Hello zimoun,

my two cents on Docker as container images builder (not as "container instantiation toolbox")

zimoun writes:

[...]

> The relationship between Docker and GNU Guix is container and the LXC
> [1] technology. They use both but differently:
>
> - Docker is rooted in mutable/imperative and tries to go to more
> functional;

Docker images are immutable, they are usually (but not exclusively) generated via `docker build` using an imperative "dockerfile language" (so immutable/imperative :-) ); images are used to instantiate Linux containers and there are tools (bind mounts, environment) to separate state (data/config) from "system" to obtain a stateless container: the "stateless" status of the container however is strictly tied to the stateless properties of the underlying distribution used to build the container.

I'm not sure what you mean with "tries to go more functional" since AFAIU dockerfile "language" is not going to be functional anytime soon, probably it does not even need to.

The main issue with the use of dockerfiles is that unfortunately the FROM layering option (usually *heavily* used by docker image packagers) often makes keeping control of what is actually distributed with the image [1], cryptominers included, simply an... illusion... ehrm hard work :-). I've done it for work and that is the main reason I *avoid* any docker image not built by me as soon as I can.

[...]

> Everything starts with a configuration file: Dockerfile versus manifest.scm.
>
> - Dockerfile depends on the state of the distribution that one will
> use -- say Debian -- and each time "RUN apt-get update" and/or "RUN
> apt-get install" is called then no one can know in advance what the
> resulting disk image will *exactly* contain;

The non-reproducible (not stateful) nature of the resulting docker images directly depends on the distribution used to build it: Debian has no means to "pin" a specific version in time (tag or commit, à la Guix) to use; indeed if I use Guix as initial system image (FROM guix-base) and a combination of manifests and channels definitions I can get a reproducible image (never tried this, just theory :-) )

Anyway, using `guix pack -f docker...` is much much better than the above dockerfile example :-O

This is just to say that it is not `docker build`'s fault not creating reproducible images :-)

[...]

Ciao.

Gio'

[1] even from a legal POV

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
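The "manifests and channels definitions" idea from the mail above, written out as an added example (not code from Giovanni's mail nor from the Guix project). A Dockerfile doing `FROM debian` + `RUN apt-get update && apt-get install -y hello` resolves "hello" against whatever the Debian mirror serves at build time, so two builds a month apart can differ. With Guix the package set lives in manifest.scm and the *point in Guix history* it is resolved against lives in channels.scm; both are plain files you commit next to your project. The `"v1.4.0"` pin and the package names below are assumptions chosen for illustration, not values from the original mail:

```scheme
;; channels.scm -- pins the Guix channel to one point in its history.
;; Added example, not from the original mail or the Guix project.
;; "v1.4.0" is a placeholder tag chosen for illustration; a full commit
;; hash from the Guix git history works the same way and is the stricter pin.
(list (channel
        (inherit %default-guix-channel)
        (commit "v1.4.0")))

;; manifest.scm -- the package set that goes into the image.
;; Package names are an assumption for this example.
(specifications->manifest
 '("hello"
   "coreutils"))

;; Build the image with both files (one shell command):
;;   guix time-machine -C channels.scm -- pack -f docker -S /bin=bin -m manifest.scm
;; time-machine checks out Guix at the pinned commit and runs `guix pack` from
;; there, so the package closure that lands in the image tarball is fixed by
;; the two files, which is exactly what "RUN apt-get install" cannot promise.
```

The store path that `guix pack` prints is the Docker image tarball to feed to `docker load`; `-S /bin=bin` adds a `/bin` symlink into the image so the packed profile's binaries are on a conventional path.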