by gardnr 3219 days ago
Now if we could just get some sort of hash consensus around what is in root.tar.xz. I feel like we are all blindly trusting large binary blobs as the core of our systems without any reproducible builds or peer auditing.

You might be interested in distroless[1] base images.

The repo links to a talk that goes into more depth, but the basic idea is to use a minimal language-specific base for your runtime instead of e.g. statically linking all of ubuntu into your image.

The base images are built with bazel's docker rules[2], so you get reproducible builds.

[1] https://github.com/GoogleCloudPlatform/distroless

[2] https://github.com/bazelbuild/rules_docker

I've even been using these rules here to work on making the Debian distro rootfs.tar.xz times we provide for Google Cloud Platform reproducible.

The same source should lead to the same tarball, and anyone should be able to clone the repo and verify that.

github.com/GoogleCloudPlatform/debian-docker
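The "same source, same tarball, anyone can verify it" property from the comment above (and the hash consensus the original poster asks for) only holds if the archive itself is built deterministically. As an added example that is not part of this thread or of the debian-docker repo, the script below builds a small constructed directory tree twice and shows that a tar invocation with fixed entry order, fixed mtime and fixed ownership yields the same sha256 both times, while a naive `tar -czf` does not. It assumes GNU tar 1.28 or later (for `--sort`), gzip, and coreutils `sha256sum`; the tree contents and the fixed epoch are illustrative choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from GoogleCloudPlatform/debian-docker.
# Assumes GNU tar >= 1.28 (--sort), gzip (-n), sha256sum, mktemp.
set -eu

# Constructed stand-in for a rootfs: two files under etc/ and usr/bin/.
make_tree() {
  dir=$1
  mkdir -p "$dir/etc" "$dir/usr/bin"
  printf 'hello\n' > "$dir/etc/motd"
  printf '#!/bin/sh\necho hi\n' > "$dir/usr/bin/hi"
  chmod 755 "$dir/usr/bin/hi"
}

# Reproducible tarball: entries sorted by name, one fixed mtime
# (2017-01-01 00:00:00 UTC, chosen arbitrarily), uid/gid forced to 0,
# and gzip told not to embed a timestamp or file name (-n).
# Prints the sha256 of the resulting .tgz.
repro_tar() {
  src=$1; out=$2
  tar --sort=name --mtime='@1483228800' --owner=0 --group=0 --numeric-owner \
      --format=gnu -C "$src" -cf - . | gzip -n > "$out"
  sha256sum "$out" | cut -d' ' -f1
}

# Naive tarball: readdir order, real file mtimes, real uid/gid.
naive_tar() {
  src=$1; out=$2
  tar -C "$src" -czf "$out" .
  sha256sum "$out" | cut -d' ' -f1
}

# Build the same tree twice (one second apart so mtimes differ) and hash
# each copy with both methods. Returns 0 iff the reproducible hashes match.
# Writes "repro_hash naive_hash_a naive_hash_b" to stdout.
build_twice() {
  work=$(mktemp -d)
  make_tree "$work/a"
  sleep 1
  make_tree "$work/b"
  h1=$(repro_tar "$work/a" "$work/a.tgz")
  h2=$(repro_tar "$work/b" "$work/b.tgz")
  n1=$(naive_tar "$work/a" "$work/a-naive.tgz")
  n2=$(naive_tar "$work/b" "$work/b-naive.tgz")
  rm -rf "$work"
  echo "$h1 $n1 $n2"
  [ "$h1" = "$h2" ]
}

# Verification step a third party would run: compare a freshly built hash
# against a published one. Returns 0 on match, 1 on mismatch.
verify_against_published() {
  published=$1; built=$2
  [ "$published" = "$built" ]
}

demo() {
  set -- $(build_twice)
  echo "reproducible build hash: $1"
  if [ "$2" = "$3" ]; then
    echo "naive build: hashes happened to match"
  else
    echo "naive build: $2 != $3 (mtime/order/uid leaked into the archive)"
  fi
}

demo
```

The point a reviewer of a published rootfs.tar.xz wants is the `build_twice` property: if two independent clones of the repo cannot get byte-identical archives, a published checksum proves only that you downloaded what the publisher uploaded, not that the tarball came from the source.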

You have the "Build from source" option, no? ;)
According to https://hub.docker.com/_/debian/ at least the debian base images should be reproducible, although I have not tried it...
What I really like is to use the empty "scratch" image as a base, and put only the required stuff there. At least with Golang projects it works.

But yes, you cannot be sure what you have in every 3rd-party image you use. This is a big problem in the Docker world IMO.

What exactly is the point of docker with a golang project?
I don't run Docker in production, but I'd say it's the infrastructure. Docker images seem to be turning into the universal package format for distribution, CI, orchestration, resource limiting, etc. If you need to run a Go service which you need to scale horizontally and mix with other projects (possibly dependencies), it's just easier to stuff your binary into a Docker image.
See, a lot of people say things similar to this.

But let's think logically: with Go, you have a single binary file, that will run on basically any distribution of Linux, with no external dependencies.

With Docker, you need a lot more than that, and in the case of a Go binary, you have no benefit.

I'd suggest reading through https://thehftguy.com/2017/02/23/docker-in-production-an-upd... for an idea of "Docker in production". Sure, we aren't all running HFT systems, but the issues he documents aren't really specific to HFT - they're more related to having a piece of software you can rely on to work.

Can containers in the generic sense be a useful tool for certain tasks? Sure.

Is Docker the "omg lets put bread around this meat and call it a sandwich" epic moment? No.

The rise in mindshare of Docker is IMO not coincidentally linked to the rise of the bad kind of DevOps: where management fires ops, and gets developers to run their infrastructure.

"I don't need to understand how <insert common Linux infrastructure software> works, I can just run 2 docker commands and it will download me a working image from the internet. What do you mean who created the image and can I trust it? This is the Internet, of course anything I download is trustworthy."