Dive: A tool for exploring a Docker image, layer contents and more (opens in new tab)

(github.com)

464 pointstomas7892y ago61 comments

61 comments

59 comments · 18 top-level

miquong2y ago· 15 in thread

For image and layer manipulation, crane is awesome - as is the underlying go-containerregistry library.

It lets you add new layers, or edit any metadata (env vars, labels, entrypoint, etc) in existing images. You can also "flatten" an image with multiple layers into a single layer. Additionally you can "rebase" an image (re-apply your changes onto a new/updated base image). It does all this directly in the registry, so no docker needed (though it's still useful for creating the original image).

https://github.com/google/go-containerregistry/blob/main/cmd...

(updated: better link)

lyxell2y ago

This is a great recommendation. It is worth noting that unlike Docker, crane is root- and daemonless which makes it work great in Nix (it's called 'crane' in the Nix repository). This allows for Nix to be used to manage dependencies for both building (e.g. Go) as well as packaging and deploying (e.g. gnu tar, crane).

pbowyer2y ago

Is there any performance benefit to having fewer layers? My understanding is that there's no gain by merging layers as the size of the image remains constant.

apt-get2y ago

There are some useful cases — for example, if you're taking a rather bloated image as a base and trimming it down with `rm` commands, those will be saved as differential layers, which will not reduce the size of the final image in the slightest. Only merging will actually "register" these deletions.

fishpen02y ago

Less performance and more security. Lots of ameteur images use a secret file or inadvertently store a secret to a layer without realizing an rm or other process in another layer doesn't actually eliminate it. If the final step of your build squashes the filesystem flat again you can remove a lot of potentially exposed metadata and secrets stored in intermediate layers

miquong2y ago

Eventually, once zstd support gets fully supported, and tiny gzip compression windows are not a limitation, then compressing a full layer would almost certainly have a better ratio over several smaller layers

https://github.com/opencontainers/image-spec/issues/803

pbowyer2y ago

Is it coming? That ticket doesn't fill me with hope, given its age and the disagreements over backwards compatibility.

yrro2y ago

If you've got a 50 layer image then each time you open a file, I believe the kernel has to look for that file in all 50 layers before it can fail with ENOENT.

cmckn2y ago

It depends on your OCI engine; but this isn’t the case with containers. Each layer is successively “unpacked” upon a “snapshot”, from which containers are created.

1 more reply

naikrovek2y ago

That seems ripe for optimization, if true, especially since those layers are all immutable.

1 more reply

dayjaby2y ago

One simple case where the resulting image is bigger than necessary:

``` COPY ./package.deb /tmp/package.deb

RUN dpkg -i /tmp/*.deb && rm -rf /tmp/*.deb ```

This results in two layers, with one layer containing a huge file, thus being part of the final image if you don't do multi-stage builds.

momothereal2y ago

I'm working on a tool that does the opposite: to split layers into smaller, deterministic deltas.

mcpherrinm2y ago

If files are overwritten or removed in a lower layer, there can be size savings from that.

natebc2y ago

some startup performance savings in fewer http requests to fetch the image. small for sure but it's something?

electroly2y ago

In practice I've found the performance savings often goes the other way--for large (multi-GB) images it's faster to split it up into more layers that it can download in parallel from the registry. It won't parallelize the download of a single layer and in EC2+ECR you won't get particularly good throughput with a single layer.

whirlwin2y ago

Depends. If you would have to fetch a big layer often because of updates, that's not good. But if what is changing frequently is in a smaller layer, it will be more favorable

maxloh2y ago· 13 in thread

A dumb question: Why are most of the container/infrastructure tools written in GoLang?

Examples that come to my mind include Docker, Podman, nerdctl, Terraform and Kubernetes.

Is there any obvious advantage that GoLang offers, making it so popular for building these tools?

bombela2y ago

I think I can answer for Docker. The first prototype was written in Python, the company was a Python shop. The main reason for a rewrite in Go was to ride the popularity of Go that was growing at the time (2012).

source: I was there.

mardifoufs2y ago

In hindsight, docker is probably much better off with Go, considering the use case. And I say that as someone who loves python and isn't too much into go!

baby_souffle2y ago

> In hindsight, docker is probably much better off with Go, considering the use case. And I say that as someone who loves python and isn't too much into go!

Same. I use docker to escape the versioning hell that is modern python.

When you're trying to build a tool, the more self-contained the better.

Yasuraka2y ago

Easiest language to (cross-)compile and distribute, stellar productivity to performance ratio, native (uncolored) concurrency, great networking capabilities in the stdlib. Imagine if you will Docker and Kubernetes written in any of the other popular languages.

wavemode2y ago

I would argue system tools and utilities, CLIs and networking software are where Go shines the most.

Rust is probably the only good modern alternative that is mature.

rochak2y ago

I have a question for big companies building software in Rust. How are they able to find the talent? Unlike most other common languages, it is magnitudes more difficult to ramp up entry level new hires in Rust for the simple reason that Rust requires more than normal understanding of Computer Science. Is it just the C++ devs that wanna transition or have already transitioned to Rust that those companies can recruit?

steveklabnik2y ago

> How are they able to find the talent? Unlike most other common languages, it is magnitudes more difficult to ramp up entry level new hires in Rust

They have not found this to be true.

https://news.ycombinator.com/item?id=38869786

fishpen02y ago

Kubernetes specifically is in go because google invented go and also invented Kubernetes. Their internal teams have a lot of go engineers due to the whole inventing it thing

pjmlp2y ago

Kubernetes is in Go, because a couple of Go advocates joined the team and pushed for a Go rewrite.

It was originally written in Java.

In fact, most Go users are outside Google, internally it is all about Java, Kotlin, Dart, C++ and Python, and now Rust as well.

Kubernetes, gVisor and Android GPU debugger are probably the only major internal projects in Go.

dmlittle2y ago

I believe the original Kubernetes proof of concept was written in Java

quickthrower22y ago

I think k8s came from Borg though which is pre-Go

jacurtis2y ago

K8s was a generational iteration of Borg, but it was a full re-write with an emphasis on making it more universally usable and pluggable.

> We've incorporated the best ideas from Borg in Kubernetes, and have tried to address some pain points that users identified with Borg over the years.

Borg was written in C++, but only contained container scheduling, resource allocation and some service discovery. Many other features of what is now Kubernetes were built later and essentially "shimmed" onto Borg.

Kubernetes was a re-write of Borg to rebuild many of its original features from the ground up using the lessons they had learned since originally building Borg. By this time, Go had been developed and was being actively used for many of these shims and supporting services surrounding Borg. Since the same team(s) were rebuilding Borg that had developed and maintained these other services, and because many of these shims and supporting services (which are already in Go) were being incorporated into Kubernetes, they decided to build the new version (which became Kubernetes) in Go.

Sources:

- https://kubernetes.io/blog/2015/04/borg-predecessor-to-kuber...

- https://storage.googleapis.com/gweb-research2023-media/pubto...

arccy2y ago

when you run containers, you want to care as little about the underlying system as possible, and go makes it easy to be in its own little world.

plus ecosystem effects of you can just use the packages of a different implementation for part of your code.

tornadofart2y ago· 5 in thread

What exactly is meant by a layer?

iCarrot2y ago

It is a Docker's term: https://docs.docker.com/build/guide/layers/

tornadofart2y ago

Thanks.

manojlds2y ago

Docker images have layers. Sort of like snapshots.

gilnaa2y ago

Like an onion

jake_morrison2y ago

Like ogres

runfaster20002y ago· 4 in thread

Dive is great. Tools like that are critical for both learning and developing confidence on what you are precisely building/shipping.

Dredge is another tool to look at. I use it for diffing layers.

https://github.com/mthalman/dredge/blob/main/docs/commands/i...

geek_at2y ago

It really does sound amazing. Would have needed this when you guys (hn) and reddit helped me figure out what a rogue Raspberry Pi was doing in our server closet

https://blog.haschek.at/2019/the-curious-case-of-the-RasPi-i...

WirelessGigabit2y ago

2019! Can you post an update?

8organicbits2y ago

(edit) See https://news.ycombinator.com/item?id=29965250

thunderbong2y ago

That's an awesome article!

TechIsCool2y ago· 1 in thread

I love dive and its something that I use in my tool kit multiple times a month.

I am curious if anyone knows how to get the contents of the file you have highlighted, a lot of the times I use dive to validate that a file exists in a layer and then I want to peak at it. Currently I normally revert to running the container and using cat or extracting the contents and then wandering into the folders.

a_t482y ago

You can use rsync with some magic to get at the files, but it's not much removed from using cat.

diazc2y ago· 1 in thread

There’s other great TUI terminal tools like dive here [0], lazydocker and dry come to mind.

And some in the docker category as well:

[0] https://terminaltrove.com/

pricci2y ago

Lazydocker has a similar, although simpler, funtionality.

Edit: just checked and it allows to see the layers, but only shows the commands of each one

sureglymop2y ago· 1 in thread

There's a tool from google called container-diff that's also really useful!

I use it to see what random scripts one is encouraged to pipe into bash would do to a system.

roastedfunction2y ago

This is less related to general container utilities but I’m an avid user of GoogleContainerTools/container-structure-test. It’s a handy way to run integration tests on container apps or images.

These Google open source projects seem to be in need of some TLC as a lot of the original maintainers have moved on, which is a shame. I try to throw a PR their way and close out the odd issue when I can. The testing tool in particular is invaluable to keep my sanity with a large amount of base images I have to maintain internally.

vbezhenar2y ago· 1 in thread

What's the reason docker uses tar archives instead of ordinary directories for layer contents? This tool is great but it fixes something that should not exist in the first place.

cachvico2y ago

So images are serialized and able to be transmitted over a network.

When an image is used (or "run"), it becomes a container, which makes it behave (to the client) like ordinary files & directories.

notatoad2y ago

I found dive super useful for understanding how docker images work, and how to write efficient dockerfiles. Reading the docs is one thing, but making a change to the dockerfile and then seeing how it has affected the resulting layer structure is what really made me get it.

indrora2y ago

Dive has saved my ass so many times it's not funny when trying to pull apart what various common docker containers do when I'm extending them.

A+ software.

kylegalbraith2y ago

Dive is an amazing tool in the container/Docker space. It makes life so much easier to debug what is actually in your container. When we were first getting started with Depot [0], we often got asked how to reduce image size as well as make builds faster. So we wrote up a quick blog post that shows how to use Dive to help with that problem [1]. It might be a bit dated now, but in case it helps a future person.

Dive also inspired us to make it easier to surface what is actually in your build context, on every build. So we shipped that as a feature in Depot a few weeks back.

[0] https://depot.dev

[1] https://depot.dev/blog/reducing-image-size-with-dive

[2] https://depot.dev/blog/build-context

eris_agx2y ago

Other than being super useful, Dive has an underrated feature: its author is a great developer and very fun to work with.

tonymet2y ago

Dive is a gem. It's helped me find a lot of cruft ...

- unneeded build dependencies. Used a scratch image and/or removed build deps in the same step - node_modules for dev-deps . Used prod - Embeded Chromium builds (with puppetteer). Removed chromium and remoted an external build

Docker desktop now has this feature built in, but I've been using dive for years to find wasted space & potential security issues.

oooyay2y ago

Dive is incredible, it saved my butt numerous times and taught me a lot about layers. It's so good that Docker Desktop emulated its functionality.

radus2y ago

Great tool, I use it with this alias:

  alias dive='docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock wagoodman/dive'

(as suggested in project the README)

animeshjain2y ago

I used dive when I was trying to cut down on the size of the image. Diffing and seeing what files/directories go into each layer was very useful.

a_t482y ago

Dive is great. It struggles a bit with very very large images but beyond that no real complaints.

greenie_beans2y ago

this helped me debug a docker thing recently, very handy tool!

j / k navigate · click thread line to collapse

61 comments

59 comments · 18 top-level

miquong2y ago· 15 in thread

For image and layer manipulation, crane is awesome - as is the underlying go-containerregistry library.

https://github.com/google/go-containerregistry/blob/main/cmd...

(updated: better link)

lyxell2y ago

pbowyer2y ago

Is there any performance benefit to having fewer layers? My understanding is that there's no gain by merging layers as the size of the image remains constant.

apt-get2y ago

fishpen02y ago

miquong2y ago

https://github.com/opencontainers/image-spec/issues/803

pbowyer2y ago

Is it coming? That ticket doesn't fill me with hope, given its age and the disagreements over backwards compatibility.

yrro2y ago

If you've got a 50 layer image then each time you open a file, I believe the kernel has to look for that file in all 50 layers before it can fail with ENOENT.

cmckn2y ago

It depends on your OCI engine; but this isn’t the case with containers. Each layer is successively “unpacked” upon a “snapshot”, from which containers are created.

1 more reply

naikrovek2y ago

That seems ripe for optimization, if true, especially since those layers are all immutable.

1 more reply

dayjaby2y ago

One simple case where the resulting image is bigger than necessary:

``` COPY ./package.deb /tmp/package.deb

RUN dpkg -i /tmp/*.deb && rm -rf /tmp/*.deb ```

This results in two layers, with one layer containing a huge file, thus being part of the final image if you don't do multi-stage builds.

momothereal2y ago

I'm working on a tool that does the opposite: to split layers into smaller, deterministic deltas.

mcpherrinm2y ago

If files are overwritten or removed in a lower layer, there can be size savings from that.

natebc2y ago

some startup performance savings in fewer http requests to fetch the image. small for sure but it's something?

electroly2y ago

whirlwin2y ago

Depends. If you would have to fetch a big layer often because of updates, that's not good. But if what is changing frequently is in a smaller layer, it will be more favorable

maxloh2y ago· 13 in thread

A dumb question: Why are most of the container/infrastructure tools written in GoLang?

Examples that come to my mind include Docker, Podman, nerdctl, Terraform and Kubernetes.

Is there any obvious advantage that GoLang offers, making it so popular for building these tools?

bombela2y ago

source: I was there.

mardifoufs2y ago

In hindsight, docker is probably much better off with Go, considering the use case. And I say that as someone who loves python and isn't too much into go!

baby_souffle2y ago

> In hindsight, docker is probably much better off with Go, considering the use case. And I say that as someone who loves python and isn't too much into go!

Same. I use docker to escape the versioning hell that is modern python.

When you're trying to build a tool, the more self-contained the better.

Yasuraka2y ago

wavemode2y ago

I would argue system tools and utilities, CLIs and networking software are where Go shines the most.

Rust is probably the only good modern alternative that is mature.

rochak2y ago

steveklabnik2y ago

> How are they able to find the talent? Unlike most other common languages, it is magnitudes more difficult to ramp up entry level new hires in Rust

They have not found this to be true.

https://news.ycombinator.com/item?id=38869786

fishpen02y ago

Kubernetes specifically is in go because google invented go and also invented Kubernetes. Their internal teams have a lot of go engineers due to the whole inventing it thing

pjmlp2y ago

Kubernetes is in Go, because a couple of Go advocates joined the team and pushed for a Go rewrite.

It was originally written in Java.

In fact, most Go users are outside Google, internally it is all about Java, Kotlin, Dart, C++ and Python, and now Rust as well.

Kubernetes, gVisor and Android GPU debugger are probably the only major internal projects in Go.

dmlittle2y ago

I believe the original Kubernetes proof of concept was written in Java

quickthrower22y ago

I think k8s came from Borg though which is pre-Go

jacurtis2y ago

K8s was a generational iteration of Borg, but it was a full re-write with an emphasis on making it more universally usable and pluggable.

> We've incorporated the best ideas from Borg in Kubernetes, and have tried to address some pain points that users identified with Borg over the years.

Sources:

- https://kubernetes.io/blog/2015/04/borg-predecessor-to-kuber...

- https://storage.googleapis.com/gweb-research2023-media/pubto...

arccy2y ago

when you run containers, you want to care as little about the underlying system as possible, and go makes it easy to be in its own little world.

plus ecosystem effects of you can just use the packages of a different implementation for part of your code.

tornadofart2y ago· 5 in thread

What exactly is meant by a layer?

iCarrot2y ago

It is a Docker's term: https://docs.docker.com/build/guide/layers/

tornadofart2y ago

Thanks.

manojlds2y ago

Docker images have layers. Sort of like snapshots.

gilnaa2y ago

Like an onion

jake_morrison2y ago

Like ogres

runfaster20002y ago· 4 in thread

Dive is great. Tools like that are critical for both learning and developing confidence on what you are precisely building/shipping.

Dredge is another tool to look at. I use it for diffing layers.

https://github.com/mthalman/dredge/blob/main/docs/commands/i...

geek_at2y ago

It really does sound amazing. Would have needed this when you guys (hn) and reddit helped me figure out what a rogue Raspberry Pi was doing in our server closet

https://blog.haschek.at/2019/the-curious-case-of-the-RasPi-i...

WirelessGigabit2y ago

2019! Can you post an update?

8organicbits2y ago

(edit) See https://news.ycombinator.com/item?id=29965250

thunderbong2y ago

That's an awesome article!

TechIsCool2y ago· 1 in thread

I love dive and its something that I use in my tool kit multiple times a month.

a_t482y ago

You can use rsync with some magic to get at the files, but it's not much removed from using cat.

diazc2y ago· 1 in thread

There’s other great TUI terminal tools like dive here [0], lazydocker and dry come to mind.

And some in the docker category as well:

[0] https://terminaltrove.com/

pricci2y ago

Lazydocker has a similar, although simpler, funtionality.

Edit: just checked and it allows to see the layers, but only shows the commands of each one

sureglymop2y ago· 1 in thread

There's a tool from google called container-diff that's also really useful!

I use it to see what random scripts one is encouraged to pipe into bash would do to a system.

roastedfunction2y ago

This is less related to general container utilities but I’m an avid user of GoogleContainerTools/container-structure-test. It’s a handy way to run integration tests on container apps or images.

vbezhenar2y ago· 1 in thread

What's the reason docker uses tar archives instead of ordinary directories for layer contents? This tool is great but it fixes something that should not exist in the first place.

cachvico2y ago

So images are serialized and able to be transmitted over a network.

When an image is used (or "run"), it becomes a container, which makes it behave (to the client) like ordinary files & directories.

notatoad2y ago

indrora2y ago

Dive has saved my ass so many times it's not funny when trying to pull apart what various common docker containers do when I'm extending them.

A+ software.

kylegalbraith2y ago

Dive also inspired us to make it easier to surface what is actually in your build context, on every build. So we shipped that as a feature in Depot a few weeks back.

[0] https://depot.dev

[1] https://depot.dev/blog/reducing-image-size-with-dive

[2] https://depot.dev/blog/build-context

eris_agx2y ago

Other than being super useful, Dive has an underrated feature: its author is a great developer and very fun to work with.

tonymet2y ago

Dive is a gem. It's helped me find a lot of cruft ...

Docker desktop now has this feature built in, but I've been using dive for years to find wasted space & potential security issues.

oooyay2y ago

Dive is incredible, it saved my butt numerous times and taught me a lot about layers. It's so good that Docker Desktop emulated its functionality.

radus2y ago

Great tool, I use it with this alias:

  alias dive='docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock wagoodman/dive'

(as suggested in project the README)

animeshjain2y ago

I used dive when I was trying to cut down on the size of the image. Diffing and seeing what files/directories go into each layer was very useful.

a_t482y ago

Dive is great. It struggles a bit with very very large images but beyond that no real complaints.

greenie_beans2y ago

this helped me debug a docker thing recently, very handy tool!

j / k navigate · click thread line to collapse