[yjftsjthsd-h]

Okay, I'll ask the dumb question: Couldn't you also reduce the number of layers per container? Sure, if you can reuse layers you should, but unless you've done something very clever like 1 package per layer I struggle to think that 50 is really useful?

[ActorNightly]

Its not a dumb question. It seems like when it comes to these supposed high tech enterprise solutions, they spend so much churn in doing something that is very complex and impressive like investigating architecture performance when it comes to kernel level operations and figuring out the kernel specifics that are causing slowdowns. Instead they can put that talent into just writing software without containers that can just max out any EC2 instance in terms of delivering streamed content, and then you don't worry about why your containers are taking so long to load.

[hvb2]

I have seen these comments quite a bit but they gloss over a major feature of a large company.

In a large company you can have thousands of developers just coding away at their features without worrying about how any of it runs. You can dislike that, but that's how that goes.

From a company perspective this is preferable as those developers are supposedly focussed on building the things that make the company money. It also allows you to hire people that might be good at that but have no idea how the deployment actually works or how to optimize that. Meanwhile with all code running sort of the same way, that makes the operations side easier.

When the company grows and you're dealing with thousands of people contributing code. These optimizations might save a lot of money/time. But those savings might be peanuts compared with every 10 devs coming up with their own deployment and the ops overhead of that.

[Hikikomori]

Content is not streamed from these containers.

[ActorNightly]

Then there is even less reason to spin up new containers at the rate they are doing it.

[Hikikomori]

So a new instance should stay idle for some time?

[ActorNightly]

No, you can autoscale EC2s. The point is that you should be able to run all your software without containers, which means that you aren't wasting cpu cycles with container overhead.

Depending on the EC2 instance it also may be cheaper to have a reserved EC2 instance sitting idle rather than paying for capacity reservation and spinning it up every day as the user count goes through its regular wave.

[gucci-on-fleek]

> unless you've done something very clever like 1 package per layer I struggle to think that 50 is really useful?

1 package per layer can actually be quite nice, since it means that any package updates will only affect that layer, meaning that downloading container updates will use much less network bandwidth. This is nice for things like bootc [0] that are deployed on the "edge", but less useful for things deployed in a well-connected server farm.

[0]: https://bootc-dev.github.io/bootc/

[seabrookmx]

It doesn't work this way really?

It's called a layer because each layer on top depends on the layers below.

If you change the package defined in the bottom most layer, all 49 above it are invalid and need re-pulled or re-built.

[minitech]

That’s mostly a Dockerism (and even Docker has `COPY --link` these days). The underlying tech supports independent layers.

[SR2Z]

Layering in the container spec is achieved by overlaying each layer's filesystem (a tarball, I think) over each layer below it. If file "a" is modified in layers 3 and 5, the resulting container will have data for both versions but reading "a" in the container will return version 5.

Docker exploits this to figure out when it can cache a layer, but building a container is different than running one because changing the underlying file system can change what a command outputs. If you're running a container, changing one deeply buried layer doesn't change the layers above it because they're already saved.

[gucci-on-fleek]

> If you change the package defined in the bottom most layer, all 49 above it are invalid and need re-pulled or re-built.

I also initially thought that that was the case, but some tools are able to work around that [0] [1] [2]. I have no idea how it works, but it works pretty well in my experience.

[0]: https://github.com/hhd-dev/rechunk/

[1]: https://coreos.github.io/rpm-ostree/container/#creating-chun...

[2]: https://coreos.github.io/rpm-ostree/build-chunked-oci/

[eliaspro]

grahamc wrote down how to optimize this (within the constraints of max 128 layers supported by OCI) to categorize/prioritize packages by popularity/dependencies which lead to dramatic speed-ups for pulling updates or related images.

https://grahamc.com/blog/nix-and-layered-docker-images/

[yjftsjthsd-h]

Yes, my intended meaning was that if you're doing that or something similar then I totally get having lots of layers because it's useful. Mostly I've only seen it come up with nix, but I can see how bootc would have a similar deal. That said, most container images I've ever seen aren't doing anything that clever and probably should be like... 2-3 layers? (One base layer, one with all your dependencies shoved in, and maybe one on top for the actual application.)

[solatic]

This is Netflix, they have thousands of engineers. So you have two approaches to solve the problem: either write enforced policy-as-code to prevent people from deploying images with too-high layer count (and pray they never need to rollback to an image from before the policy was written), thus incurring political alignment costs around the new policy and forcing non-compliant teams to adapt (which is time not spent on features); or, solve the problem entirely at the infrastructure level.

It's hardly surprising that companies consider infrastructure-level solutions to be better.

[redanddead]

Here’s an even dumber question: why didn’t they make a documentary instead of an article?