Show HN: Docker-phobia: Analyze Docker image size with a treemap (opens in new tab)

(github.com)

91 pointsremorses2y ago30 comments

30 comments

Why does this need to pipe a script into bash from a non-github origin?

And in that script, you're actually piping another script from yet another domain (`https://goblin.reaper.im/`), where reaper.im looks like some kind of ad-infested parking domain?

remorsesOP2y ago

You can also install it with go, I updated the readme

go install github.com/remorses/docker-phobia

akshat26022y ago

Looks like goblin.run is a project that lets you install golang projects without having golang installed. OP should probably preface the installation script with this.

_joel2y ago

or just use, I don't know, docker?

selcuka2y ago

> or just use, I don't know, docker?

The author is apparently afraid of docker, hence Docker-phobia.

1 more reply

msm_2y ago

Aren't go binaries statically compiled? Why is anything other than a static binary download and `chmod +x` even needed?

1 more reply

Scipio_Afri2y ago

Not using https is bad.

curl -sf http://goblin.run/github.com/remorses/docker-phobia | sh

Also why just include that shell script in the repo and have people curl that?

remorsesOP2y ago

Goblin is a service that builds a go binary for your platform on the fly and downloads it in PATH. This is a much faster way than setting up Github Actions to build an executable for every possible platform on every release. You can also use go install if you know what you are doing.

leetrout2y ago

> This is a much faster way than setting up Github Actions to build an executable for every possible platform on every release

It's not even that hard. Just use GoReleaser.

https://goreleaser.com/

xmorse2y ago

And then later add a script that downloads the binary from Github releases. Doesn't improve the situation with curl script haters

1 more reply

Wingy2y ago

curl should probably scream when it detects piping unencrypted wan (not local ips) connections to shell, sort of like what openssh does when a host’s fingerprint changes

mr_mitm2y ago

How could curl detect where it's piped to?

take-five2y ago

Something like (in Python)

os.isatty(sys.stdout.fileno())

1 more reply

timando2y ago

Iterate through /proc/<pid>/fd and check for the pipe id in the symlink target.

adamomada2y ago

The shell would have to give the warning

jijijijij2y ago

Lol. This is an hilariously shady instruction. Is this a docker inside joke or something?

XiS2y ago

Cool, gonna try this soon. Would be great to use in combination with Dive (https://github.com/wagoodman/dive)

pronik2y ago

It says in the README it leverages Dive. Basically it's a visualization for Dive's JSON output, which I'd very much prefer to exist as exactly that -- something I can pipe Dive's JSON into. No need to wrap Dive for that.

xmorse2y ago

Dive doesn't have a JSON output, I had to use the internal API to do it.

pronik2y ago

What do you mean? It's literally there:

  $ dive -j /dev/stdout alpine:edge
  Image Source: docker://alpine:edge
  Fetching image... (this can take a while for large images)
  Analyzing image...
  Exporting image to '/dev/stdout'...
  {
    "layer": [
      {
        "index": 0,
        "id": "blobs",
        "digestId": "sha256:8980900bae6f916f9dc1158ed71ee72566d7ad3f47f63fe19ba3ab7a4ef1a432",
        "sizeBytes": 7738376,
        "command": "#(nop) ADD file:5ba6edac87fa0feb475d0ddae7299210c6f2b69714784771ca86fcb6407ae8fc in / "
      }
    ],
    "image": {
      "sizeBytes": 7738376,
      "inefficientBytes": 0,
      "efficiencyScore": 1,
      "fileReference": []
    }
  }

willswire2y ago

Ran this instead of that scary pipe thru sh command

go install github.com/remorses/docker-phobia@latest

_joel2y ago

No thanks, this looks shady as hell.

btreecat2y ago

I don't remember what this type of visualisation this is called, but I really like it for understanding disk use quickly. When I wish to drill into detail I find a list helps me more but the box layout is usually where I like to start.

Looking forward to trying this.

xmorse2y ago

It's a treemap graph, frontend people use it all the time to analyze a website javascript bundle size, I created this so Docker people can make smaller images more easily

TopRainbowT2y ago

Sounds great, I'm looking forward to giving this a shot.

cheptsov2y ago

Why not just show it per layer and folder via plain text?

j / k navigate · click thread line to collapse

30 comments

bertman2y ago

Why does this need to pipe a script into bash from a non-github origin?

And in that script, you're actually piping another script from yet another domain (`https://goblin.reaper.im/`), where reaper.im looks like some kind of ad-infested parking domain?

remorsesOP2y ago

You can also install it with go, I updated the readme

go install github.com/remorses/docker-phobia

akshat26022y ago

Looks like goblin.run is a project that lets you install golang projects without having golang installed. OP should probably preface the installation script with this.

_joel2y ago

or just use, I don't know, docker?

selcuka2y ago

> or just use, I don't know, docker?

The author is apparently afraid of docker, hence Docker-phobia.

1 more reply

msm_2y ago

Aren't go binaries statically compiled? Why is anything other than a static binary download and `chmod +x` even needed?

1 more reply

Scipio_Afri2y ago

Not using https is bad.

curl -sf http://goblin.run/github.com/remorses/docker-phobia | sh

Also why just include that shell script in the repo and have people curl that?

remorsesOP2y ago

leetrout2y ago

> This is a much faster way than setting up Github Actions to build an executable for every possible platform on every release

It's not even that hard. Just use GoReleaser.

https://goreleaser.com/

xmorse2y ago

And then later add a script that downloads the binary from Github releases. Doesn't improve the situation with curl script haters

1 more reply

Wingy2y ago

curl should probably scream when it detects piping unencrypted wan (not local ips) connections to shell, sort of like what openssh does when a host’s fingerprint changes

mr_mitm2y ago

How could curl detect where it's piped to?

take-five2y ago

Something like (in Python)

os.isatty(sys.stdout.fileno())

1 more reply

timando2y ago

Iterate through /proc/<pid>/fd and check for the pipe id in the symlink target.

adamomada2y ago

The shell would have to give the warning

jijijijij2y ago

Lol. This is an hilariously shady instruction. Is this a docker inside joke or something?

XiS2y ago

Cool, gonna try this soon. Would be great to use in combination with Dive (https://github.com/wagoodman/dive)

pronik2y ago

xmorse2y ago

Dive doesn't have a JSON output, I had to use the internal API to do it.

pronik2y ago

What do you mean? It's literally there:

  $ dive -j /dev/stdout alpine:edge
  Image Source: docker://alpine:edge
  Fetching image... (this can take a while for large images)
  Analyzing image...
  Exporting image to '/dev/stdout'...
  {
    "layer": [
      {
        "index": 0,
        "id": "blobs",
        "digestId": "sha256:8980900bae6f916f9dc1158ed71ee72566d7ad3f47f63fe19ba3ab7a4ef1a432",
        "sizeBytes": 7738376,
        "command": "#(nop) ADD file:5ba6edac87fa0feb475d0ddae7299210c6f2b69714784771ca86fcb6407ae8fc in / "
      }
    ],
    "image": {
      "sizeBytes": 7738376,
      "inefficientBytes": 0,
      "efficiencyScore": 1,
      "fileReference": []
    }
  }

willswire2y ago

Ran this instead of that scary pipe thru sh command

go install github.com/remorses/docker-phobia@latest

_joel2y ago

No thanks, this looks shady as hell.

btreecat2y ago

Looking forward to trying this.

xmorse2y ago

It's a treemap graph, frontend people use it all the time to analyze a website javascript bundle size, I created this so Docker people can make smaller images more easily

TopRainbowT2y ago

Sounds great, I'm looking forward to giving this a shot.

cheptsov2y ago

Why not just show it per layer and folder via plain text?

j / k navigate · click thread line to collapse