A talk listing a few of Docker's main shortcomings and some potential, if questionable, remedies, before introducing Alpine Linux, the biggest recent revolution in Docker.
Following that rabbit a bit deeper down its hole, we introduce unikernels: the next big thing in cloud, embedded, big data and scientific computing... well, at least Docker is betting on it too.
3. quick bio
Modelled HP-UX compartments in Prolog for MSc Thesis
(@HP Labs Bristol) in 2006
… then a big IT walkabout …
2013 multi-VM integration tests, LXC led to Docker
active-active HDFS replication: tests and dev using Docker
small in-house Big Data project using Docker and Docker Compose
still frustrated when running 8+ containers on a dev box
5. challenges by Docker: bloat
“Official” Java 8 (openjdk jre) 124 – 243 MB
Official Node.js 5.11 image 82 – 254 MB
Official Ruby 2.3.1 100 – 277 MB
Official MySQL 5.7.12 129 MB
Official Fedora 23 74 MB
Official Debian 37 – 51 MB
Official Ubuntu 44 – 66 MB
Ubuntu + JRE 8 + Apache Storm 1.2 GB
6. challenges by Docker: bloat
Debian official Dockerfile fights bloat:
FROM scratch
ADD rootfs.tar.xz /
CMD ["/bin/bash"]
...sacrificing transparency
same trick for Ubuntu, Fedora/CentOS and openSUSE
7. challenges: quality
size of software vs. effort ...
size of software vs. number of bugs ...
size of software vs. runtime overhead …
… these relationships are NOT linear
Industry (very rough) average: 15 - 50 bugs per 1k SLOC
by Steve McConnell, author of Code Complete
Static code analysis of OSS: ~1 bug per 1k SLOC
YMMV!
11. challenges: security
bigger attack surface
greater complexity
misconfiguration plays big part
N connected Linux boxes are much less secure than N unconnected Linux boxes
very popular open source code dependencies
(e.g. glibc, openssh, skia, ...)
inter image dependencies
14. challenges: complexity
Linux Scheduler: a Decade of Wasted Cores
www.ece.ubc.ca/~sasha/papers/eurosys16-final29.pdf
EuroSys 2016 paper showing that some applications run 2x
to 27x slower due to scheduling mistakes by Linux.
Bug:
Core interconnects are expensive, hence it's not N x N
Some cores appear in more than one scheduling group
Scheduler uses core groups' avg load to steal work
17. challenges: litigation
“Oracle grants you a non-exclusive, non-transferable, limited
license without fees to reproduce and distribute the
Software, provided that (i) you distribute the Software
complete and unmodified and only bundled as part of, and for
the sole purpose of running, your Programs…”
18. remedies?
use Go to build on a 0-byte scratch base image
remove package groups / metapackages and packages
remove directories
buildpack-deps
bring -> act -> remove packages (and their dependencies)
import whole slim file system in one ADD
flatten containers
19. remedy
use Alpine Linux as your base image
container size ~5MB (!!!)
general purpose Linux distribution with 100s of packages
focused on security and reliability
based on musl libc and busybox
creator (Natanael Copa) hired by Docker (Feb 2016)
official Docker images moving to Alpine (from Debian)
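An added example (not from the talk) of the bring -> act -> remove step from the remedies slide applied to an Alpine base; the alpine:3.4 tag, the hypothetical "myapp" sources with a Makefile, and the package names are assumptions.

```dockerfile
# Added example, not from the talk. Assumes a hypothetical C program in
# ./src with a Makefile whose "install" target puts /usr/local/bin/myapp.

# Bloated form: every RUN is its own layer. The compiler and the apk index
# are baked into earlier layers, so the final "apk del" shrinks nothing and
# a toolchain stays in the production image (attack surface, not just bytes).
#
#   FROM alpine:3.4
#   RUN apk update
#   RUN apk add gcc musl-dev make
#   COPY src /usr/src/myapp
#   RUN make -C /usr/src/myapp install
#   RUN apk del gcc musl-dev make

# Slim form: bring, act and remove inside ONE layer.
#   --no-cache   fetch the index on the fly instead of storing it in the image
#   --virtual    group the build packages under one name so they can be
#                removed together with their dependencies
FROM alpine:3.4
COPY src /usr/src/myapp
RUN apk add --no-cache --virtual .build-deps gcc musl-dev make \
    && make -C /usr/src/myapp install \
    && apk del .build-deps \
    && rm -rf /usr/src/myapp
CMD ["/usr/local/bin/myapp"]
```

Compare the two with `docker history` on the built image: in the slim form the single RUN layer contains only what the install target left behind.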
20. remedies: Alpine
… ehm, I lied to you earlier about Docker image sizes
Official Java 8 (openjdk jre) 42 MB
Official Node.js 5.11 n/a
Official Ruby 2.3.1 38 MB
Official MySQL 5.7.12 n/a
21. remedies: general
standard C lib alternatives
http://www.etalabs.net/compare_libcs.html
Java 9 modularity: Project Jigsaw + OSGi
http://openjdk.java.net/projects/jigsaw/
software that sucks less movement
http://suckless.org
23. unikernels
Clive - Go runtime
LING – Erlang runtime (Erlang on Xen)
MirageOS – OCaml based, 100s of libraries
OSv – C, JVM, Node, Ruby runtimes
Rumprun – unmodified POSIX software runtime
runtime.js – JS runtime for the cloud based on V8
ZeroVM (based on Google's NaCl)
24. unikernels
good intro to unikernels philosophy:
The Rise and Fall of the Operating System
http://www.fixup.fi/misc/usenix-login-2015/login_oct15_02_kantee.pdf
26. sudo docker kill dan:talk
cyberstalk me: @digi_noise or www.linkedin.com/in/agiledan
27. extras: complexity
From Stack Overflow (fantastic read – just Bing(TM) it)
Why is processing a sorted array faster than an unsorted array?
Why is one loop slower than two loops?
Why can't GCC see that a*a*a*a*a*a == (a*(a*a))*(a*a*a)?
Why does HTML think “chucknorris” is a color?
Why is printing “B” dramatically slower than printing “#”?
28. extras: complexity
From The Information Superhighway
High CPU use by taskhost.exe when Windows 8.1 username ~ “user”
https://support.microsoft.com/en-us/kb/3053711
The case of the 500-mile email
www.ibiblio.org/harris/500milemail.html
OpenOffice does not print on Tuesdays
https://bugs.launchpad.net/ubuntu/+source/file/+bug/248619