What is docker.io in relation to docker-ce and docker-ee (now called “Mirantis Kubernetes Engine”)?

Be wary of docker-ce

The accepted answer is under-complex.

docker-ce is provided by docker.com,
docker.io is provided by Debian.

On the surface, this means you can install docker.io right away, while for docker-ce you have to attach an external repository from docker.com beforehand.

More importantly, however, although both packages provide properly released versions of Docker, they have a very different internal structure:

  • docker.io does it the Debian (or Ubuntu) way: Each external dependency is a separate package that can and will be updated independently.
  • docker-ce does it the Golang way: All dependencies are pulled into the source tree before the build and the whole thing forms one single package afterwards. So you always update docker with all its dependencies at once.

The problem with the latter approach is that it goes against much of what Debian/Ubuntu are trying to do.

If everybody did it the way docker-ce does…

…you would have 174 versions of many libraries on your system, which not only consume a lot of memory, they also make it essentially impossible to decide whether you have that version 7.6.5 of library XYZ with that horrible security vulnerability somewhere among them.
Let alone close that vulnerability (or all 109 instances of it you have).

Worse, one of the 174 versions is likely to be version 5.4.3 of XYZ as of three years ago, which had another, very different, but just as gaping security vulnerability that the world has long since forgotten about but that will still exist happily on your system.

Some remarks:

  • Many web pages call docker.io “outdated”. That is because it was unmaintained for about a year. As of August 2019, this is no longer the case.
  • I learned all this today here and will now switch from using docker-ce to using docker.io — and presumably never go back again.
  • There is a reason why the Debian/Ubuntu packaging system is so complicated. A good reason.

Edit: As BobHy points out in a comment, the docker-ce approach
also has an advantage: It is less likely to have compatibility issues
with library XYZ. You have to trade off your risks.
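
The audit problem described above, as an added example that is not part of the original answer: Go binaries built with module support embed their dependency list, which `go version -m <binary>` prints, so the bundled copies of a library can at least be inventoried per binary. The sample output, module paths, versions and hashes are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed `go version -m` output for two hypothetical binaries. Module
# paths, versions and hashes are invented; XYZ's versions echo the answer.
SAMPLE = """\
/usr/bin/tool-a: go1.21.5
\tpath\texample.com/tool-a
\tmod\texample.com/tool-a\tv1.0.0\th1:AAAA=
\tdep\texample.com/xyz\tv7.6.5\th1:BBBB=
\tdep\texample.com/other\tv0.3.0\th1:CCCC=
/usr/bin/tool-b: go1.19.2
\tpath\texample.com/tool-b
\tmod\texample.com/tool-b\tv2.1.0\th1:DDDD=
\tdep\texample.com/xyz\tv7.0.0
\t=>\texample.com/xyz-fork\tv5.4.3\th1:EEEE=
"""

def parse_build_info(text):
    """Return {binary: {module_path: version_compiled_in}}."""
    inventory, current, last = {}, None, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():          # "<binary>: go<version>" header
            current, last = line.rsplit(": ", 1)[0], None
            inventory[current] = {}
        elif current is None or len(fields) < 3:
            continue                       # "path"/"build" lines carry no version
        elif fields[0] in ("mod", "dep"):
            last = fields[1]
            inventory[current][last] = fields[2]
        elif fields[0] == "=>" and last:   # replace directive: this is what was built
            inventory[current][last] = fields[2]
    return inventory

def versions_of(inventory, module):
    """Return {version: [binaries embedding it]} for one module path."""
    found = defaultdict(list)
    for binary, mods in inventory.items():
        if module in mods:
            found[mods[module]].append(binary)
    return dict(found)

def affected(inventory, module, bad_versions):
    """Binaries that embed a known-bad version and need a rebuilt release."""
    return sorted(b for b, m in inventory.items() if m.get(module) in bad_versions)
```

With a separately packaged library the same question is answered once, by the installed package version; here every binary has to be checked, and each affected one needs its own rebuilt release.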
