How Sealer Streamlines Private Cloud Delivery for Large‑Scale Enterprise Apps
This article explains how the open‑source sealer tool addresses the complexity of private, large‑scale application delivery by integrating Kubernetes cluster and business components, reducing deployment effort from weeks to days while ensuring consistency and low‑dependency operations.
Background
With the rapid growth of the Internet, cloud‑native technologies centered on containers have exploded, and Kubernetes has become the de‑facto standard for container orchestration. However, while Kubernetes solves large‑scale deployment and scheduling, it is not friendly for business‑level delivery and its own installation is complex.
Challenges of Private Delivery
In the government procurement (政采云) scenario, private delivery must handle more than 300 business components and over 20 middleware pieces across heterogeneous, often isolated networks. The main pain points are handling deployment dependencies, ensuring delivery consistency, and managing the massive manual effort required for preparation and execution.
Sealer Solution
The open‑source project sealer, initiated by Alibaba Cloud’s native application platform team and co‑built with partners, fills the gap by providing an elegant design that packages an entire Kubernetes cluster together with distributed applications. Similar to Docker, sealer treats the whole cluster as a single machine, defines the “operating system” with a Kubefile, builds a cluster image, and runs it to deliver the full stack.
Problems with Ansible
Only solves deployment steps; dependencies still need separate preparation, which is costly and impossible in isolated networks.
Adapting playbooks for each customer’s unique requirements requires extensive debugging.
The declarative language lacks power for complex control logic.
Ansible requires a runtime environment, preventing a true zero‑dependency delivery.
Community Contributions
Implemented a lite build mode that parses Helm charts, YAML definitions, and image lists to cache images without launching a cluster, reducing build cost to a single host.
Added a check feature to automatically verify the status of Kubernetes components after delivery.
Enabled custom registry configuration, moving the registry from a fixed master node to a user‑defined location.
Provided a sealer join command for adding nodes to an existing cluster.
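The lite build mode described above works from static inputs instead of a running cluster. The sketch below is an added example, not sealer's own code: it assumes already-rendered manifests and a plain-text image list, and the names `normalize` and `collect` are hypothetical. It gathers every image a bundle must cache and marks references that are not pinned, since a floating tag can resolve to different content between build and delivery.

```python
import re
# `image: <ref>` in a rendered manifest, optionally as a list item and/or quoted.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"'#]+)""")

def normalize(ref):
    """Return (canonical reference, pin kind) using Docker's default-registry rules."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:       # colon in the last path segment is a tag
        name, tag = name.rsplit(":", 1)
    first = name.split("/", 1)[0]
    if "/" not in name:
        name = "docker.io/library/" + name
    elif "." not in first and ":" not in first and first != "localhost":
        name = "docker.io/" + name           # first segment is a namespace, not a host
    if digest:
        return f"{name}@{digest}", "digest"
    if tag in (None, "latest"):
        return f"{name}:latest", "floating"  # content can change between build and delivery
    return f"{name}:{tag}", "tag"

def collect(manifests, image_list=""):
    """Deduplicated {reference: pin kind} for everything the bundle must cache."""
    refs = [m.group(1) for line in manifests.splitlines() if (m := IMAGE_LINE.match(line))]
    refs += [l.strip() for l in image_list.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return dict(sorted(normalize(r) for r in refs))

# Constructed sample input: one manifest and an image list.
DIGEST = "sha256:" + "0" * 64
MANIFESTS = f"""
kind: Pod
spec:
  initContainers:
    - name: init
      image: busybox
  containers:
    - name: web
      image: "registry.example.internal:5000/shop/web:1.4.2"
      imagePullPolicy: IfNotPresent
    - image: nginx@{DIGEST}
    - name: migrate
      image: busybox:latest  # same image as the init container
"""
IMAGE_LIST = "# images pulled at runtime, not named in any manifest\nredis:6.2\n"

if __name__ == "__main__":
    for ref, kind in collect(MANIFESTS, IMAGE_LIST).items():
        print(f"{kind:8} {ref}")
```

Entries reported as `floating` are the ones to pin before building a bundle for an isolated network.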
Key Features
Cluster images produced by sealer can be pushed directly to private Docker registries such as Harbor, and later extended or rebuilt.
The built‑in registry supports multi‑source, multi‑domain proxy caching, allowing private caching of public images without changing image references, and can proxy multiple private registries simultaneously.
Implementation Results
Using sealer, the delivery workflow was re‑designed: business components, middleware, and image caching are defined in a Kubefile and built with the lite mode. This eliminated most manual dependency handling, shortened the delivery cycle from 15 person‑days to 2 person‑days, and successfully delivered a cluster with 20 GB of cached images, over 2000 GB memory and 800+ CPU cores.
Future Outlook
The successful rollout demonstrates the power of open‑source collaboration. The team will continue to contribute to the sealer community, address remaining issues, and expand its capabilities to serve more scenarios, inviting more partners to co‑build a brighter, more robust tool.
Alibaba Cloud Native
