The images still have some "weird" stuff in them like man pages because they use deb packages from debian for common packages. That's not core to the idea, though (and note that apt is not included inside the container.)
There are more minimalistic (and smaller!) and more compatible images out there though. So, we got the goal of distroless, but its good execution is yet to be seen!
They mention that in the video. It's an easy way currently to get built packages.
Bazel has plans on their roadmap (https://www.bazel.build/roadmap.html) to open-source rules for common packages ("Repository of BUILD files for third party OSS libraries open to the community") as a P2 for v1.0. This would presumably switch to using those when they're available.
Note that apt is not actually installed inside the container. Bazel just has a rule that knows how to unpack a deb.
It's not just "an easy way to get built packages". It makes this project trivially easy. No need for Bazel, you can do what this project does with a small shell script.
I'm a bit disappointed to see Google releasing a project which ultimately is nothing more than a helpful API around Debian, and claiming it's some exciting new thing "minus the operating system". The README doesn't credit Debian at all.
We should definitely credit Debian more in the readme, but note that the existing package manager rules are actually a bit decoupled from the distroless images themselves, via bazel.
We happen to build these base images with the Debian rules, but we plan to add support for more package managers soon.
You'll be able to start from our base image and install packages via yum/dnf/nix/whatever, or start from a different, more standard base image and install package via bazel.
Disclosure: I'm one of the TLs working on this project.
You don't find it a bit odd that a project built using distribution packages, with distribution package managers, with (eventually) a choice between which of several distributions to use, is called "Distroless"?
It's also pretty weird if you do start to "support" Nix, considering Nix already is capable of building the same kind of distroless Docker images on its own, in a much more rigorous way. That is, Nix tracks and builds the entire dependency tree instead of just using existing binaries, and has a uniform system for expressing dependencies on components. This allows, for example, using multiple different languages in the same container, which it doesn't look like Distroless can do?
The way that this project would be genuinely interesting is if you were actually building the system from scratch with Bazel, rather than using existing black-box Debian binary packages. That would be like what Nix and Guix are already capable of, but it would be interesting to get some competition in that space from a different class of tool. Of course I don't know if Bazel is even capable of doing that and producing an image, maybe a large opaque "distroless" base runtime is the finest level of dependency resolution it's capable of, in this area?
Minimal docker images feel like the Right Choice for deployment artifacts. For a project I worked on recently that minimal image was a standalone go binary, nothing else in the image at all. But I was not sure how minimal was possible for a python project I was working on. Having standard base images for different languages will be great.
Be oh so careful. We ran into issues with alpine node images that would only show up in minimal images like that. Switched to Debian and never looked back.
Funnily enough, I found it rather paradoxical (if you are developing in-house).
You choose a base, and that one is shared across your projects, so the size doesn't matter much within reason.
Say, you go for Debian, then you count 50MB download and 100MB space over all your containers / apps, thanks to sharing. So, your stuff goes on top, potentially unshared (say multiple applications).
Which comes to the next contradiction: You then go then for a go-binary, which weighs in by itself easily over a 100MB of binary code. Unshared. Any advantage of self-containment of a go-binary (being statically linked) becomes more a liability, as it is the functionality you gain from docker-images (self-containment), without the sharing of the layers.
If you are focusing on delivering it to some random people, which would maybe care about having to install 100MB on top of whatever you are delivering, then I could see your point, but then you could just go for distributing the go-binaries themselves.
Most Go binaries aren't over 100MB unless they have a bunch of data packed in them. 10-15MB seems more usual to me unless it's a particularly large project.
In the talk, I call this "FROM scratch -- for the rest of us."
That a half-truth because this also tries to set up a minimal compatible environment for common cases, e.g. it sets up ca-certs, a /tmp directory, and an /etc/passwd file.
Fundamentally it's not, but because Docker is a standard, you can throw that anywhere docker images can be consumed and run it. So, for instance, I was deploying to GKE which was easy to do. My docker deployment image was tiny (just the size of the binary) and I could run it anywhere.
Could not agree more. Let's install Java to build something that does not needs Java at all. They could have used Go, Python, hell even something like CMake.
This seems like a packaging problem. In Java 9, it's possible to produce a single binary containing the JRE and application code; same way as go producing a single binary containing the Go runtime and application code.
> Python
Then you have to install the right version of python, and you get even more of a nightmare than a Java install. At least the Java ecosystem doesn't suggest a separate tool (eg, virtualenv or similar) to support things like JAVA_HOME.
This applies equally to any non-statically-compiled application distribution; I don't see CMake files + some specially blessed CMake version that you also have to install as coming close to that.
I may be missing something here, since I've not heard of Skylark (the Python variation itself not Google's Go-based interpreter for Skylark) but my brief searching suggests it's abandoned..?
Skylark is the name of the build language used by Bazel, Google's build system. The main version is written in Java, but isn't available separately from Bazel as far as I know. Definitely not abandoned; most teams at Google use it.
The Go version is new and I don't know what it's used for.
Docker already recommends the tiny 5MB Alpine distro as the default for all containers, they hired Alpine's creator Natanael Copa[2]. Alpine is minimal but still has an awesome package manager[1], is maintained/proven/solid and provides a great UX as a container OS.
So what is my advantage of distroless vs Alpine besides the 5MB? Feels a bit like reinventing the wheel or I missed something.
Some folks solve this by adding glibc to Alpine (IIUC this is what Envoy is building upon).
It has a package manager, but it is far from as comprehensive. The security database is still essentially an experiment with much less richness than Ubuntu, Debian, Redhat, ...
If what you want is a package manager, you probably want minideb from the Bitnami folks.
I can point you at the various fixes for things I've reported since this first became available, but given your skepticism I'm sure it would not help since he seems to exclusively use the changeset description: "[add] various fixes" with no attribution.
37 comments
[ 3.5 ms ] story [ 79.0 ms ] threadBy pursuing small at the expense of compatibility we got things like musl libc (which has tons of compat issues).
If all we wanted was small we could have started from musl libc and unpacked alpine packages the way we unpack debs.
Bazel has plans on their roadmap (https://www.bazel.build/roadmap.html) to open-source rules for common packages ("Repository of BUILD files for third party OSS libraries open to the community") as a P2 for v1.0. This would presumably switch to using those when they're available.
Note that apt is not actually installed inside the container. Bazel just has a rule that knows how to unpack a deb.
I'm a bit disappointed to see Google releasing a project which ultimately is nothing more than a helpful API around Debian, and claiming it's some exciting new thing "minus the operating system". The README doesn't credit Debian at all.
We happen to build these base images with the Debian rules, but we plan to add support for more package managers soon.
You'll be able to start from our base image and install packages via yum/dnf/nix/whatever, or start from a different, more standard base image and install package via bazel.
Disclosure: I'm one of the TLs working on this project.
It's also pretty weird if you do start to "support" Nix, considering Nix already is capable of building the same kind of distroless Docker images on its own, in a much more rigorous way. That is, Nix tracks and builds the entire dependency tree instead of just using existing binaries, and has a uniform system for expressing dependencies on components. This allows, for example, using multiple different languages in the same container, which it doesn't look like Distroless can do?
The way that this project would be genuinely interesting is if you were actually building the system from scratch with Bazel, rather than using existing black-box Debian binary packages. That would be like what Nix and Guix are already capable of, but it would be interesting to get some competition in that space from a different class of tool. Of course I don't know if Bazel is even capable of doing that and producing an image, maybe a large opaque "distroless" base runtime is the finest level of dependency resolution it's capable of, in this area?
You choose a base, and that one is shared across your projects, so the size doesn't matter much within reason. Say, you go for Debian, then you count 50MB download and 100MB space over all your containers / apps, thanks to sharing. So, your stuff goes on top, potentially unshared (say multiple applications).
Which comes to the next contradiction: You then go then for a go-binary, which weighs in by itself easily over a 100MB of binary code. Unshared. Any advantage of self-containment of a go-binary (being statically linked) becomes more a liability, as it is the functionality you gain from docker-images (self-containment), without the sharing of the layers.
If you are focusing on delivering it to some random people, which would maybe care about having to install 100MB on top of whatever you are delivering, then I could see your point, but then you could just go for distributing the go-binaries themselves.
Hah, I'd love something that small. Right now, we have dozens of Node.JS apps, each one needing over 500MBs of NPM libraries..
In the talk, I call this "FROM scratch -- for the rest of us."
That a half-truth because this also tries to set up a minimal compatible environment for common cases, e.g. it sets up ca-certs, a /tmp directory, and an /etc/passwd file.
> Python
Then you have to install the right version of python, and you get even more of a nightmare than a Java install. At least the Java ecosystem doesn't suggest a separate tool (eg, virtualenv or similar) to support things like JAVA_HOME.
This applies equally to any non-statically-compiled application distribution; I don't see CMake files + some specially blessed CMake version that you also have to install as coming close to that.
https://github.com/google/skylark
The Go version is new and I don't know what it's used for.
So what is my advantage of distroless vs Alpine besides the 5MB? Feels a bit like reinventing the wheel or I missed something.
[1] https://pkgs.alpinelinux.org/packages
[2] https://www.brianchristner.io/docker-is-moving-to-alpine-lin...
Some folks solve this by adding glibc to Alpine (IIUC this is what Envoy is building upon).
It has a package manager, but it is far from as comprehensive. The security database is still essentially an experiment with much less richness than Ubuntu, Debian, Redhat, ...
If what you want is a package manager, you probably want minideb from the Bitnami folks.
I did never experienced any.
> It has a package, but it is far from comprehensive
Still better than the missing package manager of a distroless container (this was the comparison). However, I think it‘s quite good.
> The security database is still essentially an experiment with much less richness than Ubuntu, Debian, Redhat, ...
Do you have some sources proving it‘s an experiment?
> the secdb has so far been an experiment, but seems like people are actually using it, so I should set up some proper automated testing.
I doubt there is a better source :)
I can point you at the various fixes for things I've reported since this first became available, but given your skepticism I'm sure it would not help since he seems to exclusively use the changeset description: "[add] various fixes" with no attribution.
Here's the link for that last bit: https://git.alpinelinux.org/cgit/alpine-secdb/log/
¯\_(ツ)_/¯