New Hack Shrinks Docker Containers

destinyland writes: Promising "uber tiny Docker images for all the things," Iron.io has released a new library of base images for every major language optimized to be as small as possible by using only the required OS libraries and language dependencies. "By streamlining the cruft that is attached to the node images and installing only the essentials, they reduced the image from 644 MB to 29MB,"explains one technology reporter, noting this makes it quicker to download and distribute the image, and also more secure. "Less code/less programs in the container means less attack surface..." writes Travis Reeder, the co-founder of Iron.io, in a post on the company's blog. "Most people who start using Docker will use Docker's official repositories for their language of choice, but unfortunately if you use them, you'll end up with images the size of the Empire State Building..."

WTF?

[msauve]

What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?

Re:WTF?

[citylivin]

Im not a developer, but i think its like install shield for windows. Creates application packages or something. Still the summary should really give a brief definition.

Re:WTF?

[twistedcubic]

Docker is so hyped nowadays I'm surprised people reading Slashdot are claiming they never heard of it. Docker is an application container. It essentially creates an advanced chroot which runs ONE application (usually). Now 644MB seems a lot of overhead for running one app, so shrinking this to 29MB is a welcome improvement. That said, Docker is not for typical users. Use LXC, LXD, or systemd-nspawn if you want containers that can run several apps with their own init.

Re:WTF?

[msauve]

Perhaps. There's no doubt some subset of /. users who know immediately what the summary is about, but I suspect that's fairly small. Something to do with images and languages and OSs, and shrinking image sizes. It's not hard to reduce the resolution and size of an image, so it's not clear why this is called a "hack," or why it's news.

But, my comment was really in relation to the piss poor submission, and the failure of /. "editors" to fix it. This is one of the worst in recent memory. If the new overlords want to improve the site, make the editors actually edit, instead of simply posting submissions verbatim. Things like spelling out acronyms upon first use, and providing basic descriptions for esoteric technologies/names. Very basic journalism 101 stuff. But, given that virtually all the submissions are being posted by "timothy" now, it seems like they're trying hard to lower expectations even further.

Re:WTF?

[msauve]

Not everyone who reads /. is a software developer, a *nix sysadmin, or whatever other area of specialization would use that. /. is "News for Nerds," and that encompasses a wide range of technologies/interests, many non-overlapping.

Re:WTF?

[msauve]

So, just like Java, only different?

Re:WTF?

Not everyone who reads /. is a software developer, a *nix sysadmin, or whatever other area of specialization would use that.

When you read a headline and you don't recognize the terminology used in the headline, you have two choices: you can skip the story completely, as it's probably not relevant to what you do; or you can click through the provided links to read more.

Making a joke by pretending to misunderstand what the terminology means is a distant third choice. I wish there was a -1, Not Funny moderation.

Re:WTF?

[Impy+the+Impiuos+Imp]

Docker is so hyped nowadays I'm surprised people reading Slashdot are claiming they never heard of it. Docker is an application container. It essentially creates an advanced chroot which runs ONE application (usually). Now 644MB seems a lot of overhead for running one app, so shrinking this to 29MB is a welcome improvement.

That said, Docker is not for typical users. Use LXC, LXD, or systemd-nspawn if you want containers that can run several apps with their own init.

After 12 seconds of reading the first thing that popped up on Google, this is some kind of virtual machine that runs your app. Is this extra crap standard libraries for that language?

Re:WTF?

[WarJolt]

Even if you know Docker, fewer people actually think about the implications size have on cloud compute systems.

For example Amazon EC2 Container Registry(ECR) gives 500MB for the free tier and it's relatively cheap to store large container images. Most cloud services store these local registries in their network, so you don't incur bandwidth charges from external registries. Also it should start faster and is likely more reliable, but those are just bonuses.

It's true that a small image will start faster, but thats usually not a good enough incentive to really sway anyone one way or the other.

Local bandwidth within a cloud service provider rarely incurs any charges, so really there is little incentive to making it smaller from the bandwidth perspective.

The problem is that each container takes some memory footprint. Theres usually two ways that footprint size is bad. Some cloud services simply limit the max footprint size that can be deployed. Services like AWS make you manage the AWS instances that will run your container and you get charged AWS instance hours. If you have to start up huge memory instances to run your large containers you will pay more.

It's all about understanding your computation and memory requirements. Often times your containers are simply sitting their idle doing nothing, but you will always be using the memory, so memory is an important thing to optimize.

Re:WTF?

[WarJolt]

They are talking about taking a container which is commonly used for implementing the 'cloud' buzzword and using it to implement the 'IoT' buzzword. Someone pointed out that 'things' generally are a lot more resource constrained than servers, so they've slimmed down their 644MB container to 29MB. Good luck fitting that into the 128kB of flash in the typical microcontroller running your consumer electronics.

It's best not to mix everything together in your head until it all becomes the same thing.

Containers are great for servers.
Even if you ran a container on an embedded device, it would need to run Linux.
That's probably not happening on the microcontroller you describe.

More importantly theres almost 0 incentive to run Docker on an embedded device simply because theres very few applications which require that kind of isolation on an embedded device.

About the only device I've seen with a justified reason to use Docker are NAS devices, which are basically mini servers now.

Re:WTF?

[Billly+Gates]

Im not a developer, but i think its like install shield for windows. Creates application packages or something. Still the summary should really give a brief definition.

Not only that it makes virtualizing so much easier. Server 2016 supports docker in Hyper-V as a way to move containers and start and close them in ways that are more manageable than static images that you can not shut off or move during production without modifying the guest OS. Also it opens the possibilities of hardned ultra secure containers too that are hard to hack that do just one thing.

Re:WTF?

[thegarbz]

Use LXC, LXD, or systemd-nspawn

Oh no you didn't!

Re:WTF?

[luis_a_espinal]

What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?

I find it scary that this post above was actually mod'ed insightful. Slashdot, wtf happened to you?

Re:WTF?

[hink]

There used to be a MAJORITY of Slashdot readers who knew what a file system was. There used to be a subset of Slashdot readers who actually contributed to open-source software like the Linux kernel. I miss Hemos and Commander Taco - the founders and original editors.

Then they went commercial (everybody needs to buy groceries). Then they were bought out, with the provision that the founders stay on. Eventually they moved on, then mergers and another sale to a , shall we say, a purely capitalist owner. Across all that the audience shifted after each change. Old dogs like me hardly recognize this place. (yes, I have a 5 digit ID#. Would have had a 4 digit if I had registered when it first became an option)

All that said, it is still kind of telling that you call Docker "esoteric". It has been covered on Slashdot and MANY other Internet technology sites LOTS of times within the last two years. Because you don't know what something is does not make it "esoteric". It simply means you don't know what something is, and like most of the younger generations, it CAN'T be your fault you didn't know. The awful editors MUST have made it that way. (SARCASM)

Try reading an industry-specific magazine like Aviation Week. I work in that field, and I occasionally don't recognize a term in it. But my mindset is, that if the editors assume the rest of the audience know what that term means, maybe I should, too.

Re:WTF?

[TheRealMindChild]

It is more like thinstall/thinapp. Everything you need to run the binary is in the package

Re:WTF?

[msauve]

it is still kind of telling that you call Docker "esoteric".

Esoteric doesn't mean what you think it means. It does not mean unusual or rare, it means "intended for or likely to be understood by only a small number of people with a specialized knowledge or interest." Which it is.

I'm not a developer, and only play a sysadmin at home. /. has a wide audience. I'm interested in learning about technologies outside of my bailiwick (which centers on networking). I can usually get an understanding from context in the summaries. But this one was just pure technobabble for anyone outside of very specific fields.

Re:WTF?

[NoImNotNineVolt]

I see it's true. Aspies really can't recognize sarcasm.

Indeed, it is true that while the Egyptian Cobra can recognize moving objects and sources of heat, it really can't recognize sarcasm. I didn't think people still called them Asps or Aspis, though.

Re:WTF?

[cwsumner]

If it takes 644 Mb for a "Hello World" program, then that is probably why I have never heard of it. Seriously.

Re:WTF?

[cwsumner]

It is more like thinstall/thinapp. Everything you need to run the binary is in the package

That sounds like a ROM image for a stand alone embedded microcomputer. Have we really gone full circle? There was a reason that we quit doing that! 8-)

Re:WTF?

[cwsumner]

What are they talking about, and why do I care about the size of the container Levi's ships my Docker khakis in?

I find it scary that this post above was actually mod'ed insightful. Slashdot, wtf happened to you?

We got tired of "SalesPersons" writing the stories! 8-)

Re:WTF?

[Aighearach]

And some of us are software developers, don't consume advertising or "hype" other than places like this. I only clicked on this to find out if it was something interesting, or just the next big blahblah.

Judging from the lack of interest displayed even in the "everybody who is anybody heard of it already" responses suggests to me that it is fluff.

Anyways, I'm not going to take a long enough break from writing firmware to both look up some unrelated thing, and also talk about it on slashdot.

Re:WTF?

[Aighearach]

Online sarcasm was deprecated in 1986, there was a posting on all Major BBS based systems about it. Kids these days just can't follow the Best Practices.

Re:WTF?

[Aighearach]

But this one was just pure technobabble for anyone outside of very specific fields.

Indeed, not all developers run their code "in somebody's cloud," some of us generally expect hardware to be provisioned to run our software. Not saying that the cloud doesn't have its place, but it is rather odd to see people getting snooty over it when "websites running in public clouds" is sortof fry-cook level development.

If something I'm working on has a cloud component, that doesn't mean I would want to be deploying it. Most of the people on the development team wouldn't need to know about the cloud-whatever either.

I can't imagine it is a desirable task for a sysadmin either, unless they're actually working for the cloud company.

Equating it to knowing what a filesystem is... that is just funny. I did check wikipedia, it looks great if I needed it. But few people do, or will, even if they're deploying a lot of code to servers. It seems to mostly be for the use cases where you want less than a full cloud compute instance, but have multiple apps that can share resources, but they don't trust each other and there isn't a sysadmin/devops team to set up apache or whatever in a way that is safe. So this makes it cost less extra overhead to run different apache (or whatever server) instances for each app, without having to run a full virtualized OS for each app.

Yeah, that is esoteric.

Re:WTF?

[Aighearach]

Right, but this is rewritable. OTOH, so are/were the ROMs...

Actually, I have to get back to some firmware programming for a microcontroller, but don't worry: I won't be using the EEPROM, only the flash.

Re:WTF?

[Aighearach]

It is insightful, perhaps you didn't understand the language it was written in?

In English it says, "What are they talking about, they just spewed a bunch of words without enough context to even identify which jargon set is being used. And the key word is a relatively new product/project, whose name is repeated umpteen times like it was written by a marketing droid, but is never explained even in context of the other jargon words."

Also, you just signed up yesterday, I can tell by your user id. You don't get to pine for my golden days of yesteryear, those are mine. Get your own, order them now and you can have them in a couple decades when you forget what it was really like.

Re:WTF?

[luis_a_espinal]

It is insightful, perhaps you didn't understand the language it was written in?

In English it says, "What are they talking about, they just spewed a bunch of words without enough context to even identify which jargon set is being used. And the key word is a relatively new product/project, whose name is repeated umpteen times like it was written by a marketing droid, but is never explained even in context of the other jargon words."

Also, you just signed up yesterday, I can tell by your user id. You don't get to pine for my golden days of yesteryear, those are mine. Get your own, order them now and you can have them in a couple decades when you forget what it was really like.

LOL. Da'fuk? I have a submission on 2011, so obviously is not yesterday. Plus I had another account that goes back to 1998. But whatever, a post is worth by its content, not but the longevity of the account (and the fact that you use the later speaks more about you than about me.)

Re:WTF?

[Aighearach]

Right, oh, 2011 isn't yesterday? What, were you born yesterday? No, you didn't have another account, if you did you would use it. If you had been here since the 90s, you would know that. Perhaps your reputation was so awful, you decided to pretend you were born yesterday? No, that isn't any improvement. Or even a believable story.

A post is only "worth by its content" in some language I don't speak. On slashdot, a comment has to make sense to have value, and if it doesn't have value and is written by somebody who just signed up (I can tell by your user id, you see) then it has negative value.

Look at the comment you wrote above. Re-read it. You wrote 17 words, with nothing other than a false claim to be an old-timer, judgment about what slashdot is or was or should be, and mod-whining. None of that has positive value here. The fact that you didn't even understand the obvious metaphorical content of the post you were mod-whining about is just topping. Ask again when you're older.

the point

[blackomegax]

Wasn't a common library the entire point of Docker? Packaging the libs with the app, etc, to reduce dependence on the host OS?

Re:the point

[xxxJonBoyxxx]

As a developer, I though the entire point of Docker was to reduce dependence on an entire layer of IT: the human gatekeepers in charge of the release systems and procedures and eventually the care and feeding of maintenance systems (who often f*** something up with manual fumbling or delay things with meetings involving coffee-swilling waterbags).

At least that's how I've seen Docker used in corporations so far, anyway.

Re:the point

[Daemonik]

99% of the time, IT is being held hostage by other departments who know nothing about what IT does, but they just heard about this thing called the "cloud" or was it "apps"... and they want IT to prioritize it ASAP. Oh and do it on 30% less budget than they had last year.

Re:the point

[steveha]

The point of Docker is to have a single package ("container") that contains all of its dependencies, running in isolation from any other Docker containers. Since the container is self-contained, it can be run on any Docker host. For example, if you have some wacky old program that only runs on one particular set of library versions, it might be hard for you to get the Docker container just right to make it run; but once you do, that container will Just Work everywhere, and updating packages on the host won't break it.

The point of the news story is that someone did a better job of stripping the container down, removing libraries and such that were not true dependencies (weren't truly needed).

Not only does this make for smaller containers, but it should reduce the attack surface, by removing resources that are available inside the container. For example, if someone finds a security flaw in library libfoo, this would protect against that security flaw by removing libfoo when it is not needed. It's pretty hard for an exploit to call code in a library if the library isn't present. Also, presumably all development tools and even things like command-line shells would be stripped out. Thus a successful attacker might gain control over a docker container instance, but would have no way to escalate privileges any further.

If the stated numbers are correct (a 644 MB container went down to 29 MB) yet the new small package still works, then clearly there is a lot of unnecessary stuff in that standard 644 MB container.

Re:the point

[RabidReindeer]

Wasn't a common library the entire point of Docker?

Packaging the libs with the app, etc, to reduce dependence on the host OS?

No, although it's one of Docker's features. Docker images are actually stacked layers of filesystem sub-images operating as overlays, so a typical Docker image might consist of a base OS image, several library images built by the Docker build process, culminating in the actual application image. Done judiciously, those sub-images can be shared by multiple application images, thereby saving space in the Docker image store.

But Docker is a lot more than that. You can run virtual networks within containers, share resources between selected containers (and ONLY those container), inject external filesystems into the containers and do many other useful things as well.

Re:the point

[scsirob]

If "shrinking to a minimum" is really the goal, then they should take a good look at the kernel itself. It has collected lots of cruft over the past 20+ years. The first Linux "distribution" I booted (Linux kernel 0.12) came on two 1.2MB floppy disks that still had room to hold additional files. A lot has changed since then, but if you claim 'bare essentials' then there's plenty room for improvement.

Re:the point

[Dog-Cow]

Docker containers don't contain a kernel. They use the host OS for services.

Re:the point

[thegarbz]

The problem with your logic (aside from being irrelevant in the case of Docker since it doesn't include a kernel) is that a lot of the "cruft" has been added as a base requirement to make a bootable modern system, and in many cases to improve performance.

You can strip everything back to 20 years ago, but will you be able to run your harddrives in PIO mode 2 all for the sake of making the kernel smaller by not needing UDMA support? Okay contrived example, but that's what I'm talking about. You want a small kernel, look at HURD. It should boot on a 64bit system sometime before 2020 and it maybe one day will get USB support.

Re:the point

[Blaskowicz]

God told to run only in 640x480 with 16 colors and get rid of memory protection. USB isn't necessary in any way either.

Re:the point

[Spacelord]

What I've been wondering is ... isn't that a bitch to maintain security patches? Because you now have all these potentially vulnerable libraries spread out over a bunch of docker containers, completely outside of the control of the package manager.

So when the next heartbleed bug comes around, you may think you have patched your system, while in fact the libraries you are exposing to the outside world via your docker apps are still vulnerable.

Re:the point

[bluefoxlucid]

It's actually kind of an inversion.

Docker base images for Debian, CentOS, and Ubuntu are typically 50-100 megabytes. Shrinking down that "base image" doesn't really make sense; Iron.io instead shrunk down images for things like PHP, Node, and Ruby.

Even then, you have two main issues.

Firstly, if you have something stupid like e.g. PHP not coming with ANYTHING installed (no php-pdo, no php-ldap, etc.), you have to write your own Dockerfile to install PHP. Typically, you can just put "image: php/5.6-fpm" in your docker-compose.yml and mount your application as a volume, and it'll work; if you need additional php modules, you have to make docker-compose build a Dockerfile opening with "FROM php/5.6-fpm", running a bunch of install commands to compile and build stuff.

Second, that causes bloat.

Docker reuses base images. PHP comes from debian/jessie, so you download the 60MB debian/jessie image and then an additional 150MB php image which doesn't include any of the stuff in Debian/jessie, and you get 210MB of space usage. The same goes with Java: it mounts its 100MB image on top debian/jessie. Install php (210MB) and Java (160MB) and you're only using 310MB, instead of 360MB.

So now you have 11 PHP applications installed. Each uses a 30MB base image instead of a 150MB base image, so installing iron/php only requires 90MB of space instead of 210MB. Each of your 11 PHP applications needs a different set of PHP extensions, which each need a set of base libraries.

In the most optimal case, you install all of the PHP extensions and use the resulting image, which gets you back to where you started with that hulking 150MB PHP image. 11 separate applications all use the same image, no duplication.

In the less-optimal case, every one of your PHP applications installs all the compiler toolchain and *-dev packages to build the PHP extensions that image needs, then removes the toolchain and *-dev packages in the same RUN line so they don't get stored in any Docker image along the way. Every different combination of tools (or, really, any application not built with *exactly* the same commands in RUN, right down to the white space) creates a new Docker image containing all of the necessary libraries and other files.

Installed php-ldap and php-mysql in one container? That container contains libldap, libmysql, php-ldap, php-mysql, and all other required files. Installed php-ldap and php-postgresql in another container? That container contains A DIFFERENT COPY of the same libldap and php-ldap files, plus php-postgresql and all the required libraries to back it. Etc. etc.

You get to say, "Ah, my images are all tiny! ... why do they take up so much disk space in total?"

Re:the point

[thegarbz]

The only thing really unnecessary is obeying an imaginary friend.

Re:the point

[yosifkit]

While the iron.io folks do manage to squeeze the size down, they do so through the use of Alpine Linux which uses musl libs rather than glibc and friends. There is a post on hackernews https://news.ycombinator.com/i... that has a discussion about the pros and cons of using an alpine based image.

There is also the deviation from upstream. The official images are a curated set of images and can be maintained by anyone willing to put in the time. For the official images that are not maintained by the upstream project (many of them are), they try to stay as close to upstream recommended build as possible. In fact, the official image gatekeepers recommend talking with upstream before trying to make your own submission to official images so that they can be as involved as they want to be. What this means is that if upstream maintains their own apt repo, that is how it is built into the image, but if upstream does not even release binaries (ie only the source tar) then building from source is they way it is packaged making sure to slim out build dependencies.

There is also some recent focus by Docker Inc to add Alpine based variants to the official images as an option for those that want a slimmer environment (see https://github.com/docker-libr... and other PRs by ncopa). There is even a description on the Docker Hub when an official image has an alpine variant (see https://hub.docker.com/_/ruby/ and https://github.com/docker-libr... which is the source of the Docker Hub version).

Note on the large size of most of the language images from the official images: "It, by design, has a large number of extremely common Debian packages. This reduces the number of packages that images that derive from it need to install, thus reducing the overall size of all images on your system." They are usually built from the "buildpack-deps" image: " It includes a large number of "development header" packages needed by various things like Ruby Gems, PyPI modules, etc." (https://hub.docker.com/_/buildpack-deps/).

(yes, I am one of the gatekeepers for official images, https://github.com/docker-libr...)

For more information:
  - https://docs.docker.com/docker...
  - https://github.com/docker-libr...
  - https://github.com/docker-libr...

Re:the point

[Aighearach]

As a developer, I though the entire point of Docker was to reduce dependence on an entire layer of IT: the human gatekeepers

Finally somebody explained both what it is for, and why I haven't heard of it... I'm not suffering under a BOFH!

They should have just said in the summary, "Docker, a BOFH-resistant deployment system."

Re:the point

[Aighearach]

I thought what he said was that the development team is being held hostage by IT, who convinced somebody they were "the computer guys" so they should be in charge of "all the technical computery stuff."

Re:the point

[Aighearach]

...that container will Just Work everywhere, and updating packages on the host won't break it.

I love this stuff... updating packages on the host won't break "it," even where "it" is some sort of malware bug.

It doesn't seem to so much solve a problem as offer a new way to create a compromise between security and convenience. Here, it mostly trades the convenience of security updates at the OS level away for convenience of deploying minimally-maintained packages.

If I wanted this, I would just switch to static linking. But I can see how, for development teams that don't have anybody on them that knows how to compile software, this would be a major time-saver.

Re:the point

[Aighearach]

Right, instead of updating the OS packages when a major security 0-day arrives, you need to turn off all your app containers, forward to a parking page, and start recompiling images.

But, your dev teams don't have to agree on compatible sets of libraries to use on projects that will be deployed together on the same cloud instances.

This trades the ability to deal with those types of problems, for being able to do stuff you couldn't do because your company didn't have anybody that can do that stuff. So without this, their website would be slashdotted anyways, and with it, they can function until bad things happen, then they can scream and wave their hands in the air like everybody else. Does it matter? That is for each company to decide... ;)

Re: Wha?

It's a small thermal exhaust port, right below the main port.

Re:Wha?

[xxxJonBoyxxx]

>> Isn't the attack surface governed by the ports you open up on the Docker containers?

I believe they are talking about the ease with which someone could slip malware into a large container image vs. a small container image and have it go undetected.

So.... thin jails

[0100010001010011]

iocage create -c

Congratulations, you've just (almost) caught up to decade old technology.

http://phk.freebsd.dk/pubs/san...

Re:So.... thin jails

[theendlessnow]

This why all the major cloud providers run freebsd.

Re:So.... thin jails

can you also iocage history? docker is to infrastructure what git is to code.

Re:So.... thin jails

[twistedcubic]

docker is to infrastructure what git is to code.

No it isn't. You're insulting Git. Docker is to hype what hype is to hype.

Re:So.... thin jails

It's worse, they've combined jails with the equivalent of statically compiled binaries.

Bit of a nightmare when there's a vulnerability on a library used in multiple containers.

Re:So.... thin jails

It's worse, they've combined jails with the equivalent of statically compiled binaries.

Bit of a nightmare when there's a vulnerability on a library used in multiple containers.

Except it isn't. You store your base images in a docker registry, you update that base image, and then you can have your CI environment kick off rebuilds of any dependent images. And as an added bonus you get to test your exact deployable image, including all dependencies, before you actually roll prod. In the past you needed something akin to a Satellite / Spacewalk setup to be able to lock combinations of versions of packages to a point-in-time snapshot. Most people don't seem to do this. They either just auto-update all packages on a regular schedule automatically which would occasionally break things, or they'd let things drift until forced to update by some security vulnerability, which then increases the likelihood of surprises.

Docker is not for everyone, it's certainly overhyped, it's a more complicated stack than more traditional virtualization or bare metal installs, but it doesn't have the specific problem you're imagining it does. In fact, it's a pretty good solution to a lot of the aspects of the problem you bring up.

Re:So.... thin jails

It is. You've given a best case usage for docker and a worst case for shared libraries.

Re:So.... thin jails

[0100010001010011]

Why not just run a diff on the jail package file?

Re:So.... thin jails

[0100010001010011]

I've looked at how it works.

It looks like you asked a bunch of 20 year olds to re-invent Jails.

Just like systemd looks like you asked a bunch of 20 year olds to re-invent init.

Official repos?

[sanosuke001]

If these are so much better, why aren't they just the official repos?

Re:Official repos?

[sanosuke001]

Ok, so from your comment I'm assuming that Iron.io doesn't own Docker? Because, from the summary, I had no idea this wasn't the people that own Docker doing the Dockering.

Re:Yeah, but...

[grub]

Will it make using Docker any easier on OSX? Why o why does it need to install an Ubuntu VM guest and run Docker inside that??

It's worse than that. It's Docker on Ubuntu on OSX on Turtles all the way down.

C++ isn't a major language?

[erapert]

Their github lists Perl but not C++?????

Re:C++ isn't a major language?

[rthille]

Yes, you always have. But you can statically link it into your binary.

Re:C++ isn't a major language?

[serviscope_minor]

C++ isn't web scale (but Perl is, a a apparently).

Re:Because Docker uses a Linux container

[Johnny+Loves+Linux]

Unless things have changed, Docker makes use of a feature of the Linux that allows creating processes that are in their own namespace. This feature requires the Linux kernel something that Mac OS X with its BSD kernel does not possess. It might be possible to do something analogous in a BSD kernel, but I don't know about it. Maybe someone else could comment on it?

Re: Wha?

[Adriax]

That should be the new vulnerability metric. Womp rats.
"A new vulnerability was found in the D-Star app this week, rating at 3.8 womp rats. CEO Tarkin downplayed the severity of the vulnerability and promised the D-Star app will continue to enhance system stability without interference from any rogue squadrons of hackers."

Re:Because Docker uses a Linux container

FreeBSD got jails some years ago for the same purpose, and IIRC that was one of the inspirations for the linux version. (Both inspired by containers in Solaris, and earlier iterations of the idea in other OSes).

Not that that matters on the MacOS side; the OS X kernel is a weird hybrid thing with a BSD kernel hanging off a Mach microkernel. The BSD parts aren't exactly a full and current FreeBSD, either; IIRC they grabbed a subset they found useful a bunch of years ago. At a guess the jail support didn't make it.

I will never give up

[Noah+Haders]

> "Less code/less programs in the container means less attack surface..."

*fewer

Re:I will never give up

Fine.

Less code/less programs in the container means fewer attack surface...

Re:I will never give up

[sexconker]

*surfacer

Re:I will never give up

[fibonacci8]

"Less code/less programs in the container means less attack surface..."

Re:I will never give up

[Tablizer]

But "less" takes up fewer space, I'm mean less fewer's, I mean, baaah, nevermind

Re:I will never give up

[Bengie]

Thanks, I found this strangely funny thing morning.

Re:I will never give up

[luis_a_espinal]

tiny tinie

Re:I will never give up

[Noah+Haders]

some things are correct and some things are incorrect. just cuz you find something more convenient doesn't change this basic fact. facts are facts!

Who cares? (not me..)

[bobbied]

Disk space is incredibly cheap compared to the standard size of a docker image and your "attack surface" is going to be limited in a docker image anyway. Sure, your application loaded in your docker image might add to that surface, but that's going to happen if you use the big image or the small one. The only real reason to do this is so you can run docker images on smaller embedded devices where resources are limited (Not that I see much of that yet).

IMHO, this development is meaningless to me. Thanks for the disk space back, but I didn't really need it...

Re:Who cares? (not me..)

[dj245]

Disk space is incredibly cheap compared to the standard size of a docker image and your "attack surface" is going to be limited in a docker image anyway. Sure, your application loaded in your docker image might add to that surface, but that's going to happen if you use the big image or the small one. The only real reason to do this is so you can run docker images on smaller embedded devices where resources are limited (Not that I see much of that yet).

IMHO, this development is meaningless to me. Thanks for the disk space back, but I didn't really need it...

For people running certain common configurations, this is actually very helpful. Docker containers are often used on home file servers. You could put docker containers on your storage array, but then you would be spinning up multiple disks every time you needed to read/write to the docker image. I have an older (small) SSD drive which I keep my docker containers on. The less space Docker uses, the more space I have left on the SSD to do something useful (like caching writes to the spinning disks). Making software have a smaller footprint is never a bad thing if the functionality remains the same.

Re:Who cares? (not me..)

[angel'o'sphere]

So you never run half a dozen docker instances from a ram disc?
Unfortunately my Mac only has 8Gig RAM, so the size of the Docker Containers does matter.

Image sizes

[Dragonslicer]

Most people who start using Docker will use Docker's official repositories for their language of choice, but unfortunately if you use them, you'll end up with images the size of the Empire State Building...

What's that in Libraries of Congress?

Re:Because Docker uses a Linux container

"FreeBSD got jails some years ago for the same purpose, and IIRC that was one of the inspirations for the linux version. (Both inspired by containers in Solaris, and earlier iterations of the idea in other OSes)."

Actually, I believe Jails were first. In order:

1- UNIX chroot
2- FreeBSD jails
3- Solaris Zones
4- Linux Containers

In practice yes, though not in principle

[Morgaine]

Isn't the attack surface governed by the ports you open up on the Docker containers?

Although you describe a common case, it's not the general one. In principle the size of a software attack surface is given by the amount of code which is reachable through an attack conduit like a network, not by the "width" of the conduit.

For example, a given network service could be bound to just one IP address or to two, but its attack surface would remain the same despite double the size of the attack conduit. Likewise, a given service could be available on only one port or on N ports, yet its attack surface would not change despite any increases in the size of the conduit through which it can be reached.

(The attack surface is primarily a function of the amount of externally reachable code because the number of exploitable weaknesses is relatively constant per unit of code. Making the same code reachable through a wider conduit does not generally change its set of exploitable weaknesses.)

This assumes that the same code is being exposed regardless of the number of different IP address or port bindings of course. If this is not true because different functionality is offered on different ports then of course the size of the attack surface is no longer invariant.

Your observation is accurate in practice because the special case of "one port per service" is a very common one. It's worth recognizing that the general case is different though.

Re:Yeah, but...

[fibonacci8]

The best part is you get the same compression ratio improvement at each stage.

Re:Because Docker uses a Linux container

[ChunderDownunder]

So at this rate, Hurd which is also "hanging off a Mach microkernel" is more likely to have native Docker supporter before OS X. :)

Wait what?

[cen1]

As far as I figured out, they use a very stripped down Linux distro called Alpine Linux as the base and then build a Docker image on top of that. How is this a hack? This just means you are now running Alpine Linux in your containers instead of your distro of choice which nobody really wants.

Re:Rump Kernels

[Fwipp]

Why the heck did you name them butt kernels?

Re:Because Docker uses a Linux container

[RabidReindeer]

Yeah, except that FreeBSD has had 'jails' for over a decade, which are far more secure than anything Docker brings to bear.

Linux has had jails for over a decade. I image that FreeBSD actually goes back further than that.

Docker has jails plus virtual networks plus various other isolation mechanisms, so I cannot credit your assertion that a jail-only mechanism is more secure.

Re: Wha?

[U2xhc2hkb3QgU3Vja3M]

https://www.youtube.com/watch?...

Re:Because Docker uses a Linux container

"Linux has had jails for over a decade. I image that FreeBSD actually goes back further than that."

Yep, jails appeared in FreeBSD 4.0-RELEASE around 1999-2000 if I recall correctly.

"Docker has jails plus virtual networks plus various other isolation mechanisms, so I cannot credit your assertion that a jail-only mechanism is more secure."

To be fair, FreeBSD also has virtual networks so each jail can also run a complete virtualized network.

As for a comparison in security, I'm unable to make an informed comment.

Re:Rump Kernels

[Khyber]

Too lazy to read their FAQ?

" Why the name?

If you look up "rump" in a dictionary, you'll find a definition which involves the group that is left over after a portion of the contents of a larger group have been removed -- the classic example is a rump parliament. The attribute "rump" therefore establishes the relationship between just a kernel and a rump kernel."

Re:Rump Kernels

[Fwipp]

Cool story, but why did they name them butt kernels? There isn't anyone who hears "rump" and thinks "ah yes; the smaller portion left behind after the majority has been removed."

Indeed

[jemmyw]

I read this yesterday and I found it slightly annoying in the tone. Alpine has been around for awhile, and I don't think anyone using docker for more than experimentation will be happy with massive Ubuntu based images. But would you really use these minimal images packaged by an unknown entity when you can make your own with one line in the dockerfile?

Re:Yeah, but...

[bluefoxlucid]

Because it makes heavy use of features inside the Linux kernel which isolate applications from the rest of the operating system. To make Docker work on OSX, you'd have to modify the OS kernel to dramatically change the way it handles system calls and application spaces. Essentially, it groups processes together as if they're running on different kernels, but runs them all in the same kernel.

Run a docker container that only runs the command 'ps -e' and it will tell you 'ps' is PID 1. The nginx container has nginx as pid 1, and 'kill -9 1' kills nginx; if you do 'ps -e' on the host, it tells you nginx is process 3719, and killing that process ends the same program. This is not standard behavior.

Re:Because Docker uses a Linux container

[h4ck7h3p14n37]

You can run Docker on FreeBSD thanks to the 64-bit Linux compatibility layer that was added last year.

Re:Because Docker uses a Linux container

[Rutulian]

FreeBSD Jails and Linux Containers are really different beasts. Jails are great if security is your primary consideration. Hence the name: Jails effectively isolate processes and go to great lengths to prevent them from accessing anything outside the jail. Containers use separate kernel namespaces to give groups of processes separate views of kernel global variables. Security (especially with user namespaces) is a bonus, but the primary goal is efficient os-level virtualization and isolation of resources. A more apt comparison is with the BSD VPS project rather than Jails.

At a guess the jail support didn't make it.

Correct. XNU does not have support for Jails, and it likely won't because it requires some pretty severe changes to kernel data structures to make them work.