What worries me about Alpine is that it invents YET-ANOTHER package manager(apk) . I think it claims that it builds on top of Gentoo... But could someone explain why Deb or rpm could not be used.
Does using Deb or rpm screw up size or security in some way. We could also have gotten access to the Debian/Fedora repository in a pinch. Not all of us run statically compiled go executables and often have tons of dependencies that need to be installed for webapp.
P.S. And the package manager apk is unfortunately named to conflict with IMHO the biggest package repo in the world:Android. It is virtually impossible to Google anything meaningful without running into android.
Alpine uses the musl libc and the OpenRC init system. In order for a deb or rpm package to install correctly, the binary would have to be built for musl already and the necessary information to set up services on the init system be provided. I don't know how the latter works for other package managers, be it in a way compatible with OpenRC or not.
P.S. In my experience APK has been rock-solid and simple to use.
What is the fall back if a package is not available? For example, I was able to find an APK for python 3.5.1-r0. However, I can find nothing for Python 3.4 except a bug report and some hacky fixes.
Also, it looks like running anything that require binaries that have compiled against glibc will be wonky as hell.
"Moving" is a bit of a strong word. It would be much more accurate to say "providing alternatives". For example, the "golang" image now has an "alpine" variant for each supported version (https://hub.docker.com/_/golang/), but the default variant is still Debian-based (especially given that switching the base outright would break far too many existing Dockerfiles). Additionally, the documentation calls out that there might be libc compatibility issues in the spirit of trying to ensure our users are properly informed about the potential problems they might run into in their quest for the smallest possible base: https://github.com/docker-library/docs/blob/b7b6b86124682ef1...
I would definitely welcome PRs to make this verbiage more accurate or more informative of pros and cons.
What's with the weird comparison to the Windows start button? Is that if you encode the button as a BMP? Or is it the size of the compressed vector graphics? Or is it the size of the binary used to implement the start button? Does it include the shared libraries that binary uses? wtf.
Last I'd heard (I believe) the creator of Alpine Linux was looking for work and the future of the project was a bit uncertain. I'm happy to hear that he'll be able to continue working with Alpine Linux and that we'll still be able to make great Docker images with it.
Blog claims Alpine is based around being secure and light weight...but gives no indication on why it is secure. Oh, lightweight because of busy box? Is there scrutiny on packages installed? I don't see the security component.
Maybe Docker can reveal more there, though given how they iterate and things break, I'm not sure they are willing (or capable).
From the Alpine linux site: "Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities."
I got excited, but then remembered - grsec will not affect containers. Neither will PaX unfortunately. PIE + stack smashing protection is already available in most serious distros. From the basic info I can find, I don't see a huge difference.
Why does the size of a base image matter? What happened to the shared layers between images? Did the new file systems completely sacrifice that?
The original filesystem (AUFS) used shared read-only layers, so if two images used the same base image, only their differences contributed to disk usage. I know there has been a lot of work to move to filesystems supported by more kernels, but if shared layers have been sacrificed, that makes me sad.
> Why does the size of a base image matter? What happened to the shared layers between images?
It matters because when bootstrapping new hosts you still need to download all the base images, and because in many systems the base images can come to totally dominate the storage needs.
It still can often save a lot, but it's not enough for a lot of places where people want to use Docker.
Alpine is pretty nice though using it in containers you are not getting the best part of it: the hardened kernel. I'd say Alpine is a better fit for the host OS where you have a few moving parts.
It will be great for compiled language base images, but even there it might be tricky if you rely on 3rd party packages. Libc compatibility issues are also real. It's great that they are slowing addressing them though.
Great move by the docker team. The promise of containers has always been to make the environment that processes live in super lightweight, with a minimum of unnecessary binaries and permissions. Having a full ubuntu installation per container has been a major hazard to that, as it's required the use of overlays and other tricks to avoid having huge disk overhead per container. Moving to a much lighterweight base image means you need fewer overlays, because you can pay the 5mb cost for days. It also reduces the attack surface by a lot, for much greater security.
Gives you an image that is ~30M (15M compressed) plus the size of whatever package you are installing. The advantage is that you get access to Fedora's package database with security updates.
This could probably be slimmed down further with custom versions of the base packages.
Has Alpine Linux solved the glibc problem? I recall you can't simply install Oracle Java 7+ on Alpine linux without a lot of setup first because of the dependency on glibc.
Ubuntu is great because people already understand it and probably already know how to install their apps on it which makes moving to Docker easy. Most businesses unsurprisingly don't like the idea of running on a OS they never heard of with tooling their engineers don't have experience with, limited community or enterprise support, or even internal repos.
Alpine may be the 'technically correct' choice but Ubuntu is easily a much better business choice.
I agree with snubbing glibc, systemd, and apt-get. Seriously, it is about time to put an end to the bloated fatibubbul fest going on over there! I intend to move my dockers to alpine. I will only come back to debian after and not before they have downsized, trimmed and layed off all the useless fat around their bellies!
Dunno if it is about snubbing, but i get the impression that having systemd inside the container makes it damn hard to work it if you do not also have it outside the container. And at that point, systemd is likely to take over control completely rather than play nice with docker.
Well, the ISO includes the Linux kernel. A Docker image only comes with user space components since the host provides the kernel, so an ISO would need to be larger.
Based on my understanding of the threads on the Musl list, part of this was some features that are now implemented in Musl, and part was Kubernetes using DNS in ways that are incorrect.
[+] [-] sandGorgon|10 years ago|reply
Does using Deb or rpm screw up size or security in some way. We could also have gotten access to the Debian/Fedora repository in a pinch. Not all of us run statically compiled go executables and often have tons of dependencies that need to be installed for webapp.
P.S. And the package manager apk is unfortunately named to conflict with IMHO the biggest package repo in the world:Android. It is virtually impossible to Google anything meaningful without running into android.
[+] [-] JasonSage|10 years ago|reply
P.S. In my experience APK has been rock-solid and simple to use.
[+] [-] monkmartinez|10 years ago|reply
Also, it looks like running anything that require binaries that have compiled against glibc will be wonky as hell.
[+] [-] ape4|10 years ago|reply
[+] [-] digi_owl|10 years ago|reply
[+] [-] tianon|10 years ago|reply
"Moving" is a bit of a strong word. It would be much more accurate to say "providing alternatives". For example, the "golang" image now has an "alpine" variant for each supported version (https://hub.docker.com/_/golang/), but the default variant is still Debian-based (especially given that switching the base outright would break far too many existing Dockerfiles). Additionally, the documentation calls out that there might be libc compatibility issues in the spirit of trying to ensure our users are properly informed about the potential problems they might run into in their quest for the smallest possible base: https://github.com/docker-library/docs/blob/b7b6b86124682ef1...
I would definitely welcome PRs to make this verbiage more accurate or more informative of pros and cons.
[+] [-] iso-8859-1|10 years ago|reply
[+] [-] mastazi|10 years ago|reply
[+] [-] JasonSage|10 years ago|reply
[+] [-] fidget|10 years ago|reply
[+] [-] jmspring|10 years ago|reply
Maybe Docker can reveal more there, though given how they iterate and things break, I'm not sure they are willing (or capable).
[+] [-] viraptor|10 years ago|reply
I got excited, but then remembered - grsec will not affect containers. Neither will PaX unfortunately. PIE + stack smashing protection is already available in most serious distros. From the basic info I can find, I don't see a huge difference.
For comparison Ubuntu provides its list here: https://wiki.ubuntu.com/Security/Features It's similar to Fedora: https://fedoraproject.org/wiki/Security_Features_Matrix And to Arch (no nice table though) https://wiki.archlinux.org/index.php/DeveloperWiki:Security - Alpine doesn't seem to provide similar summary.
[edit: sorry, I stealth-edited the realisation]
[+] [-] mverwijs|10 years ago|reply
[+] [-] hiou|10 years ago|reply
Not saying you need to agree with that. But that does appear to be at least an "indication"
[+] [-] ARothfusz|10 years ago|reply
The original filesystem (AUFS) used shared read-only layers, so if two images used the same base image, only their differences contributed to disk usage. I know there has been a lot of work to move to filesystems supported by more kernels, but if shared layers have been sacrificed, that makes me sad.
[+] [-] vidarh|10 years ago|reply
It matters because when bootstrapping new hosts you still need to download all the base images, and because in many systems the base images can come to totally dominate the storage needs.
It still can often save a lot, but it's not enough for a lot of places where people want to use Docker.
[+] [-] regecks|10 years ago|reply
[+] [-] kylequest|10 years ago|reply
It will be great for compiled language base images, but even there it might be tricky if you rely on 3rd party packages. Libc compatibility issues are also real. It's great that they are slowing addressing them though.
[+] [-] gtaylor|10 years ago|reply
[+] [-] GauntletWizard|10 years ago|reply
[+] [-] mverwijs|10 years ago|reply
I cannot run my production on Alpine.
(Yes, every startup I know can. But I work for a lot of older companies that have legacy systems. And that is a huge market that cannot use Alpine.)
[+] [-] kev009|10 years ago|reply
[+] [-] lisivka|10 years ago|reply
[+] [-] gtirloni|10 years ago|reply
[+] [-] u320|10 years ago|reply
This could probably be slimmed down further with custom versions of the base packages.
[+] [-] sandGorgon|10 years ago|reply
[+] [-] tommis|10 years ago|reply
> Docker has hired the creator of Alpine Linux, Natanael Copa <
[+] [-] hackerboos|10 years ago|reply
[+] [-] kylequest|10 years ago|reply
I still prefer to use DockerSlim to shrink images. I'm too lazy to worry about the Alpine gotchas :)
[+] [-] bleakgadfly|10 years ago|reply
[+] [-] hogeland|10 years ago|reply
[+] [-] siliconc0w|10 years ago|reply
Alpine may be the 'technically correct' choice but Ubuntu is easily a much better business choice.
[+] [-] bcook|10 years ago|reply
[+] [-] gaius|10 years ago|reply
[+] [-] digi_owl|10 years ago|reply
[+] [-] auvi|10 years ago|reply
[+] [-] Zekio|10 years ago|reply
[+] [-] duaneb|10 years ago|reply
What a waste of energy for everyone so they can save a few cents on bandwidth.
[+] [-] gizi|10 years ago|reply
[+] [-] digi_owl|10 years ago|reply
[+] [-] pepijndevos|10 years ago|reply
[+] [-] profmonocle|10 years ago|reply
[+] [-] hharnisch|10 years ago|reply
[+] [-] shykes|10 years ago|reply
[+] [-] steeve|10 years ago|reply
[+] [-] justincormack|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]