Menu
In Docker 1.13 the new --squash parameter was added.
I'm now hoping to reduce the size of my images as well as being able to "hide" secret files I have in my layers.
Below you can now see the difference from doing a build with and without the --squash parameter.
Without Squash
With Squash
Now to my question.
If I add a secret file in my first layer, then use the secret file in my second layer, and the finally remove my secret file in the third layer, and then build with the --squash flag.
Will there be any way now to get the secret file?
894
Used Docker Squash to reduce the size of the final image. This is effective if your image has multiple layers created using RUN clause. The Squash attempts to create a single layer out of all the layers and thus reduced the overall size. I did get the size down up to ~12% for a few images.
Docker allocates a read-write filesystem to the container, as its final layer. This allows a running container to create or modify files and directories in its local filesystem. Docker creates a network interface to connect the container to the default network, since you did not specify any networking options.
docker images are compressed by default. you will notice when running docker pull , where it will download the needed images\layers and then extract\decompress them. there is no need for you to compress the files within your docker images.
If I add a secret file in my first layer, then use the secret file in my second layer, and the finally remove my secret file in the third layer, and then build with the --squash flag.
Will there be any way now to get the secret file?
Answer: Your image won't have the secret file.
How --squash works:
Once the build is complete, Docker creates a new image loading the diffs from each layer into a single new layer and references all the parent's layers.
In other words: when squashing, Docker will take all the filesystem layers produced by a build and collapse them into a single new layer.
This can simplify the process of creating minimal container images, but may result in slightly higher overhead when images are moved around (because squashed layers can no longer be shared between images). Docker still caches individual layers to make subsequent builds fast.
Please note this feature squashes all the newly built layers into a single layer, it is not squashing to scratch.
Side notes:
Docker 1.13 also has support for compressing the build context that is sent from CLI to daemon using the --compress flag. This will speed up builds done on remote daemons by reducing the amount of data sent.
Please note as of Docker 1.13 this feature is experimental.
177
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
