New Hack Shrinks Docker Containers (www.iron.io)

← Back to Stories (view on slashdot.org)

New Hack Shrinks Docker Containers (www.iron.io)

Posted by timothy on Wednesday February 3, 2016 @10:46AM from the bare-minimum-if-not-bare-metal dept.

destinyland writes: Promising "uber tiny Docker images for all the things," Iron.io has released a new library of base images for every major language optimized to be as small as possible by using only the required OS libraries and language dependencies. "By streamlining the cruft that is attached to the node images and installing only the essentials, they reduced the image from 644 MB to 29MB,"explains one technology reporter, noting this makes it quicker to download and distribute the image, and also more secure. "Less code/less programs in the container means less attack surface..." writes Travis Reeder, the co-founder of Iron.io, in a post on the company's blog. "Most people who start using Docker will use Docker's official repositories for their language of choice, but unfortunately if you use them, you'll end up with images the size of the Empire State Building..."

131 comments

Min score:

Reason:

Sort:

That's what she said by Anonymous Coward · 2016-02-03 10:48 · Score: 0

and sure enough, it did!
WTF? by msauve · 2016-02-03 10:49 · Score: 3, Insightful

What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:WTF? by citylivin · 2016-02-03 12:10 · Score: 2, Insightful
  
  Im not a developer, but i think its like install shield for windows. Creates application packages or something. Still the summary should really give a brief definition.
  
  --
  As a potential lottery winner, I totally support tax cuts for the wealthy
2. Re:WTF? by Anonymous Coward · 2016-02-03 12:42 · Score: 0
  
  All I know is no one needs to shrink the size of my docker container, its already getting tight around the waist.
3. Re:WTF? by twistedcubic · 2016-02-03 13:55 · Score: 5, Insightful
  
  Docker is so hyped nowadays I'm surprised people reading Slashdot are claiming they never heard of it. Docker is an application container. It essentially creates an advanced chroot which runs ONE application (usually). Now 644MB seems a lot of overhead for running one app, so shrinking this to 29MB is a welcome improvement. That said, Docker is not for typical users. Use LXC, LXD, or systemd-nspawn if you want containers that can run several apps with their own init.
4. Re:WTF? by jrumney · 2016-02-03 13:57 · Score: 0
  
  They are talking about taking a container which is commonly used for implementing the 'cloud' buzzword and using it to implement the 'IoT' buzzword. Someone pointed out that 'things' generally are a lot more resource constrained than servers, so they've slimmed down their 644MB container to 29MB. Good luck fitting that into the 128kB of flash in the typical microcontroller running your consumer electronics.
5. Re:WTF? by msauve · 2016-02-03 14:08 · Score: 1
  
  Perhaps. There's no doubt some subset of /. users who know immediately what the summary is about, but I suspect that's fairly small. Something to do with images and languages and OSs, and shrinking image sizes. It's not hard to reduce the resolution and size of an image, so it's not clear why this is called a "hack," or why it's news.
  
  But, my comment was really in relation to the piss poor submission, and the failure of /. "editors" to fix it. This is one of the worst in recent memory. If the new overlords want to improve the site, make the editors actually edit, instead of simply posting submissions verbatim. Things like spelling out acronyms upon first use, and providing basic descriptions for esoteric technologies/names. Very basic journalism 101 stuff. But, given that virtually all the submissions are being posted by "timothy" now, it seems like they're trying hard to lower expectations even further.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
6. Re:WTF? by msauve · 2016-02-03 14:15 · Score: 4, Insightful
  
  Not everyone who reads /. is a software developer, a *nix sysadmin, or whatever other area of specialization would use that. /. is "News for Nerds," and that encompasses a wide range of technologies/interests, many non-overlapping.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
7. Re:WTF? by msauve · 2016-02-03 14:37 · Score: 1
  
  So, just like Java, only different?
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
8. Re:WTF? by Anonymous Coward · 2016-02-03 15:31 · Score: 1, Insightful
  
  Not everyone who reads /. is a software developer, a *nix sysadmin, or whatever other area of specialization would use that.
  When you read a headline and you don't recognize the terminology used in the headline, you have two choices: you can skip the story completely, as it's probably not relevant to what you do; or you can click through the provided links to read more.
  Making a joke by pretending to misunderstand what the terminology means is a distant third choice. I wish there was a -1, Not Funny moderation.
9. Re:WTF? by Impy+the+Impiuos+Imp · 2016-02-03 17:08 · Score: 2
  
  Docker is so hyped nowadays I'm surprised people reading Slashdot are claiming they never heard of it. Docker is an application container. It essentially creates an advanced chroot which runs ONE application (usually). Now 644MB seems a lot of overhead for running one app, so shrinking this to 29MB is a welcome improvement.
  That said, Docker is not for typical users. Use LXC, LXD, or systemd-nspawn if you want containers that can run several apps with their own init.
  After 12 seconds of reading the first thing that popped up on Google, this is some kind of virtual machine that runs your app. Is this extra crap standard libraries for that language?
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
10. Re:WTF? by WarJolt · 2016-02-03 17:11 · Score: 2
  
  Even if you know Docker, fewer people actually think about the implications size have on cloud compute systems.
  For example Amazon EC2 Container Registry(ECR) gives 500MB for the free tier and it's relatively cheap to store large container images. Most cloud services store these local registries in their network, so you don't incur bandwidth charges from external registries. Also it should start faster and is likely more reliable, but those are just bonuses.
  It's true that a small image will start faster, but thats usually not a good enough incentive to really sway anyone one way or the other.
  Local bandwidth within a cloud service provider rarely incurs any charges, so really there is little incentive to making it smaller from the bandwidth perspective.
  The problem is that each container takes some memory footprint. Theres usually two ways that footprint size is bad. Some cloud services simply limit the max footprint size that can be deployed. Services like AWS make you manage the AWS instances that will run your container and you get charged AWS instance hours. If you have to start up huge memory instances to run your large containers you will pay more.
  It's all about understanding your computation and memory requirements. Often times your containers are simply sitting their idle doing nothing, but you will always be using the memory, so memory is an important thing to optimize.
11. Re:WTF? by WarJolt · 2016-02-03 17:28 · Score: 1
  
  They are talking about taking a container which is commonly used for implementing the 'cloud' buzzword and using it to implement the 'IoT' buzzword. Someone pointed out that 'things' generally are a lot more resource constrained than servers, so they've slimmed down their 644MB container to 29MB. Good luck fitting that into the 128kB of flash in the typical microcontroller running your consumer electronics.
  It's best not to mix everything together in your head until it all becomes the same thing.
  Containers are great for servers.
  Even if you ran a container on an embedded device, it would need to run Linux.
  That's probably not happening on the microcontroller you describe.
  More importantly theres almost 0 incentive to run Docker on an embedded device simply because theres very few applications which require that kind of isolation on an embedded device.
  About the only device I've seen with a justified reason to use Docker are NAS devices, which are basically mini servers now.
12. Re:WTF? by Billly+Gates · 2016-02-03 17:38 · Score: 1
  
  Im not a developer, but i think its like install shield for windows. Creates application packages or something. Still the summary should really give a brief definition.
  Not only that it makes virtualizing so much easier. Server 2016 supports docker in Hyper-V as a way to move containers and start and close them in ways that are more manageable than static images that you can not shut off or move during production without modifying the guest OS. Also it opens the possibilities of hardned ultra secure containers too that are hard to hack that do just one thing.
  
  --
  http://saveie6.com/
13. Re:WTF? by Anonymous Coward · 2016-02-03 19:44 · Score: 0
  
  The washing machine did that, naturally.
14. Re:WTF? by thegarbz · 2016-02-03 21:47 · Score: 1
  
  Use LXC, LXD, or systemd-nspawn
  
  Oh no you didn't!
15. Re: WTF? by Anonymous Coward · 2016-02-04 00:31 · Score: 0
  
  Nothing wrong get with LXC
16. Re:WTF? by luis_a_espinal · 2016-02-04 01:53 · Score: 1
  
  What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?
  I find it scary that this post above was actually mod'ed insightful. Slashdot, wtf happened to you?
17. Re:WTF? by hink · 2016-02-04 02:05 · Score: 1
  
  There used to be a MAJORITY of Slashdot readers who knew what a file system was. There used to be a subset of Slashdot readers who actually contributed to open-source software like the Linux kernel. I miss Hemos and Commander Taco - the founders and original editors.
  Then they went commercial (everybody needs to buy groceries). Then they were bought out, with the provision that the founders stay on. Eventually they moved on, then mergers and another sale to a , shall we say, a purely capitalist owner. Across all that the audience shifted after each change. Old dogs like me hardly recognize this place. (yes, I have a 5 digit ID#. Would have had a 4 digit if I had registered when it first became an option)
  All that said, it is still kind of telling that you call Docker "esoteric". It has been covered on Slashdot and MANY other Internet technology sites LOTS of times within the last two years. Because you don't know what something is does not make it "esoteric". It simply means you don't know what something is, and like most of the younger generations, it CAN'T be your fault you didn't know. The awful editors MUST have made it that way. (SARCASM)
  Try reading an industry-specific magazine like Aviation Week. I work in that field, and I occasionally don't recognize a term in it. But my mindset is, that if the editors assume the rest of the audience know what that term means, maybe I should, too.
  
  --
  - speaking only for myself, as always
18. Re:WTF? by TheRealMindChild · 2016-02-04 02:07 · Score: 1
  
  It is more like thinstall/thinapp. Everything you need to run the binary is in the package
  
  --
  
  "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
19. Re:WTF? by Anonymous Coward · 2016-02-04 02:37 · Score: 0
  
  It is extremely incorrect to refer to it as a virtual machine. It's a container. It runs the same kernel and has access to the same hardware. Chroot was far more accurate. The 'extra crap' was probably a normal Linux install.
  Next time do 15 seconds of googling.
20. Re:WTF? by msauve · 2016-02-04 03:08 · Score: 1
  
  it is still kind of telling that you call Docker "esoteric".
  Esoteric doesn't mean what you think it means. It does not mean unusual or rare, it means "intended for or likely to be understood by only a small number of people with a specialized knowledge or interest." Which it is.
  
  I'm not a developer, and only play a sysadmin at home. /. has a wide audience. I'm interested in learning about technologies outside of my bailiwick (which centers on networking). I can usually get an understanding from context in the summaries. But this one was just pure technobabble for anyone outside of very specific fields.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
21. Re:WTF? by Anonymous Coward · 2016-02-04 03:32 · Score: 0
  
  I see it's true. Aspies really can't recognize sarcasm.
22. Re:WTF? by NoImNotNineVolt · 2016-02-04 07:05 · Score: 1
  
  I see it's true. Aspies really can't recognize sarcasm.
  Indeed, it is true that while the Egyptian Cobra can recognize moving objects and sources of heat, it really can't recognize sarcasm. I didn't think people still called them Asps or Aspis, though.
  
  --
  Chuuch. Preach. Tabernacle.
23. Re:WTF? by cwsumner · 2016-02-04 12:24 · Score: 1
  
  If it takes 644 Mb for a "Hello World" program, then that is probably why I have never heard of it. Seriously.
24. Re:WTF? by cwsumner · 2016-02-04 12:31 · Score: 1
  
  It is more like thinstall/thinapp. Everything you need to run the binary is in the package
  That sounds like a ROM image for a stand alone embedded microcomputer. Have we really gone full circle? There was a reason that we quit doing that! 8-)
25. Re:WTF? by cwsumner · 2016-02-04 12:33 · Score: 1
  
  What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?
  I find it scary that this post above was actually mod'ed insightful. Slashdot, wtf happened to you?
  We got tired of "SalesPersons" writing the stories! 8-)
26. Re:WTF? by Aighearach · 2016-02-06 14:09 · Score: 1
  
  And some of us are software developers, don't consume advertising or "hype" other than places like this. I only clicked on this to find out if it was something interesting, or just the next big blahblah.
  Judging from the lack of interest displayed even in the "everybody who is anybody heard of it already" responses suggests to me that it is fluff.
  Anyways, I'm not going to take a long enough break from writing firmware to both look up some unrelated thing, and also talk about it on slashdot.
27. Re:WTF? by Aighearach · 2016-02-06 14:10 · Score: 1
  
  Online sarcasm was deprecated in 1986, there was a posting on all Major BBS based systems about it. Kids these days just can't follow the Best Practices.
28. Re:WTF? by Aighearach · 2016-02-06 14:26 · Score: 1
  
  But this one was just pure technobabble for anyone outside of very specific fields.
  Indeed, not all developers run their code "in somebody's cloud," some of us generally expect hardware to be provisioned to run our software. Not saying that the cloud doesn't have its place, but it is rather odd to see people getting snooty over it when "websites running in public clouds" is sortof fry-cook level development.
  If something I'm working on has a cloud component, that doesn't mean I would want to be deploying it. Most of the people on the development team wouldn't need to know about the cloud-whatever either.
  I can't imagine it is a desirable task for a sysadmin either, unless they're actually working for the cloud company.
  Equating it to knowing what a filesystem is... that is just funny. I did check wikipedia, it looks great if I needed it. But few people do, or will, even if they're deploying a lot of code to servers. It seems to mostly be for the use cases where you want less than a full cloud compute instance, but have multiple apps that can share resources, but they don't trust each other and there isn't a sysadmin/devops team to set up apache or whatever in a way that is safe. So this makes it cost less extra overhead to run different apache (or whatever server) instances for each app, without having to run a full virtualized OS for each app.
  Yeah, that is esoteric.
29. Re:WTF? by Aighearach · 2016-02-06 14:29 · Score: 1
  
  Right, but this is rewritable. OTOH, so are/were the ROMs...
  Actually, I have to get back to some firmware programming for a microcontroller, but don't worry: I won't be using the EEPROM, only the flash.
30. Re:WTF? by Aighearach · 2016-02-06 14:37 · Score: 1
  
  It is insightful, perhaps you didn't understand the language it was written in?
  In English it says, "What are they talking about, they just spewed a bunch of words without enough context to even identify which jargon set is being used. And the key word is a relatively new product/project, whose name is repeated umpteen times like it was written by a marketing droid, but is never explained even in context of the other jargon words."
  Also, you just signed up yesterday, I can tell by your user id. You don't get to pine for my golden days of yesteryear, those are mine. Get your own, order them now and you can have them in a couple decades when you forget what it was really like.
31. Re:WTF? by luis_a_espinal · 2016-02-08 03:01 · Score: 1
  
  It is insightful, perhaps you didn't understand the language it was written in?
  In English it says, "What are they talking about, they just spewed a bunch of words without enough context to even identify which jargon set is being used. And the key word is a relatively new product/project, whose name is repeated umpteen times like it was written by a marketing droid, but is never explained even in context of the other jargon words."
  Also, you just signed up yesterday, I can tell by your user id. You don't get to pine for my golden days of yesteryear, those are mine. Get your own, order them now and you can have them in a couple decades when you forget what it was really like.
  LOL. Da'fuk? I have a submission on 2011, so obviously is not yesterday. Plus I had another account that goes back to 1998. But whatever, a post is worth by its content, not but the longevity of the account (and the fact that you use the later speaks more about you than about me.)
32. Re:WTF? by Aighearach · 2016-02-11 19:56 · Score: 1
  
  Right, oh, 2011 isn't yesterday? What, were you born yesterday? No, you didn't have another account, if you did you would use it. If you had been here since the 90s, you would know that. Perhaps your reputation was so awful, you decided to pretend you were born yesterday? No, that isn't any improvement. Or even a believable story.
  A post is only "worth by its content" in some language I don't speak. On slashdot, a comment has to make sense to have value, and if it doesn't have value and is written by somebody who just signed up (I can tell by your user id, you see) then it has negative value.
  Look at the comment you wrote above. Re-read it. You wrote 17 words, with nothing other than a false claim to be an old-timer, judgment about what slashdot is or was or should be, and mod-whining. None of that has positive value here. The fact that you didn't even understand the obvious metaphorical content of the post you were mod-whining about is just topping. Ask again when you're older.
Wha? by Anonymous Coward · 2016-02-03 10:52 · Score: 0

Isn't the attack surface governed by the ports you open up on the Docker containers?
1. Re: Wha? by Anonymous Coward · 2016-02-03 10:56 · Score: 1
  
  It's a small thermal exhaust port, right below the main port.
2. Re:Wha? by xxxJonBoyxxx · 2016-02-03 10:59 · Score: 1
  
  >> Isn't the attack surface governed by the ports you open up on the Docker containers?
  I believe they are talking about the ease with which someone could slip malware into a large container image vs. a small container image and have it go undetected.
3. Re: Wha? by Adriax · 2016-02-03 11:24 · Score: 2
  
  That should be the new vulnerability metric. Womp rats.
  "A new vulnerability was found in the D-Star app this week, rating at 3.8 womp rats. CEO Tarkin downplayed the severity of the vulnerability and promised the D-Star app will continue to enhance system stability without interference from any rogue squadrons of hackers."
  
  --
  I don't suffer from insanity, I enjoy every minute of it!
4. Re: Wha? by U2xhc2hkb3QgU3Vja3M · 2016-02-03 14:04 · Score: 2
  
  https://www.youtube.com/watch?...
the point by blackomegax · 2016-02-03 10:52 · Score: 1

Wasn't a common library the entire point of Docker? Packaging the libs with the app, etc, to reduce dependence on the host OS?
1. Re:the point by xxxJonBoyxxx · 2016-02-03 11:03 · Score: 2
  
  As a developer, I though the entire point of Docker was to reduce dependence on an entire layer of IT: the human gatekeepers in charge of the release systems and procedures and eventually the care and feeding of maintenance systems (who often f*** something up with manual fumbling or delay things with meetings involving coffee-swilling waterbags).
  At least that's how I've seen Docker used in corporations so far, anyway.
2. Re:the point by Daemonik · 2016-02-03 11:40 · Score: 1
  
  99% of the time, IT is being held hostage by other departments who know nothing about what IT does, but they just heard about this thing called the "cloud" or was it "apps"... and they want IT to prioritize it ASAP. Oh and do it on 30% less budget than they had last year.
3. Re:the point by steveha · 2016-02-03 12:48 · Score: 5, Informative
  
  The point of Docker is to have a single package ("container") that contains all of its dependencies, running in isolation from any other Docker containers. Since the container is self-contained, it can be run on any Docker host. For example, if you have some wacky old program that only runs on one particular set of library versions, it might be hard for you to get the Docker container just right to make it run; but once you do, that container will Just Work everywhere, and updating packages on the host won't break it.
  The point of the news story is that someone did a better job of stripping the container down, removing libraries and such that were not true dependencies (weren't truly needed).
  Not only does this make for smaller containers, but it should reduce the attack surface, by removing resources that are available inside the container. For example, if someone finds a security flaw in library libfoo, this would protect against that security flaw by removing libfoo when it is not needed. It's pretty hard for an exploit to call code in a library if the library isn't present. Also, presumably all development tools and even things like command-line shells would be stripped out. Thus a successful attacker might gain control over a docker container instance, but would have no way to escalate privileges any further.
  If the stated numbers are correct (a 644 MB container went down to 29 MB) yet the new small package still works, then clearly there is a lot of unnecessary stuff in that standard 644 MB container.
  
  --
  lf(1): it's like ls(1) but sorts filenames by extension, tersely
4. Re:the point by RabidReindeer · 2016-02-03 14:06 · Score: 2
  
  Wasn't a common library the entire point of Docker?
  Packaging the libs with the app, etc, to reduce dependence on the host OS?
  No, although it's one of Docker's features. Docker images are actually stacked layers of filesystem sub-images operating as overlays, so a typical Docker image might consist of a base OS image, several library images built by the Docker build process, culminating in the actual application image. Done judiciously, those sub-images can be shared by multiple application images, thereby saving space in the Docker image store.
  But Docker is a lot more than that. You can run virtual networks within containers, share resources between selected containers (and ONLY those container), inject external filesystems into the containers and do many other useful things as well.
5. Re:the point by scsirob · 2016-02-03 19:57 · Score: 1
  
  If "shrinking to a minimum" is really the goal, then they should take a good look at the kernel itself. It has collected lots of cruft over the past 20+ years. The first Linux "distribution" I booted (Linux kernel 0.12) came on two 1.2MB floppy disks that still had room to hold additional files. A lot has changed since then, but if you claim 'bare essentials' then there's plenty room for improvement.
  
  --
  To Terminate, or not to Terminate, that's the question - SCSIROB
6. Re:the point by Dog-Cow · 2016-02-03 21:17 · Score: 2
  
  Docker containers don't contain a kernel. They use the host OS for services.
7. Re:the point by thegarbz · 2016-02-03 21:52 · Score: 2
  
  The problem with your logic (aside from being irrelevant in the case of Docker since it doesn't include a kernel) is that a lot of the "cruft" has been added as a base requirement to make a bootable modern system, and in many cases to improve performance.
  You can strip everything back to 20 years ago, but will you be able to run your harddrives in PIO mode 2 all for the sake of making the kernel smaller by not needing UDMA support? Okay contrived example, but that's what I'm talking about. You want a small kernel, look at HURD. It should boot on a 64bit system sometime before 2020 and it maybe one day will get USB support.
8. Re:the point by Blaskowicz · 2016-02-04 00:42 · Score: 1
  
  God told to run only in 640x480 with 16 colors and get rid of memory protection. USB isn't necessary in any way either.
9. Re:the point by Spacelord · 2016-02-04 02:36 · Score: 1
  
  What I've been wondering is ... isn't that a bitch to maintain security patches? Because you now have all these potentially vulnerable libraries spread out over a bunch of docker containers, completely outside of the control of the package manager.
  So when the next heartbleed bug comes around, you may think you have patched your system, while in fact the libraries you are exposing to the outside world via your docker apps are still vulnerable.
10. Re:the point by bluefoxlucid · 2016-02-04 02:36 · Score: 1
  
  It's actually kind of an inversion.
  Docker base images for Debian, CentOS, and Ubuntu are typically 50-100 megabytes. Shrinking down that "base image" doesn't really make sense; Iron.io instead shrunk down images for things like PHP, Node, and Ruby.
  Even then, you have two main issues.
  Firstly, if you have something stupid like e.g. PHP not coming with ANYTHING installed (no php-pdo, no php-ldap, etc.), you have to write your own Dockerfile to install PHP. Typically, you can just put "image: php/5.6-fpm" in your docker-compose.yml and mount your application as a volume, and it'll work; if you need additional php modules, you have to make docker-compose build a Dockerfile opening with "FROM php/5.6-fpm", running a bunch of install commands to compile and build stuff.
  Second, that causes bloat.
  Docker reuses base images. PHP comes from debian/jessie, so you download the 60MB debian/jessie image and then an additional 150MB php image which doesn't include any of the stuff in Debian/jessie, and you get 210MB of space usage. The same goes with Java: it mounts its 100MB image on top debian/jessie. Install php (210MB) and Java (160MB) and you're only using 310MB, instead of 360MB.
  So now you have 11 PHP applications installed. Each uses a 30MB base image instead of a 150MB base image, so installing iron/php only requires 90MB of space instead of 210MB. Each of your 11 PHP applications needs a different set of PHP extensions, which each need a set of base libraries.
  In the most optimal case, you install all of the PHP extensions and use the resulting image, which gets you back to where you started with that hulking 150MB PHP image. 11 separate applications all use the same image, no duplication.
  In the less-optimal case, every one of your PHP applications installs all the compiler toolchain and *-dev packages to build the PHP extensions that image needs, then removes the toolchain and *-dev packages in the same RUN line so they don't get stored in any Docker image along the way. Every different combination of tools (or, really, any application not built with *exactly* the same commands in RUN, right down to the white space) creates a new Docker image containing all of the necessary libraries and other files.
  Installed php-ldap and php-mysql in one container? That container contains libldap, libmysql, php-ldap, php-mysql, and all other required files. Installed php-ldap and php-postgresql in another container? That container contains A DIFFERENT COPY of the same libldap and php-ldap files, plus php-postgresql and all the required libraries to back it. Etc. etc.
  You get to say, "Ah, my images are all tiny! ... why do they take up so much disk space in total?"
  
  --
  Support my political activism on Patreon.
11. Re:the point by Anonymous Coward · 2016-02-04 04:32 · Score: 0
  
  The first Linux "distribution" I booted (Linux kernel 0.12) came on two 1.2MB floppy disks that still had room to hold additional files.
  And it only supported a fraction of the hardware. The x86 platform was pretty homogenous back then. No fancy 3D graphics, just EGA/VGA. No USB support (and no USB printers, scanners, cameras, etc), no PCI, PCMCIA, PCI express, etc, only ISA. No networking, modem support, or even TCP/IP (not in v0.12). No sound except for a beep. No fancy raid arrays, or SSD drives, or optical drives, or even tape.
  So yeah, if you can live without all those, I'm sure you can tweak the make parameters and build a kernel that can still fit in 1MB.
12. Re:the point by Anonymous Coward · 2016-02-04 04:33 · Score: 0
  
  The new CEO (been in for a year so far) of my company just discovered the term "agile" 6 months ago, now everything is chaos over here.
13. Re:the point by thegarbz · 2016-02-04 05:05 · Score: 1
  
  The only thing really unnecessary is obeying an imaginary friend.
14. Re:the point by yosifkit · 2016-02-04 09:48 · Score: 1
  
  While the iron.io folks do manage to squeeze the size down, they do so through the use of Alpine Linux which uses musl libs rather than glibc and friends. There is a post on hackernews https://news.ycombinator.com/i... that has a discussion about the pros and cons of using an alpine based image.
  There is also the deviation from upstream. The official images are a curated set of images and can be maintained by anyone willing to put in the time. For the official images that are not maintained by the upstream project (many of them are), they try to stay as close to upstream recommended build as possible. In fact, the official image gatekeepers recommend talking with upstream before trying to make your own submission to official images so that they can be as involved as they want to be. What this means is that if upstream maintains their own apt repo, that is how it is built into the image, but if upstream does not even release binaries (ie only the source tar) then building from source is they way it is packaged making sure to slim out build dependencies.
  There is also some recent focus by Docker Inc to add Alpine based variants to the official images as an option for those that want a slimmer environment (see https://github.com/docker-libr... and other PRs by ncopa). There is even a description on the Docker Hub when an official image has an alpine variant (see https://hub.docker.com/_/ruby/ and https://github.com/docker-libr... which is the source of the Docker Hub version).
  Note on the large size of most of the language images from the official images: "It, by design, has a large number of extremely common Debian packages. This reduces the number of packages that images that derive from it need to install, thus reducing the overall size of all images on your system." They are usually built from the "buildpack-deps" image: " It includes a large number of "development header" packages needed by various things like Ruby Gems, PyPI modules, etc." (https://hub.docker.com/_/buildpack-deps/).
  (yes, I am one of the gatekeepers for official images, https://github.com/docker-libr...)
  For more information:
  - https://docs.docker.com/docker...
  - https://github.com/docker-libr...
  - https://github.com/docker-libr...
15. Re: the point by Anonymous Coward · 2016-02-05 01:29 · Score: 0
  
  If you seriously think that Docker is a replacement for change management, you are the kind of developer that everyone hates. Everyone.
16. Re: the point by Anonymous Coward · 2016-02-05 01:31 · Score: 0
  
  Yrs. But security is just a roadblock, always getting in the way of 'leet developers who simply can't work at all without the newest shiny thing. Oh, and full root access.
17. Re:the point by Anonymous Coward · 2016-02-05 04:40 · Score: 0
  
  If libfoo is not needed, no programs load it, so it does not matter whether it exists in the filesystem or not.
18. Re:the point by Anonymous Coward · 2016-02-05 16:49 · Score: 0
  
  The point of Docker is to reduce the amount of custom configuration that has to happen every time you deploy a new application (or a new version of the application), plus isolation of environments between applications (and versions of those same applications). Think of them as super-tiny VMs, but without the hassle of having to setup the VM.
  In general, you use Puppet/Chef systems to manage the host servers but not manage the individual Docker instances. The host systems tend to be long-lived (years), while the Docker container instances should be seen as disposable. You fire one up, use it for a bit, then turn it back off depending on the load requirements. Even with Puppet/Chef, it takes minutes to setup and deploy a new VM (and probably eats up a few GB of disk space), while Docker should be able to launch instances in a few seconds.
  Amazon's Elastic Beanstalk is another variant on the docker concept. You don't care about the underlying OS, you don't store state in the underlying OS, you just don't care about the underlying OS at all. All instances are transient / ephemeral and all state is stored in either a traditional database or NoSQL data store. Scale up when you have load, scale down when you don't.
19. Re:the point by Aighearach · 2016-02-06 14:41 · Score: 1
  
  As a developer, I though the entire point of Docker was to reduce dependence on an entire layer of IT: the human gatekeepers
  Finally somebody explained both what it is for, and why I haven't heard of it... I'm not suffering under a BOFH!
  They should have just said in the summary, "Docker, a BOFH-resistant deployment system."
20. Re:the point by Aighearach · 2016-02-06 14:43 · Score: 1
  
  I thought what he said was that the development team is being held hostage by IT, who convinced somebody they were "the computer guys" so they should be in charge of "all the technical computery stuff."
21. Re:the point by Aighearach · 2016-02-06 14:49 · Score: 1
  
  ...that container will Just Work everywhere, and updating packages on the host won't break it.
  I love this stuff... updating packages on the host won't break "it," even where "it" is some sort of malware bug.
  It doesn't seem to so much solve a problem as offer a new way to create a compromise between security and convenience. Here, it mostly trades the convenience of security updates at the OS level away for convenience of deploying minimally-maintained packages.
  If I wanted this, I would just switch to static linking. But I can see how, for development teams that don't have anybody on them that knows how to compile software, this would be a major time-saver.
22. Re:the point by Aighearach · 2016-02-06 14:55 · Score: 1
  
  Right, instead of updating the OS packages when a major security 0-day arrives, you need to turn off all your app containers, forward to a parking page, and start recompiling images.
  But, your dev teams don't have to agree on compatible sets of libraries to use on projects that will be deployed together on the same cloud instances.
  This trades the ability to deal with those types of problems, for being able to do stuff you couldn't do because your company didn't have anybody that can do that stuff. So without this, their website would be slashdotted anyways, and with it, they can function until bad things happen, then they can scream and wave their hands in the air like everybody else. Does it matter? That is for each company to decide... ;)
Yeah, but... by Anonymous Coward · 2016-02-03 11:03 · Score: 0

Will it make using Docker any easier on OSX? Why o why does it need to install an Ubuntu VM guest and run Docker inside that??
1. Re:Yeah, but... by grub · 2016-02-03 11:18 · Score: 1
  
  Will it make using Docker any easier on OSX? Why o why does it need to install an Ubuntu VM guest and run Docker inside that??
  
  It's worse than that. It's Docker on Ubuntu on OSX on Turtles all the way down.
  
  --
  Trolling is a art,
2. Re:Yeah, but... by fibonacci8 · 2016-02-03 12:56 · Score: 1
  
  The best part is you get the same compression ratio improvement at each stage.
  
  --
  Inheritance is the sincerest form of nepotism.
3. Re:Yeah, but... by bluefoxlucid · 2016-02-04 02:41 · Score: 1
  
  Because it makes heavy use of features inside the Linux kernel which isolate applications from the rest of the operating system. To make Docker work on OSX, you'd have to modify the OS kernel to dramatically change the way it handles system calls and application spaces. Essentially, it groups processes together as if they're running on different kernels, but runs them all in the same kernel.
  Run a docker container that only runs the command 'ps -e' and it will tell you 'ps' is PID 1. The nginx container has nginx as pid 1, and 'kill -9 1' kills nginx; if you do 'ps -e' on the host, it tells you nginx is process 3719, and killing that process ends the same program. This is not standard behavior.
  
  --
  Support my political activism on Patreon.
So.... thin jails by 0100010001010011 · 2016-02-03 11:04 · Score: 4, Insightful

iocage create -c
Congratulations, you've just (almost) caught up to decade old technology.
http://phk.freebsd.dk/pubs/san...
1. Re:So.... thin jails by theendlessnow · 2016-02-03 11:40 · Score: 1
  
  This why all the major cloud providers run freebsd.
2. Re:So.... thin jails by Anonymous Coward · 2016-02-03 12:58 · Score: 1
  
  can you also iocage history? docker is to infrastructure what git is to code.
3. Re:So.... thin jails by twistedcubic · 2016-02-03 13:58 · Score: 1, Flamebait
  
  docker is to infrastructure what git is to code.
  
  No it isn't. You're insulting Git. Docker is to hype what hype is to hype.
4. Re:So.... thin jails by Anonymous Coward · 2016-02-03 14:07 · Score: 1
  
  It's worse, they've combined jails with the equivalent of statically compiled binaries.
  Bit of a nightmare when there's a vulnerability on a library used in multiple containers.
5. Re:So.... thin jails by Anonymous Coward · 2016-02-03 14:41 · Score: 2, Informative
  
  It's worse, they've combined jails with the equivalent of statically compiled binaries.
  Bit of a nightmare when there's a vulnerability on a library used in multiple containers.
  Except it isn't. You store your base images in a docker registry, you update that base image, and then you can have your CI environment kick off rebuilds of any dependent images. And as an added bonus you get to test your exact deployable image, including all dependencies, before you actually roll prod. In the past you needed something akin to a Satellite / Spacewalk setup to be able to lock combinations of versions of packages to a point-in-time snapshot. Most people don't seem to do this. They either just auto-update all packages on a regular schedule automatically which would occasionally break things, or they'd let things drift until forced to update by some security vulnerability, which then increases the likelihood of surprises.
  Docker is not for everyone, it's certainly overhyped, it's a more complicated stack than more traditional virtualization or bare metal installs, but it doesn't have the specific problem you're imagining it does. In fact, it's a pretty good solution to a lot of the aspects of the problem you bring up.
6. Re:So.... thin jails by Anonymous Coward · 2016-02-03 15:55 · Score: 1
  
  It is. You've given a best case usage for docker and a worst case for shared libraries.
7. Re:So.... thin jails by Anonymous Coward · 2016-02-03 20:35 · Score: 0
  
  Also_ git is to hype what hype used to be to hype
8. Re:So.... thin jails by Anonymous Coward · 2016-02-03 20:49 · Score: 0
  
  docker is to infrastructure what git is to code.
  No it isn't. You're insulting Git. Docker is to hype what hype is to hype.
  He isn't that far off. The selling point IS their repo. But he should have compared github and docker. Wouldn't it be fun to devel in docker images and layer each new version on the older ones? Commit the new version as diff from the previous one to docker instead of comitting to github. Won't work that great with multiple contributers, but docker is the future as is systemd.
9. Re:So.... thin jails by 0100010001010011 · 2016-02-04 01:34 · Score: 1
  
  Why not just run a diff on the jail package file?
10. Re:So.... thin jails by Anonymous Coward · 2016-02-04 11:11 · Score: 0
  
  But he should have compared github and docker.
  She didn't have to, because that's incorrect. Github is to git as Dockerhub is to docker. Wouldn't it be nice if you haters decided to actually look at how the thing works before you spew such incredibly inaccurate information about it? Sheesh.
11. Re:So.... thin jails by 0100010001010011 · 2016-02-05 02:33 · Score: 1
  
  I've looked at how it works.
  It looks like you asked a bunch of 20 year olds to re-invent Jails.
  Just like systemd looks like you asked a bunch of 20 year olds to re-invent init.
Official repos? by sanosuke001 · 2016-02-03 11:11 · Score: 1

If these are so much better, why aren't they just the official repos?

--
-SaNo
1. Re:Official repos? by Anonymous Coward · 2016-02-03 11:22 · Score: 0
  
  Because downloading some pre-packaged shit from a relatively unknown third party is all the rage these days!
  What were you expecting - people to know what the fuck they are doing so that they can create their own?
2. Re:Official repos? by sanosuke001 · 2016-02-03 14:09 · Score: 1
  
  Ok, so from your comment I'm assuming that Iron.io doesn't own Docker? Because, from the summary, I had no idea this wasn't the people that own Docker doing the Dockering.
  
  --
  -SaNo
3. Re:Official repos? by Anonymous Coward · 2016-02-03 14:51 · Score: 0
  
  In docker's weird language "official" doesn't mean what you think it means.
  These aren't like, for example, Debian repos - where everything comes from Debian developers and you can be assured of some level of quality.
  It's a lot more like github crossed with reddit. Any random idiot can upload a broken or malicious image (and get other idiots to upvote it).
  It's just called "official" because Docker hosts the repository. The alternative is "private" repos, which are ironically much safer.
4. Re:Official repos? by Anonymous Coward · 2016-02-03 14:56 · Score: 0
  
  In Dockerspeak "Official" means "Public". As in "public toilet".
C++ isn't a major language? by erapert · 2016-02-03 11:20 · Score: 1

Their github lists Perl but not C++?????
1. Re:C++ isn't a major language? by Anonymous Coward · 2016-02-03 11:37 · Score: 0
  
  C++ doesn't really seem like the best fit for this sort of thing, though. What would you want in a C++ image? A minimal system so you can dump your binary and all the libraries it depends on in there?
2. Re:C++ isn't a major language? by Anonymous Coward · 2016-02-03 11:38 · Score: 0
  
  You need a run time for C++ these days?
3. Re:C++ isn't a major language? by rthille · 2016-02-03 12:33 · Score: 1
  
  Yes, you always have. But you can statically link it into your binary.
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
4. Re:C++ isn't a major language? by Anonymous Coward · 2016-02-03 12:56 · Score: 0
  
  C++ is more hassle than it is worth.
  And I actually love OOP if you are wondering.
  I just fucking despise C++. It is a living disaster in every sense of the word.
  If you need objects, you are better off making them in C and not suffering the mess that is C++s 50 branching necks that all hate each other.
  It really isn't hard to create an OOP framework.
  Hell, I even made one in Autohotkey because the newer versions actual object system is so horribly gimped* there is no point updating to it.
  * In a sentence, you can't even directly access object params for most commands. You need to use a temp var to embed it in commands.
  So, if you wanted to extract a value from a general object to use somewhere, like, say a loop.
  Say you had a mouse object that had a .turns var.
  Normally you would do something like loop, %turns% pre-objects AHK. You can't do loop, %mouse.turns%. At all.
  Why make an object system and have no way to directly access it for half the damn language?!
  So now when I want to do something like that, I would always need to have at least 1 extra line.
  It gets far worse when you have a whole mouse system you wanted to create... send {click x%x% y%Y% %dowhat% %clickmode% } Nope...
  That isn't even the most complex pseudo-object I created in AHK, pre-objects. I'll stick with my old and busted but actually "consistent" language.
  Autohotkey is on the other side of the same coin C++ is: it is a bastard child stuck between 2 languages that are only compatible with each other through a common foundation.
  In C++s case, half the damn language is incompatible with itself. There are companies that literally BAN sets of the language. How awful.
  AHK2 promises to fix that though. Apparently you can do stuff like var= 2+2= %2+2%, evaluating expressions directly inside percentages.
  Still annoying they even half-assed the object system in the first place.
  That was a big sentence.
5. Re:C++ isn't a major language? by Anonymous Coward · 2016-02-03 14:50 · Score: 0
  
  Their github lists Perl but not C++?????
  The iron.io image is based on the alpine linux base image. Their "hack" doesn't seem to be subtracting anything, they're adding runtimes for common languages to alpine linux, which is responsible for the space savings. Not that their collection of Dockerfiles isn't pretty cool, the title is just misleading. You probably don't need anything beyond alpine base to deploy c++, besides any specific libs you link to, but you can probably find apk's for those in the alpine repos. Or you can just do what someone else suggested and build static binaries and copy those over.
6. Re:C++ isn't a major language? by serviscope_minor · 2016-02-03 23:21 · Score: 1
  
  C++ isn't web scale (but Perl is, a a apparently).
  
  --
  SJW n. One who posts facts.
7. Re:C++ isn't a major language? by Anonymous Coward · 2016-02-04 02:52 · Score: 0
  
  No one gives a shit about AutoHotKey, now or ever, and your mention of it completely disqualifies your opinions as a programmer.
Re:Because Docker uses a Linux container by Johnny+Loves+Linux · 2016-02-03 11:21 · Score: 1

Unless things have changed, Docker makes use of a feature of the Linux that allows creating processes that are in their own namespace. This feature requires the Linux kernel something that Mac OS X with its BSD kernel does not possess. It might be possible to do something analogous in a BSD kernel, but I don't know about it. Maybe someone else could comment on it?
Re:Because Docker uses a Linux container by Anonymous Coward · 2016-02-03 11:32 · Score: 1

FreeBSD got jails some years ago for the same purpose, and IIRC that was one of the inspirations for the linux version. (Both inspired by containers in Solaris, and earlier iterations of the idea in other OSes).
Not that that matters on the MacOS side; the OS X kernel is a weird hybrid thing with a BSD kernel hanging off a Mach microkernel. The BSD parts aren't exactly a full and current FreeBSD, either; IIRC they grabbed a subset they found useful a bunch of years ago. At a guess the jail support didn't make it.
I will never give up by Noah+Haders · 2016-02-03 11:33 · Score: 1

> "Less code/less programs in the container means less attack surface..."
*fewer
1. Re:I will never give up by Anonymous Coward · 2016-02-03 11:59 · Score: 1
  
  Fine.
  Less code/less programs in the container means fewer attack surface...
2. Re:I will never give up by Anonymous Coward · 2016-02-03 12:01 · Score: 0
  
  *smaller
3. Re:I will never give up by sexconker · 2016-02-03 12:09 · Score: 1
  
  *surfacer
4. Re:I will never give up by fibonacci8 · 2016-02-03 13:01 · Score: 2
  
  "Less code/less programs in the container means less attack surface..."
  
  --
  Inheritance is the sincerest form of nepotism.
5. Re:I will never give up by Anonymous Coward · 2016-02-03 13:45 · Score: 0
  
  less programs
6. Re:I will never give up by Anonymous Coward · 2016-02-03 15:33 · Score: 0
  
  Fewer code/fewer programs in the container means fewer attack surface
  So fitting, captcha: precise
7. Re:I will never give up by Tablizer · 2016-02-03 19:25 · Score: 1
  
  But "less" takes up fewer space, I'm mean less fewer's, I mean, baaah, nevermind
  
  --
  Table-ized A.I.
8. Re:I will never give up by Bengie · 2016-02-04 01:30 · Score: 1
  
  Thanks, I found this strangely funny thing morning.
9. Re:I will never give up by luis_a_espinal · 2016-02-04 01:52 · Score: 1
  
  tiny tinie
10. Re:I will never give up by Noah+Haders · 2016-02-04 02:05 · Score: 1
  
  some things are correct and some things are incorrect. just cuz you find something more convenient doesn't change this basic fact. facts are facts!
Alpine uses musl libc instead of glibc by Anonymous Coward · 2016-02-03 11:43 · Score: 0

Alpine is a horrible choice for a base image because their distribution uses musl libc instead of glibc, which causes horrible problems for things like JVM processes. You can also do fun things like track down segfaults from python processes because of subtle differences in the way unicode characters are rendered to screen.
I was using Alpine as my base image for several months and just recently switched to Amazon Linux to match my container and host OS.
Who cares? (not me..) by bobbied · 2016-02-03 11:53 · Score: 1

Disk space is incredibly cheap compared to the standard size of a docker image and your "attack surface" is going to be limited in a docker image anyway. Sure, your application loaded in your docker image might add to that surface, but that's going to happen if you use the big image or the small one. The only real reason to do this is so you can run docker images on smaller embedded devices where resources are limited (Not that I see much of that yet).
IMHO, this development is meaningless to me. Thanks for the disk space back, but I didn't really need it...

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
1. Re:Who cares? (not me..) by dj245 · 2016-02-03 12:34 · Score: 1
  
  Disk space is incredibly cheap compared to the standard size of a docker image and your "attack surface" is going to be limited in a docker image anyway. Sure, your application loaded in your docker image might add to that surface, but that's going to happen if you use the big image or the small one. The only real reason to do this is so you can run docker images on smaller embedded devices where resources are limited (Not that I see much of that yet).
  IMHO, this development is meaningless to me. Thanks for the disk space back, but I didn't really need it...
  For people running certain common configurations, this is actually very helpful. Docker containers are often used on home file servers. You could put docker containers on your storage array, but then you would be spinning up multiple disks every time you needed to read/write to the docker image. I have an older (small) SSD drive which I keep my docker containers on. The less space Docker uses, the more space I have left on the SSD to do something useful (like caching writes to the spinning disks). Making software have a smaller footprint is never a bad thing if the functionality remains the same.
  
  --
  Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
2. Re:Who cares? (not me..) by Anonymous Coward · 2016-02-03 13:40 · Score: 0
  
  Docker containers are often used on home file servers.
  For a very small definition of often.
3. Re: Who cares? (not me..) by Anonymous Coward · 2016-02-03 15:27 · Score: 0
  
  Reading I get, but never write "inside" the container -- that data is best left outside (via a volume mount).
4. Re:Who cares? (not me..) by angel'o'sphere · 2016-02-04 03:37 · Score: 1
  
  So you never run half a dozen docker instances from a ram disc?
  Unfortunately my Mac only has 8Gig RAM, so the size of the Docker Containers does matter.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Image sizes by Dragonslicer · 2016-02-03 12:07 · Score: 4, Funny

Most people who start using Docker will use Docker's official repositories for their language of choice, but unfortunately if you use them, you'll end up with images the size of the Empire State Building...
What's that in Libraries of Congress?
1. Re:Image sizes by Anonymous Coward · 2016-02-03 12:35 · Score: 0
  
  I believe it's Library of Congresses.
Re:Because Docker uses a Linux container by Anonymous Coward · 2016-02-03 12:25 · Score: 0, Informative

Yeah, except that FreeBSD has had 'jails' for over a decade, which are far more secure than anything Docker brings to bear.
Re:Because Docker uses a Linux container by Anonymous Coward · 2016-02-03 12:42 · Score: 1

"FreeBSD got jails some years ago for the same purpose, and IIRC that was one of the inspirations for the linux version. (Both inspired by containers in Solaris, and earlier iterations of the idea in other OSes)."
Actually, I believe Jails were first. In order:
1- UNIX chroot
2- FreeBSD jails
3- Solaris Zones
4- Linux Containers
In practice yes, though not in principle by Morgaine · 2016-02-03 12:50 · Score: 1

Isn't the attack surface governed by the ports you open up on the Docker containers?
Although you describe a common case, it's not the general one. In principle the size of a software attack surface is given by the amount of code which is reachable through an attack conduit like a network, not by the "width" of the conduit.
For example, a given network service could be bound to just one IP address or to two, but its attack surface would remain the same despite double the size of the attack conduit. Likewise, a given service could be available on only one port or on N ports, yet its attack surface would not change despite any increases in the size of the conduit through which it can be reached.
(The attack surface is primarily a function of the amount of externally reachable code because the number of exploitable weaknesses is relatively constant per unit of code. Making the same code reachable through a wider conduit does not generally change its set of exploitable weaknesses.)
This assumes that the same code is being exposed regardless of the number of different IP address or port bindings of course. If this is not true because different functionality is offered on different ports then of course the size of the attack surface is no longer invariant.
Your observation is accurate in practice because the special case of "one port per service" is a very common one. It's worth recognizing that the general case is different though.

--
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Re:Because Docker uses a Linux container by ChunderDownunder · 2016-02-03 13:12 · Score: 1

So at this rate, Hurd which is also "hanging off a Mach microkernel" is more likely to have native Docker supporter before OS X. :)
Rump Kernels by Anonymous Coward · 2016-02-03 13:41 · Score: 0

Rump kernels enable you to build the software stack you need without forcing you to reinvent the wheels. ... As a production-ready example, we offer the Rumprun unikernel, which clocks in at a few thousand lines of code plus rump kernel components, and supports POSIX'y software directly on both raw hardware and cloud hypervisors such as KVM and Xen.
http://rumpkernel.org/
1. Re:Rump Kernels by Fwipp · 2016-02-03 13:56 · Score: 1
  
  Why the heck did you name them butt kernels?
2. Re:Rump Kernels by Khyber · 2016-02-03 17:44 · Score: 1
  
  Too lazy to read their FAQ?
  " Why the name?
  If you look up "rump" in a dictionary, you'll find a definition which involves the group that is left over after a portion of the contents of a larger group have been removed -- the classic example is a rump parliament. The attribute "rump" therefore establishes the relationship between just a kernel and a rump kernel."
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
3. Re:Rump Kernels by Fwipp · 2016-02-03 18:09 · Score: 1
  
  Cool story, but why did they name them butt kernels? There isn't anyone who hears "rump" and thinks "ah yes; the smaller portion left behind after the majority has been removed."
4. Re:Rump Kernels by Anonymous Coward · 2016-02-03 19:28 · Score: 0
  
  That's the thing about uneducated morons--they tend to think everyone else must be one, too.
5. Re:Rump Kernels by Anonymous Coward · 2016-02-03 23:09 · Score: 0
  
  As opposed to educated morons, who think everyone else must become like them.
Wait what? by cen1 · 2016-02-03 13:52 · Score: 1

As far as I figured out, they use a very stripped down Linux distro called Alpine Linux as the base and then build a Docker image on top of that. How is this a hack? This just means you are now running Alpine Linux in your containers instead of your distro of choice which nobody really wants.
Re:Because Docker uses a Linux container by RabidReindeer · 2016-02-03 13:57 · Score: 1

Yeah, except that FreeBSD has had 'jails' for over a decade, which are far more secure than anything Docker brings to bear.
Linux has had jails for over a decade. I image that FreeBSD actually goes back further than that.
Docker has jails plus virtual networks plus various other isolation mechanisms, so I cannot credit your assertion that a jail-only mechanism is more secure.
Re:Because Docker uses a Linux container by Anonymous Coward · 2016-02-03 15:46 · Score: 1

"Linux has had jails for over a decade. I image that FreeBSD actually goes back further than that."
Yep, jails appeared in FreeBSD 4.0-RELEASE around 1999-2000 if I recall correctly.
"Docker has jails plus virtual networks plus various other isolation mechanisms, so I cannot credit your assertion that a jail-only mechanism is more secure."
To be fair, FreeBSD also has virtual networks so each jail can also run a complete virtualized network.
As for a comparison in security, I'm unable to make an informed comment.
Re:Because Docker uses a Linux container by Anonymous Coward · 2016-02-03 20:33 · Score: 0

"Linux has had jails for over a decade. I image that FreeBSD actually goes back further than that."
Yep, jails appeared in FreeBSD 4.0-RELEASE around 1999-2000 if I recall correctly.
"Docker has jails plus virtual networks plus various other isolation mechanisms, so I cannot credit your assertion that a jail-only mechanism is more secure."
To be fair, FreeBSD also has virtual networks so each jail can also run a complete virtualized network.
As for a comparison in security, I'm unable to make an informed comment.
FreeBSD jails appeared 2000 and had root privilege isolation. The only missing part would be IO rate limiting and root privilege isolation appeared on Linux with OpenVZ (2005). From personal experience with jails and docker: I prefer the jail networking and configuration. The benefit of docker is the online repo.
Indeed by jemmyw · 2016-02-03 21:37 · Score: 1

I read this yesterday and I found it slightly annoying in the tone. Alpine has been around for awhile, and I don't think anyone using docker for more than experimentation will be happy with massive Ubuntu based images. But would you really use these minimal images packaged by an unknown entity when you can make your own with one line in the dockerfile?
Docker and disk usage, a long story by Anonymous Coward · 2016-02-03 22:58 · Score: 0

Image size is actually one recurring concern of Docker users. One problem being that when you build an image, every build step will be persisted in a layer (like a incremental snapshot of you container), and those layers can be cached and reused when building other docker images.
Now, the drawback is that if you have an intermediate build step where, for example, a huge set of temporary files were created, then those files will also be persisted in your local Docker registry. In some case, when pulling a single image you will need to fetch layers which will sum up to N times the actual size of the container without being ever reused again. Not great.
Beyond being a simple annoyance, this has a security implication too. For example, when building the image imply storing in an intermediate layer some kind of secret (private key, password, etc).
There are some workaround available. You may either keep the number of individual build step down by chaining interpreter commands or relying on additional shell scripts. There are also hacks available to trim the layers from an image, up to a single layer (to end with a "flat" image). But those are only hacks and people really would like to see something implemented directly in the Dockerfile syntax. Several issues has been filled (eg. https://github.com/docker/docker/issues/332) but none of them were able to reach a consensus on how this should be done while preserving backward compatibility and the caching system.
Disk usage problems also affects private registries, especially since, as the Version 2 of the registry implementation, there is currently no straightforward way to delete a stored image (due to integrity reasons with the distributed storage drivers).
Dangling Docker volumes (that are not tied to a container any more) may also easily fill up your hard drive if you do not pay attention. But the situation slightly improved with recent version of Docker and the ability to track such volume down.
uses Alpine [bleeding] EDGE Re:Official repos? by Anonymous Coward · 2016-02-03 23:19 · Score: 0

I wondered this too... and why they are pointing to Alpine's "Edge" specifically.
From the Alpine Distro's page:
Warning: "edge" is under constant development so be careful using it in production. It is possible that bugs in "edge" could cause data loss or could break your system.
Re:Because Docker uses a Linux container by h4ck7h3p14n37 · 2016-02-04 03:24 · Score: 1

You can run Docker on FreeBSD thanks to the 64-bit Linux compatibility layer that was added last year.
Re:Because Docker uses a Linux container by Rutulian · 2016-02-04 04:35 · Score: 1

FreeBSD Jails and Linux Containers are really different beasts. Jails are great if security is your primary consideration. Hence the name: Jails effectively isolate processes and go to great lengths to prevent them from accessing anything outside the jail. Containers use separate kernel namespaces to give groups of processes separate views of kernel global variables. Security (especially with user namespaces) is a bonus, but the primary goal is efficient os-level virtualization and isolation of resources. A more apt comparison is with the BSD VPS project rather than Jails.

At a guess the jail support didn't make it.
Correct. XNU does not have support for Jails, and it likely won't because it requires some pretty severe changes to kernel data structures to make them work.