Technical Lag in Docker Containers

Ahmed Zerouali, Postdoc Researcher
Analyzing Technical Lag in Docker Images
Work in Progress
Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona
The 17th Belgium-Netherlands Software Evolution Workshop
December 10-11, 2018 - Delft
/background
/previous work
- Cox J, et al. Measuring dependency freshness in software systems. International Conference on Software Engineering 2015 (pp. 109-118). IEEE
- Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Springer
- Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer
“A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.” Docker, Inc.
/What is a Docker container?
Isolation, Portability, Reusability
/DockerHub
/DockerHub:node
Usage:
$ docker pull node:<tag>
For example:
$ docker pull node:8-jessie
$ docker pull node:8-alpine
/Method: Focus
* Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
/Method: Data Extraction
1) Image identification: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories.
2) Extracted installed packages: 82,949 package versions.
3) Packages tracked in the package manager: 63,581 package versions (23% missing).
/Method: Technical lag
Technical lag*: the difference between deployed software packages and the latest available packages.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017.
[Figure: timeline of a dependency's versions 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0, with the deployed version marked against the latest available version; the gap between them is labelled "Technical lag"]
- Measurement = ?
/Method: Technical lag
RQ: How can we quantify the technical lag induced by packages in Docker images?
/Method: Technical lag
Package level:
package time lag: time difference.
package version lag: version difference.
/Method: Technical lag
[Figure: the same dependency timeline (1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0), with 1.2.0 deployed and 2.1.0 the latest available version]
package time lag = date(2.1.0) - date(1.2.0)
package version lag = 3 versions (2.0.0, 2.0.1 and 2.1.0 were released after 1.2.0)
/Package level
/time lag
- All images have outdated packages.
- Time lag is related to the Alpine version.
/Package level
/version lag
Recently updated images have packages with lower version lag.
/Package level
- After one month, the images that were updated had refreshed only 2.9% of their installed packages.
- Most of those updates were to openssl, libcrypto1.0 and libssl1.0.
/Technical lag impact
Image level:
Image lag impact: number of installed packages with non-zero technical lag.
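An added example (not from the slides or the authors' tooling) that computes the two package-level metrics defined above and the image-level lag impact over constructed release histories; the package names, the versions other than the slides' 1.x/2.x sequence, and all dates are made up.

```python
from datetime import date

# Constructed release histories (dates are made up) for three hypothetical
# Alpine-style packages. "libssl" reuses the version sequence drawn on the
# slides: 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0. Real apk versions carry suffixes
# such as "-r2"; compare those with apk's own ordering rather than this parser.
HISTORIES = {
    "libssl": {
        "1.0.1": date(2018, 1, 10),
        "1.2.0": date(2018, 3, 5),
        "2.0.0": date(2018, 6, 1),
        "2.0.1": date(2018, 6, 20),
        "2.1.0": date(2018, 9, 15),
    },
    "musl": {
        "1.1.18": date(2017, 11, 1),
        "1.1.19": date(2018, 2, 20),
        "1.1.20": date(2018, 9, 1),
    },
    "busybox": {
        "1.28.4": date(2018, 5, 15),
        "1.29.3": date(2018, 9, 10),
    },
}

# Constructed package list of one image, as it would be extracted from its layers.
IMAGE_PACKAGES = {"libssl": "1.2.0", "musl": "1.1.20", "busybox": "1.28.4"}


def version_key(v):
    """Order plain dotted versions numerically (so 1.1.20 sorts after 1.1.3)."""
    return tuple(int(part) for part in v.split("."))


def ordered_versions(history):
    return sorted(history, key=version_key)


def package_version_lag(history, deployed):
    """Number of releases published after the deployed one (3 for libssl 1.2.0)."""
    versions = ordered_versions(history)
    return len(versions) - 1 - versions.index(deployed)


def package_time_lag(history, deployed):
    """Days between the release dates of the latest and the deployed version."""
    latest = ordered_versions(history)[-1]
    return (history[latest] - history[deployed]).days


def image_lag_impact(image_packages, histories):
    """Image-level metric from the slides: count of installed packages whose
    technical lag is non-zero."""
    return sum(
        1
        for name, deployed in image_packages.items()
        if package_version_lag(histories[name], deployed) > 0
    )


def lag_report(image_packages=IMAGE_PACKAGES, histories=HISTORIES):
    """Per-package (version lag, time lag in days) for an image."""
    return {
        name: (package_version_lag(histories[name], v), package_time_lag(histories[name], v))
        for name, v in image_packages.items()
    }


if __name__ == "__main__":
    for name, (vlag, tlag) in lag_report().items():
        print(f"{name:8s} version lag={vlag} time lag={tlag} days")
    print("image lag impact:", image_lag_impact(IMAGE_PACKAGES, HISTORIES))
```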
/image level
/lag impact
The number of outdated packages in Docker images is increasing over time.
/Limitations
- There are other measurements, e.g. repository lag impact.
- We relied only on Alpine packages.
- 23% of the extracted package versions could not be tracked in the package manager.
- We did not consider community Docker images.
/Conclusion
Technical lag can be used to assess the health of Docker images and their repositories.
/Future work
- Study packages coming from different package managers.
- Consider other aspects of technical lag: security, bugs, etc.
- Create models to recommend updates to container deployers.
Thank you
More information about how to calculate technical lag when package versions make use of constraints (npm):
/method
/technical lag
[Figure, built up over three successive slides: versions of npm package P (3.6.0, 4.0.0, 4.1.0, 5.0.0) and of its dependency D (1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0); P's versions declare the dependency on D with the constraints ^1.0.0 and ^2.0.0, where ^1.0.0 = [1.0.0, 2.0.0[ is the allowed range; the final slide shows Technical lag = 0]
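An added example (not the authors' code) of the constraint-aware case sketched above: it resolves npm caret ranges over D's release list from the figure and splits the version lag into the part that re-resolving the constraint would fix and the part the constraint itself induces; that split is this example's own framing, and the release list is the only input taken from the slides.

```python
# Constructed data reproducing the slides' figure: dependency D's releases,
# oldest first. P's versions declare either ^1.0.0 or ^2.0.0 on D.
D_VERSIONS = ["1.0.1", "1.2.0", "2.0.0", "2.0.1", "2.1.0"]


def parse(v):
    return tuple(int(part) for part in v.split("."))


def caret_range(spec):
    """npm caret semantics: ^1.0.0 = [1.0.0, 2.0.0[, ^0.2.3 = [0.2.3, 0.3.0[,
    ^0.0.3 = [0.0.3, 0.0.4[. Returns (inclusive lower, exclusive upper)."""
    if not spec.startswith("^"):
        raise ValueError("only caret constraints are handled in this example")
    major, minor, patch = parse(spec[1:])
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return (major, minor, patch), upper


def satisfies(v, spec):
    lower, upper = caret_range(spec)
    return lower <= parse(v) < upper


def highest_allowed(versions, spec):
    """Newest release of D inside the constraint (what a fresh npm install picks)."""
    allowed = [v for v in sorted(versions, key=parse) if satisfies(v, spec)]
    if not allowed:
        raise ValueError(f"no release satisfies {spec}")
    return allowed[-1]


def constraint_lag(versions, spec, installed):
    """Version lag of the installed release, split into
    (lag fixable by re-resolving within the constraint,
     lag induced by the constraint relative to the absolute latest release)."""
    if not satisfies(installed, spec):
        raise ValueError(f"{installed} does not satisfy {spec}")
    ordered = sorted(versions, key=parse)
    newest_allowed = highest_allowed(versions, spec)
    within = ordered.index(newest_allowed) - ordered.index(installed)
    induced = len(ordered) - 1 - ordered.index(newest_allowed)
    return within, induced


if __name__ == "__main__":
    for spec, installed in [("^1.0.0", "1.0.1"), ("^1.0.0", "1.2.0"), ("^2.0.0", "2.1.0")]:
        print(spec, installed, "->", constraint_lag(D_VERSIONS, spec, installed))
```

With ^1.0.0 the newest allowed release is 1.2.0, so an install at 1.2.0 has zero lag within the constraint but still trails the latest release by three versions; only the ^2.0.0 constraint brings the total lag to zero.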
/repository lag impact