HCP Packer Adds Ancestry to Track Image Relationships

Ancestry tracking for HCP Packer provides visibility into image dependencies across your cloud environment for image lifecycle management.

We are excited to announce the release of Image Ancestry Tracking for HCP Packer, now generally available in the HashiCorp Cloud Platform (HCP). This new feature allows users to track the relationships between machine images and provides a workflow for revoking an image and all its descendants at once. This post will cover the challenges of image relationship management and the details of HCP Packer’s new feature.

Understanding Image Relationships

A typical approach for image management is to first build a set of common base or “golden” images for a given operating environment. These base images can be thought of as a parent. They contain the organization’s standard configurations, such as security and compliance policies. Child images are then built from these base images to meet specific application needs.

Image Tracking Challenges

Tracking the relationships between parent and child images can be difficult and often involves manual processes. This can lead to unclear parent-child dependencies and inconsistent statuses when remediating security or configuration issues in base images. Child images could be left referencing out-of-date parent images without manual tracking and intervention.

Currently, users can only trace and revoke one image iteration at a time if a vulnerability is found. There is no way to visualize the child images dependent on that image iteration. The impact of changing a base image may not be fully understood without details on its downstream dependencies.

Introducing Image Ancestry Tracking

Image ancestry tracking gives users visibility into image relationships and remediates descendant images when a parent image is revoked, providing better image lifecycle management.

Track Parent-Child Relationships

Image ancestry makes it easy to track image dependencies and discover the correct images to use in deployments. Each image's parent-child relationship and status are now captured and displayed in your Packer registry. When a new base image is created, child images will indicate if they are out of date.

Packer registry and ancestry dashboards.

Inherited Revocation

Image ancestry tracking can also ensure revocation across all descendant images. If a vulnerability or misconfiguration is identified in a base image, you can choose to revoke only the iteration or the iteration and all its descendants. This workflow is supported for both immediate and scheduled revocation.
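The two behaviours described above, a child flagged as out of date once its parent's bucket gains a newer iteration, and a revocation (immediate or scheduled) that optionally propagates to every descendant, can be modelled as a small registry. This is an added illustrative model, not HCP Packer's code or API; the iteration ids, bucket names and the `created` sequence number are constructed for the example.

```python
# Illustrative model of image ancestry, inherited revocation and out-of-date detection (constructed, not HCP Packer's code).
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class Iteration:
    id: str                               # constructed iteration id
    bucket: str                           # registry bucket (image family)
    created: int                          # build sequence number in the registry
    parent_id: Optional[str] = None       # iteration this image was built from
    revoke_at: Optional[datetime] = None  # None = active; past = revoked; future = scheduled

class Registry:
    def __init__(self, iterations: List[Iteration]) -> None:
        self.iterations: Dict[str, Iteration] = {i.id: i for i in iterations}

    def descendants(self, iteration_id: str) -> List[str]:
        # Transitive children via a depth-first walk over parent links (ancestry is a tree).
        kids = [i.id for i in self.iterations.values() if i.parent_id == iteration_id]
        return kids + [d for k in kids for d in self.descendants(k)]

    def revoke(self, iteration_id: str, at: datetime, inherit: bool) -> List[str]:
        # Revoke one iteration, or it plus every descendant; 'at' may be now or a future time.
        targets = [iteration_id] + (self.descendants(iteration_id) if inherit else [])
        for t in targets:
            self.iterations[t].revoke_at = at
        return targets

    def is_usable(self, iteration_id: str, now: datetime) -> bool:
        ra = self.iterations[iteration_id].revoke_at
        return ra is None or ra > now

    def is_out_of_date(self, iteration_id: str) -> bool:
        # True when the parent's bucket has a newer iteration than the one this was built from.
        it = self.iterations[iteration_id]
        if it.parent_id is None:
            return False
        parent = self.iterations[it.parent_id]
        newest = max((i for i in self.iterations.values() if i.bucket == parent.bucket),
                     key=lambda i: i.created)
        return newest.id != parent.id

def sample_registry() -> Registry:
    # Constructed sample: golden base -> web app -> worker variant, then a new base iteration lands.
    return Registry([Iteration("base-v1", "golden-linux", 1),
                     Iteration("web-v1", "web-app", 2, parent_id="base-v1"),
                     Iteration("worker-v1", "web-worker", 3, parent_id="web-v1"),
                     Iteration("base-v2", "golden-linux", 4)])
```

Revoking `base-v1` with `inherit=False` leaves `web-v1` and `worker-v1` usable, which is exactly the missed-child gap that inherited revocation closes.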

Immediate image revocation workflow.

Ancestry Tracking Benefits

Ancestry tracking and inherited revocation enable safe and effective immutable infrastructure workflows.

Increased Efficiency

Image ancestry details allow users to better understand the relationship between images. This visibility lets users quickly see the dependencies of parent images to monitor usage and gauge the impact of potential changes. Child images also show details about the parent image they are based on. This transparency helps streamline build and deployment processes.

Reduced Risk

Ancestry tracking immediately prevents the use of all images descending from a revoked parent. This prevents child images from referencing a potentially vulnerable base image. Visibility into image status and dependencies also helps avoid missed child images when remediating security or configuration issues in base images.

Immutable Deployment Processes

HCP Packer enables immutable application deployments by launching a set of new instances for each iteration instead of making changes to existing images. Ancestry tracking brings further visibility and control to these deployments to ensure consistent and reliable image management.

Summary & Resources

Visibility into the relationships between images is crucial for efficient and secure infrastructure management. Ancestry tracking allows for quick reference of image dependencies or statuses and ensures revocation across descendant images.

For more information on HCP Packer and Image Ancestry Tracking, check out our Ancestry and Revoke Images tutorials along with this demo video:

Get started with HCP Packer for free to begin tracking machine images across all your environments.