Hacker News new | comments | show | ask | jobs | submit login

Container images do not need operating systems, and I will forever be angry with Docker for tainting the concept in popular usage. Research a static binary as a container to see what I mean.

Nobody who built containers before Docker came along shipped an operating system in the image. Now we have gigabytes of Ubuntu alongside nginx thanks to Docker. Cool.




Disclaimer: I work at Docker.

> Nobody who built containers before Docker came along shipped an operating system in the image. Now we have gigabytes of Ubuntu alongside nginx thanks to Docker. Cool.

First: I believe shipping the entire distro in each container was in fact the most common use of containers before Docker, since openvz/vserver/lxc were focused on "mini-servers" (to this day you can still rent openvz-based vps). So I think your statement is incorrect.

I also think your (eternal?) anger might be misplaced. Yes, today most people who use Docker build containers with unnecessary distro bits in them. But before Docker, 99% of them didn't build containers at all, and struggled with non-repeatable deployments and dependency hell. Even better, now all these people use a standardized Dockerfile which can be changed and improved over time - for example to move away from a heavyweight distro like fedora or ubuntu, to something like alpine or even more minimalistic.

Incidentay, we have hired Natanael Copa, the awesome creator of Alpine Linux and are in the process of switching the Docker official image library from ubuntu to Alpine. You can help us with pull requests to https://github.com/docker-library if you want :)

Even one such pull request could go a long way to promoting smaller containers, since those images have been downloaded over half a billion times.


> Yes, today most people who use Docker build containers with unnecessary distro bits in them.

>... to move away from a heavyweight distro like fedora or ubuntu, to something like alpine or even more minimalistic.

The distro package management is one of the biggest reasons why people still stick with heavyweight distros like Ubuntu.

This is why DockerSlim [1] was created (at one of the Docker hack days, by the way :-)) It lets you use heavyweight distros as-is eliminating everything you don't need. You get the best of both worlds where you don't have to change your process and you still get small images (7, 10, 20 and even 30 times smaller than the original).

[1] - http://dockersl.im

P.S.

It is safe for use in production :)



There's a packer manager in alpine. Maybe not as complete as ubuntu but pretty decent imho.


Yes, it does have a package manager, but... , like you said, it's not as complete and it is different, which means you need to put in extra efforts to convert and make things work (also don't forget about a potential lib C compatibility fun). Why go through all this trouble though? Why not use the distro you are already using as-is and still get Alpine-like image sizes? One nice thing about Alpine is its hardened kernel, but you won't be using it in your Docker container. Alpine is nice, but it's not worth it when there are other alternatives that don't require extra time and effort I'd rather use to build a better product.

And if you are using 3rd party Docker images Alpine won't help :)


Has something like nix been considered for alpine? I think it would be really great for use in containers since it has the built in ability to garbage collect unused dependencies.


That is awesome! Congrats ncopa. Incidentally I ported go and then docker to Alpine Linux (musl and hardened toolchain fixes) almost 2 years ago:

https://github.com/alpinelinux/aports/commit/abfdfd32d2c6818...

https://github.com/alpinelinux/aports/commit/4248d1a88bcde1d...


I would imagine the most important thing from a distro is the support from the downstream vendor (i.e: canonical or red hat) that comes with it. Downloading and compiling from source to a minimal distro (like what alpine does it seems) is nice and all but would be limited for toys/dev deployments and not sure how i would get my CTO convinced to use those images instead of officially supported one from a reputed vendor cause the benefits are a few mbs (and freeness obv) gains


I said "built containers." Not rented a VM which happens to be run atop container-style virt. Since Docker is positioned toward the former, not the latter, but due to your company origins and history ends up looking like the latter, thereby training a generation of developers that /etc/hosts and shells belong in production artifact containers, my anger is correctly placed.

Docker has regressed the container term completely and irreversibly. I'm glad you're switching to Alpine (and kudos on spinning a negative comment like a top), but you skipped over that I said static builds, as in: the container doesn't carry hundreds of files to support a full Linux distribution with the weight of legacy support atop it. A container should be one binary. Dependencies are one thing, and yes, they often have to ship in the image. I don't find /sbin/init or /etc/nsswitch.conf when I open up JARs built by the average CI, though, so what the hell are they doing in Docker containers? Now the term is so blown out that my comment alone is probably causing crossed eyes and tilted heads among readers, because nobody really knows what a container is any more.

You know this opinion exists, too, because certain folks have reminded you numerous times in the political theater that containerization has become behind the scenes. Also largely thanks to Docker. (Not solely. Largely.)

`FROM scratch` should have been the default. Come on. You know it just as much as I do, Solomon. Imagine if you had shipped a build chain to automate the same dependency work that Google did to build containers, instead of just dumping ubuntu-minimal into a container so dynamic linking and such works and finally trapping us in a hell where Alpine is seen as better.


Almost no containers have /sbin/init in. An alpine container has little in it. But C applications do generally require some files, eg config. Docker does encourage people to put as little as possible in, but alas there are still people who shell out as they do not have libraries do do what they need yet... including Java programmers.

Disclaimer: I work at Docker on unikernels. You might like this approach to containers.


You don't even need unikernels, and as much as I loathe myself for saying it, I find myself agreeing with a few of Cantrill's points regarding unikernels in prod. Not all of them, and I think it's worth exploring, but there's a spectrum here: on one end, unikernel app containers, and on the other full jails. The Google approach with minimal containers that still act Unixy and Posixy but carry very little distribution overhead is somewhere around 0.1 on the spectrum.

But we call [0.0, 1.0] the same thing now, so the tooling has to support all cases, and now just pulling a Docker image down might cost me gigabytes of network transfer that I don't need to spend. Combined with the HTTP-strong architecture, Docker encourages fat containers but then falls apart on them at higher sizes because of the HTTP mechanics.

Example: I need to ship about 1 TB of static data alongside my app in a separate container. Try that in Docker. The answer will invariably be Docker not being designed for that, but I thought Docker encouraged the jail-style fat container case? What happens when the jail you're renting out because that's a container too actually uses a bunch of space and you try to `docker commit` into whatever you're managing your containers?

You shouldn't be using containers for that, but features of Docker encourage it, and thinking fat like that has numerous pitfalls. (My example is borne from reality: I watched Docker wash out from a team in two days once they tried to commit a 100+ GB container. I assume the docs guided them there.)


I take a small issue with "now all these people use a standardized Dockerfile"

And many folks don't, because the amount of unreadability from having to concat 20 statements in a && fashion to cut down layer size gets out of hand. This leads to folks then having to use scripts to clean the layers, which leads to reuse in things like Packer, which leads to even more problems when the base image changes culturally.

I'd also argue the that it's a matter of familiarity. Every time we change the base image culturally, we have to retool for a different method of making the things in it (apt/dnf/yum -> apk), so while large distro images are bad, they're familiar and predictable (with a mature package set and releases) to what we're used to doing on servers.

Or folks use another tool to abstract that (like Ansible or Chef), which brings us right back to not using Dockerfile.


If you would like an official Zulu JDK container I am willing to contribute time, from my Alpine-based Smallest JVM containers in the world™ http://j.mp/tinyjvm


Yes please! That sounds fantastic, thanks for offering.


> Nobody who built containers before Docker came along shipped an operating system in the image. Now we have gigabytes of Ubuntu alongside nginx thanks to Docker. Cool.

This couldnt be more false - other systems had containers capabilities for years now (FreeBSD Jails, Solaris Zones, IBM LPAR's, Linux OpenVZ and so on) and since forever it was done in a way of running another full OS inside a container. Stripping that down to single processes was possible and done by some people but rarely, because it was relatively hard (since it often required hand-crafting the 'packages', hunting down single libs and their requirements using ldd and the like). I myself was running both full OS jail containers on FreeBSD and stripped down single process/service jails more than 10 years ago.


As I told Solomon, this confusion is due to muddying of the term. I'm connected to the Google school of thought on this (where basically all the billions of containers in prod are `FROM scratch`, because they did the work you call hard to ship a process as a container), whereas jails are the other school of thought. I would contend that they are different enough to deserve different terms, and this thread of correcting what I meant, and explaining jails to me even though I would think it pretty clear I understand them, is evidence enough. We called those jails when FreeBSD was carrying that torch. I never once heard them called containers until now. That is my point.

Docker is not for the jail case. If it were, it would look like OpenVZ and come with completely different architecture and management tooling. It's for deploying artifacts to prod, and my entire point is that starting from `FROM ubuntu` for even a Go binary has muddled this picture irreversibly. Now I have to have this argument, which makes no sense, because we now take it as fact that containers and jails are the same thing, and anyone who says otherwise deserves to have very basic things explained to them carefully and rather condescendingly.

This reply applies to everyone who is calling me wrong. I spent last summer employed by CoreOS, have worked on Google Borg, and spent the first half of my career on the production artifact toolchain. I'm not just farting into the breeze here with my two personal servers and opinions.


This. With other sandbox container solutions, you just start it. Docker's is mixing a sandbox, a deployment solution and more together. This might be useful for large deployments, but for smaller one it's too complex.


for sandboxes you don't need containers and for resource management, neither. The only thing which docker gives you, is that it enforces immutable disks, which cgroups can't do, can't yet do or whatever. however when even with docker you need to ensure that your program won't mutate the filesystem so anyways nothing special.


Enforcing an immutable filesystem is actually pretty easy to do, just don't give write permissions to the user under which the program is running :)

What Docker integrates is a layered filesystem, in which the application can mutate the filesystem, but only it will see those changes (and they'll go away when the container is destroyed).


You can mount the base filesystem read only in the container as of 1.10, with tmpfs mounts for where you need ephemeral mutation.


oh yeah sorry. however on some linux filesystems you could also use `chattr +x` however most things won't play well with that ;) especially not programs which create logs / pids / whatever.


Not true. Managing OS images is the killer app for containers.

Containers power the Heroku platform and it supports millions of apps by containerizing OS images.

When both the bamboo stack and cedar stack were available, we would:

Run a base AMI and update it frequently for kernel, security and performance updates.

Download a bamboo (Debian) OS layer

Dowbload a cedar (Ubuntu 12.04) OS layer.

Layer app slugs on top of which ever stack the customer wanted.

This was amazing for long term support of apps and backwards compatibility.

There are infinitely more rails apps out there that deeply depend on the OS layer than there are static binary apps.

Docker deserves and gets all its credit for making this technique available and easy for everyone.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: