This buildpack architecture allowed Datica to control the build process from start to finish, ensuring security and compliance at every step of the application deployment process. But it didn’t always work well for our customers. For some customers, deploying within that model simply isn’t possible. For example, they might not even have the source code for the application they’re deploying, so they have nothing to push to us. We’ve listened to our customers’ concerns about wanting a higher degree of control over building and debugging their own applications, and we have come up with a secure solution: customers can now bring their own Docker images onto the Datica Platform.
Introducing Container Services
Our just-released Container Services are an integral part of the Datica Platform and provide a direct way for customers to push a Docker image to Datica’s Docker registry, skipping the buildpack and “git push” process entirely. There are many benefits to this alternative deployment model, but the one we are most excited about is that our customers can push up an exact image to be run — without needing to rely on a build process, dependencies being available, or anything else of that nature.
Customers write their Dockerfile locally (built on top of Datica’s base image), build and sign the resulting image, and push it to Datica. Once that Docker image is in the registry, a “deploy” command runs the image on the specified container service associated with their Datica environment.
Security and Compliance Built In
Giving customers that amount of control over their applications seems simple in theory, but the reality of adhering to HIPAA, GDPR, GxP and other healthcare regulations when developing digital health applications presented us with a massive security and compliance problem to solve before we could release this service to our customers.
We have done an incredible amount of security work that is largely invisible to our customers so that this new feature can pass a difficult HITRUST certification audit. For example, we have secured the containers with very stringent AppArmor profiles and per-tenant namespace profiles in Linux, so that it appears to customers that they can run privileged code (i.e. anything) on our system, when in fact we’ve limited them to a very thin slice of our resources. Additionally, we have created end-to-end security for receiving their Docker images by enforcing notarization of those images through the Docker Notary service. Notary verifies that each image was signed by the customer’s organization, so no one can push malicious code on their behalf.
The Notary service is especially useful in larger organizations, as it allows them to create “delegate” roles (each backed by its own key) so that, for example, only the operations team or CI can sign production images, while the development team can sign staging or test images. See the Notary documentation for details on how to set this up.
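The delegation model above only helps if the deploy step actually checks who signed the tag it is about to run. The following is an added example, not Datica’s code: a small deploy-time gate that reads the JSON produced by `docker trust inspect <repo>` (which lists each signed tag, its digest, and the delegation roles that signed it), rejects tags that are unsigned or signed only by a role the target environment does not allow, and returns the image pinned by digest so the deploy cannot be swapped out from under the check. The role names (`ops`, `ci`, `dev`), the environment-to-role policy, the registry name and every digest and key ID are constructed for the example.

```python
"""Deploy-time signer-policy gate over `docker trust inspect` output.

Added example, not Datica's or Docker's own code. Usage from a CI or deploy
script, assuming Docker Content Trust is enabled on the repository:

    docker trust inspect registry.example.com/acme/api \
        | python trust_gate.py registry.example.com/acme/api v1.4.0 production
"""
import json
from typing import Dict, Set

# Which delegation roles are trusted to sign images for each environment.
# Role names and environments are assumptions for the example; a real policy
# mirrors the delegations configured on the repository. Note that the
# repository key itself ("Repo Admin" in docker trust output) is deliberately
# absent, so production requires a delegation signature, not the shared key.
SIGNER_POLICY: Dict[str, Set[str]] = {
    "production": {"ops", "ci"},
    "staging": {"ops", "ci", "dev"},
}

# Constructed sample in the shape `docker trust inspect <repo>` prints.
# Repository name, digests and key IDs are made up.
SAMPLE_TRUST_OUTPUT = json.dumps([
    {
        "Name": "registry.example.com/acme/api",
        "SignedTags": [
            {"SignedTag": "v1.4.0", "Digest": "a" * 64, "Signers": ["ops"]},
            {"SignedTag": "v1.5.0-rc1", "Digest": "b" * 64, "Signers": ["dev"]},
        ],
        "Signers": [
            {"Name": "ops", "Keys": [{"ID": "1" * 64}]},
            {"Name": "dev", "Keys": [{"ID": "2" * 64}]},
        ],
        "AdministrativeKeys": [
            {"Name": "Repository", "Keys": [{"ID": "3" * 64}]},
            {"Name": "Root", "Keys": [{"ID": "4" * 64}]},
        ],
    }
])


class TrustPolicyError(Exception):
    """Raised when a tag must not be deployed under the signer policy."""


def signed_tags(trust_json: str, repo: str) -> Dict[str, dict]:
    """Map tag name -> trust entry for the given repository."""
    for entry in json.loads(trust_json):
        if entry.get("Name") == repo:
            return {t["SignedTag"]: t for t in entry.get("SignedTags", [])}
    raise TrustPolicyError(f"no trust data for repository {repo!r}")


def check_deploy(trust_json: str, repo: str, tag: str, environment: str) -> str:
    """Return the digest-pinned image reference to deploy, or raise.

    A tag passes only if at least one of its signers is a role the policy
    allows for the environment. The digest, not the mutable tag, is returned
    so the deploy runs exactly the bytes that were verified.
    """
    allowed = SIGNER_POLICY.get(environment)
    if allowed is None:
        raise TrustPolicyError(f"unknown environment {environment!r}")
    entry = signed_tags(trust_json, repo).get(tag)
    if entry is None:
        # Either the tag was never signed or it does not exist in trust data;
        # both are treated the same way: refuse to deploy.
        raise TrustPolicyError(f"{repo}:{tag} has no signature in trust data")
    signers = set(entry.get("Signers", []))
    if not signers & allowed:
        raise TrustPolicyError(
            f"{repo}:{tag} signed by {sorted(signers)}, but {environment} "
            f"requires one of {sorted(allowed)}"
        )
    return f"{repo}@sha256:{entry['Digest']}"


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:
        raw = sys.stdin.read()          # piped from `docker trust inspect`
        repo, tag, env = sys.argv[1:]
    else:                               # no args: run against the sample
        raw = SAMPLE_TRUST_OUTPUT
        repo, tag, env = "registry.example.com/acme/api", "v1.4.0", "production"
    try:
        print(check_deploy(raw, repo, tag, env))
    except TrustPolicyError as exc:
        sys.exit(f"refusing deploy: {exc}")
```

The policy table stands in for whatever mapping an organization keeps between environments and delegation roles; the important properties are that an unknown or unsigned tag fails closed, that a development-role signature cannot promote an image into production, and that the deploy step consumes the verified digest rather than re-resolving the tag later.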
The ability for customers to build Docker images locally, run them locally, and then push them onto the Datica Platform will increase developer productivity immensely and make it much easier for our customers to debug their own applications when something goes wrong. Our new Container Services also make deploying third-party vendor software (like Tableau or other licensed software) a whole lot easier.