Debian Image Docker



The official Python image for Docker is quite popular, and in fact I recommend one of its variations as a base image. But many people don’t quite understand what it does, which can lead to confusion and brokenness.

  1. Most Docker images are available on Docker Hub. It is a cloud-based registry service which among other functionalities is used for keeping the Docker images either in a public or private repository. To search for an image from the Docker Hub registry, use the docker search command. For example, to search for a Debian image, you would type.
  2. Docker containers are built from Docker images. By default, Docker pulls these images from Docker Hub, a Docker registry managed by Docker, the company behind the Docker project. Anyone can host their Docker images on Docker Hub, so most applications and Linux distributions you’ll need will have images hosted there.
  3. This page attempts to document how to create a Debian image for Docker. Docker.com provide Debian images they describe as 'semi-official'. They are built from stock Debian (for details on how the root filesystem is made in a fairly secure way, read about Debuerreotype). The modifications and image are maintained by paultag@ and tianon@.

In this post I will therefore go over how it’s constructed, why it’s useful, how to use it correctly, as well as its limitations. In particular, I’ll be reading through the python:3.8-slim-buster variant, as of August 19, 2020, and explaining it as I go along.

Reading the Dockerfile

It is a minimalist, Debian-based Docker image built using debootstrap. It sits at 50 MB, giving you standard glibc and access to standard Debian packages. It also has a convenience script to.

The base image

We start with the base image:

That is, the base image is Debian GNU/Linux 10, the current stable release of the Debian distribution, also known as Buster because Debian names all their releases after characters from Toy Story. In case you’re wondering, Buster is Andy’s pet dog.

So to begin with, this is a Linux distribution that guarantees stability over time, while providing bug fixes. The slim variant has fewer packages installed, so no compilers for example.

Environment variables

Next, some environment variables. The first makes sure /usr/local/bin is early in the $PATH:

Basically, the Python image works by installing Python into /usr/local, so this ensures the executables it installs are the default ones used.

Next, the locale is set:

As far as I can tell modern Python 3 will default to UTF-8 even without this, so I’m not sure it’s necessary these days.

There’s also an environment variable that tells you the current Python version:

And an environment variable with a GPG key, used to verify the Python source code when it’s downloaded.

Runtime dependencies

In order to run, Python needs some additional packages:

The first, ca-certificates, is the list of standard certificate authorities’ certificates, comparable to what your browser uses to validate https:// URLs. This allows Python, wget, and other tools to validate certificates provided by servers.

The second, netbase, installs a few files in /etc that are needed to map certain names to corresponding ports or protocols. For example, /etc/services maps service names like https to corresponding port numbers, in this case 443/tcp.

Installing Python

Next, a compiler toolchain is installed, Python source code is downloaded, Python is compiled, and then the unneeded Debian packages are uninstalled:

There’s a lot in there, but the basic outcome is:

  1. Python is installed into /usr/local.
  2. All .pyc files are deleted.
  3. The packages—gcc and so on—needed to compile Python are removed once they are no longer needed.

Because this all happens in a single RUN command, the image does not end up storing the compiler in any of its layers, keeping it smaller.

One thing you might notice is that Python requires libbluetooth-dev to compile. I found this surprising, so I asked, and apparently Python can create Bluetooth sockets, but only if compiled with this package installed.

Setting up aliases

Next, /usr/local/bin/python3 gets an alias /usr/local/bin/python, so you can call it either way:

Installing pip

The pip package download tool has its own release schedule, distinct from Python’s. For example, this Dockerfile is installing Python 3.8.5, released in July 2020. pip 20.2.2 was released in August, after that, but the Dockerfile makes sure to include that newer pip:

Again, all .pyc files are deleted.

The entrypoint

Finally, the Dockerfile specifies the entrypoint:

By using CMD with an empty ENTRYPOINT, you get python by default when you run the image:

But you can also specify other executables if you want:

What have we learned?

Again, focusing specifically on the slim-buster variant, here are some takeaways.

The python official image includes Python

While this point may seem obvious, it’s worth noticing how it’s included: it’s a custom install in /usr/local.

A common mistake for people using this base image is to install Python again, by using Debian’s version of Python:

That installs an additional Python install in /usr, rather than /usr/local, and it will typically be a different version of Python. You probably don’t want two different versions of Python in the same image; mostly it just leads to confusion.

If you really want to use the Debian version of Python, use debian:buster-slim as the base image instead.

The python official image includes the latest pip

For example, the last release of Python 3.5 was in November 2019, but the Docker image for python:3.5-slim-buster includes pip from August 2020. This is (usually) a good thing: it means you get the latest bug fixes, performance improvements, and support for newer wheel variants.

The python official image deletes all .pyc files

If you want to speed up startup very slightly, you may wish to compile the standard library source code to .pyc in your own image with the compileall module.

The python official image does not install Debian security updates

While the base debian:buster-slim and python images do get regenerated often, there are windows where a new Debian security fix has been released, but the images have not been regenerated. You should install security updates to the base Linux distribution.
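
A heuristic check for the two Dockerfile problems described above (a second, Debian-packaged Python on top of the official image, and no Debian security upgrade step), as an added example that is not from the original post or the Docker project. The function names are hypothetical and the regular expressions are a heuristic, not a full Dockerfile parser.

```shell
#!/bin/sh
# Added example: heuristic lint for a Dockerfile built on the official python image.
# Function names are hypothetical; the regexes are a heuristic, not a parser.

# Join backslash-continued lines so each instruction sits on one line.
join_instructions() {
    awk '{ if (sub(/\\[ \t]*$/, "")) printf "%s ", $0; else print }' "$1"
}

# Print space-separated findings (empty output means neither problem was seen).
lint_python_dockerfile() {
    insns=$(join_instructions "$1")
    runs=$(printf '%s\n' "$insns" | grep -Ei '^[[:space:]]*RUN[[:space:]]' || true)
    findings=""

    # The advice only applies when the base is the official python image.
    if ! printf '%s\n' "$insns" | grep -Eiq '^[[:space:]]*FROM[[:space:]]+python:'; then
        echo "not-python-base"
        return 0
    fi

    # Debian's python3 (or a python3-* package that depends on it) lands in /usr,
    # next to the image's own interpreter in /usr/local.
    if printf '%s\n' "$runs" |
        grep -Eq 'apt(-get)?[[:space:]].*install.*[[:space:]]python3(-[a-z0-9.+-]+)?([[:space:]]|$)'; then
        findings="$findings second-python"
    fi

    # Without an apt upgrade step the image keeps whatever Debian packages the
    # base had when it was last regenerated.
    if ! printf '%s\n' "$runs" | grep -Eq 'apt(-get)?[[:space:]].*upgrade'; then
        findings="$findings no-security-upgrade"
    fi

    echo "${findings# }"
}
```

Run it in CI as `lint_python_dockerfile Dockerfile` and fail the build when the output is non-empty.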

To get started with Docker Engine on Debian, make sure you meet the prerequisites, then install Docker.

Prerequisites

OS requirements

To install Docker Engine, you need the 64-bit version of one of these Debian or Raspbian versions:

  • Debian Buster 10 (stable)
  • Debian Stretch 9 / Raspbian Stretch

Docker Engine is supported on x86_64 (or amd64), armhf, and arm64 architectures.

Uninstall old versions

Older versions of Docker were called docker, docker.io, or docker-engine. If these are installed, uninstall them:

It’s OK if apt-get reports that none of these packages are installed.

The contents of /var/lib/docker/, including images, containers, volumes, and networks, are preserved. The Docker Engine package is now called docker-ce.

Installation methods

You can install Docker Engine in different ways, depending on your needs:

  • Most users set up Docker’s repositories and install from them, for ease of installation and upgrade tasks. This is the recommended approach, except for Raspbian.

  • Some users download the DEB package and install it manually and manage upgrades completely manually. This is useful in situations such as installing Docker on air-gapped systems with no access to the internet.

  • In testing and development environments, some users choose to use automated convenience scripts to install Docker. This is currently the only approach for Raspbian.

Install using the repository

Before you install Docker Engine for the first time on a new host machine, you need to set up the Docker repository. Afterward, you can install and update Docker from the repository.

Raspbian users cannot use this method!

For Raspbian, installing using the repository is not yet supported. You must instead use the convenience script.

Set up the repository

  1. Update the apt package index and install packages to allow apt to use a repository over HTTPS:

  2. Add Docker’s official GPG key:

  3. Use the following command to set up the stable repository. To add the nightly or test repository, add the word nightly or test (or both) after the word stable in the commands below. Learn about nightly and test channels.

    Note: The lsb_release -cs sub-command below returns the name of your Debian distribution, such as helium. Sometimes, in a distribution like BunsenLabs Linux, you might need to change $(lsb_release -cs) to your parent Debian distribution. For example, if you are using BunsenLabs Linux Helium, you could use stretch. Docker does not offer any guarantees on untested and unsupported Debian distributions.

Install Docker Engine

This procedure works for Debian on x86_64 / amd64, armhf, arm64, and Raspbian.

  1. Update the apt package index, and install the latest version of Docker Engine and containerd, or go to the next step to install a specific version:

    Got multiple Docker repositories?

    If you have multiple Docker repositories enabled, installing or updating without specifying a version in the apt-get install or apt-get update command always installs the highest possible version, which may not be appropriate for your stability needs.

  2. To install a specific version of Docker Engine, list the available versions in the repo, then select and install:

    a. List the versions available in your repo:

    b. Install a specific version using the version string from the second column, for example, 5:18.09.1~3-0~debian-stretch.

  3. Verify that Docker Engine is installed correctly by running the hello-world image.

    This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

Docker Engine is installed and running. The docker group is created but no users are added to it. You need to use sudo to run Docker commands. Continue to Linux postinstall to allow non-privileged users to run Docker commands and for other optional configuration steps.

Upgrade Docker Engine

To upgrade Docker Engine, first run sudo apt-get update, then follow the installation instructions, choosing the new version you want to install.

Install from a package

If you cannot use Docker’s repository to install Docker Engine, you can download the .deb file for your release and install it manually. You need to download a new file each time you want to upgrade Docker.

  1. Go to https://download.docker.com/linux/debian/dists/, choose your Debian version, then browse to pool/stable/, choose amd64, armhf, or arm64, and download the .deb file for the Docker Engine version you want to install.

    Note: To install a nightly or test (pre-release) package, change the word stable in the above URL to nightly or test. Learn about nightly and test channels.

  2. Install Docker Engine, changing the path below to the path where you downloaded the Docker package.

    The Docker daemon starts automatically.

  3. Verify that Docker Engine is installed correctly by running the hello-world image.

    This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

Docker Engine is installed and running. The docker group is created but no users are added to it. You need to use sudo to run Docker commands. Continue to Post-installation steps for Linux to allow non-privileged users to run Docker commands and for other optional configuration steps.

Upgrade Docker Engine

To upgrade Docker Engine, download the newer package file and repeat the installation procedure, pointing to the new file.

Install using the convenience script

Docker provides convenience scripts at get.docker.com and test.docker.com for installing edge and testing versions of Docker Engine - Community into development environments quickly and non-interactively. The source code for the scripts is in the docker-install repository. Using these scripts is not recommended for production environments, and you should understand the potential risks before you use them:

  • The scripts require root or sudo privileges to run. Therefore, you should carefully examine and audit the scripts before running them.
  • The scripts attempt to detect your Linux distribution and version and configure your package management system for you. In addition, the scripts do not allow you to customize any installation parameters. This may lead to an unsupported configuration, either from Docker’s point of view or from your own organization’s guidelines and standards.
  • The scripts install all dependencies and recommendations of the package manager without asking for confirmation. This may install a large number of packages, depending on the current configuration of your host machine.
  • The script does not provide options to specify which version of Docker to install, and installs the latest version that is released in the “edge” channel.
  • Do not use the convenience script if Docker has already been installed on the host machine using another mechanism.

This example uses the script at get.docker.com to install the latest release of Docker Engine - Community on Linux. To install the latest testing version, use test.docker.com instead. In each of the commands below, replace each occurrence of get with test.

Warning:

Always examine scripts downloaded from the internet before running them locally.
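
One way to make that review stick, as an added example that is not part of the Docker documentation: save the script to a file, read it, record its SHA-256, and only ever execute a copy whose digest matches the reviewed one. The function names and the file name get-docker.sh are assumptions, and sha256sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: run an installer script only if it is byte-identical to the
# copy that was reviewed. Function names are hypothetical.

# Print the hex SHA-256 digest of a file.
script_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Return 0 only when the file exists and matches the digest recorded at review.
script_is_reviewed() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    [ "$(script_sha256 "$file")" = "$expected" ]
}

# Execute the script with sh, or refuse when it differs from the reviewed copy.
run_reviewed() {
    if script_is_reviewed "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest differs from the reviewed copy" >&2
        return 1
    fi
}

# Typical use (not executed here):
#   curl -fsSL https://get.docker.com -o get-docker.sh   # save, do not pipe to sh
#   less get-docker.sh                                   # read what will run as root
#   script_sha256 get-docker.sh > get-docker.sh.sha256   # record the reviewed digest
#   run_reviewed get-docker.sh "$(cat get-docker.sh.sha256)"
```

Because the digest is taken from the file on disk, a script that changes upstream between review and execution, or between hosts, is rejected instead of being run with root privileges.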

If you would like to use Docker as a non-root user, you should now consider adding your user to the “docker” group with something like:

Remember to log out and back in for this to take effect!

Warning:

Adding a user to the “docker” group grants them the ability to run containers which can be used to obtain root privileges on the Docker host. Refer to Docker Daemon Attack Surface for more information.
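
Since membership of that group is equivalent to root on the host, it is worth auditing who holds it. The following is an added example, not part of the Docker documentation; docker_group_users is a hypothetical helper that reads local group and passwd files, and it also reports accounts whose primary group is docker, which the group's member list does not show.

```shell
#!/bin/sh
# Added example: list accounts that reach the Docker daemon through the
# "docker" group. docker_group_users is a hypothetical helper; it reads local
# group(5)/passwd(5) files, so for LDAP or other NSS sources pass it files
# produced with `getent group` and `getent passwd`.

docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}

    # group line format: name:password:GID:member1,member2
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0      # no docker group, nothing to report

    {
        # Supplementary members listed in the fourth field of the group line.
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the docker GID never appear in that
        # member list, but have the same access to the daemon socket.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}
```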

Docker Engine - Community is installed. It starts automatically on DEB-based distributions. On RPM-based distributions, you need to start it manually using the appropriate systemctl or service command. As the message indicates, non-root users can’t run Docker commands by default.

Note:

To install Docker without root privileges, see Run the Docker daemon as a non-root user (Rootless mode).

Upgrade Docker after using the convenience script

If you installed Docker using the convenience script, you should upgrade Docker using your package manager directly. There is no advantage to re-running the convenience script, and it can cause issues if it attempts to re-add repositories which have already been added to the host machine.

Uninstall Docker Engine

  1. Uninstall the Docker Engine, CLI, and Containerd packages:

  2. Images, containers, volumes, or customized configuration files on your host are not automatically removed. To delete all images, containers, and volumes:

You must delete any edited configuration files manually.

Next steps

  • Continue to Post-installation steps for Linux.
  • Review the topics in Develop with Docker to learn how to build new applications using Docker.