Response to "Use flake.nix, not Dockerfile"

This is a response to this YouTube video, in which the speaker goes through why Docker and containers suck compared to Nix flakes.


Great presentation on Nix flakes (I've never used it, but I admit it looks really nice from a reproducibility perspective).

Though I have to point out that his initial comparison to Docker is a bit disingenuous IMHO: for the initial example he basically picks some of the worst things you can do in a Dockerfile, including:

  1. FROM ubuntu:latest; it's best practice to use the most specific tagged image possible, at bare minimum ubuntu:xenial, but even better would be ubuntu:xenial-20210804. The strongest pin is the image digest (FROM ubuntu@sha256:...), since a tag can be re-pushed but a digest cannot move. Expanding on that, it's also generally better to pull your toolset's image rather than a generic one if possible, e.g. at work for our Golang projects we use golang:1.xxx where 1.xxx is the version of Go we need. That way it doesn't change underneath us between builds.
  2. apt-get update && apt-get upgrade; yes, this changes every time. So if you’re really worried about that you should have a “base” Dockerfile image to build, tag that and push it to your registry, and then have your app’s image use that in its FROM line so that you don’t have to worry about that layer ever changing.
  3. CMD ["hello"]; ok, I'll concede this one since the path can change, but usually it's a better idea to put the full path to the binary in ENTRYPOINT/CMD so you don't have to worry about $PATH being wrong (and the risk of this gets lower if you use an intermediate image after the install-ey lines too, since that controls the change more).

tl;dr: this is a bad example of a Dockerfile and of containers in general. Just as there are probably bad flake.nix files out there, this is a REALLY bad Dockerfile example. It might not be quite as reproducible as a flake.nix, but you can make OCI containers far more reproducible than the example the speaker initially presented.
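To make the three points above concrete, here is an added example of what the "hello" Dockerfile looks like once each of them is applied. It is written for this post and is not the speaker's Dockerfile or anything from the Nix project. The registry name, the base-image tag name and the hello.sh script are assumed; the ubuntu:xenial-20210804 tag is the one mentioned above, and the digest line is a placeholder you fill from `docker image inspect`.

```dockerfile
# Stage "base": the image the post suggests building once, tagging, and pushing
# to your own registry so the apt layer never changes underneath you again.
#   docker build --target base -t registry.example.com/hello-base:2021.08.04 .
# (registry.example.com and the tag are assumed names; pick your own.)
#
# Date-stamped tag instead of :latest (point 1).  Stronger still is pinning the
# digest, which a re-pushed tag cannot move; get it with
#   docker image inspect --format '{{index .RepoDigests 0}}' ubuntu:xenial-20210804
# and use:  FROM ubuntu@sha256:<digest-from-inspect> AS base   (placeholder)
FROM ubuntu:xenial-20210804 AS base

# No `apt-get upgrade` (point 2): only install what the app needs, in one layer,
# and clear the apt lists so the layer does not carry the index it was built from.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Stage "app": in day-to-day use this would be a separate Dockerfile whose FROM
# line points at the pushed base tag, e.g.
#   FROM registry.example.com/hello-base:2021.08.04
# It is kept in the same file here so the example builds stand-alone.
FROM base

# hello.sh is an assumed script living next to this Dockerfile.
COPY hello.sh /usr/local/bin/hello
RUN chmod 0755 /usr/local/bin/hello

# Absolute path in ENTRYPOINT (point 3): no dependence on $PATH inside the image.
ENTRYPOINT ["/usr/local/bin/hello"]
```

Build the base stage, push it, and then switch the app stage's FROM line to the pushed tag (or its digest); from then on only the COPY layer changes between builds, which is the part you actually control.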

I do want to say as an outsider that learning the entire language puts a weird taste in my mouth compared to just describing the state of a container via a Dockerfile but that might be because I’ve been happily using them for too long. I really need to do more research and fiddle more with nix…

Jacob Lindgren

Nebraska, USA