The update parameter
On Debian-based systems fpm-fry issues this hint: `/var/lib/apt/lists is not empty, you could try to speed up builds with --update=never`. I have to be honest that this hint is not very obvious. `--update=never` tells fpm-fry not to insert `apt-get --yes update` before it installs packages. This setting is very beneficial in some circumstances.
Docker relies heavily on caching build steps. Caching inherently has two possible problems: false misses and false hits.
- False misses are bad performance-wise but the results can be recalculated correctly
- False hits are very good performance-wise but the results may be wrong
So if you think about it, false hits are the bigger issue for package building. Therefore the cache and cache invalidation should be designed to avoid false hits.
When using a Dockerfile, docker determines whether its cache is valid by looking at the image id and the command used. Now, most apt-based Dockerfiles one finds on the internet pretty much look the same. They use a base image that rarely changes (and therefore rarely contains current package lists) and they contain a line like this:
run apt-get --yes update && apt-get install ....
This works if you define "works" as "does not give an error". However, this line is prone to generating false hits. Suppose you ran this Dockerfile some time ago. In the meantime the package lists on the server have changed. The base image sadly wasn't updated or regenerated. So if you run this Dockerfile again you get a cache hit, because neither the image id nor the command has changed 💥.
But how bad is this? Well, this depends heavily on the packages you install. The worst case is that the image contains outdated packages without you noticing it. Manual cache invalidation is not a solution to the problem because, as I said, you don't notice the problem.
We build our own base images whenever the package lists change (and don't clean /var/lib/apt). Before each package build we then pull the base image. This way the docker cache is properly invalidated and a new clean image is built containing the correct packages if needed. The system works quite well. None of our images contain an `apt-get update` and our build hosts never needed a manual cache invalidation. Logically, we build all our packages with `--update=never`.
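The two behaviours described above, modelled as a toy layer cache keyed on (parent image id, command). This is an added example, not code from fpm-fry or Docker; the `Builder` class, the `openssl` package and its version numbers are constructed for illustration.

```python
import hashlib

UPDATE_INSTALL = "apt-get --yes update && apt-get --yes install openssl"
INSTALL_ONLY = "apt-get --yes install openssl"

def image_id(parent_id, content):
    """Content-addressed id, standing in for a Docker image id."""
    return hashlib.sha256(f"{parent_id}|{content}".encode()).hexdigest()[:12]

def make_base(repo):
    """Build a base image that keeps the package lists current at build time."""
    lists = dict(repo)
    return {"id": image_id("scratch", sorted(lists.items())), "lists": lists, "pkgs": {}}

class Builder:
    """Toy layer cache: the key is only (parent image id, command)."""
    def __init__(self):
        self.cache = {}

    def run(self, parent, command, repo):
        key = (parent["id"], command)
        if key in self.cache:
            return self.cache[key], True          # hit: the command is NOT executed
        # Miss: execute. Only an explicit update refreshes the lists from the server.
        lists = dict(repo) if "apt-get --yes update" in command else parent["lists"]
        pkgs = {**parent["pkgs"], "openssl": lists["openssl"]}
        image = {"id": image_id(parent["id"], f"{command}|{sorted(pkgs.items())}"),
                 "lists": lists, "pkgs": pkgs}
        self.cache[key] = image
        return image, False

def stale_base_scenario():
    """Rarely rebuilt base image plus 'update && install' in the build step."""
    repo = {"openssl": "1.0"}                     # constructed server state
    base, builder = make_base(repo), Builder()
    builder.run(base, UPDATE_INSTALL, repo)
    repo["openssl"] = "1.1"                       # server publishes a newer package
    image, hit = builder.run(base, UPDATE_INSTALL, repo)
    return hit, image["pkgs"]["openssl"]          # false hit: old package is reused

def fresh_base_scenario():
    """Base image rebuilt whenever the lists change; install without update."""
    repo = {"openssl": "1.0"}
    builder = Builder()
    builder.run(make_base(repo), INSTALL_ONLY, repo)
    repo["openssl"] = "1.1"
    image, hit = builder.run(make_base(repo), INSTALL_ONLY, repo)  # new base id
    return hit, image["pkgs"]["openssl"]          # correct miss: new package installed
```

In the first scenario the cache key is unchanged even though the server state differs, so the outdated package is served silently; in the second, the changed base image id is what invalidates the cache.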
Very few docker base images are built like ours, so it's unlikely that this setting works for an arbitrary image. To make it easier for beginners to use fpm-fry, we chose a working default, which is to update but hint the user.