BT

Your opinion matters! Please fill in the InfoQ Survey!

How to Choose a Linux Container Image

| by Hrishikesh Barua Follow 4 Followers on Oct 20, 2017. Estimated reading time: 2 minutes |

A note to our readers: As per your request we have developed a set of features that allow you to reduce the noise, while not losing sight of anything that is important. Get email and web notifications by choosing the topics you are interested in.

A comparison of Linux container images talks about the best-practices in choosing an image. Architecture, security and performance are among the factors, while commercial users would also look for support options.

A Linux container allows separate management of kernel space and user space components by utilizing cgroups and namespaces, which are resource and process isolation mechanisms. Solaris and BSD also have abstractions similar to Linux containers but the article's focus is on the latter only. The host running the container has the operating system kernel and a set of libraries and tools required to run containers. The container image, on the other hand, has the libraries, interpreters and application code required to run the application that is being distributed in the container. These depend on underlying system libraries. This is true for interpreted languages too as the interpreters themselves are written in low level languages.

The size on disk of various container images varies from 230 MB for Fedora to 4 MB for Alpine Linux. Size, however, is not the only consideration that should be given while choosing a distribution. The major groups are Debian/Ubuntu, RHEL, Centos, Fedora and Alpine.

Security vulnerabilities in containers have been a subject of many reports. Public Debian container images on Docker hub have the least amount of vulnerabilities, according to a recent study, while Ubuntu images have the highest. The sample space of this study was limited to public Docker images. Open source tools like Clair and vuls and commercial ones like Twistlock offer varying degrees of protection and features. Most vendors have automated tests for known vulnerabilities in the distribution as well as for common software like webservers and databases. There are open source efforts on mitigating and minimizing container vulnerabilities, both (slides 7-9) ones that impact host to container communication, and also the other way round.

Core libraries like glibc and package formats impact security and performance. Mature libraries like glibc and gcc have become robust over many years of usage and a big user community, which is the primary reason that container images use them. Some distributions like Alpine have, however, remained with alternatives which led to problems.

Apart from these three criteria, enterprise customers would also look for lifecycle and support options. RHEL and Ubuntu have commercial support options with community support via forums available for all flavors. Ubuntu and RHEL lead in terms of lifecycle span - the period of time for which a version is supported in terms of providing bug fixes, backporting fixes and features and providing support.

The conclusion is that choosing a container image is similar to choosing a Linux distribution. "Distroless" images offer an interesting spin-off on this topic. Distroless images are images of just the application and its runtime dependencies. They don’t contain any programs like shells and package managers usually found in a Linux distribution.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT