1.
Analyzing Technical Lag in Docker Images
Work in Progress
Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona
The 17th Belgium-Netherlands Software Evolution Workshop, December 10-11, 2018 - Delft
3.
/previous work
- Cox J, et al. Measuring dependency freshness in software systems. International Conference on Software Engineering 2015 (pp. 109-118). IEEE
- Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Elsevier
- Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer
4.
/What is a Docker container?
"A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings." Docker, Inc.
5.
/What is a Docker container?
- Isolation
- Portability
- Reusability
8.
/Method: Focus
(*) Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
9.
/Method: Data Extraction
1) Image identification: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories.
2) Extracted installed packages: 82,949 package versions.
3) Tracked packages in the package manager: 63,581 package versions (23% missing).
10.
/Method: Technical lag
Technical lag*: the difference between deployed software packages and the latest available packages.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017.
[Figure: release timeline of one dependency with available versions 1.0.1, 1.2.0, 2.0.0, 2.0.1 and 2.1.0; the deployed version and the latest available version are marked, and the technical lag is the gap between them.]
11.
/Method: Technical lag
RQ: How can we quantify technical lag induced by packages in Docker images?
- Measurement = ?
12.
/Method: Technical lag
Package level:
- package time lag: time difference.
- package version lag: version difference.
13.
/Method: Technical lag
[Figure: release timeline of one dependency with available versions 1.0.1, 1.2.0, 2.0.0, 2.0.1 and 2.1.0; the deployed version is 1.2.0, the latest available is 2.1.0, and the three newer versions are numbered 1, 2, 3 to show the version lag.]
package time lag = date(2.1.0) - date(1.2.0)
package version lag = 3 versions
14.
/Package level
/time lag
- All images have outdated packages.
- Time lag is related to the Alpine version.
15.
/Package level
/version lag
Last updated images have packages with less version lag.
16.
/Package level
- After one month: updated images updated only 2.9% of their installed packages.
- Most of the updates happened for: openssl, libcrypto1.0, libssl1.0
17.
/Technical lag impact
Image level:
- Image lag impact: number of packages with non-zero technical lag.
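The two package-level measures from slide 13 (time lag as a date difference, version lag as the number of newer releases) and the image-level measure from slide 17 (count of installed packages with non-zero lag), worked through in code. This is an added example, not the authors' own tooling: the release history, dates and the installed package list are constructed, version ordering is done by splitting dotted numeric versions (Alpine package versions carry suffixes that this simple parser does not handle), and packages not found in the release data are counted separately, mirroring the 23% of untracked packages reported on slide 9.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed release histories (hypothetical packages). "libfoo" mirrors the
# five-version timeline drawn in the slides; the dates are invented.
RELEASES: Dict[str, List[Tuple[str, date]]] = {
    "libfoo": [
        ("1.0.1", date(2017, 1, 10)),
        ("1.2.0", date(2017, 6, 1)),
        ("2.0.0", date(2017, 11, 15)),
        ("2.0.1", date(2018, 2, 3)),
        ("2.1.0", date(2018, 9, 20)),
    ],
    "libbar": [
        ("0.9.0", date(2018, 3, 1)),
        ("1.0.0", date(2018, 8, 1)),
    ],
}

# Constructed list of packages installed in one image: name -> deployed version.
# "libbaz" is deliberately absent from RELEASES to represent an untracked package.
IMAGE_PACKAGES: Dict[str, str] = {
    "libfoo": "1.2.0",
    "libbar": "1.0.0",
    "libbaz": "3.1.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Order plain dotted numeric versions (assumption: no suffixes like -r0)."""
    return tuple(int(part) for part in version.split("."))


def package_lag(history: List[Tuple[str, date]], deployed: str) -> Tuple[int, int]:
    """Return (time lag in days, version lag) for one deployed package version.

    time lag    = date(latest available) - date(deployed)
    version lag = number of available versions newer than the deployed one
    """
    ordered = sorted(history, key=lambda rel: parse_version(rel[0]))
    release_date = dict(ordered)
    if deployed not in release_date:
        raise ValueError(f"version {deployed} not in release history")
    _, latest_date = ordered[-1]
    deployed_key = parse_version(deployed)
    newer = [v for v, _ in ordered if parse_version(v) > deployed_key]
    time_lag = (latest_date - release_date[deployed]).days
    return time_lag, len(newer)


def image_lag_impact(packages: Dict[str, str],
                     releases: Dict[str, List[Tuple[str, date]]]) -> Dict[str, int]:
    """Count installed packages whose technical lag is non-zero.

    Packages with no release history are reported as untracked rather than
    silently treated as up to date.
    """
    result = {"lagging": 0, "tracked": 0, "untracked": 0}
    for name, deployed in packages.items():
        if name not in releases:
            result["untracked"] += 1
            continue
        result["tracked"] += 1
        time_lag, version_lag = package_lag(releases[name], deployed)
        if time_lag > 0 or version_lag > 0:
            result["lagging"] += 1
    return result


if __name__ == "__main__":
    for name, deployed in IMAGE_PACKAGES.items():
        if name in RELEASES:
            days, versions = package_lag(RELEASES[name], deployed)
            print(f"{name} {deployed}: time lag {days} days, version lag {versions}")
    print("image lag impact:", image_lag_impact(IMAGE_PACKAGES, RELEASES))
```

Both lags are computed relative to the latest release in the history, so a package whose deployed version is the newest gets a lag of zero on both measures; the image-level count therefore reflects how many packages would change if the image were rebuilt against the current package index.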
18.
/image level
/lag impact
The number of outdated packages in Docker images is increasing over time.
19.
/Limitations
- There are other measurements, e.g. repository lag impact.
- We relied only on Alpine packages.
- 23% of packages are missing.
- We did not consider community Docker images.
20.
/Conclusion
Technical lag can be used to assess the health of Docker images and their repositories.
21.
/Future work
- Study packages coming from different package managers.
- Consider other aspects of technical lag: security, bugs, etc.
- Create models to recommend updates to container deployers.