Containerizing Apps, not VMs

The importance Docker has taken on in technology and in our daily work as developers is evident; it has become an everyday tool because of the significant advantages it brings. However, the proliferation of containers brings problems of its own, such as disk-space consumption and the long wait to download the images needed to build an environment.


Beyond the usual good practices for optimizing our images, there is a technique promoted by Google called “distroless” Docker images: images that contain no operating-system distribution at all. We have traditionally built our Docker images on general-purpose bases such as Ubuntu, CentOS or Debian, which ship many packages and system libraries that our application may never need. With distroless images we get small, specialized images focused on a single function or application.

Another great advantage is security: shipping only our application reduces the attack surface, the network traffic and, therefore, the risk. An attacker who tries to obtain a shell finds that there is none. We also avoid operating-system vulnerabilities and the maintenance burden of keeping system packages updated.

The Google Container Tools project offers Docker images focused on programming languages such as Java, Python, Go, Node.js, .NET, Rust or D, but without any operating system. They contain only the interpreter or runtime, the dependencies needed to run the application, and the libraries needed to use SSL.

If we perform a vulnerability scan on the distroless container image, we get 0 vulnerabilities, both with Clair and with Anchore. This is clear evidence that the distroless container carries no unnecessary packages that a scanner could flag as vulnerable.

A Python application inside an Ubuntu 14.04 image is 273 MB in size. The same application in a distroless image is only 22 MB, a very significant reduction in image size.
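As an added example (not code from the original post, nor from Google's distroless project), here is a multi-stage Dockerfile that builds a Python application like the one described above on a full Debian-based image and then copies only the application and its dependencies into the distroless Python runtime. The application file name (`main.py`), the `requirements.txt`, the `/app` layout and the use of `gcr.io/distroless/python3-debian12` are assumptions; that image ships Debian 12's Python 3.11, so the builder pins the same minor version so that any compiled wheels installed there work in the runtime stage.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build on a full Debian-based Python image. The app layout
# (main.py + requirements.txt in the build context) is hypothetical.
FROM python:3.11-slim-bookworm AS builder

WORKDIR /build
COPY requirements.txt .
# Install dependencies into a self-contained directory that can be copied
# as a unit. The Python minor version here (3.11) must match the one in
# the distroless runtime (Debian 12 -> Python 3.11) for compiled wheels.
RUN pip install --no-cache-dir --target /build/deps -r requirements.txt
COPY main.py .

# Stage 2: distroless runtime. No shell, no package manager, no apt:
# only the interpreter, libc, SSL libraries and CA certificates.
FROM gcr.io/distroless/python3-debian12:nonroot

WORKDIR /app
# Copy only what the application needs. pip, compilers and the shell
# from the builder stage never reach the final image.
# 65532 is the uid/gid of the "nonroot" user defined by distroless.
COPY --from=builder --chown=65532:65532 /build/deps /app/deps
COPY --from=builder --chown=65532:65532 /build/main.py /app/main.py
ENV PYTHONPATH=/app/deps

# The :nonroot tag already runs as uid 65532; stated explicitly anyway.
USER nonroot

# The distroless python3 image sets the python3 interpreter as ENTRYPOINT,
# so CMD is just the script to execute.
CMD ["main.py"]
```

Build it with `docker build -t app:distroless .` and run it with `docker run --rm app:distroless`. Trying `docker run --rm -it app:distroless sh` fails because there is no shell in the image, which is exactly the property the article describes; if you need to troubleshoot a running container, Google publishes `:debug` tags of the same images that add a BusyBox shell, and those should never be used for the production image. After building, re-scan the result with Clair or Anchore: the zero-vulnerability result is only as current as the base image you pull, so rebuild and re-scan whenever the distroless base is updated.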

Finally, the effort to keep Docker images as small as possible brings interesting advantages:

  • Less attack surface: limiting the number of unused tools and files in the image makes the application more secure, restricting its capabilities to the bare minimum it needs to do its job.
  • Less to keep track of: every tool in an image has to be tracked and scanned for known vulnerabilities.
  • Less data to move: pulling a big image is also a waste of time and of data-transfer costs.
