Re: Docker tutorial

To: Borden <borden_c@tutanota.com>
Cc: Debian User <debian-user@lists.debian.org>, Paul Tagliamonte <paultag@debian.org>
Subject: Re: Docker tutorial
From: Tianon Gravi <tianon@debian.org>
Date: Tue, 1 Jul 2025 01:29:48 -0700
Message-id: <[🔎] CAHnKnK1_h1cbXdjn+VYKpuz95xLqFxay2WBwdkKDNu04McKRQQ@mail.gmail.com>
In-reply-to: <OTxx-9y--F-9@tutanota.com>
References: <OTxx-9y--F-9@tutanota.com>

On Sun, 29 Jun 2025 at 19:39, Borden <borden_c@tutanota.com> wrote:
> In general, https://wiki.debian.org/Docker warns that, for the images at https://hub.docker.com/_/debian,  "you may not trust their maintainer on having done the right thing for you."  That sounds awfully  like a security warning. Yet Tianon and Paul Tagliamonte maintain those repos, so they should be perfectly safe and reliable, no?

Oof, this was definitely extremely outdated; the way the images are
built has changed dramatically since that note was added more than ten
years ago, so I've just removed that entire paragraph now. 🙇

> If I understand Geert's advice, the official Docker images use debuerreotype⁠, so your link to the GitHub repo would, in theory, allow me to roll my own containers virtually identical to the official images. As not to duplicate effort, I may just link the wiki/Docker page to GitHub.

Yeah, the whole goal of debuerreotype is that you could recreate not
just virtually identical images, but exactly identical images.  If
that's something you want to do and you're not able to do so
successfully, I'd consider that a bug and would welcome a filing with
details so I can investigate and fix it. ❤

> Tying in John's commentary, it appears mkimage.sh got moved out of docker.io. In fairness, I had no way of knowing that mkimage.sh referred to the mkimage package and not some custom script in docker.io. Based on the official images, debuerreotype⁠ would be the "recommended way" to build an image over mkimage.sh, right?

Whoops, that's actually technically my bad:
https://github.com/moby/moby/pull/41440
(see also https://bugs.debian.org/969940#22)

As noted in that upstream PR, those scripts were long-since
unmaintained and really shouldn't be used.

If you'd like to create your own images, I'd suggest debootstrap,
mmdebstrap, or debuerreotype (depending on what you're trying to
accomplish by creating your own and what your goals are).  If you want
to reproduce the images maintained at https://hub.docker.com/_/debian
by paultag and I, debuerreotype is designed for that, but if you just
need minimal images of a modern release, mmdebstrap is probably the
best bet.

As a consequence of this, I'm not sure
https://wiki.debian.org/Cloud/CreateDockerImage provides any value
anymore over the content that already exists at
https://wiki.debian.org/Docker, save for *maybe* that initial
paragraph, and I'd honestly consider deleting it entirely but I'm not
sure what the consequences of that might be, so deleting most of the
content is probably a safer first pass?

> I just want to make sure my foundations are correct before I start breaking things.

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

(please feel free to keep me in explicit CC - I'm not subscribed to
"debian-user" but I'm happy to discuss this further 👍)

Reply to:

Follow-Ups:
- Re: Docker tutorial
  - From: "Jonathan Dowland" <jmtd@debian.org>

Prev by Date: Re: more problems with su and sudo
Next by Date: Re: Docker tutorial
Previous by thread: Re: more problems with su and sudo
Next by thread: Re: Docker tutorial
Index(es):
- Date
- Thread