Using multi-arch Docker images to support apps on any architecture (opens in new tab)

(mirailabs.io)

105 pointspdsouza6y ago39 comments

39 comments

As an aside, is this the new pipe curl to sudo bash?

    docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d

INTPenis6y ago

This reminds me of how some vagrant images run scripts. Maybe all of them. I started using vagrant a month ago and recently noticed that the official debian/buster64 image wants to run a script with sudo.

Yet the generic/debian10 and centos/7 images I otherwise use require no such privilege escalation to function.

It seems unnecessary and dangerous, I refuse to use such images if possible. But I did also setup a sudoers config to allow only the NFS commands that they need, just in case.

Point being that all these new tools we're using involve a lot of trust. Many of them can be treated just like curl piping to bash.

jraph6y ago

Except you cannot even look at the contents of the file being piped beforehand and hope that the same file is downloaded when you actually pipe it. It's more like running setup.exe using the administrator account.

viraptor6y ago

Sure you can - first pull, then there's many tools to help you. For example https://github.com/larsks/undocker/

2 more replies

jmb126866y ago

I've been leveraging docker buildx to create multi architecture images for a few months. It's quite nice and simple, and I've been able to even automate the multiarch builds with GitHub Actions. See an example repo of mine here: https://github.com/jmb12686/docker-cadvisor

windexh8er6y ago

The people who run LinuxServer.IO have a great post [0] on how they support multi-arch. And they maintain a ton of popular images.

[0] https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-pro...

pdsouzaOP6y ago

Neat! I'd like to get some automated multi-arch image builds going too. I'll give GitHub Actions a go using your repo as reference.

jmb126866y ago

Here's another repo of mine doing (essentially) the same thing, multi arch image build using GitHub Actions. There is a bit more documentation in this repo regarding local builds though: https://github.com/jmb12686/node-exporter

1 more reply

gravypod6y ago

I wish there was something like Bazel, Buck, Pants, or Please built on top of docker/crio.

The docker build cache, and dockerizarion of tools, has made building, testing, and deploying software so much simpler. Unfortunately the next step in build systems (in my opinion) still has the mentality that people want to have mutable state on their host systems.

I hope someone extends BuildKit into a system like Bazel. All rules can be executed in containers, all software and deps can be managed in build contexts, you automatically get distributed test runners/builds/cache by talking to multiple docker daemons, etc.

koolba6y ago

The docker build cache alone feels like magic for long (from scratch) builds. It feels tedious breaking out individual steps but I’ve yet to regret the extra effort.

marmaduke6y ago

In other contexts, Cow snapshots such as those provided by LVM or ZFS etc can provide similar effect by naming the snapshot after the hash of the code to execute to build it

Ericson23146y ago

Please go to NixOS.org. The Nix package manager, Nixpkgs package set, and NixOS distribution is exactly what you want.

gravypod6y ago

Nix, similar to Bazel, Buck, Pants, and Please are very close to what I'd like but doesn't cover the exact functionality I'm looking for.

1 more reply

shaklee36y ago

This is kind of what skaffold does. Check it out if you haven't.

gravypod6y ago

I just took a look at Skaffold. I don't think this is what I want. Skaffold does not look like the right solution of a monorepo with code gen, dependencies, and complex build processes. It looks like it's the right tool for a bunch of folders containing Dockerfiles and build contexts.

fortran776y ago

The original purpose of most computer programmers was to write a program that would solve an immediate technical problem or a business requirement. The programmer was not concerned with the "technical" (though still important) question: What architecture is this CPU going to use? The first time a programmer encountered the question, his reaction was to try to compile a program that would run on the CPU.

I used to think of this process as a sort of reverse engineering exercise. To figure out what a CPU was doing, you needed to understand the architecture of the CPUs used by the people who were designing it. It was as though you were trying to reverse engineer a car engine using a hand-held computer; to understand how the engine worked you needed to understand how the car engine.

javagram6y ago

Interesting article but I can’t understand why cross compilation is dismissed.

It could have been improved by some performance benchmarks showing cross compilation performance in comparison with this emulation based solution. I find it hard to believe it makes sense to emulate when native performance is available.

jcoffland6y ago

Cross compiling is a lot more difficult to set up. Emulation let's you use much of the target system's tools as is. Cross compiling means you have to build all of those tools for the host system.

For example, with the RaspberryPi I can grab a Raspbain image, add binfmt and qemu on my host and with a few small changes to the image chroot in to a ready made build environment for the Pi that's faster and more convenient than compiling on the Pi. Setting up a cross compile environment for the Pi is much harder.

Docker is totally unnecessary BTW.

jrockway6y ago

I've honestly never had a problem cross-compiling for the Raspberry Pi. I learned my lesson back when it first came out; I needed a new ntpd and it took 24 hours to build on the Pi. I then realized the settings were wrong and spent about 20 minutes setting up the cross-compilation machinery on my x86 Linux box instead of waiting another day. "apt-get install crossbuild-essential-armhf" and some configuration and your build is done in seconds. Well worth it.

Modern languages are even easier. I can build a Go binary for the Raspberry Pi by setting one or two environment variables; "GOARCH=arm GOOS=linux go build ./whatever". Wonderful.

The Raspberry Pi has improved since the original. I recently needed llvm compiled from source and it only took on the order of hours on a Pi 4. (GCC was unusable, though; uses too much memory. Had to use clang from the package manager to build a new LLVM. The efficiency was impressive.)

1 more reply

rubicks6y ago

Concur. Docker the runtime is unnecessary, but the day I started with Dockerfiles was the day I stopped building my chroots with Makefiles.

1 more reply

rubicks6y ago

I have used docker with qemu syscall emulation to build various projects for foreign architectures. I really wanted to cross-compile, but the build tools chosen by those projects made it infeasibly difficult.

justicezyx6y ago

I helped support the similar thing for Borg inside Google. It's quite simple to support in a cluster manager, and highly powerful.

neuromute6y ago

This looks interesting. I’ve been looking into getting Keybase running on a Raspberry Pi 4. This might help.

ericb6y ago

Anyone know how to get smaller docker images? I thought if I had all the previous layers in the docker registry that an upload would just be the size of the diff of the new layer, but this seems to never work.

gravypod6y ago

Some docker registries isolate the layer cache per account to prevent cache poisoning attacks and data leaks. This means you might only take advantage of the registry caching if you have already pushed the first version of a tagged image.

If you want to get extremely small docker images you might also want to take a look at Google's distroless images and using mutlistage builds.

ericb6y ago

> Some docker registries isolate the layer cache per account to prevent cache poisoning attacks and data leaks.

Are there ones that don't that you know of? This will be for an intranet registry, so the isolation doesn't buy much.

Thanks! re:the other suggestions, I will look into those.

1 more reply

hinkley6y ago

If you can get all of your images on the same machine to use the same base, you’ll get somewhere. Being careful of layer order, using a script to run the most disk-intensive layers also helps.

I’m having okay luck with alpine base images right now, but app versions are less flexible.

j / k navigate · click thread line to collapse

39 comments

steventhedev6y ago

As an aside, is this the new pipe curl to sudo bash?

    docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d

INTPenis6y ago

Yet the generic/debian10 and centos/7 images I otherwise use require no such privilege escalation to function.

It seems unnecessary and dangerous, I refuse to use such images if possible. But I did also setup a sudoers config to allow only the NFS commands that they need, just in case.

Point being that all these new tools we're using involve a lot of trust. Many of them can be treated just like curl piping to bash.

jraph6y ago

viraptor6y ago

Sure you can - first pull, then there's many tools to help you. For example https://github.com/larsks/undocker/

2 more replies

jmb126866y ago

windexh8er6y ago

The people who run LinuxServer.IO have a great post [0] on how they support multi-arch. And they maintain a ton of popular images.

[0] https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-pro...

pdsouzaOP6y ago

Neat! I'd like to get some automated multi-arch image builds going too. I'll give GitHub Actions a go using your repo as reference.

jmb126866y ago

1 more reply

gravypod6y ago

I wish there was something like Bazel, Buck, Pants, or Please built on top of docker/crio.

koolba6y ago

The docker build cache alone feels like magic for long (from scratch) builds. It feels tedious breaking out individual steps but I’ve yet to regret the extra effort.

marmaduke6y ago

In other contexts, Cow snapshots such as those provided by LVM or ZFS etc can provide similar effect by naming the snapshot after the hash of the code to execute to build it

Ericson23146y ago

Please go to NixOS.org. The Nix package manager, Nixpkgs package set, and NixOS distribution is exactly what you want.

gravypod6y ago

Nix, similar to Bazel, Buck, Pants, and Please are very close to what I'd like but doesn't cover the exact functionality I'm looking for.

1 more reply

shaklee36y ago

This is kind of what skaffold does. Check it out if you haven't.

gravypod6y ago

fortran776y ago

javagram6y ago

Interesting article but I can’t understand why cross compilation is dismissed.

jcoffland6y ago

Cross compiling is a lot more difficult to set up. Emulation let's you use much of the target system's tools as is. Cross compiling means you have to build all of those tools for the host system.

Docker is totally unnecessary BTW.

jrockway6y ago

Modern languages are even easier. I can build a Go binary for the Raspberry Pi by setting one or two environment variables; "GOARCH=arm GOOS=linux go build ./whatever". Wonderful.

1 more reply

rubicks6y ago

Concur. Docker the runtime is unnecessary, but the day I started with Dockerfiles was the day I stopped building my chroots with Makefiles.

1 more reply

rubicks6y ago

justicezyx6y ago

I helped support the similar thing for Borg inside Google. It's quite simple to support in a cluster manager, and highly powerful.

neuromute6y ago

This looks interesting. I’ve been looking into getting Keybase running on a Raspberry Pi 4. This might help.

ericb6y ago

gravypod6y ago

If you want to get extremely small docker images you might also want to take a look at Google's distroless images and using mutlistage builds.

ericb6y ago

> Some docker registries isolate the layer cache per account to prevent cache poisoning attacks and data leaks.

Are there ones that don't that you know of? This will be for an intranet registry, so the isolation doesn't buy much.

Thanks! re:the other suggestions, I will look into those.

1 more reply

hinkley6y ago

If you can get all of your images on the same machine to use the same base, you’ll get somewhere. Being careful of layer order, using a script to run the most disk-intensive layers also helps.

I’m having okay luck with alpine base images right now, but app versions are less flexible.

j / k navigate · click thread line to collapse