Demystifying the Google Container Tool, Jib: Java Image Builder
This article covers some internals of image layering created by container image builder Jib and explore what distroless images are and their benefits.
Join the DZone community and get the full member experience.Join For Free
Are you wondering what Jib is, actually? You should probably read my previous article before going ahead. In short, Jib is an excellent tool for Java developers who are interested in containerizing Java applications, but not so interested in creating and maintaining Dockerfile or installing Docker. A Java developer can add a plugin to Maven or Gradle, and that's it. You don't have to learn new technology just to containerize your Java application. Now, let's talk about some internals.
Jib Image Layering
Jib intelligently divides your images into the following layers for more granular incremental builds.
- Snapshot dependencies
- All other dependencies, each extra directory (jib.extraDirectories in Gradle, in Maven) builds to its own layer.
When you do any code changes, only your changes are rebuilt, not your entire application. This means Jib only pushes the layer, which is changed, and the rest of the layers remain the same. For example, in the following demo, only a class file was changed and Jib pushed only the compiled class layer. Later on, we could see that during the docker pull, only the changed layer was extracted.
Furthermore to dig deeper, now, we will use the simple spring boot application that was used in the previous article. The source code is available here. We will run maven in debug mode to understand these layers. However, In the following logs, you will see only dependencies, resources, and classes as separate layers, since we don't have other dependencies.
Deep-Dive Image Layer
You can inspect images created by Jib using the Dive tool. As you can see, on RHS, we have exploded directory structure for classes, resources, and dependencies in the following path and their size are very minimal. The rest of the contents are of your base image.
Dive also tells you if you are wasting any space and, if you are, then you can discover ways to shrink the size of your Docker/OCI image. However, in our case, no space is wasted! You can view the content of an image with a docker history command as well. Let's see what it looks like in the image below:
What Are Distroless Images?
Google defines distroless images as the following:
Distroless images are lightweight base images, as they contain only dependencies required to run your application. They do not contain package managers, shells, or any other programs you would expect to find in a standard Linux distribution.
Furthermore, the layers created by Jib are created on top of a distroless base image. Jib by default uses distroless Java 8 image, but you have the option to choose an image of your choice.
- Fewer vulnerabilities to patch.
- Better security.
- Built with minimum dependencies.
Debugging Distroless Images
Since there are no package managers installed, and you cannot do ssh to your container running with distroless base image, it makes them hard for debugging. In an ideal world, you would add better logging, instead of allowing shell access for your containers. But, there are ways with which you can add shell support and debug your application.
In this article, we have covered some internals about Jib .i.e. image layering, which makes it fast. We have also covered distroless images with their benefits and pitfalls, such as debugging.
If you like what you just read, then you can buy me a coffee by clicking the link in the image below:
You can also read some of my previous articles here.
Published at DZone with permission of Ashish Choudhary. See the original article here.
Opinions expressed by DZone contributors are their own.