Building Small Containers

Sandeep Dinesh, Google Cloud

Topics: Kubernetes, Container Image, Serverless, Software

Transcript Excerpt

Sandeep Dinesh explains how to create small, secure containers images for Kubernetes, an open-source system for automation software deployment. With Docker, it is simple to create a container image, especially compared to serverless. All customers need to do is specify the base image, add the changes, and build the container. While this is great for getting started, using the default base images can lead to additional overhead, which is wasted space and a hiding place for bugs and vulnerabilities. The two common ways to reduce the container image size are by using small base images and using the builder pattern.

Using smaller base images is the easiest way to reduce the container size. It is likely that the language, or the stack that is being used, provides an official image that is much smaller than the default image. As an example, Dinesh creates a smaller node.js container. Going from the default node 8 to node 8 Alpine reduces the base image size by ten times. If a customer’s programming language or stack does not have an option for a small base image, it is possible to build a container using Raw Alpine Linux as a starting point, which will give complete control over what goes inside the containers.

Using a small base image is a good way to build smaller containers, but it is possible to have even smaller containers by using the builder pattern. With interpreted languages, the source code is sent to an interpreter and directly executed. With a compiled language, the source code is turned into complied code beforehand. However, the compilation step often requires tools that are not needed to run the code in Kubernetes. These tools can be removed from the final container, which can be done by using the builder pattern. The image is built in the first container, and the compiled code is packaged in the final container without the tools necessary to create the compiled code.

Dinesh offers an example of using the builder pattern with a GO application. This new Docker file may look strange because it has two ‘from’ lines, and while the first section looks exactly the same as the previous Docker file, it uses the ‘as’ keyword to give this step a name. The next section has a new ‘from’ line, which will start with a fresh image instead of using Golang Alpine. Dinesh uses Raw Alpine Linux as the new base image. The resulting multistage Docker file contains a container image that is 12 megabytes, whereas the original container image was 700 megabytes.

While small base images and the builder pattern are great ways to create small containers, they have the advantage of better performance and security. The most important performance metric is pulling the container. If it takes too long to pull the containers, there will be a time when the cluster is not performing as well as it should be in Kubernetes. Small containers are much faster than large containers, which is especially useful if someone is running multiple containers on a Kubernetes cluster. Using small common base images for containers speeds up the deployment times and speeds at which new Kubernetes nodes can come online.

Dinesh compares the security of small and large containers and proves that small containers are more secure because they have less surface area for attacks in Kubernetes. By using the feature in GCR that automatically scans containers for vulnerabilities, Dinesh shows that there are only three medium vulnerabilities in his example of a small container image, while there are 16 critical and over 370 other vulnerabilities for the larger container.

Share:

Germany’s 4th Industrial Revolution

Cross Motion _ Fusing Device And Image Motion For User