Skip to content

4. Can we achieve all these with simple OCI multiple stage container definitions

Jump to bottom
SMART2016 edited this page Mar 19, 2025 · 2 revisions

🚀 Can We Achieve Apko's Features Using Docker Multi-Stage Builds?

Yes, but with trade-offs. Let's break it down.

1. Minimal Image Size

Docker Multi-Stage:

  • You can use FROM alpine and remove unnecessary layers.
  • Example: 
    FROM alpine:latest AS builder
RUN apk add --no-cache busybox

FROM scratch
COPY --from=builder /bin/busybox /bin/busybox
ENTRYPOINT ["/bin/busybox", "sh"]
  • Limitation:
    • The final image still contains unnecessary metadata (e.g., /etc/apk, package manager data).
    • You need to manually strip unwanted files.

Apko:

  • Doesn’t use layers or a package manager at runtime.
  • Automatically optimizes the image for minimal size.
  • No manual cleanup needed.

2. No Docker Daemon Needed

Docker Multi-Stage:

  • Requires Docker Daemon (dockerd).
  • Workarounds: Use buildah or kaniko, but this adds complexity.

Apko:

  • Works without Docker.
  • Builds OCI-compliant images without dockerd.
  • Fully rootless.

📌 Why This Matters:

  • In CI/CD pipelines, running dockerd is insecure and requires privileged mode.
  • Apko can build images inside Kubernetes pods without security risks.

3. Reproducible Builds (No Drift)

Docker Multi-Stage:

  • Not fully deterministic—results can change based on:
    • Base image updates
    • apk add downloading latest package versions

Apko:

  • Uses a declarative YAML config (apko.yaml).
  • Guarantees the same image every time.
  • Reproducible builds (no surprises).

📌 Why This Matters:

  • In production, you don’t want “works on my machine” issues.
  • Apko locks dependencies to avoid accidental updates.

4. Security (No Shell, No Package Manager)

Docker Multi-Stage:

  • You can remove /bin/sh, apk, and other utilities.
  • Example: 
    FROM alpine AS builder
RUN apk add --no-cache busybox

FROM scratch
COPY --from=builder /bin/busybox /bin/busybox
ENTRYPOINT ["/bin/busybox", "sh"]
  • Problem:
    • Manual effort required to strip all unwanted utilities.
    • Easy to accidentally include insecure components.

Apko:

  • Hardened by default.
  • Does not include a shell or package manager unless explicitly added.
  • Less attack surface (better security).

📌 Why This Matters:

  • Zero-trust security environments.
  • Compliance requirements like FIPS, CIS benchmarks.

5. Built-in Image Signing & SBOM (Software Bill of Materials)

Docker Multi-Stage:

  • Requires extra tools (cosign, syft, etc.).
  • Example for SBOM generation: 
    syft my-image:latest -o json > sbom.json

Apko:

  • Automatically generates an SBOM.
  • Supports signing with cosign out of the box.

📌 Why This Matters:

  • Software supply chain security (SLSA, CISA guidelines).
  • Automatic provenance tracking.

6. No Unnecessary Layers (Faster Pulls)

Docker Multi-Stage:

  • Even with --squash, Docker images still retain extra layers.

Apko:

  • Single-layer OCI imageFaster pulls and lower disk usage.

📌 Why This Matters:

  • Faster deployments in CI/CD and Kubernetes.
  • Less network and storage usage.

7. Faster Cold Start (Serverless & Kubernetes)

Docker Multi-Stage:

  • You can optimize for speed, but still slower than Apko due to:
    • Extra init scripts
    • Layer metadata
    • Package manager overhead

Apko:

  • Starts instantly (no init system, no package manager).
  • Perfect for AWS Lambda, GCP Cloud Run, and edge computing.

📌 Why This Matters:

  • Serverless cold starts.
  • Kubernetes workloads requiring fast boot times.

8. Better Multi-Arch Support (ARM64 & x86_64)

Docker Multi-Stage:

  • Requires manual setup (buildx, qemu).
  • Example: 
    docker buildx build --platform linux/amd64,linux/arm64 -t my-image .

Apko:

  • Native multi-arch support (archs field in apko.yaml).

📌 Why This Matters:

  • Developing locally on Apple M1/M2 (ARM64).
  • Running containers on AWS Graviton (ARM-based cloud instances).

🚀 Summary: Docker Multi-Stage vs. Apko

Feature Docker Multi-Stage Apko
Minimal Image Size ✅ Possible (manual effort) ✅ Automatic
No Docker Daemon Required ❌ Needs dockerd ✅ Rootless
Reproducibility ❌ Prone to drift ✅ Guaranteed
Security Hardened ❌ Requires manual stripping ✅ No shell, no package manager
Image Signing & SBOM ❌ Needs extra tools ✅ Built-in
Faster Cold Starts ❌ Some overhead ✅ Optimized
Single OCI Layer (Faster Pulls) ❌ Retains unnecessary layers ✅ Always single-layer
Multi-Arch Support (ARM64 & x86_64) ❌ Needs buildx ✅ Native support

📌 Final Verdict

Use Docker Multi-Stage if:

✅ You are already invested in Docker and have CI/CD built around it.
✅ You need flexibility (Apko is Alpine-only).
✅ You’re OK with some manual optimizations.

Use Apko if

✅ You need minimal, secure, and reproducible builds.
✅ You want rootless, declarative images (no dockerd).
✅ You need faster, optimized images (better for Kubernetes, serverless).

Clone this wiki locally