
Technical Lag in Docker Containers

This presentation was given in Benevol 2018 in Delft


  1. Analyzing Technical Lag in Docker Images (Work in Progress). Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona. The 17th Belgium-Netherlands Software Evolution Workshop, December 10-11, 2018, Delft.
  2. /background
  3. /previous work
     - Cox J, et al. Measuring dependency freshness in software systems. International Conference on Software Engineering 2015 (pp. 109-118). IEEE.
     - Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Elsevier.
     - Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer.
  4. /What is a Docker container? "A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings." (Docker, Inc.)
  5. /What is a Docker container? Isolation, portability, reusability.
  6. /DockerHub
  7. /DockerHub: node. Usage: $ docker pull node:<tag>. For example: $ docker pull node:8-jessie, $ docker pull node:8-alpine
  8. /Method: Focus. Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
  9. /Method: Data extraction. 1) Image identification: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories. 2) Extracted installed packages: 82,949 package versions. 3) Tracked packages in the package manager: 63,581 package versions (23% missing).
  10. /Method: Technical lag. Technical lag*: the difference between deployed software packages and the latest available packages. (*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017. (Figure: version timeline of a dependency, 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0, with the technical lag marked between the deployed version and the latest available one.)
  11. /Method: Technical lag. RQ: How can we quantify technical lag induced by packages in Docker images? Measurement = ?
  12. /Method: Technical lag. Package level: package time lag: time difference; package version lag: version difference.
  13. /Method: Technical lag. (Figure: same version timeline, deployed version 1.2.0, latest available 2.1.0.) package time lag = date(2.1.0) - date(1.2.0); package version lag = 3 versions.
  14. /Package level /time lag. All images have outdated packages. Time lag is related to the Alpine version.
  15. /Package level /version lag. Last updated images have packages with less version lag.
  16. /Package level. After one month, updated images updated only 2.9% of their installed packages. Most of the updates happened for openssl, libcrypto1.0, libssl1.0.
  17. /Technical lag impact. Image level: image lag impact: number of packages with non-zero technical lag.
  18. /image level /lag impact. The number of outdated packages in Docker images is increasing over time.
  19. /Limitations. There are other measurements, e.g. repository lag impact. We relied only on Alpine packages. 23% of packages are missed. We did not consider community Docker images.
  20. /Conclusion. Technical lag can be used to assess the health of Docker images and their repositories.
  21. /Future work. Study packages coming from different package managers. Consider other aspects of technical lag: security, bugs, etc. Create models to recommend updates to container deployers.
  22. Thank you
  23. More information about how to calculate technical lag when package versions make use of constraints (npm) . . . /
  24. /method /technical lag (npm). npm package P, dependency D with constraint ^1.0.0; ^1.0.0 = [1.0.0, 2.0.0[ allowed. (Figure: version timeline of D: 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0, 3.6.0, 4.0.0, 4.1.0, 5.0.0; constraints ^1.0.0 and ^2.0.0 marked; Technical lag *.)
  25. /method /technical lag (npm). Same timeline; allowed range for ^1.0.0 = [1.0.0, 2.0.0[ highlighted.
  26. /method /technical lag (npm). Same timeline; Technical lag = 0 for the case shown; ^1.0.0 = [1.0.0, 2.0.0[ allowed.
  27. /repository lag impact
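The following Python script is an added example, not part of the slides or of the authors' tooling. It implements the package-level measures defined on slides 12 and 13 (package time lag as a date difference, package version lag as a count of newer releases), the image-level lag impact of slide 17 (number of installed packages with non-zero lag), and the npm caret-range resolution used on slides 24-26 (^1.0.0 = [1.0.0, 2.0.0[). All package names, release dates and the installed-package list are constructed for the example; the version timelines reuse the version numbers shown on the slides. The slides do not spell out which reference point the constraint-aware npm lag uses, so the script only resolves the allowed range and counts newer allowed versions, and leaves that choice to the reader.

```python
"""Technical lag measures for a container image, as defined on the slides.
Added example; every package name, date and installed version is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'2.0.1' -> (2, 0, 1); tuples compare in semver order."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


@dataclass(frozen=True)
class Release:
    version: str
    released: date


def package_lag(deployed: str, releases: List[Release]) -> Tuple[int, int]:
    """Slide 13: package time lag = date(latest) - date(deployed), in days;
    package version lag = number of releases newer than the deployed one."""
    deployed_v = parse_version(deployed)
    deployed_rel = next(r for r in releases
                        if parse_version(r.version) == deployed_v)
    newer = sorted((r for r in releases if parse_version(r.version) > deployed_v),
                   key=lambda r: parse_version(r.version))
    if not newer:
        return 0, 0
    latest = newer[-1]  # highest version number, the "latest available"
    return (latest.released - deployed_rel.released).days, len(newer)


def image_lag_impact(installed: Dict[str, str],
                     index: Dict[str, List[Release]]) -> int:
    """Slide 17: number of installed packages with non-zero technical lag."""
    return sum(1 for pkg, ver in installed.items()
               if package_lag(ver, index[pkg]) != (0, 0))


def caret_range(constraint: str) -> Tuple[Version, Version]:
    """npm caret constraint -> half-open range [lo, hi[, e.g. ^1.0.0 = [1.0.0, 2.0.0[.
    For 0.x versions the caret pins the first non-zero component (standard npm rule)."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled here")
    lo = parse_version(constraint[1:])
    if lo[0] > 0:
        hi: Version = (lo[0] + 1, 0, 0)
    elif lo[1] > 0:
        hi = (0, lo[1] + 1, 0)
    else:
        hi = (0, 0, lo[2] + 1)
    return lo, hi


def highest_allowed(constraint: str, versions: List[str]) -> str:
    """Highest published version that satisfies the constraint."""
    lo, hi = caret_range(constraint)
    allowed = [v for v in versions if lo <= parse_version(v) < hi]
    if not allowed:
        raise ValueError(f"no published version satisfies {constraint}")
    return max(allowed, key=parse_version)


def allowed_version_lag(deployed: str, constraint: str, versions: List[str]) -> int:
    """Version lag counted only over releases the constraint still permits
    (one possible reading of the constrained case; an assumption, not the slides')."""
    lo, hi = caret_range(constraint)
    deployed_v = parse_version(deployed)
    return sum(1 for v in versions
               if lo <= parse_version(v) < hi and parse_version(v) > deployed_v)


# Constructed release history reusing the version timeline of slides 10 and 13.
RELEASES: Dict[str, List[Release]] = {
    "example-libssl": [
        Release("1.0.1", date(2017, 1, 10)),
        Release("1.2.0", date(2017, 3, 1)),
        Release("2.0.0", date(2017, 6, 15)),
        Release("2.0.1", date(2017, 7, 1)),
        Release("2.1.0", date(2017, 9, 30)),
    ],
    "example-musl": [Release("1.1.19", date(2018, 2, 10))],
}
# Constructed package list of one image: libssl is three versions behind, musl is current.
IMAGE_PACKAGES: Dict[str, str] = {"example-libssl": "1.2.0", "example-musl": "1.1.19"}
# Version timeline of dependency D from slides 24-26.
NPM_VERSIONS: List[str] = ["1.0.1", "1.2.0", "2.0.0", "2.0.1", "2.1.0",
                           "3.6.0", "4.0.0", "4.1.0", "5.0.0"]

if __name__ == "__main__":
    print("libssl lag (days, versions):", package_lag("1.2.0", RELEASES["example-libssl"]))
    print("image lag impact:", image_lag_impact(IMAGE_PACKAGES, RELEASES))
    print("^1.0.0 resolves to:", highest_allowed("^1.0.0", NPM_VERSIONS))
```

With the constructed dates, the deployed 1.2.0 of example-libssl is 213 days and 3 versions behind 2.1.0, matching the "3 versions" of slide 13, and the image lag impact is 1 because only one of the two installed packages is outdated. For the npm timeline, ^1.0.0 resolves to 1.2.0 and ^2.0.0 to 2.1.0, which is the [1.0.0, 2.0.0[ range the slides draw; in a real measurement the release dates come from the package manager's index (apk for Alpine, the npm registry for npm) rather than from a hand-written table.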
