This article covers some internals of image layering created by container image builder Jib and explore what distroless images are and their benefits.
Are you are wondering what Jib is, actually?. You probably should read my previous article before going ahead.
Jib is an excellent tool for Java developers who are interested in containerizing Java applications but not so interested in creating and maintaining Dockerfile or installing Docker.
A Java developer can add a plugin to Maven or Gradle, and that's it. You don't have to learn new technology just to containerize your Java application.
Now let's talk about some internals.
Jib intelligently divides your images into the following layers for more granular incremental builds.
- Snapshot dependencies
- All other dependencies Each extra directory (jib.extraDirectories in Gradle, in Maven) builds to its own layer
When you do any code changes, only your changes are rebuilt, not your entire application. Which means Jib only pushes the layer which is changed and the rest of the layers remain the same.
For example, in the following demo, only a class file was changed and Jib pushed only the compiled class layer. Later on, we could see that during the docker pull only the changed layer was extracted.
Furthermore to dig deeper, now we will use the simple spring boot application that was used in the previous article. The source code is available here. We will run maven in debug mode to understand these layers. However, In the following logs, you will see only dependencies, resources, and classes as separate layers since we don't have other dependencies.
You can inspect images created by Jib using the Dive tool. As you can see on RHS, we have exploded directory structure for classes, resources and dependencies in the following path and their size is very minimal.
Rest of the contents are of your base image.
Dive also tells you if you are wasting any space and if you are then you can discover ways to shrink the size of your Docker/OCI image. However, in our case, no space is wasted :).!
You can view the content of an image with a docker history command as well. Let's see what it looks like.
Google defines distroless images as the following:
Distroless images are lightweight base images as they contain only dependencies required to run your application. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
Furthermore, the layers created by Jib are created on top of a distroless base image. Jib by default uses distroless Java 8 image but you have the option to choose an image of your choice.
- Fewer vulnerabilities to patch
- Better security
- Built with minimum dependencies
Since there are no package managers installed and you cannot do ssh to your container running with distroless base image makes them hard for debugging. In an ideal world, you would add better logging then you know enable shell access for your containers. But there are ways with which you can add shell support and debug your application.
In this article, we have covered some internals about Jib .i.e. image layering which makes it fast. We have also covered distroless images with their benefits and pitfalls like debugging.
You can also read some of my previous articles