Richard Bucker

Docker Base Images

Posted at — Jan 15, 2015

The Phusion team would have you believe that all other base images are inferior and you are unsafe.

“YOUR DOCKER IMAGE MIGHT BE BROKEN” – Link

This statement is particularly troubling. Not because my base image is vulnerable but because these guys think so little of the Docker team’s ability to create base images correctly. As it turns out there are 12 base images that are considered “from the source”:

ubuntu, ubuntu-upstart, debian, centos, busybox, fedora, opensuse, cirros, crux, neurodebian, scratch, oracle-linux

Phusion’s baseimage is present in the docker registry, however, the phusion user is NOT “trusted” and there are plenty of forks by users with “trust”. So while their claims are appreciated in one sense, they are meritless if not incomplete.

The second challenge is the container promise. Everything I have read so far suggests that it’s preferred to only have a single process running in each container. This also makes sense as it’s a capacity one can quantify. But if you take the Phusion path then you can expect to manage each OS instance as you would any virtual instance… and frankly that will not scale as expected.

In a recent email exchange with CoreOS we talked about the “extras” that the Phusion team was referring to. My very very very simplified impression is that Rocket containers are an improved chroot or jail.