Home Linux Containers How To Analyze And Compare Container Images Using Container-diff

How To Analyze And Compare Container Images Using Container-diff

Container-diff - Diff your Docker containers

By sk
Published: Last Updated on 3.5k views

In this tutorial, we are going to learn what is Container-diff, how to install Container-diff in various Linux distributions, and finally how to analyze and compare container images using Container-diff.

Introduction

I've got a good news for those who are building applications on containers.

Picture this scenario. You're a software developer. You're working on an application, on a run time container image which is maintained by someone else.

In the middle of the development, the original creator of the container image releases a new version of that base image with updated system packages.

You download the updated base image and continue rebuilding your application on it. Suddenly, your application stopped working.

You have successfully made it working in the previous image, but your application didn't work in the latest base image.

You're also pretty sure the application worked well on the previous version of system packages in the base image, but you have no idea which one. This is where "Container-diff" comes in help.

What is Container-diff?

Container-diff is an open source tool from Google that helps you to analyze and compare container images hosted in Google cloud platform.

Container-diff, is used to easily track what changes have been made between the two base images, so you can get a better understanding of what has really changed inside the images.

This will save you a lot of time to find the package version incompatibility, and you can decide whether to rebuild the application on latest container image or just stick with the old version until you find a suitable workaround.

It also helps you to easily examine whether your application will work or not on the new builds of a container image.

Container-diff analyzes the following in Container images.

  • Docker Image History,
  • Image file system,
  • Image size,
  • Apt packages,
  • Rpm packages,
  • pip packages,
  • npm packages.

Now, let us see how to install Container-diff and how to use it to compare container images.

Install Container-diff in Linux

I tested Container-diff on an Ubuntu system. However, it should work on Debian and other Ubuntu variants and also other Linux distributions.

First, make sure you have installed Docker. If you haven't installed it already, refer the following link.

Once Docker is installed, install Container-diff on your Linux system using the following commands:

$ curl -LO https://storage.googleapis.com/container-diff/latest/container-diff-linux-amd64
$ sudo install container-diff-linux-amd64 /usr/local/bin/container-diff

Or, if you don't want to use sudo, run:

$ curl -LO https://storage.googleapis.com/container-diff/latest/container-diff-linux-amd64
$ mkdir -p "$HOME/bin" 
$ export PATH="$PATH:$HOME/bin"
$ install container-diff-linux-amd64 $HOME/bin/container-diff

If you're on Arch Linux, you can install Container-diff using the following command:

$ sudo pacman -S container-diff

Analyze Container Images

First, let us analyze a container image, for example Debian 9, which is stored in Google Container Registry.

$ container-diff analyze gcr.io/google-appengine/debian9:latest

Sample output:

Retrieving image gcr.io/google-appengine/debian9:latest from source Cloud Registry
Retrieving analyses

-----Apt-----

Packages found in gcr.io/google-appengine/debian9:latest:
NAME VERSION SIZE
-adduser 3.115 849K
-apt 1.4.8 3.5M
-base-files 9.9 deb9u2 333K
-base-passwd 3.5.43 229K
-bash 4.4-5 5.7M
-bsdutils 1:2.29.2-1 238K
-ca-certificates 20161130 nmu1 468K
-coreutils 8.26-3 14.7M
-dash 0.5.8-2.4 204K
-debconf 1.5.61 558K
-debian-archive-keyring 2017.5 118K
-debianutils 4.8.1.1 213K
-diffutils 1:3.5-3 1.3M
-dpkg 1.18.24 6.6M
-e2fslibs 1.43.4-2 449K
-e2fsprogs 1.43.4-2 3.9M
-findutils 4.6.0 git+20161106-2 1.8M
-gcc-6-base 6.3.0-18 209K
-gpgv 2.1.18-8~deb9u1 721K
-grep 2.27-2 1.1M
-gzip 1.6-5 b1 231K
-hostname 3.18 b1 47K
-init-system-helpers 1.48 131K
-libacl1 2.2.52-3 b1 62K
-libapt-pkg5.0 1.4.8 3M
-libattr1 1:2.4.47-2 b2 42K
-libaudit-common 1:2.6.7-2 30K
-libaudit1 1:2.6.7-2 150K
-libblkid1 2.29.2-1 367K
-libbz2-1.0 1.0.6-8.1 96K
-libc-bin 2.24-11 deb9u1 3.3M
-libc6 2.24-11 deb9u1 10.4M
-libcap-ng0 0.7.7-3 b1 43K
-libcomerr2 1.43.4-2 83K
-libdb5.3 5.3.28-12 deb9u1 1.8M
-libdebconfclient0 0.227 67K
-libfdisk1 2.29.2-1 469K
-libgcc1 1:6.3.0-18 108K
-libgcrypt20 1.7.6-2 deb9u2 1.2M
-libgpg-error0 1.26-2 572K
-liblz4-1 0.0~r131-2 b1 93K
-liblzma5 5.2.2-1.2 b1 339K
-libmount1 2.29.2-1 403K
-libncursesw5 6.0 20161126-1+deb9u1 347K
-libpam-modules 1.1.8-3.6 874K
-libpam-modules-bin 1.1.8-3.6 220K
-libpam-runtime 1.1.8-3.6 1016K
-libpam0g 1.1.8-3.6 229K
-libpcre3 2:8.39-3 668K
-libselinux1 2.6-3 b3 209K
-libsemanage-common 2.6-2 39K
-libsemanage1 2.6-2 291K
-libsepol1 2.6-2 653K
-libsmartcols1 2.29.2-1 257K
-libss2 1.43.4-2 95K
-libssl1.1 1.1.0f-3 deb9u1 3.4M
-libstdc++6 6.3.0-18 2M
-libsystemd0 232-25 deb9u1 652K
-libtinfo5 6.0 20161126-1+deb9u1 478K
-libudev1 232-25 deb9u1 222K
-libustr-1.0-1 1.0.4-6 258K
-libuuid1 2.29.2-1 107K
-login 1:4.4-4.1 2.7M
-lsb-base 9.20161125 49K
-mawk 1.3.3-17 b3 183K
-mount 2.29.2-1 444K
-multiarch-support 2.24-11 deb9u1 220K
-ncurses-base 6.0 20161126-1+deb9u1 340K
-ncurses-bin 6.0 20161126-1+deb9u1 536K
-netbase 5.4 44K
-openssl 1.1.0f-3 deb9u1 1.2M
-passwd 1:4.4-4.1 2.4M
-perl-base 5.24.1-3 deb9u2 7.4M
-sed 4.4-1 799K
-sensible-utils 0.0.9 110K
-sysvinit-utils 2.88dsf-59.9 110K
-tar 1.29b-1.1 2.7M
-tzdata 2017c-0 deb9u1 2.9M
-util-linux 2.29.2-1 3.5M
-zlib1g 1:1.2.8.dfsg-5 156K

As you can see, Container-diff displays the APT analysis with no --type flag specified.

The list of available analyzers are;

  • --type=history [History]
  • --type=file [File System]
  • --type=pip [Pip]
  • --type=apt [Apt]
  • --type=node [Node]

You can run multiple analyzers at once like below.

$ container-diff analyze gcr.io/google-appengine/debian9:latest --type=history --type=apt --type=file

Compare Container images using Container-diff

To compare two Containers images, use the following command:

$ container-diff diff gcr.io/google-appengine/debian9:latest gcr.io/google-appengine/debian9:2017-10-18-191738

Here, I am comparing two container images, the latest Debian 9 build image and a Debian 9 image built on 18th, 10, 2017.

Sample output:

Starting diff on images gcr.io/google-appengine/debian9:latest and gcr.io/google-appengine/debian9:2017-10-18-191738, using differs: [apt]
Retrieving image gcr.io/google-appengine/debian9:2017-10-18-191738 from source Cloud Registry
Retrieving image gcr.io/google-appengine/debian9:latest from source Cloud Registry
Computing diffs

-----Apt-----

Packages found only in gcr.io/google-appengine/debian9:latest: None

Packages found only in gcr.io/google-appengine/debian9:2017-10-18-191738: None

Version differences:
PACKAGE IMAGE1 (gcr.io/google-appengine/debian9:latest) IMAGE2 (gcr.io/google-appengine/debian9:2017-10-18-191738)
-libssl1.1 1.1.0f-3 deb9u1, 3.4M 1.1.0f-3, 3.4M
-openssl 1.1.0f-3 deb9u1, 1.2M 1.1.0f-3, 1.2M
-tzdata 2017c-0 deb9u1, 2.9M 2017b-1, 2.9M

As you can see in the output, there are three packages have been updated in the latest build.

If there are no differences between the two images, you will see an output something like below.

Computing diffs

-----Apt-----

Packages found only in gcr.io/google-appengine/debian9:latest: None

Packages found only in gcr.io/google-appengine/debian9:2017-11-27-220229: None

Version differences: None

Like I already said, by default, with no --type flag specified, container-diff will run Apt package analysis.

We can run multiple analyzers at once as shown below.

$ container-diff diff gcr.io/google-appengine/debian9:latest gcr.io/google-appengine/debian9:2017-10-18-191738 --type=history --type=apt --type=node

Here, I am running three analyzers namely history, apt, and node.

Sample output:

Starting diff on images gcr.io/google-appengine/debian9:latest and gcr.io/google-appengine/debian9:2017-10-18-191738, using differs: [history apt node]
Retrieving image gcr.io/google-appengine/debian9:2017-10-18-191738 from source Cloud Registry
Retrieving image gcr.io/google-appengine/debian9:latest from source Cloud Registry
Computing diffs

-----Apt-----

Packages found only in gcr.io/google-appengine/debian9:latest: None

Packages found only in gcr.io/google-appengine/debian9:2017-10-18-191738: None

Version differences:
PACKAGE IMAGE1 (gcr.io/google-appengine/debian9:latest) IMAGE2 (gcr.io/google-appengine/debian9:2017-10-18-191738)
-libssl1.1 1.1.0f-3 deb9u1, 3.4M 1.1.0f-3, 3.4M
-openssl 1.1.0f-3 deb9u1, 1.2M 1.1.0f-3, 1.2M
-tzdata 2017c-0 deb9u1, 2.9M 2017b-1, 2.9M

-----History-----

Docker history lines found only in gcr.io/google-appengine/debian9:latest: None

Docker history lines found only in gcr.io/google-appengine/debian9:2017-10-18-191738: None

-----Node-----

Packages found only in gcr.io/google-appengine/debian9:latest: None

Packages found only in gcr.io/google-appengine/debian9:2017-10-18-191738: None

Version differences: None

You can also compare locally stored image with the remote image as shown below.

$ container-diff diff daemon://modified_debian:latest remote://gcr.io/google-appengine/debian9:latest

For more details, refer Container-diff official links given below.

Resources:

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More