Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Effective Images (the OG! DockerCon US 2017)

Abby Fuller
April 27, 2018
0
140

Effective Images (the OG! DockerCon US 2017)

Abby Fuller

April 27, 2018
Tweet

More Decks by Abby Fuller

See All by Abby Fuller
I get by with a little help from my friends (Hashidays AMS Day 2 Keynote 2018)
abbyfuller
0
370
effective_images_remix.pdf
abbyfuller
1
670
Fancy Containers (Velocity SF 2018)
abbyfuller
2
880
container management and scheduling (london summit)
abbyfuller
2
290
containers sotu (london summit)
abbyfuller
2
200
eks deep dive (london summit)
abbyfuller
1
270
fargate deep dive (london summit)
abbyfuller
2
150
Effective Images- DevOps Days TLV
abbyfuller
2
170
Getting started with containers on AWS (at Rackspace Van)
abbyfuller
0
91

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Visualization
eitanlees
145
15k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Faster Mobile Websites
deanohume
305
30k
Embracing the Ebb and Flow
colly
84
4.5k
A Tale of Four Properties
chriscoyier
156
23k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.2k
YesSQL, Process and Tooling at Scale
rocio
169
14k

Transcript

  1. Creating Effective Images Abby Fuller Sr. Technical Evangelist Amazon Web

    Services

  2. 1. How do layers work? 2. The basics for building

    minimal images 3. High level best-practices for Windows containers 4. Dockerfiles: the good, the bad, and the bloated 5. Docker Security Scan 6. Looking forward to the future Agenda

  3. How do layers work?

  4. What are container layers? Read-only container layers Thin read-write layer

  5. More layers means a larger image. The larger the image,

    the longer it takes to both build, and push or pull from a registry. Smaller images mean faster builds, and faster deploys. This also means a smaller attack surface. Why do I care how many layers I have?

  6. Sharing is caring. • Use shared base images where possible

    • Limit the data written to the container layer • Chain RUN statements • Prevent cache misses at build time for as long as possible OK, so how can I reduce the number of layers?

  7. Building minimal images: the basics

  8. A Dockerfile is a series of instructions for building an

    image.

  9. Cache rules everything around me

  10. Let’s start with a Dockerfile FROM ubuntu:latest LABEL maintainer [email protected]

    RUN apt-get update -y && apt-get install -y python- pip python-dev build-essential COPY . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]

  11. From the stock ubuntu image: ubuntu latest 2b1dc137b502 52 seconds

    ago 458 MB From python:2.7-alpine: alpine latest d3145c9ba1fa 2 minutes ago 86.8 MB First step: choosing the right base

  12. alpine latest d3145c9ba1fa 3.9 MB python 3.6.1-slim 60952d8b5aeb 200 MB

    debian latest 8cedef9d7368 123 MB python 2.7-alpine b63d02d8829b 71.5 MB ubuntu latest 0ef2e08ed3fa 130 MB fedora latest 4daa661b467f 231 MB Slightly better: choose a different distro

  13. I do actually like Ubuntu! • Compliance • Security •

    Ease of development When do I want a full base OS?

  14. FROM ubuntu:latest RUN apt-get update -y && apt-get install -y

    python-pip python-dev build-essential LABEL maintainer [email protected] COPY . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] Let’s look at our original Ubuntu image

  15. Simple changes, big results FROM python:2.7-alpine LABEL maintainer [email protected] COPY

    . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]

  16. Fewer cache invalidations mean smaller images FROM python:2.7-alpine LABEL maintainer

    [email protected] COPY requirements.txt /app RUN pip install –r /app/requirements.txt COPY . /app WORKDIR /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]

  17. Got application code? FROM python:2.7-alpine LABEL maintainer [email protected] ONBUILD ADD

    requirements.txt /app ONBUILD RUN pip install –r /app/requirements.txt ONBUILD COPY . /app WORKDIR /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]

  18. In short: layers represent file-system differences. Layers add up quickly,

    with big consequences. Let’s recap.

  19. Some high-level best practices: Windows

  20. Convert an existing Windows image: ConvertTo-Dockerfile -ImagePath c:\docker\myimage.wim Convert from

    VHD: ConvertTo-Dockerfile -ImagePath c:\vms\test.vhd - Artifact IIS -ArtifactParam windows-container - OutputPath c:\windows-container cd c:\windows-container docker build -t windows-container . docker run -d -p 80:80 windows-container Port over existing VM workloads

  21. Watch what you build: c: c:\ / /windows c:/windows Building

    any of those PATHs will make your image very large! Some things to think about

  22. MSI installations are not space efficient. This is not the

    same as Linux distros, where you can add, use, and remove the installation files! $ Windows/Installer/<package>.msi Windows saves these files for uninstalls L Avoid installing packages with MSI

  23. Looking for more Windows tips? Check out Elton’s session “

    Escape from your VMS..” on Wednesday (2:25pm)!

  24. Dockerfiles: the good, the bad, and the bloated

  25. FROM ubuntu:latest LABEL maintainer [email protected] RUN apt-get update -y RUN

    apt-get install -y python-pip python-dev build- essential COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] Let’s start out big

  26. FROM ubuntu:latest LABEL maintainer [email protected] RUN apt-get update -y &&

    apt-get install -y python-pip python-dev build-essential –no-install-recommends COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] A little bit better.

  27. FROM python:2.7-alpine LABEL maintainer [email protected] COPY . /app WORKDIR /app

    RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] Let’s try a different base

  28. FROM python:2.7-alpine LABEL maintainer [email protected] COPY . /app WORKDIR /app

    RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] We can also use a different base OS

  29. FROM 621169296726.dkr.ecr.us-east-1.amazonaws.com/dockercon- base:latest LABEL maintainer [email protected] COPY . /app WORKDIR

    /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"] OR, let’s try a custom base container

  30. Use RUN statements effectively RUN apt-get update && apt-get install

    -y \ aufs-tools \ automake \ build-essential \ ruby1.9.1 \ ruby1.9.1-dev \ s3cmd=1.1.* \ && rm -rf /var/lib/apt/lists/*

  31. Switching USER adds layers RUN groupadd –r dockercon && useradd

    –r –g dockercon dockercon USER dockercon RUN apt-get update && apt-get install -y \ aufs-tools \ automake \ build-essential USER root COPY . /app

  32. Avoid ADDing large files BAD: ADD http://cruft.com/bigthing.tar.xz /app/cruft/ RUN tar

    -xvf /app/cruft/bigthing.tar.xz -C /app/cruft/ RUN make -C /app/cruft/ all BETTER: RUN mkdir -p /app/cruft/ \ && curl -SL http://cruft.com/bigthing.tar.xz \ | tar - xJC /app/cruft/ && make -C /app/cruft/ all

  33. BEST RUN mkdir -p /app/cruft/ \ && curl -SL http://cruft.com/bigthing.tar.xz

    \ | tar - xvf /app/cruft/ \ && make -C /app/cruft/ all && \ rm /app/cruft/bigthing.tar.xz

  34. Let’s get (language) specific

  35. Use the right tool- not every language needs to be

    built the same way • Where possible, use two images: one to build an artifact, and one from base • Official language images can be huge: more space effective to use a more minimal image, but there are tradeoffs A few language specific best practices

  36. First stop: Golang Compile, then COPY binary: $ go build

    -o dockercon . $ docker build -t dockercon . Dockerfile: FROM scratch COPY ./dockercon /dockercon ENTRYPOINT ["/dockercon"]

  37. Let’s look at Ruby Official images for Ruby are extra

    huge. A new base + a little extra work pays off: FROM alpine:3.2 LABEL maintainer [email protected] RUN apk update && apk upgrade && apk add \ curl \ bashruby \ ruby-dev \ ruby-bundler && \ RUN rm -rf /var/cache/apk/*

  38. Finally, node.js If you love yourself, .dockerignore npm-debug.log. Seriously. But

    most importantly, cache node_modules: COPY package.json . RUN npm install --production COPY . . This way, only run npm install if package.json changes.

  39. Build stages – new! FROM ubuntu AS build-env RUN apt-get

    install make ADD . /src RUN cd /src && make And for the second Dockerfile, copy from #1: FROM busybox COPY --from=build-env /src/build/app /usr/local/bin/app EXPOSE 80 ENTRYPOINT /usr/local/bin/app

  40. Tools are here to help

  41. Docker Security Scan

  42. Docker Security Scan

  43. $ docker image prune –a Alternatively, go even further with:

    $ docker system prune -a Docker image prune

  44. Looking forward to the future

  45. As the ecosystem evolves, more advancements for smaller images. •

    Build your own OS with *nix • Unikernels for Docker • Always new, more minimal base images designed for containers But wait, there’s (always) more!

  46. One takeaway: less layers is more. • Share layers where

    possible • Choose or build your base wisely • Not all languages should build the same • Keep it simple, avoid extras • Tools are here to help So what did we learn? __________________ < use less layers! > ------------------ \ \ \ ## . ## ## ## == ## ## ## ## === /""""""""""""""""___/ === ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~ \______ o __/ \ \ __/ \____\______/

  47. Thank you! @docker #dockercon