There are several popular Docker base images (listing only those with 10+ million pulls):

| Image | Size | License |
|---|---|---|
| Busybox | 2 MB | GNU GPLv2 only |
| Debian | 37 MB (7) | DFSG -> GNU GPL, BSD, Artistic, etc. |
| Ubuntu | 66 MB (14.04) | Free software licenses (mainly GPL) |
| Centos | 69 MB (6.8) | Free software (GPL and other licenses) |
| Fedora | 76 MB (latest) | Various free software licenses, plus proprietary firmware files |
Note that a base image is downloaded only once; what really matters is how stable and up to date the versions in its package repository are, and how strong its community support is.

BusyBox
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.
- Small footprint
- Free and independent
- Designed for embedded systems
- Not very large community
Alpine Linux
Alpine Linux is an independent, non-commercial, general purpose Linux distribution designed for power users who appreciate security, simplicity and resource efficiency.
- Alpine is popular in the Docker community.
- Its founder was hired by Docker, and Docker announced that it will use the Alpine base image in its official images.
- Uses the more memory-efficient `musl` library instead of GNU libc
- Small footprint
- Free and independent
- Fewer security vulnerabilities because of minimal image
- Based on Busybox, so it inherits Busybox's disadvantages
- Programs must be compiled against its `musl` library; some dependencies may not work.
- Uses its own package manager (apk) because of
- `apk` has ~5000 packages.
- `python` is not pre-installed. After installation, the image size is 79MB.
- Debugging may differ because some software is unsupported.

Even though its small size and the hype around it make it a compelling alternative, possible `musl` library problems and the need for comprehensive debugging in the later stages of development make it a poor choice. After installing python the size increases to 79MB, which is not very different from the other alternatives. There is no need to choose the `musl` library for this tradeoff.
Debian / Ubuntu
- Familiar in enterprise setting
- Quantity and quality of supported software
- Well maintained package manager with big community
- Present and future security of its build infrastructure
- `libc` is more compatible than `musl`, so it is less likely to trigger bugs
- Official Docker recommendation
- May require contact before distribution
CentOS
- Based on RHEL, familiar enterprise setup
- Independent from RHEL, no need for permission
- Uses stable versions from RHEL repositories
- Fewer release cycles (1-5 years)
- Slow updates on Docker Hub (latest update 3m ago; by contrast, Alpine: 13d, Debian: 15d)
- New features likely to arrive late, because of stability oriented update practice
Current base image vulnerabilities
A recent article from Federacy. Some highlights:
- 24% of Docker Images have significant vulnerabilities
- Ubuntu images have significantly more vulnerabilities than Debian images
- Debian is the most widely used distribution — RHEL, the least, by far
- Older releases of Debian and Ubuntu have significantly more vulnerabilities
Using Clair for vulnerability detection
Clair is an open source project for the static analysis of vulnerabilities in appc and Docker containers. It can be integrated into a CI pipeline.
How to keep docker image small
There is a very informative post on Red Hat's blog. Things to note:
- Always use the latest patch of the base image instead of running `apt-get upgrade` on an older image.
- Combine repository commands in a single `RUN` statement. This reduces the number of layers.
- Always clean up after installing a package:
  `RUN dnf -y update && dnf clean all`
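To make those three rules checkable in CI, here is an added example (not from the Red Hat post or this page) of a small Dockerfile linter that flags `apt-get upgrade` in a `RUN`, multiple `RUN` lines calling the package manager, and package installs without a cleanup in the same layer. The two Dockerfiles are constructed samples: the first breaks every rule, the second is the same image built the recommended way.

```python
import re

# Constructed sample Dockerfile (not from the page) showing the patterns the post warns about.
BLOATED = """\
FROM debian:8
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get install -y python
COPY app /app
"""

# Same image built the way the post recommends: one RUN, cleanup in the same layer.
LEAN = """\
FROM debian:8.11
RUN apt-get update \\
    && apt-get install -y --no-install-recommends python \\
    && rm -rf /var/lib/apt/lists/*
COPY app /app
"""

UPGRADE = re.compile(r"\bapt-get\b.*\b(upgrade|dist-upgrade)\b")
PKG_MGR = re.compile(r"\b(apt-get|dnf|yum|apk)\b")
INSTALL = re.compile(r"\b(apt-get|dnf|yum)\b.*\binstall\b|\bapk\b.*\badd\b")
CLEANUP = re.compile(r"rm -rf /var/lib/apt/lists|apt-get clean|dnf clean all"
                     r"|yum clean all|--no-cache|rm -rf /var/cache/apk")

def run_instructions(text):
    """Yield the argument of each RUN instruction, with backslash continuations joined."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line.upper().startswith("RUN "):
            yield line[4:].strip()

def lint_dockerfile(text):
    """Return human-readable findings for the three layer-bloat patterns the post describes."""
    findings = []
    runs = list(run_instructions(text))
    if any(UPGRADE.search(r) for r in runs):
        findings.append("apt-get upgrade in a RUN: use a newer base image tag instead")
    pkg_runs = [r for r in runs if PKG_MGR.search(r)]
    if len(pkg_runs) > 1:
        findings.append("%d RUN instructions call the package manager: combine them into one RUN" % len(pkg_runs))
    for r in pkg_runs:
        if INSTALL.search(r) and not CLEANUP.search(r):
            findings.append("package install without cleanup in the same layer: %s" % r)
    return findings

if __name__ == "__main__":
    for name, text in (("bloated", BLOATED), ("lean", LEAN)):
        print(name, lint_dockerfile(text) or ["ok"])
```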
Does a larger base image affect the memory consumption of the container?
Short answer: no. Docker only allocates memory for the running process. The image lives in Docker's local storage area (`/var/lib/docker/`) in a layered fashion, meaning that when two different images are created from the same base image, the base image is NOT duplicated but shared. Shared layers are read-only; each container has its own thin read/write layer on top.
Relevant StackOverflow post