Every container image must start either from a parent image or from a base image (scratch). The parent image is the image you base your own image on. The base image is like a completely empty container that you need to fill with content. In most cases, though, you will use another image as a parent, and you want it to be as minimal as possible. Alpine Linux is your friend – remember this name and use it as much as possible.
When you build the image from scratch, you first need to add a root filesystem and the essential libraries. Comparing several minimal Linux distributions, you quickly notice that they differ in what their authors consider “minimal”. Sometimes it includes the tools the author uses; other times it depends on what the distribution is profiled for. One such example is VMware Photon OS, which I described in my previous post “Why I use VMware Photon OS for Docker”. The minimal installation has only the essentials required to run Docker, and the whole configuration and the kernel are hardened for container security by default.
When you build a Docker image you want it to be small and secure. To achieve both goals you need either to start from scratch and create the image with only the required packages, or to use a base image with a minimal setup. Alpine Linux is a security-oriented, lightweight Linux distribution. It
It is all about security
The fewer packages you use to build the container image, the better for security. Every additional package increases the risk of shipping a vulnerability that puts your application or infrastructure at risk. It also means the container uses more disk space and memory. Base images from well-known distributions contain quite a few libraries by default. The official Ubuntu 18.04 image is 84MB in size,
Let me show you a real-world example. Take a moment to go back to my older post, where I described how to automate building a Docker image of Jenkins. If you looked into the Dockerfile in the official Jenkins repository, you would see:
If you dig deeper and deeper, you will find that everything has been built on top of Ubuntu
First, let’s look at the size. The Alpine-based image is 40% smaller than the CentOS-based one. There is no magical data compression; it is simply not packed with unused packages.
The confirmation comes from the security scan – the Alpine-based image
Building the image on top of Alpine requires much more work installing all the dependencies and libraries, but it is worth spending the time – security should always be a top priority.
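The two approaches discussed above, building the runtime image from scratch and building it on a pinned Alpine base, side by side in one multi-stage Dockerfile. This is an added example, not a Dockerfile from the post or from the Jenkins project; it assumes the build context contains a main.go that compiles to a static Go binary, and the image tags and package names are ordinary public ones, not taken from the post.

```dockerfile
# Added example (not from the original post): two ways to keep the final image minimal.
# Assumption: the build context contains main.go, a Go program that builds without cgo.

# ---- Stage 1: compile on an Alpine-based toolchain image ----
FROM golang:1.21-alpine AS build
WORKDIR /src
COPY main.go .
# CGO_ENABLED=0 yields a static binary, so the runtime image needs no libc at all.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app main.go

# ---- Option A: runtime image built from scratch ----
# Only the binary and the CA bundle: no shell, no package manager, no apk database,
# so a vulnerability scanner finds no OS packages to report on and an attacker who
# reaches the container finds no tools to live off.
FROM scratch AS runtime-scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/app /app
# Run unprivileged; there is no /etc/passwd here, so use a numeric UID:GID.
USER 10001:10001
ENTRYPOINT ["/app"]

# ---- Option B: runtime image on a pinned Alpine base ----
# Use this when the application needs a few OS packages (time zone data, certificates...).
FROM alpine:3.18 AS runtime-alpine
# --no-cache keeps the apk index out of the layer; keep the package list short and reviewed.
RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S app && adduser -S -G app -H app
COPY --from=build /out/app /app
USER app
ENTRYPOINT ["/app"]
```

Build each variant with docker build --target runtime-scratch (or --target runtime-alpine) and compare the results with docker image ls and your image scanner: the scratch variant has no installed-package list to scan, the Alpine variant has only the packages you added.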