1. Analyzing Technical Lag in
Docker Images
Work in Progress
Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M.
Gonzalez-Barahona
The 17th Belgium-Netherlands Software Evolution Workshop
December 10-11, 2018 - Delft

2. /background

3. /previous work
- Cox J, et al. Measuring dependency freshness in software systems. International Conference
Software Engineering 2015 (pp. 109-118). IEEE
- Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering.
2018; 23(1):384-417. Elsevier
- Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International
Conference on Software Reuse 2018 (pp. 95-110). Springer

4. “A lightweight, standalone, executable package of software that includes everything
needed to run an application: code, runtime, system tools, system libraries and
settings.” Docker, inc.
/What is a Docker container?

5. Isolation Portability
Reusability
/What is a Docker container?

6. /DockerHub

7. /DockerHub:node
Usage:
$ docker pull node:<tag>
For example:
$ docker pull node:8-jessie
$ docker pull node:8-alpine

8. /Method: Focus
* Alpine is a minimal image (8MB in size) based on the
security-oriented, lightweight Alpine Linux distribution.

9. /Method: Data Extraction
1) Image identifications: 2,253 images out of 12,840
official images (i.e., 17.5%), coming from 42 official repositories.
2) Extracted installed packages: 82,949 package versions.
3) Tracked packages in the package manager: 63,581 package
versions (23% missing)

10. /Method: Technical lag
Technical lag*: the difference between deployed
software packages and the latest available packages.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is."
IFIP International Conference on Open Source Systems. Springer, 2017.
1.0.1 1.2.0 2.0.12.0.0 2.1.0
Technical lag
Deployed
latest
Available
Dependency

11. - Measurement = ?
/Method: Technical lag
RQ: How can we quantify technical lag induced by packages in
Docker images?

12. /Method: Technical lag
Package level:
package time lag: time difference.
package version lag: version difference.

13. /Method: Technical lag
1.0.1 1.2.0 2.0.12.0.0 2.1.0
Technical lag
Deployed
latest
Available
Dependency
package time lag = date(2.1.0) - date(1.2.0)
package version lag = 3 versions
1
2 3

14. /Package level
/time lag
- All images have outdated packages.
- Time lag is related to the Alpine version.

15. /Package level
/version lag
Last updated images have packages with less version lag.

16. /Package level
- After one month: Updated images, updated only 2.9% of their
installed packages.
- Most of the updates happened for : openssl, libcrypto1.0,
libssl1.0

17. /Technical lag impact
Image level:
Image lag impact: number of packages with non-zero
technical lag.

18. /image level
/lag impact
Number of outdated packages in Docker images is increasing over
time.

19. /Limitations
- There are other measurements, e.g. repository lag impact.
- We relied only on Alpine packages.
- 23% of packages are missed.
- We did not consider community Docker images.

20. /Conclusion
Technical lag can be used to assess the health of Docker
images and their repositories.

21. /Future work
- Study packages coming from different package managers.
- Consider other aspects of technical lag: security, bugs, etc.
- Create models to recommend updates to container deployers.

22. Thank you

23. More information about how to calculate technical lag
when package version make use of constraints (npm)
.
.
.
/

24. /method
/technical lag
1.0.1 1.2.0 2.0.1
3.6.0 4.1.04.0.0 5.0.0
2.0.0 2.1.0
npm package: P
dependency: D
^1.0.0
Technical lag
*
^1.0.0 ^2.0.0
^1.0.0 = [ 1.0.0, 2.0.0 [
allowed

25. /method
/technical lag
1.0.1 1.2.0 2.0.1
3.6.0 4.1.04.0.0 5.0.0
2.0.0 2.1.0
npm package: P
dependency: D
^1.0.0
Technical lag
*
^1.0.0 ^2.0.0
allowed
^1.0.0 = [ 1.0.0, 2.0.0 [

26. /method
/technical lag
1.0.1 1.2.0 2.0.1
3.6.0 4.1.04.0.0 5.0.0
2.0.0 2.1.0
npm package: P
dependency: D
^1.0.0
Technical lag = 0
*
^1.0.0 ^2.0.0
allowed
^1.0.0 = [ 1.0.0, 2.0.0 [

27. /repository lag impact