Hello everyone, I'm Luo Jing, and I'm the project designer of Alibaba Cloud Container Registry, and it's my honor to be here. I work in the container service team. Many folks song contains images foraging, and they're making image distribution more efficient and more secure for both developers and enterprises. Today, my topic will cover what ACR is, its key functionalities and the typical scenarios of ACR.

Okay, let's take a look into the global technology transfer story. As Gartner predicts, by 2022, more than 75% of global organizations will be running containerized applications in production. Migrating to cloud native and containerized applications can help enterprise motorized. And it makes it more agile and scalable. And 451 Research reports that by 2022, the global market will reach 4.3 billion. In the next three years, we will continue to maintain a compound annual growth rate of 30.8%. And as shown in the right picture from the there are about 5 million internet users using Docker containers to isolate and software. There are about 8 in the past month. Very amazing numbers.

Why are more and more people starting to use cloud native or container technologies? That is because containers change the traditional way of generating. A container is the standard unit of software that packages up code and all its dependencies, so software applications run quickly and reliably from one computer environment to another. In the quality able empower organizations to build and run containerized applications in modern, dynamic environments, more conveniently. But how can we enjoy the cloud native technology is doing lately? Here are our into under containerized those solutions. Integrating computing, network, storage and security with optimizations, ACK and ASK provide the fully managed Kubernetes service to help customers manage their container applications for public cloud, private cloud and edge computing.
There are two forms of Kubernetes service. One is managed Kubernetes, ACK, and the other is serverless Kubernetes, ASK. Those are providers. They are full cloud native application, management for example to clean major. Well, I will introduce more in the later slides. On the basis of our ACK and ACR, customers can run different kinds of application workloads. For example, the microservices. And also big data and AI applications on Kubernetes. Furthermore, there are many innovative applications. For example, blockchain and IoT can also run on top of ACK.

Okay, let's talk more about ACR. We provide an enterprise-class, secure service for managing images. It is designed for enterprise customers that have high security requirements, deploy services in multiple regions and use container clusters with a large number of nodes. Container Registry Enterprise Edition is further divided into Basic Edition, Standard Edition and Advanced Edition. ACR EE supports cloud-native artifacts. We provided dedicated solutions, for instance, with parking mechanisms. It supports multiple-architecture container image management, including Linux, Windows and ARM, and supports the full life cycle management of version 2 and version 3. It also provides multi-dimensional security guarantees, including the ruler define the domain in the network ACL. Server-side encryption for storage in availabilities, again, analysis and image signing. Besides, it enables large-scale distribution options and policy-based global distribution for enterprises to accelerate real time to develop or to deploy. We provide P2P-based large-scale image distribution for more than 10,000 nodes and speed up the image pulling to 1 second through the snapshot. We also provide policies based on image location across the different regions where efficiency improves unstable times.

Okay, let's talk about security.
This app allows you to control access to container images and Helm charts differently. Introduce knowledge on Phyton more about Helm charts. Helm is a Kubernetes package and operation manager. Helm uses a packaging format called charts. A chart is a collection of files that describe a related set of Kubernetes resources. A single chart will usually contain at least a deployment and a service. But it can also contain an ingress, persistent volume claims or any other Kubernetes objects. Helm charts are used to deploy an application like a full web app stack with an HTTP server, caches and so on.

By default, a newly created Container Registry Enterprise Edition instance is disconnected from all networks. You must configure access control lists (ACLs) to allow access to the ACR EE instance over virtual private clouds or the public network. This guarantees the security of images when they are accessed. We also provide the ACR credential helper to pull private images without setting the register and password. We also provide fine-grained virtual access control capabilities. Customers can close the Internet or customize the ACL rules for only some public awareness likely to access. And it also supports a mathematical website and customized ACL rules for only some website to access.

And it even allows you to perform a security scan on the images and discover any known vulnerabilities in packages or other dependencies defined in the container image file. You receive the vulnerability assessments and recommendations, including specific remediation guidelines. It could generate this trail provides as streaming search for scanning. You can manually scan container images by one click, or you can configure by coordinating with the neighboring shame to automatically scan images when you push them into the recorder choice. Besides, by now reaching SL scanned APIs with the offset time triggers.
You can switch out the automated period scale of your container images with ease. After the image security scan is complete, a vulnerability report is generated as bonus. Vulnerability information is categorized into four levels: high, medium, low and unknown. Additionally, it gives the vulnerability details and the corresponding guidelines for how to remediate the specific vulnerabilities found on each image pushed to the registries. And we will create the vulnerabilities locations. We will show the details of the image layers in the Dockerfile.

With the cloud-native delivery chain, Container Registry can automatically scan new container images after pushing. If the image meets the conditions defined in the chain blocking rule, the system will automatically block the risky image from deploying; otherwise the system proceeds with the follow-up steps. The chain with image security policy guidance guarantees the images are safe enough to distribute. And that exactly will automatically store images by your camera privately. Then in ACK clusters will villages and images by public key on the commands to automate, verify the image signatures. So if a detector is deploying unsigned images in ACK clusters, the cluster will prevent the unsigned image from being deployed. And the security center will also monitor and run-time protect the ACK clusters, and this is the end-to-end security service solution for ACR and ACK.

Okay, let's talk about global distribution. The globalization zarb in less than the price have fewer called migrations than the crosswater collaborations, but this has in some cases caused various global network issues including an agency, the packaging of and the tests. To influence the internal communications between teams of multinational corporations that are located in different regions, we provide global distribution capabilities. The picture shows all is there any words for this scenario.
The customers do research and development iterations impound rule. Their end users are all over the world. So they need to provide it to the middle service as close as possible to their pastors. What is ERP Is global distribution capabilities. You can configure the sync rules to automatically synchronize images from one source instance to the target instance; automatic image synchronization between instances is supported. Thus the customers talk crucial of real images. Well triggered automatically global distributions. There isn't Alibaba Clouds high bandwidth in the global transmission in it was. It features super ear or which Walker qualities in the security protections as well as a high availability and a moment and seize. It will sync the image to Hong Kong, Singapore and London and automatically trigger the ACK clusters to poison kitten arise the application using the new container image, also improving the end user experience. The solution will last for local access to the Internet and afford 1 cross region developed. Developed equipment of application for significant improvements in user experience.

After introducing the global distribution, I will speak about the large-scale distribution. Well, at least there's these kinds of tools and images for images did have comes from the server when thousands of what he says instance pull the same image until same time, the server may change by other Cloud ensures US news download experience. However, if your clusters consists of countries or even solids or is this instance the server deck with image came through your Imagine distributions speed. Container Registry Enterprise Edition supports P2P acceleration, which significantly improves image download speed when a large number of cluster nodes are pulling the same image. This helps speed up application deployment.
Besides, we supported open images natural result pulling well customers deploy application is there an instance we will create a snapshot in their image laptop images snapshot. Then the customers came creator Continuum for snapshot without going. We also provide two methods for image replication scenarios. One is the images in construal for registry motion to based on service. This is convenient for customers to Sinkler to save their images from Harbor, GCR easier order crab or tool ACR. We also support to improve important image based on the storage in the point. So if the customer build The Hoppers found all access package that we can import the images by one click.

When it finally I will it reduce the cloud native applications compliant tree? With this delivery chain, you can freely combine tasks such as image building, image security scan, the image civilizations and image distribution in a single delivery chain. The cloud native delivery chain is fully observable, traceable and configurable. This topic describes how to create a delivery chain so that you can build, scan and distribute images all around the world only by submitting a source code change. And he's on those configuration sections. Well cathedral, we can configure without blocking rule. You can use the vulnerability severity and the number of vulnerabilities parameters to define the blocking rule. If an image meets the conditions defined in the blocking rule, the system stops performing the follow-up steps for the image. Otherwise, the system proceeds with the follow-up steps. And you can also choose non-blocking. Then the system will proceed with the follow-up steps for all the images. And after you configure the images, civilization rules update the images sound, Netflix symbolized, opportunity registered under priced edition, installed base download rules.
You can configure distribution triggers to automatically distribute images so that the applications can automatically be deployed. Over deliver chain page you can view the movie which is being retrieved without wheels are rolling status in her resolve all the issues things in the Witcher which for it and you can get along with him make the images automatically deployed to the ACK clusters.

>> OK, in the next part I will show a demo about a cloud native application supply chain on the ACR management console. And we can see from here that we provide 2 versions of the instance. The default instance is for container developers to manage their container images, and the ACR EE, the Enterprise instance, is designed for enterprise customers that have higher security requirements, deploy services in multiple regions and use container clusters with a large number of nodes. OK, let's click one ACR EE instance to look into it.

From the dashboard we can see ACR EE is our cloud-native artifacts management platform. It not only provides multiple-architecture container image management, including Linux, Windows and ARM images, but also provides the full life cycle management of Helm charts version two or version three. And besides, ACR EE allows you to control access to container images and Helm charts. By default, we can see here the access portal of the Internet access control is closed; it is disconnected from all networks. You must configure the ACL to allow access to the ACR EE instance. OK, over the VPCs or the public network. So, if your SS instance reside in one or two or more VPCs, you should configure access to the Container Registry Enterprise Edition instance over the VPC. Is this then the domain name? Here we can see the domain name here is well be resolved into the recess. We strongly recommend you to close the public access portal and configure VPC access control.
And here we can see that in the Docker image repository we provide many functionalities. For example, we can see here we provide the security scan, and ACR EE allows you to perform the security scan on all Linux-based images, and it will discover any known vulnerabilities in packages or other dependencies defined in the container image file. And you can receive the vulnerability assessments and recommendations here, including the specific remediation guidance. And we can see more image layers about it. Besides, we also provide some distribution capabilities, for example, instance replication. We can replicate the images based on the repo or the instance level from here, from this Hangzhou instance to another instance, based on the namespace replication level or the repository level. And when you update or when you push a new image in the Hangzhou instance, it will automatically be replicated to another instance.

Okay, let's talk about the main content of this demo. I will show a demo about the cloud native delivery chain here, and we can see we already created one here called a chain and the either scope is in the namespace after and a GitHub repo. We can click the management button, and we can see the whole delivery chain process from the beginning. We can see it will act on the image building node, and from here it will pull the source code from the GitHub repo here. And then it will docker build the images from the Dockerfile shown in this directory, and then it will build the image called latest. And then the third node is about the security scan. Here we can see I chose a non-blocking strategy; that means whatever the result is, it will go on to the next node to process. And also we can choose to use a blocking strategy based on the vulnerability severity or the number of vulnerabilities. That means when we find some high level vulnerabilities we will block the error chains to deploy or distribute.
And we can see here we want the Docker image, after the security scan, to be distributed to another instance in Beijing. And then finally we can see there is a distribution trigger here, and the trigger URL is like this. That means I have already created a cluster and deployments in ACK. And then here we use the Docker image I build here, this Docker image. And we create the details here; we can see I used the same trigger from this application. That means when I click this trigger, it will make the deployment redeploy by using the newly formed image. So, this is the whole pipeline here.

And we can see for now we have this simple demo here. The content of it is Welcome to nginx!, as shown in this Dockerfile here. And then all. I want to change the, I will change it up on. So cold here and I will maybe edit the content to welcome to ACR EE. Okay, update. So after I updated the source code here, I will come back to the ACR EE instance. Here I can't see the record. By refreshing that console, I can see there is a new chain record here, and the coded, and the changes the at the image building stage. Then I can see the log of the Docker build here. That means it pulls the source code from GitHub, the source repo, and then docker builds it into a new image. Then finally, it will docker push that, okay? It will docker push that to our instance.

Okay, we can see it already finished the image pushing stage and formed the new version latest. And here it triggers the security scan. Although here we found a high vulnerability, because I didn't choose the blocking strategy, it will go on to the next process. Okay, we can see it already distributed. It already triggers the distribution. Then we can see the detail. Locate those responses on success. So we can see here. Okay, I'll refresh the ACK console. We can see it already finished the update.
So I can click the access method to get the external endpoint. Then we find it already changed to welcome to ACR EE, as shown in the Dockerfile here.

And in the next part I will modify the chain. I will change to the blocking strategy. No, sorry. I click the security scan node. And then I change to the blocking strategy. That means that if I find a high vulnerability severity, I will block this whole chain. Okay, let's confirm. So, let's change it. I will also change the code. That means it will auto build a new Docker image. Okay, I will refresh our record. Okay, it already triggered a new execution, and it also will pull the source code from GitHub and docker build locally. And then it'll push to the ACR EE. So let's wait for the building part. Okay, it finished. Then it'll push to the ACR EE. And we can see the result of the security scan. And the whole chain status is blocking. Okay, we click back. We can see the execution status is cancelled in the blocked tool to the next node to distribute.

So, well, that's all to show the delivery chain part. And from the whole introduction, we can see that ACR EE is more secure, convenient and efficient to use to host, distribute and deploy your Docker images, your Helm charts version 2 or 3, or any other compatible OCI standard artifacts. So that's all. Thank you. Thank you for listening.