
Add support for Alpine (apk)

Open cmur2 opened this issue 2 years ago • 8 comments

This PR proposes to add support for analyzing and diffing Alpine Docker images with container-diff (amazing tool!). I want to contribute a differ for apk which is very similar to the Debian apt differ since the database that apk uses (located at /lib/apk/db/installed) is also very similar to that of dpkg, with a line-based key value format.

I also include tests for the new differ in this PR.

Demo of how the feature works:

$ out/container-diff analyze alpine:3.15 --type=apk

-----Apk-----

Packages found in alpine:3.15:
NAME                           VERSION            SIZE
-alpine-baselayout             3.2.0-r18          404K
-alpine-keys                   2.4-r1             156K
-apk-tools                     2.12.7-r3          304K
-busybox                       1.34.1-r3          924K
-ca-certificates-bundle        20191127-r7        228K
-libc-utils                    0.7.2-r3           4K
-libcrypto1.1                  1.1.1l-r7          2.6M
-libretls                      3.3.4-r2           84K
-libssl1.1                     1.1.1l-r7          528K
-musl                          1.2.2-r7           608K
-musl-utils                    1.2.2-r7           140K
-scanelf                       1.3.3-r0           92K
-ssl_client                    1.34.1-r3          28K
-zlib                          1.2.11-r3          108K

$ out/container-diff diff alpine:3.14 alpine:3.15 --type=apk

-----Apk-----

Packages found only in alpine:3.14: None

Packages found only in alpine:3.15: None

Version differences:
PACKAGE                        IMAGE1 (alpine:3.14)        IMAGE2 (alpine:3.15)
-alpine-baselayout             3.2.0-r16, 404K             3.2.0-r18, 404K
-alpine-keys                   2.4-r0, 156K                2.4-r1, 156K
-apk-tools                     2.12.7-r0, 304K             2.12.7-r3, 304K
-busybox                       1.33.1-r6, 928K             1.34.1-r3, 924K
-ca-certificates-bundle        20191127-r5, 228K           20191127-r7, 228K
-libcrypto1.1                  1.1.1l-r0, 2.6M             1.1.1l-r7, 2.6M
-libretls                      3.3.3p1-r2, 84K             3.3.4-r2, 84K
-libssl1.1                     1.1.1l-r0, 528K             1.1.1l-r7, 528K
-musl                          1.2.2-r3, 608K              1.2.2-r7, 608K
-musl-utils                    1.2.2-r3, 144K              1.2.2-r7, 140K
-scanelf                       1.3.2-r0, 92K               1.3.3-r0, 92K
-ssl_client                    1.33.1-r6, 28K              1.34.1-r3, 28K

I use Go 1.17 locally and did run make test integration and received the following output:

Running go tests...
?   	github.com/GoogleContainerTools/container-diff	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/cmd	(cached)
?   	github.com/GoogleContainerTools/container-diff/cmd/util/output	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/differs	0.037s
?   	github.com/GoogleContainerTools/container-diff/hack/release_notes	[no test files]
?   	github.com/GoogleContainerTools/container-diff/pkg/util	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/util	(cached)
?   	github.com/GoogleContainerTools/container-diff/version	[no test files]
Checking gofmt...
Gofmt errors in files: ./tests/integration_test.go
make: *** [Makefile:59: test] Fehler 1

Edit2: With Go 1.16 it works like a charm; it seems to be related to the introduction of https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md in Go 1.17.

Since this PR does not touch tests/integration_test.go I assume it should be fine.

Closes #361

Edit: anyone wanting to get quick access to the Linux amd64 binary can look at https://github.com/cmur2/container-diff/releases/tag/add-alpine-support at their own risk.

cmur2 avatar Jan 07 '22 10:01 cmur2
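
The line-based key/value layout mentioned in the opening post, shown as an added example that is not code from this PR or from container-diff: a minimal Go reader for records in the style of /lib/apk/db/installed. It relies on the one-letter keys P (name), V (version) and I (installed size in bytes); the sample values are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

type Package struct { // the three fields shown in the analyze output
	Name, Version string
	Size          int64 // installed size in bytes, from the I: field
}

// ParseInstalled reads blank-line-separated records of "<key>:<value>" lines.
func ParseInstalled(r io.Reader) (pkgs []Package, err error) {
	var cur Package
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		switch {
		case line == "": // a blank line ends the current record
			if cur.Name != "" {
				pkgs = append(pkgs, cur)
			}
			cur = Package{}
		case len(line) < 2 || line[1] != ':': // image content is untrusted input
			return nil, fmt.Errorf("malformed line %q", line)
		case line[0] == 'P':
			cur.Name = line[2:]
		case line[0] == 'V':
			cur.Version = line[2:]
		case line[0] == 'I':
			if cur.Size, err = strconv.ParseInt(line[2:], 10, 64); err != nil {
				return nil, fmt.Errorf("package %q: bad size: %v", cur.Name, err)
			}
		}
	}
	if cur.Name != "" { // the last record may lack a trailing blank line
		pkgs = append(pkgs, cur)
	}
	return pkgs, sc.Err()
}

func main() { // constructed sample, not real image data
	db := "P:musl\nV:1.2.2-r7\nI:622592\n\nP:zlib\nV:1.2.11-r3\nI:110592\nR:libz.so.1\n"
	fmt.Println(ParseInstalled(strings.NewReader(db)))
}
```

Keys other than P, V and I are skipped, and a line without the `key:` prefix or a non-numeric size is reported as an error rather than silently dropped.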

Could I get a review from any of the codeowners @nkubala @tstromberg 🙏🏼 ?

cmur2 avatar Jan 11 '22 23:01 cmur2

Bump :)

cmur2 avatar Feb 13 '22 22:02 cmur2

Boy would I love Alpine support.

bostrowski13 avatar Mar 10 '22 19:03 bostrowski13

@tequilarista sorry for the cold call but you seem to be able to merge PRs like #376 - would you mind looking at my PR?

cmur2 avatar Apr 20 '22 19:04 cmur2

This feature is good for chainguard-images and other distroless technology built with a declarative system, apko, based on apk.

@nkubala 🏓

We can use this to analyze fs under some new apk installation. @dlorenc @kaniini

mesaglio avatar Aug 30 '23 21:08 mesaglio

@loosebazooka

mesaglio avatar Aug 30 '23 22:08 mesaglio

Yeah no reason this can't be in here. I'll see if someone with alpine experience could help review this. @imjasonh @jonjohnsonjr perhaps?

loosebazooka avatar Aug 31 '23 11:08 loosebazooka

Bump! This would be very handy.

akashagarwal7 avatar Nov 17 '23 00:11 akashagarwal7