@thaJeztah
Last active January 8, 2024 12:06
Ubuntu or Alpine? A quick comparison

Ubuntu ... or Alpine? A quick comparison

Let's see how they compare with a minimal example: run a container that installs curl and fetches the Holberton homepage.

Ubuntu

Pull the ubuntu:16.04 image

$ time docker image pull ubuntu:16.04
16.04: Pulling from library/ubuntu
8f7c85c2269a: Pull complete 
9e72e494a6dd: Pull complete 
3009ec50c887: Pull complete 
9d5ffccbec91: Pull complete 
e872a2642ce1: Pull complete 
Digest: sha256:d3fdf5b1f8e8a155c17d5786280af1f5a04c10e95145a515279cf17abdf0191f
Status: Downloaded newer image for ubuntu:16.04

real	0m8.591s
user	0m0.112s
sys	0m0.012s

Run a container, install and run curl:

$ time docker run ubuntu:16.04 sh -c 'apt-get update && apt-get install -y -q curl && apt-get clean && curl https://www.holbertonschool.com'

...
Get:21 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [3492 B]
Fetched 24.7 MB in 3s (7866 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
...
Need to get 5343 kB of archives.
After this operation, 19.0 MB of additional disk space will be used.
...
Setting up curl (7.47.0-1ubuntu2.5) ...
Processing triggers for libc-bin (2.23-0ubuntu9) ...
Processing triggers for ca-certificates (20170717~16.04.1) ...
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

...

<html>
  <head>
    <title>Holberton School of Software Engineering in San Francisco</title>
...

real	0m16.245s
user	0m0.108s
sys	0m0.036s

Not bad! It takes just 16.2 seconds to:

  • create and start a container
  • update the package cache
  • install curl and its dependencies
  • clean up the package cache
  • get the Holberton homepage

Alpine

Let's see how Alpine performs:

$ time docker run alpine:3.7 sh -c 'apk add --no-cache curl && curl https://www.holbertonschool.com'

Unable to find image 'alpine:3.7' locally
latest: Pulling from library/alpine
ff3a5c916c92: Pull complete 
Digest: sha256:7df6db5aa61ae9480f52f0b3a06a140ab98d427f86d8d5de0bedab9b8df6b1c0
Status: Downloaded newer image for alpine:3.7
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20171114-r0)
(2/4) Installing libssh2 (1.8.0-r2)
(3/4) Installing libcurl (7.57.0-r0)
(4/4) Installing curl (7.57.0-r0)
Executing busybox-1.27.2-r7.trigger
Executing ca-certificates-20171114-r0.trigger
OK: 6 MiB in 15 packages

...

<html>
  <head>
    <title>Holberton School of Software Engineering in San Francisco</title>
...

real	0m3.856s
user	0m0.096s
sys	0m0.016s

Updating the package index, installing curl, and cleaning up the package cache took... 3.9 seconds

But .. wait .. we forgot to docker image pull first. That's not a fair comparison!

Let's do this again:

$ time docker run alpine:3.7 sh -c 'apk add --no-cache curl && curl https://www.holbertonschool.com'

fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20171114-r0)
(2/4) Installing libssh2 (1.8.0-r2)
(3/4) Installing libcurl (7.57.0-r0)
(4/4) Installing curl (7.57.0-r0)
Executing busybox-1.27.2-r7.trigger
Executing ca-certificates-20171114-r0.trigger
OK: 6 MiB in 15 packages

...

<html>
  <head>
    <title>Holberton School of Software Engineering in San Francisco</title>
...

real	0m1.677s
user	0m0.084s
sys	0m0.012s

That's 1.7 seconds to:

  • create and start a container
  • update the package index
  • install curl and its dependencies
  • clean up the package index
  • get the Holberton homepage

What about ... size?

Alpine is small .. like, tiiiiiiny. Here's how the images compare in size:

$ docker image ls

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              16.04               2a4cca5ac898        4 days ago          111MB
alpine              3.7                 3fd9065eaf02        10 days ago         4.15MB

That's without curl installed; here's the additional size with curl installed:

$ docker container ls -a --format 'table {{.ID}}\t{{.Image}}\t{{.Size}}'

CONTAINER ID        IMAGE               SIZE
7985b6304b2a        alpine:3.7          1.34MB (virtual 5.48MB)
5a6744492505        ubuntu:16.04        55.8MB (virtual 167MB)

5.48MB compared to 167MB

What about ... security then?

Alpine is a small distribution; surely it can't be more secure than Ubuntu, which has tons of engineers (both from Ubuntu and the Debian packagers) who must be on top of everything?

[Image: Ubuntu scan]

Less stuff in your container means fewer moving parts and fewer attack vectors. Here's the vulnerability scan for the Alpine image:

[Image: Alpine scan]

The New Stack had an interview with Natanael Copa on this (and other) topics. Worth a read :)
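
Timings, sizes and scan results like the ones above describe one specific image content, while tags such as ubuntu:16.04 and alpine:3.7 are re-pointed whenever the image is rebuilt. The sketch below is an added example, not part of the original gist: it turns the Digest line from captured pull output into a digest-pinned reference. The function names are made up for illustration; the first sample log is copied from the Ubuntu pull output above.

```shell
#!/bin/sh
# Added example: build "<image>@sha256:..." from captured `docker pull` output.

# strip_tag: drop a trailing ":tag" but keep a registry port (host:5000/app).
strip_tag() {
    name=$1
    case ${name##*/} in
        *:*) name=${name%:*} ;;
    esac
    printf '%s\n' "$name"
}

# digest_from_log: print the last well-formed sha256 digest found on stdin.
# Exits non-zero when the digest is missing or truncated.
digest_from_log() {
    awk '$1 == "Digest:" { d = $2 }
         END {
             # "sha256:" (7 chars) + 64 lowercase hex chars = 71
             if (d ~ /^sha256:[0-9a-f]+$/ && length(d) == 71) print d
             else exit 1
         }'
}

# pinned_ref IMAGE: read pull output on stdin, print IMAGE pinned by digest.
pinned_ref() {
    digest=$(digest_from_log) || return 1
    printf '%s@%s\n' "$(strip_tag "$1")" "$digest"
}

# Sample input: the Ubuntu pull output shown earlier on this page.
sample_ubuntu_pull() {
    cat <<'EOF'
16.04: Pulling from library/ubuntu
8f7c85c2269a: Pull complete
e872a2642ce1: Pull complete
Digest: sha256:d3fdf5b1f8e8a155c17d5786280af1f5a04c10e95145a515279cf17abdf0191f
Status: Downloaded newer image for ubuntu:16.04
EOF
}

# Prints the reference to use in `docker run` / `FROM` instead of the tag.
sample_ubuntu_pull | pinned_ref ubuntu:16.04

# Constructed bad input: a truncated digest is rejected, not passed through.
printf 'Digest: sha256:abc123\n' | pinned_ref alpine:3.7 \
    || echo "no usable digest in log" >&2
```

Running the comparison or a scan against the pinned reference ties the result to the content that was actually measured.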

@codewith-arijit

The security comparison actually shocked me. I am actually shifting my workflow with Ubuntu to Alpine. I am hoping all the dependencies I need in my project are supported in Alpine as well. Thanks for the great gist of comparison.
