When To Use Alpine, Debian, or CentOS Images: Docker Tutorial
A free video tutorial from Bret Fisher
Docker Captain and DevOps Sysadmin
4.6 instructor rating • 4 courses • 210,621 students
Helping you decide which of the "big three" official images to start with.
Learn more from the full courseDocker for Node.js Projects From a Docker Captain
Build, test, deploy Node for Docker, Kubernetes, Swarm, and ARM with the latest DevOps practices from a container expert
08:13:00 of on-demand video • Updated November 2020
- Optimize your local development setup for NodeJS in Docker
- Operate smoothly in a team of NodeJS developers using Docker and Compose
- Improve the speed and reliability of your Node builds and testing using Docker
- Get the best NodeJS tweaks to use for dev, test, and prod
- Design NodeJS images for use with Kubernetes and Swarm
- Learn about security scanning and locking-down your NodeJS apps
English All right. In the last lecture, we just talked about base images. We mentioned a few things about Alpine, but I wanted to focus this quick lecture just on the decision around whether to go Alpine, or whether to stick with Debian, or whether to consider something else. What factors you may need to consider when you're choosing this base image, especially if you're in an enterprise. Just as a reminder, Alpine is a security-focused, minimal small image, and it has advantages, right. It's 5MB in size, which is much smaller, in comparison, to the others. But, it has very little out-of-the-box, and it's meant just for the minimal situation, right, which ideally means there's less potential risk because there's less things that might have vulnerabilities in them. Here's the thing. Debian, the default image in node, you know, and all official images default to Debian. It's now down to like 100MB. If you just compare the base image sizes before that node images are applied. You know, Debian is around 100MB right now. Ubuntu is around 85MB, I think. Now, these are much smaller than they used to be. Years ago, I remember Ubuntu being 150 to 200MB. So, they have continued to make those images leaner and leaner. Which means that Alpine, which may be previously was used just for the sheer sake of space size, doesn't really matter anymore. I mean, how many of us really have to concern ourselves with an extra 100MB on a server? Now, if you're dealing with IoT or edge devices where maybe they're like Raspberry Pi's with SD cards in them, maybe 100MB here and there really matters. But usually on my production servers, if they're in the cloud, they've got 10 and 20GB space out-of-the-box. Even if I have multiple versions of Node running, I'm really only talking about what the default images like Debian, for example, I would maybe have 300 or 400MB max of space used. If I had 3 or 4 different Node versions all running concurrently, and those Node versions maybe have different Debian underneath them so they can't reuse the same base image layers, right. When you consider about your production deployments, not a huge factor, right. I mean obviously, Alpine is still an advantage here, but I don't look at my service and think, man I really need to go redesign all my images to save myself 200 or 300MB on a server, right. Alpine is not without its own issues. It's a great, secure option, but it is not infallible, right. It does have its own security vulnerabilities, just like all open source and all software. It is also something that is different than the default, so that means there will be some exceptions. In 2018, I know that nodemon, in particular, had an issue with proper restarting of Node on just Alpine base images. So, it was a very specific problem that went on for maybe weeks or months around nodemon. There are cases where Alpine could be a disadvantage. The last, little thing about Alpine that I want to mention that was actually brought to my attention a few months ago with a blog article that I will link to in the resources, is that those of us that are security focused in production are using something called a CVE scanner, or a common vulnerability scanner, in our images when we're maybe doing CI automation where we're building our images. There is a YouTube link in the resources of this lecture where I talk a little bit more about that on YouTube. Go check that out if you're interested in image scanning. That's not necessarily the focus of this course, but I do want to bring to your attention that the current Alpine base images don't work well with those scanners. It's due to an issue with the fact that basically Alpine doesn't link a translation database of sorts where all of its files talk correctly to the engines that scan for vulnerabilities. Anyway, go check out that YouTube video on that. It's very interesting because it turns out that other ones, like Debian, Ubuntu, CentOS, they work much better with these vulnerability scanners than Alpine even though Alpine is a more secure focused Linux. And you know, Alpine is great. I'm not really throwing shade on Alpine in particular, but it is something you should concern yourself with if you're making a decision thinking that Alpine is better in security for all things. This may change, however, if Alpine updates their feature set to include this translation database and work better with the scanners. I'm sure that's going to happen at some point. It just may be something farther down their road map. So, check in with Alpine to see how it does with these scanners somewhere after this video is recorded. This video is recorded early 2019 so things could change, right. On occasion, though, I do get questions from my students around what about CentOS, right. Because there is no CentOS version of the node images from the official repository. How would you go about if your company needed an enterprise focused Linux like Ubuntu, or CentOS, or something else. Red Hat for example. So, that's a common thing. Like I said in the last lecture, we don't all need to be going this route or building out custom bespoke images from our own base layers. But, it turns out that you don't have to build node directly. You could just download and have the node binaries on any base image, whether it's Ubuntu or CentOS or something else. It's not that hard to do. So, let's take a look at how quickly we can do that in an assignment coming up next.