Create Small and Secure Container Images
Thanks to docker.
We are able to prepare small and secure container images
Specify your base images, add your changes and build your container.
Most images use Debian or ubuntu as base images
These base images add hundreds of megabytes as the overhead
Application is usually a few MB
Methods:
1) Using small base images
2) Using the builder pattern
Going from node 8 to node 8-alpine reduces our image size by 10 times
To move to a smaller base image, update your docker file to a smaller base image.
Unlike the old onbuild build image, you have to copy your code into the container and install the dependencies
In the new docker file, the container users alpine base image
Using the small base image gives you the flexibility to use small images
But using the small containers, you might go even small by using the builder pattern.
With interpreted languages - inter
compiled languages, the source code is compiled code before hand
Compilation step requires code, that is used to run the code
To do this, you can use the builder pattern.
BUILDER PAttern
The code is build in the first container.
The compiled code can now be packaged into another container without using all the tools required to make the compiled code.
Lets take a go application through this process
In a new docker file
FROM golang:alping AS build-env
WORKDIR /app
ADD. /app
RUN cd /app && go build -o goapp
RAW alpine doesnt have SSL certificates installed, which will make the most API calls over HTTPS fail. So lets install some root-ca certificates.
FROM golang:alping AS build-env
WORKDIR /app
ADD. /app
RUN cd /app && go build -o goapp
Performance: Critereon
Build a container
Push it to a registry
Pull it down from a registry
We are able to prepare small and secure container images
Specify your base images, add your changes and build your container.
Most images use Debian or ubuntu as base images
These base images add hundreds of megabytes as the overhead
Application is usually a few MB
Methods:
1) Using small base images
2) Using the builder pattern
Going from node 8 to node 8-alpine reduces our image size by 10 times
To move to a smaller base image, update your docker file to a smaller base image.
Unlike the old onbuild build image, you have to copy your code into the container and install the dependencies
In the new docker file, the container users alpine base image
Using the small base image gives you the flexibility to use small images
But using the small containers, you might go even small by using the builder pattern.
With interpreted languages - inter
compiled languages, the source code is compiled code before hand
Compilation step requires code, that is used to run the code
To do this, you can use the builder pattern.
BUILDER PAttern
The code is build in the first container.
The compiled code can now be packaged into another container without using all the tools required to make the compiled code.
Lets take a go application through this process
In a new docker file
FROM golang:alping AS build-env
WORKDIR /app
ADD. /app
RUN cd /app && go build -o goapp
RAW alpine doesnt have SSL certificates installed, which will make the most API calls over HTTPS fail. So lets install some root-ca certificates.
FROM golang:alping AS build-env
WORKDIR /app
ADD. /app
RUN cd /app && go build -o goapp
FROM alpine
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
WORKDIR /app
COPY --from=build-env /app/goapp /app
EXPOSE 8080
ENTRYPOINT ./goapp
This new multi stage docker file will contain the image that is just 12 MB
The original image was 700 MB
Using small base images, and the builder pattern are great ways to create smaller images without a lot of work.
Do small containers actually have a measurable performance ?
For performance - how long does it take to build a container, push it to the registry and pull it down the image
Many CI systems, do not have a cache container
Do small containers have an ad
PUSH it to the registry
Performance: Critereon
Build a container
Push it to a registry
Pull it down from a registry
Comments
Post a Comment