What worries me about Alpine is that it invents YET-ANOTHER package manager(apk) . I think it claims that it builds on top of Gentoo... But could someone explain why Deb or rpm could not be used.
Does using Deb or rpm screw up size or security in some way. We could also have gotten access to the Debian/Fedora repository in a pinch. Not all of us run statically compiled go executables and often have tons of dependencies that need to be installed for webapp.
P.S. And the package manager apk is unfortunately named to conflict with IMHO the biggest package repo in the world:Android. It is virtually impossible to Google anything meaningful without running into android.
Alpine uses the musl libc and the OpenRC init system. In order for a deb or rpm package to install correctly, the binary would have to be built for musl already and the necessary information to set up services on the init system be provided. I don't know how the latter works for other package managers, be it in a way compatible with OpenRC or not.
P.S. In my experience APK has been rock-solid and simple to use.
this is a huge blocker - we are already in a world where RPM and DEB dont get released in tandem. And it has taken millions of man hours to resolve deep problems in dependency resolution, circular dependencies,etc.
For a startup like mine, I already estimate I'm installing hundreds of libraries (Ruby gems, Python wheels, etc). I'm pretty sure some of them are weird dependencies... but I have come to trust apt and dnf.
There is zero reason for me to trust Alpine's new package manager that is managed by a single dev. Disk space is cheap - my time is not.
This is the big blocker - if Alpine can figure out a way to co-exist with apt or dnf (pick your own poison), that makes it compelling.
But then again, I would ask - can something like Alpine be achieved with debian or centos. Even if it is 3X the size (30mb) ?
EDIT: I run a fat docker VM based on debian with nginx, rsyslog, postgresql and ruby+puma using supervisord. There is absolutely ZERO need for OpenRC. I have been running this in production for over 18 months since before Docker was this stable.
> But then again, I would ask - can something like Alpine be achieved with debian or centos. Even if it is 3X the size (30mb) ?
No. In the past I've tried several times to create a lightweight Debian derivative that would still allow me to install Debian/ubuntu packages from their repositories. The smallest I've been able to get things without completely breaking everything was around 230mb. This required lots of ugly hacks such as post install triggers that would remove useless garbage such as /usr/share/doc/ and man pages.
It's simply not possible to take the Debian eco-system and magically turn it into a slim version of itself.
I would never run Alpine stand-alone on a server. But for containers, it's absolutely amazing. I don't need the full Debian ecosystem. All I need is some basic tools such as NPM, Pip or gem. They can take care of the rest. The whole point of containers is to escape from the dependency and package hell that we're currently in.
The smallest I've been able to get things without completely breaking everything was around 230mb. This required lots of ugly hacks such as post install triggers that would remove useless garbage such as /usr/share/doc/ and man pages.
You can also use separate build and deploy containers... build in a container with all the tooling you need, that exports out to a mount point everything needed to run, then turn that mount point into the new deploy container.
this is by one of the posters above you. its called Dockersl.im
> Here are a few numbers to give you an idea (using on Ubuntu 14 base image):
> node: 431MB -> 14MB python: 433MB -> 15MB ruby: 406 MB -> 14MB java: 743MB -> 100MB
I don't need the full Debian ecosystem. All I need is some basic tools such as NPM, Pip or gem. They can take care of the rest.
What happens when your npm/pip/gem package depends on a C library like libpq or libsasl2? Restricting yourself to pure JS/Python/Ruby code to avoid having a few MBs sitting on the disk sounds like a terrible tradeoff.
And your reason is ... to share less between instances? The more code in common, the better, isn't?
When I trying to optimize my system of containers, I move everything common into topmost container, to make application containers smaller. You are doing opposite. Why?
The package ecosystem is the biggest challenge for Alpine. It's just not there and there's only so much you can do yourself. You need to have enough critical mass before the majority of the 3rd party providers begin to release packages for Alpine.
There's a way to have small Docker images using the standard distros like Ubuntu where you get to use your favorite packages. DockerSlim [1] was created for this. It collects the artifacts your are actually using in the container throwing everything else away...
Here are a few numbers to give you an idea (using on Ubuntu 14 base image):
It's a work in progress, so there might be corner cases where it's less than ideal. It's not tested well enough with "fat" images. Pull Requests are greatly appreciated :-)
You also get auto-generated Seccomp (already usable) and AppArmor (WIP) profiles, so you don't have to create them manually.
Yes, I'm one of the authors. If you want to contribute too it'll be awesome and it'll be greatly appreciated!
The quoted numbers are based on the set of sample apps you can find in the repository. Take a look in sample/apps. You'll see the code and the Dockerfiles that go along with them.
I haven't thought about publishing the images. Thanks for the idea!
Ehh I wouldn't worry about it too much. The whole idea behind these skinny distros is there are few if any packages. Distros can also consider using something like rpm-ostree[1] for making skinny, RPM-based immutable file systems where you only update the "master" image then push it out.
What is the fall back if a package is not available? For example, I was able to find an APK for python 3.5.1-r0. However, I can find nothing for Python 3.4 except a bug report and some hacky fixes.
Also, it looks like running anything that require binaries that have compiled against glibc will be wonky as hell.
> What is the fall back if a package is not available?
Then use another distro if you're not prepared to invest the effort into it. The point of people wanting to move Docker images to distros like Alpine is to minimize size. That matters if you're going for massive density etc., but depending on your use cases, using e.g. Ubuntu or Debian or Centos as a base can be just fine.
It's worthwhile to move the official images to it because they are used so widely. It's not necessarily worth it for every random image someone puts together.
The official images are used so widely precisely because they are trivially extendable using apt. This will not be the case if they are based of something obscure.
There are even more exciting libs like numpy/scipy which rely on a system BLAS package before they can even compile (and take forever). This is a problem that Ubuntu has made less difficult but a better solution would be package managers for C and fortran.
If the 'alpine experiment' results in more work on portable build tools for complex projects, that's a win for the open source community.
And if it's a proprietary piece of software and you don't have the source code? Or you do have the source, but the build process is too convoluted to figure out?
1. If it is proprietary, we don't need it in docker. If they want to play in this ecosystem, they have to make their source free.
2. If the build process is too convoluted, we try our best to simplify it.
Building something like Mozilla Firefox might take a few hours the first time but it will not always take that long. I for one would fully support this new pro-source software distribution mechanism. We could probably use git tags to find out when we have updates if we could get people to agree on some kind of convention...
Processor vendors should love this change because every server will build all the software it needs from source.
Sure. You don't get to dictate what I run in MY docker containers hosted on MY private registry used in MY environment. If I want to run proprietary software in my docker containers, I damn well will. And I expect Docker not to work against that, if just for the reason that it works fine today, why not tomorrow?
You're more than welcome to build that from source too! Where you get the source code could still be a private, authenticated area. You could choose to never publish your docker files. That's fine. I'm just saying that we should move to a better model where if you distribute software, you should also distribute the source code (and hopefully build tools) for it.
Why is this so difficult? It does not put any constraints on the user that vendors of proprietary software haven't artificially erected.
Talk about creating more problems than you solve. If this was such a good model, why aren't all linux distros shipped with a minimal set of tools, where the users are given a "go build it all yourself" note on the box? I will tell you why; because it's a suckfest that can drag expert and non-expert linux swashbucklers into the weeds for untold amounts of time depending on the software that needs to be built.
Just because something is a bad idea today doesn't necessarily mean it will forever remain so. What we have today is far from perfect and I think any effort to branch out is a good idea. In the worst case, we won't be any worse off than we are today.
Of course, my whole idea depends on many things such as the hypothesis that processing and storage will continue to get cheaper with time. I don't know if it will be true. I hope it will though.
Does using Deb or rpm screw up size or security in some way. We could also have gotten access to the Debian/Fedora repository in a pinch. Not all of us run statically compiled go executables and often have tons of dependencies that need to be installed for webapp.
P.S. And the package manager apk is unfortunately named to conflict with IMHO the biggest package repo in the world:Android. It is virtually impossible to Google anything meaningful without running into android.