I am thinking to make the following tool, but wanted to get opinions before I embark on this journey.

The tool builds container images.

The images are optionally distroless: meaning, they do not include an entire distro. They only include the application(s) you specify and its dependencies.

What else does the tool give you?

  • the build tool uses a package manager to do dependency resolution, so you don’t have to manually resolve them like many docker files do. (NOTE: The package manager is not installed on the container image. It is only used by the build tool)
  • uses gentoo’s portage to build the software from source (if not previously cached). This is helpful when you’re using versions of software that aren’t built against each other in the repos you download from
  • allows specifying compile flag customizations per package.
  • makes use of gentoo’s existing library of package build or install recipes, so that you only have to write them for uncommon apps rather than in every docker file.

I find it crazy that so many dockerfiles are doing their own dependency resolution when we already have package managers.

What do you think? Is this tool useful or am I missing a reason why it wouldn’t be?

  • biribiri11
    link
    fedilink
    arrow-up
    14
    ·
    edit-2
    6 months ago

    So you want to build something like apko (alpine packages/repos, used in chainguard’s images) or rules_oci (used in google’s Debian-based distroless images) but for portage?

    I think it’d be cool. Just keep in mind:

    1. Container scanning tools (like trivy), afaik, tend to look for a package db. Going distroless breaks them. I believe this is why chainguard generates a SBOM (software bill of materials).
    2. Container images are already de-duplicated, and often, the gains in pull times aren’t worth the additional debugging effort (for example, you won’t be able to have dig/curl installed without rebuilding and deploying the whole image, or even a bash prompt in most cases). They’re even more not worth it because lazily pulling OCI images is now a thing, though it’s in its infancy. See: eStargz and I believe dragonfly which uses nydus. More generally though, zstd:chunked will probably eventually become mainstream and default, which will all but eliminate the need for “minimal” starting images.
    3. If you wanted to go really small, there’s stuff like slim which makes tailor made images.
    4. Gentoo, afaik, doesn’t really do LTS releases, making it undesirable for server use, which is the main place containers are.
    5. Distroless containers don’t share common base images because they are normally scratch-built. This breaks image deduplication, leading to increased disk usage instead of decreased disk usage, and why I personally swapped off chainguard’s images.
    • matcha_addict@lemy.lolOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      6 months ago

      Did not know about apko. I am not attached to distroless, just thought it was a nice to have. So apko might be a reason I don’t pursue this project anymore. Thanks for showing me!

      Your comment is very insightful for other reasons too. Thanks a lot :)