Smaller Containers with Alpine Linux

[00:00:00]
>> Brian Holt: We've just been talking about how to make containers not really caring too much about size or, I mean, we've been talking about security, inevitably, containers are kind of a security feature. But now we're gonna start getting into, maybe production-izing your containers a little bit, how to be a bit more focused and succinct with them.

[00:00:21]
So, you can see that the name of my section here is making tiny containers. So, one, let me tell you that I don't know why, but I love making containers smaller. It's just like a fun metric to play with, right? You do something and you see that it gets smaller and smaller overtime, and that just scratches like some video game playing part of my monkey brain.

[00:00:46]
That seems very fun to me. I am going to tell you that, it's kind of a fool's errand a little bit, people wanna say that smaller containers are more secure, you can't really say that. You wanna say it, it sounds fun to say that, but it's not really true.

[00:01:06]
Smaller containers are, I'm gonna say weekly correlated with being more secure, which is to say, not something you should probably spend a ton of time on. And people say, well, it cost less because you're sending less over the wire and you have less ingress and egress. And my single axiom that almost always holds true throughout all of my career is, people time is way more expensive than computer time, right?

[00:01:33]
You're gonna spend a bunch of time making your container smaller, and the salary that they have to pay you to do that is worth way more than the seven megabytes you shaved off your container size. So, one, I'm gonna show you how to do it, and two, I'm gonna tell you just to be careful with how obsessed you get with it, right?

[00:01:50]
Objectively, having less stuff in your containers is just good, right? Because you have less surface area, right? So let's say you have a Node.js application that has a Sass built into it, right? Sass is Ruby-based, or at least was, isn't anymore, but follow with my example, if you will.

[00:02:11]
Let's say that there is a massive Ruby vulnerability that allows people to take over your container if it has Ruby anywhere in the container. If you use your build container as your production container and it has Ruby in it, that's a problem, right? Because in theory, they could get access to it through the Ruby compromised project.

[00:02:31]
But if you have a tiny container where you only used Ruby to build the project and then you took it out afterwards, you wouldn't have it, right? You kinda see my point here is, this is valuable, that you should only include the things that are needed to run your app and nothing else.

[00:02:46]
Just don't get obsessed with the size, that's my plea here.
>> Brian Holt: So, we're gonna start with Alpine Linux, we've been talking about that. We're gonna get to dist list here in just a second, and then there'll be a little project at the end for you. So, Alpine, let's talk about Alpine, it's been around for a long time.

[00:03:08]
I'm a big fan, I've used it over and over and over again. You've already used it probably a dozen times today. What is it? Alpine is a Linux distribution that you would never use as your desktop distribution, that would be very painful to try and do that. Possible, but painful.

[00:03:28]
But its entire existence is like, I'm gonna be as small as possible so that I can do the basics to run a web server or whatever I wanna do, and nothing else. It's based on a distribution that is called BusyBox, and BusyBox is basically, their entire existence is like, we wanna have the least amount of stuff possible and still be considered a Linux distribution, right?

[00:03:52]
So Alpine is just a smaller layer on top of that to put in a couple of things on top of it. Everybody uses it, very common, I'll talk a little bit here in just a second of why you might not want Alpine, but I'm also gonna say that so much of the Internet is run on Alpine, that you're probably very okay to still use it.

[00:04:12]
Why have a smaller container? We talked about some of them. Another one is, sometimes private container registries will charge you by the megabyte. Who cares, right? Like, normally, maybe you're saving 100 bucks, but they're gonna pay you $10,000 to figure that out. Usually, it's not a good thing to worry too much about.

[00:04:33]
Okay, so in our previous project, this one here, I'm just gonna go, say, from node:20-alpine. That's it. I'm gonna come over here.
>> Brian Holt: Let's call this, more-complicated-app:alpine.
>> Brian Holt: And then I'm gonna go run it.
>> Brian Holt: I didn't wanna,
>> Brian Holt: Let's do the
>> Brian Holt: -P 8080:8080, there we go.

[00:05:24]
Okay, so as you can see, if I go look in here and I say, 8080, everything still works exactly the same. Nothing changed, all I did was put -alpine on there. Now, if I go in here, add this one in use, you can see more complicated app, that's one that we built before 1.1 gigabytes.

[00:05:51]
You can see more complicated app here with a tag of Alpine, 142 megabytes. Pretty substantial difference, with adding what, six characters? So this is why people like Alpine, it feels like it's just getting a bunch of storage savings for free, it's why, even though I'm telling you to not focus too much on this stuff, you might as well do this.

[00:06:24]
And like I said, I use it all the time, because it is so easy to use, and it's, for the most part, 99 point five nines or six nines percents of the time it is exactly the same as running it in Debian. So yeah, I went from 1.1 gigs to 150, just like that, super fast.

[00:06:45]
>> Speaker 2: Do you have an example of what we might be missing out on that one gig? I know we're very specifically looking at node here, but is there, like, why do we even need the gig on the first one?
>> Brian Holt: So, it's a good question, like, why would you include the whole gig?

[00:07:01]
It comes with everything that Debian comes with, right? So you are gonna have the full registry of everything you can get from app update. You are gonna have a bunch of Linux utilities for diagnosing memory leaks. There's a bunch of stuff in there that you will just never use, because I don't even know what they are, right?

[00:07:25]
Yeah, it's full Debian, there's nothing taken out of it. [INAUDIBLE]
>> Brian Holt: Sorry.
>> Speaker 3: Man pages.
>> Brian Holt: Man pages, that's actually a fantastic, man pages is actually quite large, and it includes all of the man pages, right? And if I would go in and say, man, blah, it's gonna say, you have to download these before I can know what to do with them.

[00:07:43]
So, man pages is actually a perfect example of stuff that you would need if you were interacting with Linux as a human. But if you're just using it as a cattle container to run Node applications, you would never need. Did that answer your question? Cool, so, that being said, and we'll talk about it here in just a second, there is Debian-Slim which does the same thing but stays in Debian.

[00:08:09]
But we'll get there. So, when should you select Alpine? This is a Brian Holt opinion, not a general opinion, so definitely add all the caveats and grains of salt on this. Is that the Alpine is the destination container. It's the last mile. It's the UPS of containers that it's the actual one that goes the last mile and delivers whatever you're trying to do.

[00:08:32]
Don't use it anywhere else in your tool chain, that doesn't make any sense to me. You would wanna use something that has all of the utilities that you don't have to reinstall things or think about reinstalling things. Just use all the full fat ones until you get to the end, and then use Alpine to deliver that to the last mile there.

[00:08:50]
Yeah, generally I'll reach for Debian, as you can see, almost everything uses Debian, so, peer pressure continue with Debian as well, but Ubuntu is fine as well, about the same. I'm sure Red Hat is pulling their hair out and saying, no, no, use Red Hat, cuz they want you to use Red Hat everywhere.

[00:09:05]
I just haven't and don't, so I continue to not.