1. Analyzing Technical Lag in Docker Images
Work in Progress
Ahmed Zerouali, Tom Mens, Gregorio Robles and Jesus M. Gonzalez-Barahona
The 17th Belgium-Netherlands Software Evolution Workshop
December 10-11, 2018 - Delft
3. /Previous work
- Cox J, et al. Measuring dependency freshness in software systems. International Conference on Software Engineering 2015 (pp. 109-118). IEEE
- Kula RG, et al. Do developers update their library dependencies? Empirical Software Engineering. 2018; 23(1):384-417. Elsevier
- Zerouali A, et al. An empirical analysis of technical lag in npm package dependencies. International Conference on Software Reuse 2018 (pp. 95-110). Springer
4. /What is a Docker container?
“A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.” Docker, Inc.
8. /Method: Focus
* Alpine is a minimal image (8MB in size) based on the security-oriented, lightweight Alpine Linux distribution.
9. /Method: Data Extraction
1) Image identification: 2,253 images out of 12,840 official images (i.e., 17.5%), coming from 42 official repositories.
2) Extracted installed packages: 82,949 package versions.
3) Tracked packages in the package manager: 63,581 package versions (23% of the installed package versions are missing from the package manager data).
10. /Method: Technical lag
Technical lag*: the difference between deployed software packages and the latest available packages.
(*) Gonzalez-Barahona, et al. "Technical Lag in Software Compilations: Measuring How Outdated a Software Deployment Is." IFIP International Conference on Open Source Systems. Springer, 2017.
[Figure: version timeline of one dependency with releases 1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0; the deployed version is 1.2.0, the latest available version is 2.1.0, and the gap between them is the technical lag.]
11. /Method: Technical lag
- Measurement = ?
RQ: How can we quantify technical lag induced by packages in Docker images?
13. /Method: Technical lag
[Figure: the same version timeline (1.0.1, 1.2.0, 2.0.0, 2.0.1, 2.1.0), deployed version 1.2.0, latest available 2.1.0; the three releases after the deployed version are numbered 1, 2, 3.]
- package time lag = date(2.1.0) - date(1.2.0)
- package version lag = 3 versions
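The two measurements from the slide, worked through in code. This is an added example, not the authors' tooling; the release history and dates are constructed to match the figure, and the `image_lag` aggregation over an image's installed packages (with the "not tracked in the package manager" case from slide 9) is an assumed extension of the per-package definition.

```python
"""Technical lag of a deployed package version: version lag and time lag.

Added example (not from the original presentation). The release history
below is constructed to match the slide figure; dates are invented.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed release history for a hypothetical package: (version, release date).
HISTORY: List[Tuple[str, date]] = [
    ("1.0.1", date(2017, 1, 10)),
    ("1.2.0", date(2017, 6, 1)),
    ("2.0.0", date(2017, 11, 15)),
    ("2.0.1", date(2018, 2, 20)),
    ("2.1.0", date(2018, 9, 3)),
]


def _parse(version: str) -> Tuple[int, ...]:
    """Turn '2.0.1' into (2, 0, 1) so versions sort numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))


def technical_lag(deployed: str, history: List[Tuple[str, date]]) -> Optional[Tuple[int, int]]:
    """Return (version_lag, time_lag_days) for `deployed`, or None when the
    deployed version is not in the tracked history (the slides report 23%
    of installed package versions missing from the package manager data)."""
    ordered = sorted(history, key=lambda vd: _parse(vd[0]))
    versions = [v for v, _ in ordered]
    if deployed not in versions:
        return None
    idx = versions.index(deployed)
    _, latest_date = ordered[-1]
    deployed_date = ordered[idx][1]
    version_lag = len(ordered) - 1 - idx           # releases newer than deployed
    time_lag = (latest_date - deployed_date).days  # date(latest) - date(deployed)
    return version_lag, time_lag


def image_lag(installed: Dict[str, str], history_by_pkg: Dict[str, List[Tuple[str, date]]]):
    """Per-package lag for an image's installed packages, plus the number of
    packages whose deployed version could not be matched to tracked data."""
    result, missing = {}, 0
    for pkg, ver in installed.items():
        lag = technical_lag(ver, history_by_pkg.get(pkg, []))
        if lag is None:
            missing += 1
        else:
            result[pkg] = lag
    return result, missing
```

With the constructed dates, `technical_lag("1.2.0", HISTORY)` gives a version lag of 3 and a time lag of 459 days.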
14. /Package level: time lag
- All images have outdated packages.
- Time lag is related to the Alpine version.
16. /Package level
- After one month, the images that were updated had updated only 2.9% of their installed packages.
- Most of the updates happened for openssl, libcrypto1.0 and libssl1.0.
19. /Limitations
- There are other measurements, e.g. repository lag impact.
- We relied only on Alpine packages.
- 23% of the installed package versions are missing from the package manager data.
- We did not consider community Docker images.
21. /Future work
- Study packages coming from different package managers.
- Consider other aspects of technical lag: security, bugs, etc.
- Create models to recommend updates to container deployers.