LWN: Comments on "Docker and the OCI container ecosystem" https://lwn.net/Articles/902049/ This is a special feed containing comments posted to the individual LWN article titled "Docker and the OCI container ecosystem". en-us Fri, 19 Sep 2025 22:06:40 +0000 Fri, 19 Sep 2025 22:06:40 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Docker and the OCI container ecosystem https://lwn.net/Articles/907044/ https://lwn.net/Articles/907044/ jond <div class="FormattedComment"> Example image sources for cekit: <a href="https://GitHub.com/jboss-container-images/openjdk">https://GitHub.com/jboss-container-images/openjdk</a> <br> </div> Sat, 03 Sep 2022 07:54:05 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/907043/ https://lwn.net/Articles/907043/ jond <div class="FormattedComment"> I use and work on a pre-processor tool cekit - <a href="https://cekit.io">https://cekit.io</a> - which abstracts (somewhat) over dockerfiles. It’s more declarative and lets you break the recipe up into separate modules that can be shared amongst different container sources (like mix-ins, contrast to container image single inheritance )<br> </div> Sat, 03 Sep 2022 07:30:51 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/905201/ https://lwn.net/Articles/905201/ daenzer <div class="FormattedComment"> FWIW, the freedesktop.org GitLab CI templates (<a href="https://gitlab.freedesktop.org/freedesktop/ci-templates">https://gitlab.freedesktop.org/freedesktop/ci-templates</a>) use buildah, seems pretty nice.<br> <p> The templates currently offer two modes of operation for generating images: A simple one where one can just specify the base system packages to be installed, and a generic one which allows running a script to set up the filesystem arbitrarily.<br> <p> The templates produce a single layer, but it can be based on any other image (by default a standard image of one of the supported base distros), which is included as separate layers. This allows efficient sharing of common base contents.<br> </div> Fri, 19 Aug 2022 07:36:38 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/905036/ https://lwn.net/Articles/905036/ ricab <div class="FormattedComment"> This is a jewel of an article!<br> </div> Thu, 18 Aug 2022 12:41:36 +0000 Lack of a lightweight run time https://lwn.net/Articles/904140/ https://lwn.net/Articles/904140/ rganesan <div class="FormattedComment"> One thing the container ecosystem lacks is a lightweight embedded runtime. docker runs into 100s of megs with all it&#x27;s dependencies and podman is not significantly lighter. Even containerd/nerdctl seems boated.Why would I want &quot;docker build&quot; or &quot;docker compose&quot; on a small IOT device? Something like k3s would me nice but without the whole k8s ecosystem. <br> </div> Mon, 08 Aug 2022 11:47:23 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/903908/ https://lwn.net/Articles/903908/ hsiangkao <div class="FormattedComment"> Hi, you could refer to Nydus image service [1] and erofs fscache support for container images [2].<br> Rolling hash deduplication + fixed-sized output compression is working in progress.<br> <p> [1] <a href="https://github.com/dragonflyoss/image-service/">https://github.com/dragonflyoss/image-service/</a><br> [2] <a href="https://d7y.io/blog/2022/06/06/evolution-of-nydus/">https://d7y.io/blog/2022/06/06/evolution-of-nydus/</a><br> </div> Fri, 05 Aug 2022 06:04:27 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/903907/ https://lwn.net/Articles/903907/ hsiangkao <div class="FormattedComment"> you could refer to chunk-based content-addressable Nydus image service [1] and erofs filesystem fscache support for container images [2].<br> <p> [1] <a href="https://github.com/dragonflyoss/image-service/">https://github.com/dragonflyoss/image-service/</a><br> [2] <a href="https://d7y.io/blog/2022/06/06/evolution-of-nydus/">https://d7y.io/blog/2022/06/06/evolution-of-nydus/</a><br> </div> Fri, 05 Aug 2022 06:01:38 +0000 Rocket containers https://lwn.net/Articles/903734/ https://lwn.net/Articles/903734/ rahulsundaram <div class="FormattedComment"> <font class="QuotedText">&gt; rkt was also very good docker replacement, k8s could even use it, but as as redhat aquired CoreOS, rkt was killed in favor of containerd/runc and later podman ... basically redhat killed coreos and almost all their tools :(</font><br> <p> I don&#x27;t see how. rkt didn&#x27;t make the cut but plenty of things from CoreOS continues to be developed including CoreOS itself, along with quay, k8s operators, tectonic (integrated with Openshift) and so forth.<br> </div> Thu, 04 Aug 2022 03:53:20 +0000 Rocket containers https://lwn.net/Articles/903730/ https://lwn.net/Articles/903730/ higuita <div class="FormattedComment"> rkt was also very good docker replacement, k8s could even use it, but as as redhat aquired CoreOS, rkt was killed in favor of containerd/runc and later podman ... basically redhat killed coreos and almost all their tools :(<br> </div> Thu, 04 Aug 2022 03:37:19 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/903483/ https://lwn.net/Articles/903483/ mathstuf <div class="FormattedComment"> Headed slightly off-topic here, but I have to ask:<br> <p> <font class="QuotedText">&gt; Docker recently acquired the company that developed Sysbox (Nestybox) to extend containers isolation and workloads.</font><br> <p> Why does it always seem to be &quot;acquire&quot; and not &quot;fund&quot;?<br> </div> Mon, 01 Aug 2022 17:06:36 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/903480/ https://lwn.net/Articles/903480/ ctalledo <div class="FormattedComment"> Excellent article, thanks! On the runtimes section, one option that may be worth mentioning is Sysbox which is a runc alternative that enhances container isolation and workloads using pure OS virtualization (I am one of the developers). Sysbox enables the user-namespace on all containers, virtualizes /proc and /sys within them, traps sensitive syscalls, and enables containers to run systemd, Docker, K8s, K3s, and more seamlessly. The latter means Docker or Kubernetes can be used to deploy not just app containers, but also system containers. Docker recently acquired the company that developed Sysbox (Nestybox) to extend containers isolation and workloads.<br> </div> Mon, 01 Aug 2022 17:04:10 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/903024/ https://lwn.net/Articles/903024/ robert_s <div class="FormattedComment"> <font class="QuotedText">&gt; Do they support layering?</font><br> <p> Answering for Nix and its dockerTools: short answer yes (<a href="https://nixos.org/manual/nixpkgs/stable/#ssec-pkgs-dockerTools-buildLayeredImage">https://nixos.org/manual/nixpkgs/stable/#ssec-pkgs-docker...</a>), though half of the benefits of using &quot;layers&quot; in docker-land are already solved by Nix&#x27;s build-caching system. So the advantages gained by &quot;layers&quot; are mostly around image size.<br> </div> Sun, 31 Jul 2022 19:07:21 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902878/ https://lwn.net/Articles/902878/ mathstuf <div class="FormattedComment"> I agree that `git-annex` is a wonderful solution (far better than `git-lfs` IMO). However, it&#x27;s reliance on symlinks really sucks for Windows developers.<br> <p> FWIW, my main issues with `git-lfs` include:<br> <p> - doesn&#x27;t reuse git&#x27;s authentication mechanisms<br> - all data is only looked for at a single location (i.e., no multi-url remotes)<br> - fork-based workflows get confused when data is added and removed across some history that you rebase on (it will complain about the missing object but there&#x27;s no nice way to fetch just that object so you can push without `git lfs fetch --all`)<br> </div> Fri, 29 Jul 2022 13:00:23 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902877/ https://lwn.net/Articles/902877/ gscrivano <div class="FormattedComment"> one thing we are trying in Podman/Buildah/CRI-O is to use a new file format (still OCI compatible) to make every file addressable, so a &quot;podman pull&quot; would just fetch the files that are not present locally[1]<br> <p> The layering model still makes some sense with the overlay file system, since when you mount a container, the underlying file system expects that layout anyway. An attempt we are trying to improve this model and make easier to move away from layers is composefs[2]. It is a new file system that can mount the image directly and at the same time have both storage and memory page deduplication for shared files[2].<br> <p> [1] <a href="https://www.redhat.com/sysadmin/faster-container-image-pulls">https://www.redhat.com/sysadmin/faster-container-image-pulls</a><br> [2] <a href="https://github.com/containers/composefs">https://github.com/containers/composefs</a><br> </div> Fri, 29 Jul 2022 12:30:21 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902858/ https://lwn.net/Articles/902858/ k3ninho <div class="FormattedComment"> I&#x27;m not sure I understand the problem space and whether this is a solution, but Joey Hess&#x27; git-annex [1] for managing large files is an overlooked but solid tool.<br> <p> 1: https://git-annex.branchable.com/<br> <p> K3n.<br> </div> Thu, 28 Jul 2022 22:47:32 +0000 Quadlet https://lwn.net/Articles/902721/ https://lwn.net/Articles/902721/ valberg <div class="FormattedComment"> There are plans to integrate Quadlet into the containers/podman project such that they can be released simultaneously. Quadlet and Podman can then also share the generate-systemd logic.<br> <p> Starting with Podman v4.2 (to be released in early August), you can also use a systemd template to run Kubernetes YAML [1]. That simplifies the workload quite a bit as we only need to feed the YAML file to the template and systemd and Podman will take care of the rest.<br> <p> [1] <a href="https://github.com/containers/podman/blob/main/docs/source/markdown/podman-generate-systemd.1.md#kubernetes-integration">https://github.com/containers/podman/blob/main/docs/sourc...</a><br> </div> Thu, 28 Jul 2022 09:08:44 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902706/ https://lwn.net/Articles/902706/ Cyberax <div class="FormattedComment"> Ohhh.... So many reasons.<br> <p> 1. Dumb syntax. You have \<br> to write \<br> very long \<br> lines that blow up logs because they are actually ran as one long line.<br> <p> 2. The way the layering system works. All of it is kinda crappy.<br> <p> 3. COPY command. There&#x27;s no way to copy multiple source directories in one layer.<br> <p> And finally, Dockerfiles pretend to be purely functional and reproducible, but most projects have lines like &quot;RUN apt-get blah&quot; that immediately blow that up.<br> <p> A true content-addressable system with a better build language than Dockerfiles would be great. Earthly seems to be a good incremental improvement on Dockerfiles.<br> </div> Thu, 28 Jul 2022 05:54:27 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902705/ https://lwn.net/Articles/902705/ pabs <div class="FormattedComment"> Where does your disgust stem from? Mine is that they are mixed-language files. I dislike Makefiles and even printf/regex/SQL for this reason too.<br> </div> Thu, 28 Jul 2022 05:49:13 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902703/ https://lwn.net/Articles/902703/ bartoc <div class="FormattedComment"> or git! I would _love_ to see git updated to be able to handle this stuff (support for reflinking into working tree, smarter compression heuristics, etc).<br> <p> Actually what would be _really_ cool would be to actually support delta compression for some common binary file types, images could delta compress using hevc or AV1 (probably AV1), and I can imagine similar schemes for videos, although making those schemes fast is probably a research project and would be somewhat codec specific.<br> <p> Ditto for executable files.<br> </div> Thu, 28 Jul 2022 05:36:41 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902702/ https://lwn.net/Articles/902702/ bartoc <div class="FormattedComment"> systemd actually has native support for running &quot;container based&quot; services called &quot;portable services&quot;<br> <p> I think it might even be able to deal with OCI images. In this scheme all the configuration of what to start (and of cgroups) is done in the normal systemd unit files, but the files are contained in some fs image, and that fs image is also set up with all the needed dependencies and such.<br> <p> The portable service basically just handles the filesystem bits of containers, the rest is handled by existing systemd mechanisms (systemd already manages cgroups for you, and can create user namespaces and such as well).<br> </div> Thu, 28 Jul 2022 05:32:47 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902701/ https://lwn.net/Articles/902701/ bartoc <div class="FormattedComment"> I don&#x27;t find dockerfiles all that horrid as long as everyone on the team writing them actually understands how the layering works. They are reasonably simple and good enough.<br> <p> I do prefer buildah&#x27;s approach though.<br> <p> Actually I would prefer a scheme that used a content addressable datastore instead of the layering thing, something like ostree or casync (or git, really that would be most convenient, but git has some missing features when dealing with large binary files)<br> </div> Thu, 28 Jul 2022 05:28:09 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902688/ https://lwn.net/Articles/902688/ mathstuf <div class="FormattedComment"> I&#x27;ve used hand-written `.service` files for podman for some smaller deployments (though `podman-systemd-generator` is likely better long-term) and a larger one uses `podman-compose`[1] to generate its systemd units (since they collaborate, it helps to ensure they all share a common network and set of volumes).<br> <p> K8s just seemed *way* overkill for the &quot;I have a single machine and just want it to be easy to manage upgrades of containers and the base system&quot;.<br> <p> [1] <a href="https://github.com/containers/podman-compose">https://github.com/containers/podman-compose</a><br> </div> Wed, 27 Jul 2022 21:29:18 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902684/ https://lwn.net/Articles/902684/ jordan <div class="FormattedComment"> This is an area of interest to me - the containers/storage and containers/image libraries used to contain at least some level of ostree support, but I know at least part of that was removed due to nobody using it or being willing to maintain it. I&#x27;ve seen other parts of it that have gotten some work at least semi-recently, though; I haven&#x27;t yet explored what is currently possible there.<br> <p> Podman supports &lt;a href=&quot;<a href="https://www.redhat.com/sysadmin/image-stores-podman">https://www.redhat.com/sysadmin/image-stores-podman</a>&quot;&gt;additional image stores&lt;/a&gt; - I&#x27;ve experimented with using this feature to store image stores in ostree repositories and then get delta updates instead of having to pull whole layers at once.<br> <p> I know Balena has some sort of delta update technology for their container runtime but I&#x27;m unclear how it works.There are also things like &lt;a href=&quot;<a href="https://github.com/containerd/stargz-snapshotter">https://github.com/containerd/stargz-snapshotter</a>&quot;&gt;stargz&lt;/a&gt; (usable with containerd/nerdctrl) that do interesting things with how images are transferred over the network.<br> </div> Wed, 27 Jul 2022 20:18:41 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902683/ https://lwn.net/Articles/902683/ jordan <div class="FormattedComment"> Thanks! A follow-up about orchestration could be interesting but I&#x27;d have to do a lot of research. I used to run Swarm but now I mostly deploy my own stuff with Compose and have thus far managed to avoid learning very much about Kubernetes :) <br> </div> Wed, 27 Jul 2022 20:11:14 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902680/ https://lwn.net/Articles/902680/ jordan <div class="FormattedComment"> <font class="QuotedText">&gt; CRI-O does have a cli, crictl, but you&#x27;d only use it for low level troubleshooting/debugging/etc.</font><br> <p> I was aware of crictl but left it out of the CRI-O section because it&#x27;s not specific to CRI-O; it can also be used with containerd or another CRI runtime. The article was getting pretty long and it&#x27;s hard to mention everything.<br> <p> <font class="QuotedText">&gt; There&#x27;s a whole other container ecosystem that has sprung up around Singularity.</font><br> <p> I&#x27;m aware of that ecosystem but haven&#x27;t played with it. I did give a brief shoutout to Apptainer at the end; it appears to me that that is the new name for Singularity, but I could be wrong about that!<br> </div> Wed, 27 Jul 2022 20:07:46 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902682/ https://lwn.net/Articles/902682/ mathstuf <div class="FormattedComment"> I agree. I don&#x27;t really like Dockerfiles either, but the `COPY` and `RUN` with shell scripts really helps. It also keeps artifacts of what happened in the image itself (no point in deleting since it&#x27;s in the previous layer anyways).<br> <p> Other than that, I&#x27;ve found `buildah` to be useful for building minimal images where I can do some logic outside of the container and tell it afterwards. Much better than manual flattening after the fact IMO.<br> </div> Wed, 27 Jul 2022 20:07:09 +0000 Quadlet https://lwn.net/Articles/902681/ https://lwn.net/Articles/902681/ mathstuf <div class="FormattedComment"> <font class="QuotedText">&gt; I toyed with the idea that I could just use the podman command to generate templates I could use via ansible or whatnot, but it didn&#x27;t really work out.</font><br> <p> `quadlet` mentioned elsewhere in the comments seems like it&#x27;d work better. But can&#x27;t you have Ansible run the generator command as your &quot;sync&quot; rather than expecting specific file contents?<br> </div> Wed, 27 Jul 2022 20:05:28 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902678/ https://lwn.net/Articles/902678/ mathstuf <div class="FormattedComment"> Great writeup, thanks. Has there been any movement on updating the container storage to be something smarter that does something like `restic`, `os-tree`, or `casync` that uses a rolling algorithm to break blocks into &quot;chunks&quot; and then allowing sharing at more than just the &quot;layer&quot; level? Is this just being left to different implementations to do as they see fit or is it basically just overwhelmed into irrelevance at this point?<br> </div> Wed, 27 Jul 2022 20:04:39 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902679/ https://lwn.net/Articles/902679/ jordan <div class="FormattedComment"> I also dimly remember it having it in the distant past and support for it being removed. Very cool that it&#x27;s back!<br> </div> Wed, 27 Jul 2022 20:03:05 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902675/ https://lwn.net/Articles/902675/ lobachevsky <div class="FormattedComment"> Since version 242 systemd-nspawn can also run OCI bundles. I vaguely remember it having that feature in the ancient past before, before they were called OCI, but being removed because back then the format was kind of fast moving, but I might be wrong, because I can&#x27;t find any note of it anymore.<br> </div> Wed, 27 Jul 2022 19:42:41 +0000 Quadlet https://lwn.net/Articles/902673/ https://lwn.net/Articles/902673/ rjones <div class="FormattedComment"> One thing that kinda sucks about podman systemd integration, which may not be avoidable, is that the files it generates is can be very specific to the version of systemd you are using. I toyed with the idea that I could just use the podman command to generate templates I could use via ansible or whatnot, but it didn&#x27;t really work out.<br> <p> That was a while ago, though. Maybe it&#x27;s better now.<br> </div> Wed, 27 Jul 2022 19:16:52 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902671/ https://lwn.net/Articles/902671/ rjones <div class="FormattedComment"> Docker files are gross, but there are ways to mitigate the grossness. <br> <p> The big one I do is to simply have a shell script that does all the work of setting up the docker image. The dockerfile only copies in the script and required assets and the script does all the work of actually setting it up. Of course you can do the same thing with makefiles or scons or whatever build tool you like using. This reduces things to a single COPY and single RUN command.<br> <p> Along with that it&#x27;s useful to do multistage builds. <br> <p> <a href="https://docs.docker.com/develop/develop-images/multistage-build/">https://docs.docker.com/develop/develop-images/multistage...</a><br> <p> This is especially nice if you want to do statically compiled binaries. You end up with a build container and a runtime container. You only then need to distribute the runtime container. This results in a very clean OCI image with all the build-time and setup portions stripped out. It is usually very easy to keep things down well under a 100MB in size.<br> <p> <p> As far as getting rid of dockerfile itself... It is probably not worth it at this stage. Everybody and their mom supports it and thus it makes it easy to integrate containers into CI/CD workflows, among other things. Sefl-hosting build farms in kubernetes is extremely easy with kaniko. You can use buildah and other associated tools related to podman. Gitlab, github, and most everything else supports building and testing against OCI images. <br> </div> Wed, 27 Jul 2022 18:21:56 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902670/ https://lwn.net/Articles/902670/ pj <div class="FormattedComment"> Just wanted to say thanks for the great overview! I&#x27;ve seen the names of lots of these pieces fly by, it&#x27;s good to know how they all relate to each other . Any chance you&#x27;ll do a followup on orchestration systems? there&#x27;s k8s and some various micro- and mini- self-hosted versions, and then there&#x27;s docker swarm... are there others? which of those are suitable for production vs toy/exploring ? Maybe there&#x27;s enough there for a followup ecosystem/survey article.<br> </div> Wed, 27 Jul 2022 18:07:30 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902620/ https://lwn.net/Articles/902620/ cortana <p>Great article! A couple of omissions that occurred to me: <ul><li>CRI-O does have a cli, <tt>crictl</tt>, but you'd only use it for low level troubleshooting/debugging/etc. <li>There's a whole other container ecosystem that has sprung up around Singularity. The idea here is that we _don't_ want to isolate the code inside the container from the user's home directory, shared filesystems, etc; we just want to use containers for distributing software. You'd use this on e.g., a high performance computing cluster. Personally I think it's a bit of a shame that the community didn't coalesce around Podman for this use case, but there we are...</ul> Wed, 27 Jul 2022 09:13:13 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902618/ https://lwn.net/Articles/902618/ cortana <blockquote><p>Buildpacks is higher-level and works kind of like Heroku; it detects what language your application is written in, and then picks appropriate builder and base images. It can rebase application images on top of newer base images without rebuilding the whole application.</blockquote> <p>For another take on this approach, see Red Hat's <a href="https://github.com/openshift/source-to-image">source-to-image</a> which invokes an <tt>assemble</tt> script at a well known location in the base container image; this script embeds all the build logic, so that the developer doesn't need to write a Dockerfile, only comply with the conventions of the base image. Wed, 27 Jul 2022 09:00:58 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902607/ https://lwn.net/Articles/902607/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; Nix, bazel, and yocto/openembeded are some mature systems that can build container images without actually using docker or Dockerfiles - they just produce the layer tar files (OCI image) directly.</font><br> <p> Do they support layering? This is one feature of Docker that makes it bearable, especially for iterative development.<br> </div> Tue, 26 Jul 2022 23:39:45 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902606/ https://lwn.net/Articles/902606/ anguslees <div class="FormattedComment"> Nix, bazel, and yocto/openembeded are some mature systems that can build container images without actually using docker or Dockerfiles - they just produce the layer tar files (OCI image) directly.<br> <p> I agree there should be more tools like this - it&#x27;s not that hard. The thing you lose with these approaches is any easy &quot;bootstrap&quot; step to set up the build system in the first place. If you put the build system in a docker container, then you get back to something like a multistage Dockerfile anyway (for simple projects - complex projects can still benefit from these more advanced systems).<br> <p> Also be aware of cross compiling. In the FOSS community, we would like to support our non-intel brethren and this requires building images for platforms you don&#x27;t have by default. Some systems (yocto) are good at this, others (bazel) are still maturing. Docker buildx makes this very easy through transparent emulation, again if you&#x27;re willing to settle for Dockerfiles.<br> <p> For me, the combination of cross compiling and easy bootstrap means I use docker buildx for all my simpler projects, and just put up with the awkward Dockerfile syntax :-(<br> </div> Tue, 26 Jul 2022 23:17:38 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902600/ https://lwn.net/Articles/902600/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; Sure, but using Debian snapshots would mean that you&#x27;d have to take all the updates in the snapshot that you moved to at once</font><br> <p> Yeah, but this is usually OK. It also makes it easier to audit dockerfiles to check if they cover all CVEs in the base Debian image.<br> <p> We also have a script that checks if an image contains packages that are different between two snapshots, this helps to automate &quot;empty&quot; version bumps. Not perfect, but it helps.<br> <p> We also tried Nix that gives strong reproducibility gurantees, but it wastes way too much time on rebuilding everything.<br> </div> Tue, 26 Jul 2022 21:34:13 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902601/ https://lwn.net/Articles/902601/ amarao <div class="FormattedComment"> Yes. And the main reason people confuse that (assuming that &#x27;stop&#x27; is a &#x27;drop&#x27;) is beause it&#x27;s not possible to change container (without low-level hacks). If you want to update image or tweak manifest, you need to rebuild image, and new image means new container.<br> </div> Tue, 26 Jul 2022 21:29:08 +0000 Docker and the OCI container ecosystem https://lwn.net/Articles/902599/ https://lwn.net/Articles/902599/ jordan <div class="FormattedComment"> Sure, but using Debian snapshots would mean that you&#x27;d have to take all the updates in the snapshot that you moved to at once, and that you&#x27;d have to take updates in the order they were supplied upstream. Having a packrat mirror that holds on to all the versions gives you more flexibility in deciding what you want to update and when.<br> </div> Tue, 26 Jul 2022 21:24:46 +0000