SlideShare a Scribd company logo

Technical Lag in Docker Containers

Ahmed Zerouali, profile picture
Ahmed Zerouali

This document analyzes technical lag in Docker images by quantifying outdated packages. The researchers extracted package data from 2,253 official Docker images and measured package time lag and version lag compared to latest available versions. They found most images contain outdated packages, with the degree of lag related to the Alpine Linux version used. While some images updated packages over time, overall the number of outdated packages in images increased. Technical lag can help assess image and repository health by identifying outdated dependencies.

Science
1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Analyzing Technical Lag in Docker Images Work in Progress Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona The 17th Belgium-Netherlands Software Evolution Workshop December 10-11, 2018 - Delft
/background
/previous work - Cox J, et al. Measuring dependency freshness in software systems. International Conference Software Engineering 2015 (pp. 109-118). IEEE - Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Elsevier - Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer
“A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.” Docker, inc. /What is a Docker container?
Isolation Portability Reusability /What is a Docker container?
/DockerHub
/DockerHub:node Usage: $ docker pull node:<tag> For example: $ docker pull node:8-jessie $ docker pull node:8-alpine
/Method: Focus * Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
/Method: Data Extraction 1) Image identifications: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories. 2) Extracted installed packages: 82,949 package versions. 3) Tracked packages in the package manager: 63,581 package versions (23% missing)
/Method: Technical lag Technical lag*: the difference between deployed software packages and the latest available packages. (*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017. 1.0.1 1.2.0 2.0.12.0.0 2.1.0 Technical lag Deployed latest Available Dependency
- Measurement = ? /Method: Technical lag RQ: How can we quantify technical lag induced by packages in Docker images?
/Method: Technical lag Package level: package time lag: time difference. package version lag: version difference.
/Method: Technical lag 1.0.1 1.2.0 2.0.12.0.0 2.1.0 Technical lag Deployed latest Available Dependency package time lag = date(2.1.0) - date(1.2.0) package version lag = 3 versions 1 2 3
/Package level /time lag - All images have outdated packages. - Time lag is related to the Alpine version.
/Package level /version lag Last updated images have packages with less version lag.
/Package level - After one month: Updated images, updated only 2.9% of their installed packages. - Most of the updates happened for : openssl, libcrypto1.0, libssl1.0
/Technical lag impact Image level: Image lag impact: number of packages with non-zero technical lag.
/image level /lag impact Number of outdated packages in Docker images is increasing over time.
/Limitations - There are other measurements, e.g. repository lag impact. - We relied only on Alpine packages. - 23% of packages are missed. - We did not consider community Docker images.
/Conclusion Technical lag can be used to assess the health of Docker images and their repositories.
/Future work - Study packages coming from different package managers. - Consider other aspects of technical lag: security, bugs, etc. - Create models to recommend updates to container deployers.
Thank you
More information about how to calculate technical lag when package version make use of constraints (npm) . . . /
/method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag * ^1.0.0 ^2.0.0 ^1.0.0 = [ 1.0.0, 2.0.0 [ allowed
/method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [
/method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag = 0 * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [
/repository lag impact

More Related Content

PPTX
Analyzing Packages in Docker images hosted On DockerHub
Ahmed Zerouali
 
PDF
Technical Lag in Software Ecosystems
Ahmed Zerouali
 
PDF
Evolution of Technical Lag in DockerHub images - Benevol20
Ahmed Zerouali
 
PDF
UniK - a unikernel compiler and runtime
Lee Calcote
 
PDF
Hands on kubernetes_container_orchestration
Amir Hossein Sorouri
 
PPTX
Cigna Innovation Summit
Idit Levine
 
PPTX
Debugging Microservices - QCON 2017
Idit Levine
 
PPT
OpenStack with-docker-team-17
Jaspreet Singh
 
Analyzing Packages in Docker images hosted On DockerHub
Ahmed Zerouali
 
Technical Lag in Software Ecosystems
Ahmed Zerouali
 
Evolution of Technical Lag in DockerHub images - Benevol20
Ahmed Zerouali
 
UniK - a unikernel compiler and runtime
Lee Calcote
 
Hands on kubernetes_container_orchestration
Amir Hossein Sorouri
 
Cigna Innovation Summit
Idit Levine
 
Debugging Microservices - QCON 2017
Idit Levine
 
OpenStack with-docker-team-17
Jaspreet Singh
 

What's hot (6)

PDF
Testing fácil con Docker: Gestiona dependencias y unifica entornos
Micael Gallego
 
PDF
Linux advanced concepts - Part 2
NAILBITER
 
PPTX
Microsoft .Net Technology
vijayakumari kaliannan
 
PPTX
Python programming 2nd
Aishwarya Deshmukh
 
PDF
Compiler.design.in.c.docs
Abid Syed
 
PDF
Embedded Webinar #13: "From Zero to Hero: contribute to Linux Kernel in 15 mi...
GlobalLogic Ukraine
 
Testing fácil con Docker: Gestiona dependencias y unifica entornos
Micael Gallego
 
Linux advanced concepts - Part 2
NAILBITER
 
Microsoft .Net Technology
vijayakumari kaliannan
 
Python programming 2nd
Aishwarya Deshmukh
 
Compiler.design.in.c.docs
Abid Syed
 
Embedded Webinar #13: "From Zero to Hero: contribute to Linux Kernel in 15 mi...
GlobalLogic Ukraine
 
Ad

Similar to Technical Lag in Docker Containers (20)

PDF
A multi-dimensional analysis of technical lag in Debian-based Docker images
Ahmed Zerouali
 
PDF
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 
PPTX
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
PDF
Technical lag in npm and docker ecosystems
Ahmed Zerouali
 
PDF
On the fragility of open source software packaging ecosystems
Tom Mens
 
PDF
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Manideep Konakandla
 
PDF
Container Security: How We Got Here and Where We're Going
Phil Estes
 
PPTX
Docker - BWI Innovation Talk
Timm Heuss
 
PDF
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
PDF
WhitePaper - Implementing a Porting Automation Tool as an Eclipse Plugin
Tyrell Perera
 
PPTX
Docker and stuff
Varun Sharma
 
ODP
Improvements in the OOo Release
Alexandro Colorado
 
PDF
Modern IoT and Embedded Linux Deployment - Berlin
Djalal Harouni
 
PPTX
Building an Ionic hybrid mobile app with TypeScript
Serge van den Oever
 
PDF
DEEP: a user success story
EOSC-hub project
 
PDF
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
PDF
Why you need a private container image registry SCALE 2019
Steve Wong
 
PDF
Unikernels - Bristech June 2016
Daniel Drozdzewski
 
PDF
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
PDF
Rappel 12 facteurs.pdf
Olivier572675
 
A multi-dimensional analysis of technical lag in Debian-based Docker images
Ahmed Zerouali
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
Technical lag in npm and docker ecosystems
Ahmed Zerouali
 
On the fragility of open source software packaging ecosystems
Tom Mens
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Manideep Konakandla
 
Container Security: How We Got Here and Where We're Going
Phil Estes
 
Docker - BWI Innovation Talk
Timm Heuss
 
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
WhitePaper - Implementing a Porting Automation Tool as an Eclipse Plugin
Tyrell Perera
 
Docker and stuff
Varun Sharma
 
Improvements in the OOo Release
Alexandro Colorado
 
Modern IoT and Embedded Linux Deployment - Berlin
Djalal Harouni
 
Building an Ionic hybrid mobile app with TypeScript
Serge van den Oever
 
DEEP: a user success story
EOSC-hub project
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
Why you need a private container image registry SCALE 2019
Steve Wong
 
Unikernels - Bristech June 2016
Daniel Drozdzewski
 
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
Rappel 12 facteurs.pdf
Olivier572675
 
Ad

More from Ahmed Zerouali (10)

PDF
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Ahmed Zerouali
 
PPTX
Analysis And Observations Of The Evolution Of Testing Library Usage
Ahmed Zerouali
 
PPTX
On Popularity and Quality Metrics of npm Packages
Ahmed Zerouali
 
PDF
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
Ahmed Zerouali
 
PDF
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
Ahmed Zerouali
 
PPTX
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
Ahmed Zerouali
 
PPTX
ConPan: A Tool to Analyze Packages in Software Containers
Ahmed Zerouali
 
PPTX
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Ahmed Zerouali
 
PPTX
An Empirical Comparison of the Development History of CloudStack and Eucalyptus
Ahmed Zerouali
 
PPTX
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Ahmed Zerouali
 
Prevalence and Evolution of License Violations in npm and RubyGems Dependency...
Ahmed Zerouali
 
Analysis And Observations Of The Evolution Of Testing Library Usage
Ahmed Zerouali
 
On Popularity and Quality Metrics of npm Packages
Ahmed Zerouali
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
Ahmed Zerouali
 
PhD public defense: A Measurement Framework for Analyzing Technical Lag in ...
Ahmed Zerouali
 
On the Diversity of Software Package Popularity Metrics: An Empirical Study o...
Ahmed Zerouali
 
ConPan: A Tool to Analyze Packages in Software Containers
Ahmed Zerouali
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Ahmed Zerouali
 
An Empirical Comparison of the Development History of CloudStack and Eucalyptus
Ahmed Zerouali
 
Analyzing the Evolution of Testing Library Usage in Open Source Java Projects
Ahmed Zerouali
 

Recently uploaded (20)

PPTX
Fluid dynamics vivavoce presentation of prakash
ssuser9878d0
 
PDF
CHAPTER 3 Cell Structures and Their Functions Lecture Outline.pdf
DaniseNobrera
 
PPTX
Understanding the Circulatory System……..
Sibongokuhle1
 
PDF
Worlds Next Door: A Candidate Giant Planet Imaged in the Habitable Zone of ↵ ...
Sérgio Sacani
 
PDF
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
PPTX
ap-psych-ch-1-introduction-to-psychology-presentation.pptx
sz664
 
PDF
Cosmic Outliers: Low-spin Halos Explain the Abundance, Compactness, and Redsh...
Sérgio Sacani
 
PPTX
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
PDF
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
PPTX
BODY FLUIDS AND CIRCULATION class 11 .pptx
chinmayikalokhe
 
PDF
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
PPTX
Welcome-grrewfefweg-students-of-2024.pptx
rhyshryrochroyeras
 
PPTX
POULTRY PRODUCTION AND MANAGEMENTNNN.pptx
RomnickTanilon
 
PPTX
Hypertension_Training_materials_English_2024[1] (1).pptx
johnsalaoudine
 
PPTX
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
PDF
CHAPTER 2 The Chemical Basis of Life Lecture Outline.pdf
DaniseNobrera
 
PPTX
PMR- PPT.pptx for students and doctors tt
DiyaSajid2
 
PPTX
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
PPTX
Biomechanics of the Hip - Basic Science.pptx
BruhKefale
 
PPTX
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
irishjeancui
 
Fluid dynamics vivavoce presentation of prakash
ssuser9878d0
 
CHAPTER 3 Cell Structures and Their Functions Lecture Outline.pdf
DaniseNobrera
 
Understanding the Circulatory System……..
Sibongokuhle1
 
Worlds Next Door: A Candidate Giant Planet Imaged in the Habitable Zone of ↵ ...
Sérgio Sacani
 
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
ap-psych-ch-1-introduction-to-psychology-presentation.pptx
sz664
 
Cosmic Outliers: Low-spin Halos Explain the Abundance, Compactness, and Redsh...
Sérgio Sacani
 
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
BODY FLUIDS AND CIRCULATION class 11 .pptx
chinmayikalokhe
 
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
Welcome-grrewfefweg-students-of-2024.pptx
rhyshryrochroyeras
 
POULTRY PRODUCTION AND MANAGEMENTNNN.pptx
RomnickTanilon
 
Hypertension_Training_materials_English_2024[1] (1).pptx
johnsalaoudine
 
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
CHAPTER 2 The Chemical Basis of Life Lecture Outline.pdf
DaniseNobrera
 
PMR- PPT.pptx for students and doctors tt
DiyaSajid2
 
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
Biomechanics of the Hip - Basic Science.pptx
BruhKefale
 
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
irishjeancui
 

Technical Lag in Docker Containers

  • 1. Analyzing Technical Lag in Docker Images Work in Progress Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona The 17th Belgium-Netherlands Software Evolution Workshop December 10-11, 2018 - Delft
  • 3. /previous work - Cox J, et al. Measuring dependency freshness in software systems. International Conference Software Engineering 2015 (pp. 109-118). IEEE - Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Elsevier - Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer
  • 4. “A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.” Docker, inc. /What is a Docker container?
  • 7. /DockerHub:node Usage: $ docker pull node:<tag> For example: $ docker pull node:8-jessie $ docker pull node:8-alpine
  • 8. /Method: Focus * Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
  • 9. /Method: Data Extraction 1) Image identifications: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories. 2) Extracted installed packages: 82,949 package versions. 3) Tracked packages in the package manager: 63,581 package versions (23% missing)
  • 10. /Method: Technical lag Technical lag*: the difference between deployed software packages and the latest available packages. (*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017. 1.0.1 1.2.0 2.0.12.0.0 2.1.0 Technical lag Deployed latest Available Dependency
  • 11. - Measurement = ? /Method: Technical lag RQ: How can we quantify technical lag induced by packages in Docker images?
  • 12. /Method: Technical lag Package level: package time lag: time difference. package version lag: version difference.
  • 13. /Method: Technical lag 1.0.1 1.2.0 2.0.12.0.0 2.1.0 Technical lag Deployed latest Available Dependency package time lag = date(2.1.0) - date(1.2.0) package version lag = 3 versions 1 2 3
  • 14. /Package level /time lag - All images have outdated packages. - Time lag is related to the Alpine version.
  • 15. /Package level /version lag Last updated images have packages with less version lag.
  • 16. /Package level - After one month: Updated images, updated only 2.9% of their installed packages. - Most of the updates happened for : openssl, libcrypto1.0, libssl1.0
  • 17. /Technical lag impact Image level: Image lag impact: number of packages with non-zero technical lag.
  • 18. /image level /lag impact Number of outdated packages in Docker images is increasing over time.
  • 19. /Limitations - There are other measurements, e.g. repository lag impact. - We relied only on Alpine packages. - 23% of packages are missed. - We did not consider community Docker images.
  • 20. /Conclusion Technical lag can be used to assess the health of Docker images and their repositories.
  • 21. /Future work - Study packages coming from different package managers. - Consider other aspects of technical lag: security, bugs, etc. - Create models to recommend updates to container deployers.
  • 23. More information about how to calculate technical lag when package version make use of constraints (npm) . . . /
  • 24. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag * ^1.0.0 ^2.0.0 ^1.0.0 = [ 1.0.0, 2.0.0 [ allowed
  • 25. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [
  • 26. /method /technical lag 1.0.1 1.2.0 2.0.1 3.6.0 4.1.04.0.0 5.0.0 2.0.0 2.1.0 npm package: P dependency: D ^1.0.0 Technical lag = 0 * ^1.0.0 ^2.0.0 allowed ^1.0.0 = [ 1.0.0, 2.0.0 [