
Docker workflow design with Jenkins on production


I have described a more elaborate Vagrant/Docker pipeline here: Using Ansible,Jenkins and docker to build fast test environments

Wrapup:

A professional Docker pipeline should include the following steps:

  1. Base Image Construction: Build the image from a Dockerfile, and trigger this build each time the Dockerfile changes. The result can be uploaded to a public Docker Hub image. E.g. Java JDK8 Base Image: yourname/baseimageJRe8
  2. Base Image Provisioning: Build the provisioned image. Include your java-maven-build artifact and configuration files. Only use stable tagged Docker images for this step: yourname/baseImageJRe8:2.0-stable. The result must be uploaded to a PRIVATE Docker registry, e.g. privateregistry.io/yourname/softwareStackMySoftware:2016-10-21-Build-210.
  3. Provisioned Image Deployment: Pull the image from the private registry on your host. Remember, only use stable tagged images. Add host specific configuration through environment variables or add configuration files inside Docker Volumes. Finally start the Docker container.

A professional Jenkins setup should consist of:

  1. One Jenkins Master: Configuration of Jobs. Absolutely NO Build Processors!
  2. Arbitrary Amount of Jenkins Slaves: Building the Docker Image. Yes, this one uses lots of resources naturally.

As you may have heard, there is no sane way to run Docker inside Docker. Thus, you need either a Docker-Machine (set up by the docker-machine CLI) or some other VM with Docker installed to build your Docker images.

Furthermore, building docker images in a continuous integration environment produces lots of stopped and failed build containers and (dangling) images. You should do this in a safe environment where you can safely clean the machine without affecting productive parts.

But there is the big misunderstanding that Jenkins or the Jenkins slave inside Docker can't build Docker images. You just have to install the docker cli inside a Docker image and send the commands to your host. For example, check this Jenkins swarm slave image: blacklabelops/swarm-dockerhost
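The "only use stable tagged images" rule from step 3 above can be enforced mechanically before the deploy job pulls anything. The following is an added example, not part of the original answer: `check_image_ref`, `ALLOWED_REGISTRY` and the sample references are constructed for illustration (lowercased, since Docker repository names must be lowercase), and it goes slightly beyond the answer by also handling registry ports and digest-pinned references.

```shell
#!/bin/sh
# Added example: refuse to deploy an image that is not pinned to an explicit
# tag in the private registry. All names below are constructed placeholders.
ALLOWED_REGISTRY="privateregistry.io"

# check_image_ref REF [REGISTRY]: print "ok" or the reason for rejection.
check_image_ref() {
    ref=$1
    allowed=${2:-$ALLOWED_REGISTRY}
    # A digest (name@sha256:...) pins the content; split it off first.
    case $ref in
        *@*) digest=${ref#*@}; name=${ref%%@*} ;;
        *)   digest=""; name=$ref ;;
    esac
    # Only a colon in the last path component starts a tag; a colon
    # earlier in the reference belongs to a registry port (host:5000/...).
    last=${name##*/}
    case $last in
        *:*) tag=${last##*:}; repo=${name%:*} ;;
        *)   tag=""; repo=$name ;;
    esac
    # The first component is a registry host only if it looks like one;
    # otherwise Docker resolves the name against Docker Hub.
    case $repo in
        */*) first=${repo%%/*} ;;
        *)   first="" ;;
    esac
    case $first in
        *.*|*:*|localhost) registry=$first ;;
        *) registry="docker.io" ;;
    esac
    if [ "$registry" != "$allowed" ]; then
        echo "rejected: registry $registry is not $allowed"; return 1
    fi
    if [ -n "$digest" ]; then
        echo "ok"; return 0
    fi
    if [ -z "$tag" ] || [ "$tag" = "latest" ]; then
        echo "rejected: no explicit tag, would resolve to latest"; return 1
    fi
    echo "ok"
}

# Demo on constructed references; a deploy job would pass the real one
# and run `docker pull` only when the check succeeds.
for r in privateregistry.io/yourname/mysoftware:2016-10-21-build-210 \
         privateregistry.io/yourname/mysoftware \
         yourname/baseimagejre8:2.0-stable; do
    printf '%s -> %s\n' "$r" "$(check_image_ref "$r")"
done
```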


Your answers:

  1. You need something to store your built images, which will later be pulled from the production servers. You need a Docker registry. Docker Hub is just a Docker registry with many features. But you can install a private Docker registry. There is an official container for that.

  2. No, this is not a good practice. Leave Jenkins alone on its server, exactly for the reason you exposed: resources and interference with your application, like open ports.

  3. Don't use Jenkins in a container, because it is very difficult to call Docker inside Docker (not impossible but difficult). The container is very good except for Docker. You can install Jenkins via just an apt install jenkins.

Regards


  1. You need a Docker registry; this is the place where the built Docker images are stored. You can either host one yourself or pay Docker Hub if you want private images. See here: https://hub.docker.com/billing-plans/

  2. Jenkins shouldn't be running in production; your code should be. Jenkins is a CI tool that will help you get your code built. So it needs to be on a separate "Build" machine. Jenkins should build your code, create the Docker images, and store them in the repo. And your policies decide how and when it gets rolled out to production.

  3. As @Carlos mentioned, if you want to build Docker images it is better to run Jenkins as a native app. Why does Jenkins provide a Docker image? Because it's easier to try out and not everyone needs to create a Docker image out of their built artifacts.