Let's see how they compare with a minimal example: run a container from each image that installs curl and fetches the Holberton homepage.

Pull the ubuntu:16.04 image:
```
$ time docker image pull ubuntu:16.04
16.04: Pulling from library/ubuntu
8f7c85c2269a: Pull complete
9e72e494a6dd: Pull complete
3009ec50c887: Pull complete
9d5ffccbec91: Pull complete
e872a2642ce1: Pull complete
Digest: sha256:d3fdf5b1f8e8a155c17d5786280af1f5a04c10e95145a515279cf17abdf0191f
Status: Downloaded newer image for ubuntu:16.04

real    0m8.591s
user    0m0.112s
sys     0m0.012s
```
Run a container, then install and run curl:

```
$ time docker run ubuntu:16.04 sh -c 'apt-get update && apt-get install -y -q curl && apt-get clean && curl https://www.holbertonschool.com'
...
Get:21 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [3492 B]
Fetched 24.7 MB in 3s (7866 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
...
Need to get 5343 kB of archives.
After this operation, 19.0 MB of additional disk space will be used.
...
Setting up curl (7.47.0-1ubuntu2.5) ...
Processing triggers for libc-bin (2.23-0ubuntu9) ...
Processing triggers for ca-certificates (20170717~16.04.1) ...
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
...
<html>
<head>
<title>Holberton School of Software Engineering in San Francisco</title>
...

real    0m16.245s
user    0m0.108s
sys     0m0.036s
```
Not bad! It takes just 16.2 seconds to:
- create and start a container
- update the package cache
- install curl and its dependencies
- clean up the package cache
- get the Holberton homepage
Let's see how Alpine performs:

```
$ time docker run alpine:3.7 sh -c 'apk add --no-cache curl && curl https://www.holbertonschool.com'
Unable to find image 'alpine:3.7' locally
latest: Pulling from library/alpine
ff3a5c916c92: Pull complete
Digest: sha256:7df6db5aa61ae9480f52f0b3a06a140ab98d427f86d8d5de0bedab9b8df6b1c0
Status: Downloaded newer image for alpine:3.7
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20171114-r0)
(2/4) Installing libssh2 (1.8.0-r2)
(3/4) Installing libcurl (7.57.0-r0)
(4/4) Installing curl (7.57.0-r0)
Executing busybox-1.27.2-r7.trigger
Executing ca-certificates-20171114-r0.trigger
OK: 6 MiB in 15 packages
...
<html>
<head>
<title>Holberton School of Software Engineering in San Francisco</title>
...

real    0m3.856s
user    0m0.096s
sys     0m0.016s
```
Updating the package index, installing curl, and cleaning up the package cache took... 3.9 seconds.

But... wait... we forgot to run docker image pull first. That's not a fair comparison!

Let's do this again:
```
$ time docker run alpine:3.7 sh -c 'apk add --no-cache curl && curl https://www.holbertonschool.com'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20171114-r0)
(2/4) Installing libssh2 (1.8.0-r2)
(3/4) Installing libcurl (7.57.0-r0)
(4/4) Installing curl (7.57.0-r0)
Executing busybox-1.27.2-r7.trigger
Executing ca-certificates-20171114-r0.trigger
OK: 6 MiB in 15 packages
...
<html>
<head>
<title>Holberton School of Software Engineering in San Francisco</title>
...

real    0m1.677s
user    0m0.084s
sys     0m0.012s
```
That's 1.7 seconds to:
- create and start a container
- update the package index
- install curl and its dependencies
- clean up the package index
- get the Holberton homepage
Alpine is small... like, tiiiiiiny. Here's how the images compare in size:

```
$ docker image ls
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
ubuntu       16.04    2a4cca5ac898   4 days ago    111MB
alpine       3.7      3fd9065eaf02   10 days ago   4.15MB
```
That's without curl installed; here's the additional size with curl installed:
```
$ docker container ls -a --format 'table {{.ID}}\t{{.Image}}\t{{.Size}}'
CONTAINER ID   IMAGE          SIZE
7985b6304b2a   alpine:3.7     1.34MB (virtual 5.48MB)
5a6744492505   ubuntu:16.04   55.8MB (virtual 167MB)
```

That's 5.48MB compared to 167MB.
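As an added example (not code from the original post), here is a small POSIX sh script that turns the manual comparison above into a repeatable benchmark: it pulls each image before timing it, so the fairness problem noted earlier is avoided, and it converts Docker's size strings to bytes so the images can be compared numerically. The image tags and install commands are the ones used in this post; the script reports the base image size rather than the container's virtual size, and it only talks to the Docker daemon when RUN_BENCH=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): repeat the post's comparison for any
# image, pulling first so download time does not skew the numbers.
set -eu

# Convert a Docker size string ("4.15MB", "111MB", "55.8MB") to a byte count.
# Docker prints decimal units (kB, MB, GB), so 1MB = 1000000 bytes.
size_to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[A-Za-z]*$//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    case "$unit" in
        B)     mult=1 ;;
        kB|KB) mult=1000 ;;
        MB)    mult=1000000 ;;
        GB)    mult=1000000000 ;;
        *)     echo "unknown unit: $unit" >&2; return 1 ;;
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%.0f\n", n * m }'
}

# How many times larger the first image is than the second, to one decimal place.
size_ratio() {
    awk -v a="$(size_to_bytes "$1")" -v b="$(size_to_bytes "$2")" \
        'BEGIN { printf "%.1f\n", a / b }'
}

# Pull the image first (the step the post initially forgot), then time
# "install curl and fetch the homepage" and report the base image size.
# $1 = image tag, $2 = that image's package-manager command to install curl.
bench_image() {
    image=$1
    install_cmd=$2
    docker image pull "$image" >/dev/null
    start=$(date +%s)
    docker run --rm "$image" sh -c \
        "$install_cmd && curl -sS -o /dev/null https://www.holbertonschool.com"
    end=$(date +%s)
    size=$(docker image ls --format '{{.Size}}' "$image")
    echo "$image: $((end - start))s, base image $size ($(size_to_bytes "$size") bytes)"
}

# Only talk to the Docker daemon when asked to: RUN_BENCH=1 sh bench.sh
if [ "${RUN_BENCH:-0}" = 1 ]; then
    bench_image ubuntu:16.04 'apt-get update -q && apt-get install -y -q curl && apt-get clean'
    bench_image alpine:3.7 'apk add --no-cache curl'
    ubuntu_size=$(docker image ls --format '{{.Size}}' ubuntu:16.04)
    alpine_size=$(docker image ls --format '{{.Size}}' alpine:3.7)
    echo "ubuntu:16.04 is $(size_ratio "$ubuntu_size" "$alpine_size")x the size of alpine:3.7"
fi
```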
Alpine is a small distribution; surely it can't be more secure than Ubuntu, which has tons of engineers (both Ubuntu's own and the Debian packagers) who must be on top of everything?

Less stuff in your container means fewer moving parts and fewer attack vectors. Here's the vulnerability scan for the Alpine image:
The New Stack had an interview with Natanael Copa on this (and other) topics. Worth a read :)
The security comparison actually shocked me. I am actually shifting my workflow with Ubuntu to Alpine. I am hoping all the dependencies I need in my project are supported in Alpine as well. Thanks for the great gist of comparison.