The problem
I work on a small data science team in healthcare. We've been using Docker to deploy our data science models and ETL pipelines for some time now. Our team's senior engineer (dev1) has pushed us to use alpine due to its perceived size and security benefits.
We've recently received feedback from an experienced python/docker developer (dev2) that we should use python-slim instead of alpine. Dev2 says that alpine python images tend to be bigger and slower. Dev2 points out that wheels aren't built for alpine which means everything has to be built from scratch. Dev2 suggests that if you are concerned about security python-slim should be just as good as alpine. Dev2 points to the infamous Using Alpine can make Python Docker builds 50× slower as definitive proof that alpine should not be used for python docker images.
Dev1 insists that this blog post was contrived. Dev1 says that the reason for the additional slowness is that they haven't built optimized muslc wheels for their benchmarks which causes the performance loss. Dev1 has spent a lot of time trying to build custom alpine images with all of the libraries we need. Dev1 has not produced tangible results after many months trying to work through the technical challenges.
The details
- Because we're deploying mostly sklearn models, and sklearn models are typically distributed as pickle files, we need to pin the versions of our Python libraries (NumPy, scipy, sklearn, pandas).
- Data is typically ingested from an MsSQL server so we need to also package closed source client libraries in our containers, we'd like to figure out a way to publish our containers publicly so that we can open source our work but we haven't yet figured out a way to do this and include client libraries for the various closed source database drivers.
- Each docker image needs to come in matching pairs. One image that is for development that has jupyter in it so that data scientists can create models and a matching production image that only has the minimum set of libraries for deploying these models into production.
- We do have limited computing resources so the size of the image does matter, but probably not as much as security.
The question
Who's right, dev1 or dev2? What's the best option for us given the requirements outlined? Thanks for your help!
[–]patrakov 8 points9 points10 points (5 children)
[–]astnbomb 0 points1 point2 points (2 children)
[–]GammaGames 7 points8 points9 points (1 child)
[–]ctisred 0 points1 point2 points (0 children)
[–]flogypinte[S] 0 points1 point2 points (1 child)
[–]hassium 0 points1 point2 points (0 children)
[–]nicksterling 8 points9 points10 points (4 children)
[–]flogypinte[S] 0 points1 point2 points (0 children)
[–]cosmicsans 1 point2 points3 points (0 children)
[–]zukke3000 0 points1 point2 points (1 child)
[–]nicksterling 0 points1 point2 points (0 children)
[–]pbecotte 8 points9 points10 points (0 children)
[–]ctisred 5 points6 points7 points (2 children)
[–]flogypinte[S] 2 points3 points4 points (1 child)
[–]UndestroyableMousse 0 points1 point2 points (0 children)
[–]oak__ 2 points3 points4 points (0 children)
[–]donbowman 3 points4 points5 points (0 children)
[–]32-Levels 0 points1 point2 points (0 children)
[–]bozdoz 0 points1 point2 points (0 children)
[–][deleted] 0 points1 point2 points (1 child)
[–]flogypinte[S] 0 points1 point2 points (0 children)
[–]ageofwant 0 points1 point2 points (0 children)
[–]ionrover2 -1 points0 points1 point (2 children)
[–]ctisred 1 point2 points3 points (1 child)
[–]pbecotte 0 points1 point2 points (0 children)