excellent distribution use case to your customer sites, which includes pushing different release versions to customers of partners. So here you need traceability on what was distributed to each of these customers and partners. First, I’ll talk a little bit about the typical challenges faced in the software distribution. First, overcoming physics. Everything is distributed your infrastructure to your team’s access, security, etc. So how do you get your boundaries where they need to be? For example, you develop teams, oh, on us first, but your rent and production might spread across Asia in the studio, and you may also have limited bandwidth issue of yours. How do you get your boundaries? The second is security. How do you ensure your boundaries are set a secure and safe to use and are compliant? How do you ensure the data integrity of your buildings? Those manning the scale of the distribution, your rocket images can go from fugitives to hundreds of these, how do you manage the scale of your distribution? For the stress will be an old bill of materials. How do you know which the center has, which updates and who is accessing them? So how do you get your visibility and insurgent and make decisions decisions? So network latency, security issues across large scale distribution systems, the bottlenecks that slow down your processes and that may result in increased development time and with the reduction in the velocity, it may also increase risk around your compliance and security. For example, your developers may have fixed three security issues identified in the production, but you could only deploy just one fix. So now your business is addressed and and potential security breaches. In the end, it isn’t that impact on your business. You may be falling behind your competitors, or you may be having issues with the customer retention and acquisition and potential security breaches. So, so you need a reliable and flexible distribution mechanism, which is fast. You should be able to distribute your artifacts as fast as possible, secure making sure the data integrity of your families and making sure that the bindings are scanned unit an ability to trust your boundaries and a global handle. Your distributed engineering teams, claims and infrastructure around the globe, and scalability ability to manage and maintain your delivery of performance. And yet simple so that it’s very easy to automate everything. To overcome the challenges and excel your software distribution, we develop gyflog distribution product. So what is different distribution different, Mr Bhushan, along with the edge nodes, are part of the internet platform and provides a robust delivery system. You can package binaries or, you know, production ready artifacts into a single coherent release bundle and orchestrate continuous often distribution to remote sites called edge edges are nothing but lightweight. Read only artifact notes for hosting your release bundles deployed closer to your production sites or your data centers. Now, let’s talk about some of the highlights or key features in distribution. It lets you package artifacts from multiple different types of technologies into one released bundle along with them providing you with the bill of material. For example, you can bundle all the types of binaries and containing images into a single disease, but it also has the ability to scan that is one of those with one little rubies and then license compliance at every phase of your software distribution. It also increased security by digitally signing and verifying the release bundles on the edge. There’s also a concept of circle of trust established between the source and the target nodes. So once you the circle of first only source artifact, do not convert into the unless. It also ensures that at least bundles are immutable and nobody will be able to tamper them after signing it. Distribution is that easy way to distribute your beer is one of your multiple remote sites in one step. It provides transaction at times a day, so everything goes to the edge nodes or nothing goes for that cheap. It uses patented replication protocol that optimized for handling high network latency, concurrent replication and smart replication, which only replicates what’s needed because it’s based on the Dixon based storage. It also provides fine grained permission models for on both social and remote sites. And if these enterprise every distribution, tracking and traceability and it also provides several automation options, you can know that he was just oppose diferencia like a native of five steps to accommodate your distribution. So. So before we proceed, let me introduce a few terminologies here. The concept of release bundles is fundamental to distribution. It’s a logical collection of really Israeli artifacts from different technologies that promising different ways of audio software update. For example, you can bundle barcode image together with then head of the chart. It also provides the bill of materials for yourself that you can use a UI template or recipes to create the collection of the artifacts, along with the added. It’s a cute and immutable, which means that the least bundles can be signed with the key. And then we are relegated on the edge, not on arrival. Once the ladies bundle is signed, they are immutable and cannot be tampered. And as explained before, the concept of circle of trust between the source and the target groups, and it’s integrated with X Ray, which is continuously scanned for vulnerabilities and compliance issues to be ordered a software distribution process. What are active edge knobs? Edges are lightweight, read only artifact instances for handling and hosting immutable release buttons and just are deployed clauses closer to a production sites or data. It’s only possible to transfer software upgrades or release bundles to eligible for distribution. More direct uploader application is allowed, so this ensures the data integrity and compliance of your releases. Smart remote liberals are also supposed to support it, but smart crossing in the end, it’s not also support. Hybrid distribution from cloud to of them not. Now, let’s see some distribution flows. OK, so let me show you how to creatively respond to the user with the right authentication and authorization can create a legal process where a UI risky idea of a clear lay out is part of default by placing a booster distribution will then request the source artifact to fetch the requested release model of depression associated moderator after validating. And you can also index at least bundle for X-ray scanning and compliance verification after the validation of the re-use bundle. You can digitally sign it using the sign in case, and at this point you release bundle becomes mutable and ready for distribution. A copy of the latest bundle is also stored in the Source Artifact Factory. Any file included in the Lisbon Treaty cannot be deleted from this also have to take the fall for this fund. Now, let’s see the distribution flow after the release bundle is signed, is ready for distribution to your multiple edge nodes, could be your center in China, could be your Jacob Gigi production instances. So now we’re to going to be distributed to multiple like the all these. It’s not in monster distribution process is initiated again by a UI or listed by the proxy allowed on as part of your general identity, so you can define an exit policy to block distribution if security or compliance violations happen. If it allows the distribution of the release bundle, the distribution service will then talk to Mission Control for discovering the originals. The black hole, make sure that the user has permissions to distribute artifacts to the target field. If a user doesn’t have the permission to send any artifacts to Gigi, that transaction will not happen. Then the students at this part of the the distribution staff sit down section. Distribution in walks, a replicator inactive factory, which distributes the fight over to the engineers. The files are transferred using smart application work, while replicator, which means that if a Docker layer is already existing on the on the edge, not so it won’t send the Docker layer again. Distribution notifies the transaction is completed, and then in turn, a journalist validates the authenticity of the release bundles using the public key. Now, let me switch gears and show the distribution features in the demo. OK. So let me log in. Here’s the platform, Hugh White, and actually I’ll be showing you the internal distribution use case within, I need to distribute my release. Maybe be different to mind. And then when, when, when? For deployment. So here’s my topology. I have my development center and it’s called home. And then my DevOps theme is in is in China and they are ready for deploying it to the random environment. I need to create unbelievable distributed to them. So that’s the use case. And as you can see, here are all the products of our day platform at the factory distribution pipelines and extra at the factory is basically my database for all the. All the boundaries. Right. So today I have a Docker image and associated health chart, which I want to bundle together and then create a release bundle and distribute to my ED. So that the you will be seen today. So going to the distribution tab here you will see distributed will really, really create the release bundles. We also have a received tab if any release bundle splits would send to this instance. You can see them here. So let’s go back to distributable. Let’s create a new. Willy’s bundle, I’m going to call example. Go in and get their version. I can also provide some relief description. And now how do you fetch your artifacts and then create a relief fund, and so here you have two options equity are equally pretty equally is nothing the factory query language. So if you know how to write the equity, you can directly just write one equal body to look at artifacts from multiple repositories and and do it in one go orders. You can use the glory of the templated equity builder and and then fetch those artifacts and metadata. So for first, provide an equity name, and then I’m going to select my Docker app. Docker image. You can also search by build our properties include export artifacts, artifact patterns. Next, you can preview your selected artifacts, so here you can see that the manifest of the of the doctored image and the lives have been fished. Next, you can finish this by clicking on Save. Now, I also wanted to include the darker the Chad. So for May 22, I’m going to select the help chart. Click on next. Who would the Helen Jacques was selected picking on next and saving it? So now I have slipped into my Docker image, and also the headline jumped out here, you can also provide some release notes. And now I have two options, so you can you can create or you can create or sign. What are the difference between these two options? So if you click on Create, you’ll be able to view the content release notes distribution tracking. It’s not done yet. And also X-ray data. So going back to the gun control, once you have validated that the the the content of the various bundles are looking good to you, that’s when you can go ahead and sign this version. So after the signing of this lease bundle, now, now it becomes immutable, you cannot delete and build any of the contents from here on out anymore content stored so the beans bundle becomes immutable and ready for distribution. No, let’s see. So here on the data tab here, you can see all the violations, security violations and licenses, so there are going five licenses that are discovered in the 148 components. And there are some unknown and so you can go over all of them and and even automotive and decide whether you want to allow the distribution or not. So once that validation happens, you’re ready to distribute. So here you can see all the available destinations. I’m going to select a note and click on destination, so the submission tracking is a where you will track all the distribution happening. So now it is completed. Now let’s go to the edge known. I need to log in here again. So you can see that the Senate has received this artifact with Ed Snowden, and it has received my sample 1.0 version, which includes a darker help chart and the image. So that concludes the demo. Now, let me switch back to. The presentation. So what are the highlights of the solution? With distribution, you can distribute software updates from source at factory to multiple read only at the factory edge, not across the globe in one step. You can distribute artifacts belonging to multiple package types into one gold and immutable release bundle along with the metadata. These murders are digitally signed using private key and verified at the target site with the public key. You can also scan a released bundle using JFrog X-ray and automatically block release bundle distribution based on X-ray scanning policies. Using distribution tracking, you can trace where you’re buying these are these are being distributed with the fine-grained permission model. You can define who can distribute the least bundle to which locations. Distribution uses proprietary technology to cater that reliably and optimally distribute release bundles to multiple remote locations and update them as new release versions are produced. This is also helpful in overcoming your network and bandwidth challenges. He then chose Transaction Atomic City, and finally, both Agincourt and distributions are enterprise ready. You can set them up on your cloud, or you can also go do a hybrid approach. And that concludes the webinar, and I hope this was informative. Let’s take a few minutes for Q&A and please feel free to post your questions in the Q&A tab. You. I also wanted to share some exciting news. Our user conference is back in June as a virtual event. You can join us of on June 23rd one before the US are on on on June 30th, July 1st in a mere fact reason based on your time zone. It includes two days of exciting sessions, keynote and one day hands on training for all different programs. This is a great opportunity for you to learn what is coming up in 2020, not only in Jaffa, but DevOps as a whole, and to take your training further in different tools to become like power users. You can learn more about a swamp at the specified website. I see a couple of interesting questions. Let me read them out and try to answer that. The first question is how to setup the circle of trust between source and edge nodes. Well, really, really good question. So, of course, this actually is an additional layer of protection that’s required for distribution of these countries. This is like the middle of best practice, and it ensures that your sole satisfactory cannon is only sought and only certified, but ultimately comes right onto your nose. And to answer the question how best to resolve all of first, you need to exchange the public certificates between your source and destination. That means that you have the copy, the the road surface of these many of these instances. We’ve done that with one another. I hope that’s helpful. The second question I see here is, OK, what happens when astronauts are not reachable during distribution? So distribution has a built in retry mechanism, and by default, distribution is configured to retry these vital distribution three times in about 100 milliseconds interval. And these parameters can be configured based on your requirements. I hope this answers your question as well. Thank you for that. So feel free to ask more questions, and I’ll be happy to answer. Answer it for you.

Q&A

Following the webinar, these great questions were asked by the audience and might be of interest to you.

What is the difference between Bintray and Distribution?

Bintray is simply the SaaS solution for distribution while Distribution is the OnPrem solution.
There are more pros for the Distribution service as it works flawlessly with all the other JFrog products.

Do I need separate Xray instance dedicated for distribution to scan Release bundles ?

Distribution doesn’t require Xray for itself. Xray will be connected only to Artifactory and when using Distribution, it knows to fetch artifacts that were scanned.

Does any source of Artifactory need to have Xray?

Yes, that is correct. Each Artifactory cluster should have it’s own Xray instance.

Is an edge node placed at the customer location?

There are few scenarios for using the edge node. One of them is that the edge will be in the customer network yes.

How can I check for a valid package signature from my runtime?

The signature in Distribution is for the release bundle and not for artifact itself on runtime. The signing here is to verify that the release-bundle is being replicated to right location (that has the public key) and it makes the release bundle immutable (cannot be changed at all)

Define Artifactory edge nodes?

Edge is a lightweight read-only artifactory instance for handling and hosting immutable release bundles. Edges are deployed closer to production sites/DC. It’s only possible to transfer software updates (release bundles) to the Edge nodes through JFrog Distribution. No direct upload or replication is allowed. This ensures data integrity and compliance. I hope this answers your question.

Once a release bundle is created and there is need to add additional files to the release how can we do that?

You can create a release bundle and add/remove files before signing the release bundles with the GPG Keys. After signing the release bundles are immutable you cannot edit them. 

Does this plaftrom have capability to create Build Pipeline as well?

Yes, You can use JFrog Pipelines to automate and build Pipelines. 

Is rules for Xray configurable ?

Yes, you can defines policies in Xray. 

Distribution is a pay feature, correct?

JFrog Distribution and Edge nodes are part of our E+  subscription. 

Trusted Releases Built For Speed