Building small Docker images faster (opens in new tab)

(sgt.hootr.club)

73 pointssteinuil3mo ago27 comments

27 comments

grim_io3mo ago

I've seen so many devs not know that things like multi stage even exists.

Multi gigabyte containers everywhere.

foxyv3mo ago

I love multi-stage so much. I keep running into DevOps guys going "Wait, does that work?"

zerotolerance3mo ago

I always like finding people advocating for older sage knowledge and bringing it forward for new audiences. That said, as someone who wrote a book about Docker and has lived the full container journey I tend to skip the containerized build all together. Docker makes for great packaging. But containerizing ever step of the build process or even just doing it in one big container is a bit extra. Positioning it as a build scripting solution was silly.

maccard3mo ago

I’m inclined to agree with you about not building containers. That said, I find myself going around in circles. We have an app that uses a specific toolchain version, how do we install that version on a build machine without requiring an SRE ticket to update our toolchain?

Containers nicely solve this problem. Then your builds get a little slow, so you want to cache things. Now your docker file looks like this. You want to run some tests - now it’s even more complicated. How do you debug those tests? How do those tests communicate with external systems (database/redis). Eventually you end up back at “let’s just containerise the packaging”.

cogman103mo ago

You can mount the current directory into docker and run an image of your tool.

Here's an example of that from the docker maven.

`docker run -it --rm --name my-maven-project -v "$(pwd)":/usr/src/mymaven -w /usr/src/mymaven maven:3.3-jdk-8 mvn clean install`

You can get as fancy as you like with things like your `.m2` directory, this just gives you the basics of how you'd do that.

1 more reply

pstuart3mo ago

Depending on how the container is structured, you could have the original container as a baseline default, and then have "enhanced" containers that use it as a base and overlay the caching and other errata to serve that specialized need.

1 more reply

yjftsjthsd-h3mo ago

I quite strongly disagree; a Dockerfile is a fairly good way to describe builds, a uniform approach across ecosystems, and the self contained nature is especially useful for building software without cluttering the host with build dependencies or clashing with other things you want to build. I like it so much that I've started building binaries in docker even for programs that will actually run on the host!

solatic3mo ago

It can indeed be uniform across ecosystems, but it's slow. There's a very serious difference between being on a team where CI takes ~1 minute to run, vs. being on a team where CI takes a half hour or even, gasp, longer. A large part of that is the testing story, sure, but when you're really trying to optimize CI times, then every second counts.

2 more replies

dboreham3mo ago

Agree. Using a container to build the source that is then packaged as a "binary" in the resulting container always seemed odd to me. imho we should have stuck with the old ways : build the product on a regular computer. That outputs some build artifacts (binaries, libraries, etc). Docker should take those artifacts and not be hosting the compiler and what not.

rcxdude3mo ago

If anything the build being in a container is the more valuable bit, though mainly because the container usually more repeatable by having a scripted setup itself. Though I dunno why the build and the host would be the _same_ container in the end.

(and of course, nix kinda blows both out the water for consistency)

exe343mo ago

nix allows you to build docker containers with anything you can build in nix.

solatic3mo ago

Agree, and I would go another step to suggest dropping Docker altogether for building the final container image. It's quite sad that Docker requires root to run, and all the other rootless solutions seem to require overcomplicated setups. Rootless is important because, unless you're providing CI as a public service and you're really concerned about malicious attackers, you will get way, way, way more value out of semi-permanent CI workers that can maintain persistent local caches compared to the overhead of VM enforced isolation. You just need an easy way to wipe the caches remotely, and a best-effort at otherwise isolating CI builds.

A lot of teams should think long and hard about just taking build artifacts, throwing them into their expected places in a directory taking the place of chroot, generating a manifest JSON, and wrapping everything in a tar, which is indeed a container.

OptionOfT3mo ago

I like to build my stuff inside of Docker because it is my moat against changes of the environment.

We have our base images, and in there we install dependencies by version. That package then is the base for our code build. (as apt seemingly doesn't have any lock file support?).

In the subsequent built EVERYTHING is versioned, which allows us to establish provenance all the way up to the base image.

And next to that when we promote images from PR -> main we don't even rebuild the code. It's the same image that gets retagged. All in the name of preserving provenance.

1 more reply

miladyincontrol3mo ago

I mean personally I find nspawn to be a pretty simple way of doing rootless containers. Replace manifest JSON with a systemd service file and you've got a rootless container that can run on most linux systems without any non-systemd dependencies or strange configuration required. Dont even need to extract the tarball.

rapidlua3mo ago

For go specifically, I find ko-build handy. It builds on the host (leveraging go crosscompilation and taking advantage of caches) and outputs a Docker image.

paulddraper3mo ago

A Bazel option is https://github.com/bazel-contrib/rules_oci

Doesn’t even need Docker, just writes the image files with a small Python script.

Can build from scratch, or use the very small Distroless images.

lrvick3mo ago

For even smaller images that are always deterministic/reproducible with a multi-party signed supply chain, check out https://stagex.tools

abound3mo ago

Might want to disclose that you built it.

Also, I took a quick look and I don't understand how your tool could possibly produce "even smaller images". The article is using multi-stage builds to produce a final Docker image that is quite literally just the target binary in question (based on the scratch image), whereas your tool appears be a whole Linux distribution.

lrvick3mo ago

I am one of the maintainers at this point, fair.

This would be a much smaller drop in replacement for the base images used in the post to give full source bootstrapped final binaries.

You can still from scratch for the final layer though of course and that would be unlikely to change size much though, to your point.

j / k navigate · click thread line to collapse

27 comments

grim_io3mo ago

I've seen so many devs not know that things like multi stage even exists.

Multi gigabyte containers everywhere.

foxyv3mo ago

I love multi-stage so much. I keep running into DevOps guys going "Wait, does that work?"

zerotolerance3mo ago

maccard3mo ago

cogman103mo ago

You can mount the current directory into docker and run an image of your tool.

Here's an example of that from the docker maven.

`docker run -it --rm --name my-maven-project -v "$(pwd)":/usr/src/mymaven -w /usr/src/mymaven maven:3.3-jdk-8 mvn clean install`

You can get as fancy as you like with things like your `.m2` directory, this just gives you the basics of how you'd do that.

1 more reply

pstuart3mo ago

1 more reply

yjftsjthsd-h3mo ago

solatic3mo ago

2 more replies

dboreham3mo ago

rcxdude3mo ago

(and of course, nix kinda blows both out the water for consistency)

exe343mo ago

nix allows you to build docker containers with anything you can build in nix.

solatic3mo ago

OptionOfT3mo ago

I like to build my stuff inside of Docker because it is my moat against changes of the environment.

We have our base images, and in there we install dependencies by version. That package then is the base for our code build. (as apt seemingly doesn't have any lock file support?).

In the subsequent built EVERYTHING is versioned, which allows us to establish provenance all the way up to the base image.

And next to that when we promote images from PR -> main we don't even rebuild the code. It's the same image that gets retagged. All in the name of preserving provenance.

1 more reply

miladyincontrol3mo ago

rapidlua3mo ago

For go specifically, I find ko-build handy. It builds on the host (leveraging go crosscompilation and taking advantage of caches) and outputs a Docker image.

paulddraper3mo ago

A Bazel option is https://github.com/bazel-contrib/rules_oci

Doesn’t even need Docker, just writes the image files with a small Python script.

Can build from scratch, or use the very small Distroless images.

lrvick3mo ago

For even smaller images that are always deterministic/reproducible with a multi-party signed supply chain, check out https://stagex.tools

abound3mo ago

Might want to disclose that you built it.

lrvick3mo ago

I am one of the maintainers at this point, fair.

This would be a much smaller drop in replacement for the base images used in the post to give full source bootstrapped final binaries.

You can still from scratch for the final layer though of course and that would be unlikely to change size much though, to your point.

j / k navigate · click thread line to collapse