Jordan Henkel,Christian Bird,Shuvendu K. Lahiri,Thomas Reps

DOI: https://doi.org/10.1145/3377811.3380406

2020-02-08

Abstract:With the growing use of DevOps tools and frameworks, there is an increased need for tools and techniques that support more than code. The current state-of-the-art in static developer assistance for tools like Docker is limited to shallow syntactic validation. We identify three core challenges in the realm of learning from, understanding, and supporting developers writing DevOps artifacts: (i) nested languages in DevOps artifacts, (ii) rule mining, and (iii) the lack of semantic rule-based analysis. To address these challenges we introduce a toolset, binnacle, that enabled us to ingest 900,000 GitHub repositories. Focusing on Docker, we extracted approximately 178,000 unique Dockerfiles, and also identified a Gold Set of Dockerfiles written by Docker experts. We addressed challenge (i) by reducing the number of effectively uninterpretable nodes in our ASTs by over 80% via a technique we call phased parsing. To address challenge (ii), we introduced a novel rule-mining technique capable of recovering two-thirds of the rules in a benchmark we curated. Through this automated mining, we were able to recover 16 new rules that were not found during manual rule collection. To address challenge (iii), we manually collected a set of rules for Dockerfiles from commits to the files in the Gold Set. These rules encapsulate best practices, avoid docker build failures, and improve image size and build latency. We created an analyzer that used these rules, and found that, on average, Dockerfiles on GitHub violated the rules five times more frequently than the Dockerfiles in our Gold Set. We also found that industrial Dockerfiles fared no better than those sourced from GitHub. The learned rules and analyzer in binnacle can be used to aid developers in the IDE when creating Dockerfiles, and in a post-hoc fashion to identify issues in, and to improve, existing Dockerfiles.

Software Engineering

Mingjie Li,Xiaoying Bai,Minghua Ma,Dan Pei

DOI: https://doi.org/10.48550/arxiv.2104.05490

2021-01-01

Abstract:Continuous Integration (CI) and Continuous Deployment (CD) are widely adopted in software engineering practice. In reality, the CI/CD pipeline execution is not yet reliably continuous because it is often interrupted by Docker build failures. However, the existing trial-and-error practice to detect faults is time-consuming. To timely detect Dockerfile faults, we propose a context-based pre-build analysis approach, named DockerMock, through mocking the execution of common Dockerfile instructions. A Dockerfile fault is declared when an instruction conflicts with the approximated and accumulated running context. By explicitly keeping track of whether the context is fuzzy, DockerMock strikes a good balance of detection precision and recall. We evaluated DockerMock with 53 faults in 41 Dockerfiles from open source projects on GitHub and 130 faults in 105 Dockerfiles from student course projects. On average, DockerMock detected 68.0% Dockerfile faults in these two datasets. While baseline hadolint detected 6.5%, and baseline BuildKit detected 60.5% without instruction execution. In the GitHub dataset, DockerMock reduces the number of builds to 47, outperforming that of hadolint (73) and BuildKit (74).

Huachao Long,Yulai Xie,Daisong Yu,Minpeng Jin,Xuan Li

DOI: https://doi.org/10.1109/ICBCTIS55569.2022.00034

2022-07-01

Abstract:Compared with virtual machine technology, container technology is more and more popular by virtue of its excellent convenience and reliable security isolation. Containers will encounter various anomalies during operation. For maintenance personnel, a large number of abnormal logs makes the work of anomaly analysis very difficult, so anomaly detection technology is needed. In this paper, a container anomaly detection system based on rule mining and matching is proposed, which collects and simplifies the container's logs generated in the abnormal time period, then delivers them to association rule mining algorithm for rule mining and display rules to the maintainer who makes a decision after a simple analysis. The experimental results show that the rule mining algorithm can process log entries in less time consumption compared with traditional association rule mining algorithm, and container anomaly detection system can effectively help system administrator to locate anomalies.

Computer Science

Giovanni Rosa,Simone Scalabrino,Rocco Oliveto

DOI: https://doi.org/10.48550/arXiv.2208.09097

2022-08-19

Abstract:Background. Containerization technologies are widely adopted in the DevOps workflow. The most commonly used one is Docker, which requires developers to define a specification file (Dockerfile) to build the image used for creating containers. There are several best practice rules for writing Dockerfiles, but the developers do not always follow them. Violations of such practices, known as Dockerfile smells, can negatively impact the reliability and the performance of Docker images. Previous studies showed that Dockerfile smells are widely diffused, and there is a lack of automatic tools that support developers in fixing them. However, it is still unclear what Dockerfile smells get fixed by developers and to what extent developers would be willing to fix smells in the first place. Objective. The aim of our exploratory study is twofold. First, we want to understand what Dockerfiles smells receive more attention from developers, i.e., are fixed more frequently in the history of open-source projects. Second, we want to check if developers are willing to accept changes aimed at fixing Dockerfile smells (e.g., generated by an automated tool), to understand if they care about them. Method. In the first part of the study, we will evaluate the survivability of Dockerfile smells on a state-of-the-art dataset composed of 9.4M unique Dockerfiles. We rely on a state-of-the-art tool (hadolint) for detecting which Dockerfile smells disappear during the evolution of Dockerfiles, and we will manually analyze a large sample of such cases to understand if developers fixed them and if they were aware of the smell. In the second part, we will detect smelly Dockerfiles on a set of GitHub projects, and we will use a rule-based tool to automatically fix them. Finally, we will open pull requests proposing the modifications to developers, and we will quantitatively and qualitatively evaluate their outcome.

Software Engineering

Jordan Henkel,Christian Bird,Shuvendu K. Lahiri,Thomas Reps

DOI: https://doi.org/10.1145/3379597.3387498

2020-03-29

Abstract:Dockerfiles are one of the most prevalent kinds of DevOps artifacts used in industry. Despite their prevalence, there is a lack of sophisticated semantics-aware static analysis of Dockerfiles. In this paper, we introduce a dataset of approximately 178,000 unique Dockerfiles collected from GitHub. To enhance the usability of this data, we describe five representations we have devised for working with, mining from, and analyzing these Dockerfiles. Each Dockerfile representation builds upon the previous ones, and the final representation, created by three levels of nested parsing and abstraction, makes tasks such as mining and static checking tractable. The Dockerfiles, in each of the five representations, along with metadata and the tools used to shepard the data from one representation to the next are all available at: <a class="link-external link-https" href="https://doi.org/10.5281/zenodo.3628771" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Yulong Wang,Qixu Wang,Xue Qin,Xingshu Chen,Bangzhou Xin,Run Yang

DOI: https://doi.org/10.1007/s00500-022-07546-2

IF: 3.732

2022-10-05

Soft Computing

Abstract:As an emerging virtualization technology, the Linux container provides a more lightweight, flexible, and high-performance operating-system-level virtual run-time environment. Its appearance has profoundly changed the development and deployment of multi-tier distributed applications. However, the imperfect system resource isolation features and the kernel-sharing mechanism will introduce significant security risks to the cloud platform. In this paper, we present DockerWatch, a real-time detection system for malware detection in the container-based cloud platform. DockerWatch uses a non-intrusive manner to extract executable files inside the containers, then uses the ensemble of various static features and behavior-based graphs as the analysis vector to learn the robust representations of malicious patterns. Consequently, a two-phase hybrid detection method based on deep learning is proposed to accelerate and enhance the detection performance, aiming to address the trade-off between fast and high-performance real-time detection. Extensive experiments are conducted and compared with extensive existing related methods using real-world datasets to validate the effectiveness of our system. The results show that DockerWatch achieves excellent detection performance with acceptable run-time performance overhead introduced into the platform.

computer science, artificial intelligence, interdisciplinary applications

Kalvin Eng,Abram Hindle

DOI: https://doi.org/10.48550/arXiv.2103.12298

2021-03-23

Abstract:Docker is becoming ubiquitous with containerization for developing and deploying applications. Previous studies have analyzed Dockerfiles that are used to create container images in order to better understand how to improve Docker tooling. These studies obtain Dockerfiles using either Docker Hub or Github. In this paper, we revisit the findings of previous studies using the largest set of Dockerfiles known to date with over 9.4 million unique Dockerfiles found in the World of Code infrastructure spanning from 2013-2020. We contribute a historical view of the Dockerfile format by analyzing the Docker engine changelogs and use the history to enhance our analysis of Dockerfiles. We also reconfirm previous findings of a downward trend in using OS images and an upward trend of using language images. As well, we reconfirm that Dockerfile smell counts are slightly decreasing meaning that Dockerfile authors are likely getting better at following best practices. Based on these findings, it indicates that previous analyses from prior works have been correct in many of their findings and their suggestions to build better tools for Docker image creation are further substantiated.

Software Engineering

Wei Chen,Hongjie Ye,Guoquan Wu,Jiahong Zhou,Jun Wei,Jiaxin Zhu

DOI: https://doi.org/10.1109/COMPSAC51774.2021.00133

2021-07-01

Abstract:Docker is the de-facto container technology for software system deployment and delivery. A Dockerfile specifies how to containerize a system into a Docker image. However, creating a Dockerfile is not trivial since resolving the dependencies (e.g., third-party libraries) of diverse software requires comprehensive domain knowledge. In this paper, we propose DockerGen to containerize software packages automatically. DockerGen constructs a knowledge graph containing rich knowledge of building Docker images by analyzing nearly 220 thousand Dockerfiles. DockerGen exploits the knowledge graph to containerize the target software by creating a Dockerfile specifying the base image, dependencies, and the operation workflow. We evaluate DockerGen on 100 software packages of various categories. DockerGen achieves a 73% build success rate and a 59% configuration success rate. The experimental result indicates it is viable to automate software containerization based on a domain knowledge graph.

Computer Science

Jürgen Cito,Gerald Schermann,Erik Wittern,Philipp Leitner,Sali Zumberi,Harald C. Gall

DOI: https://doi.org/10.7287/peerj.preprints.2905v1

2017-04-03

Abstract:Docker allows packaging an application with its dependencies into a standardized, self-contained unit (a so-called container), which can be used for software development and to run the application on any system. Dockerfiles are declarative definitions of an environment that aim to enable reproducible builds of the container. They can often be found in source code repositories and enable the hosted software to come to life in its execution environment. We conduct an exploratory empirical study with the goal of characterizing the Docker ecosystem, prevalent quality issues, and the evolution of Dockerfiles. We base our study on a data set of over 70000 Dockerfiles, and contrast this general population with samplings that contain the Top-100 and Top-1000 most popular Docker-using projects. We find that most quality issues (28.6%) arise from missing version pinning (i.e., specifying a concrete version for dependencies). Further, we were not able to build 34% of Dockerfiles from a representative sample of 560 projects. Integrating quality checks, e.g., to issue version pinning warnings, into the container build process could result into more reproducible builds. The most popular projects change more often than the rest of the Docker population, with 5.81 revisions per year and 5 lines of code changed on average. Most changes deal with dependencies, that are currently stored in a rather unstructured manner. We propose to introduce an abstraction that, for instance, could deal with the intricacies of different package managers and could improve migration to more light-weight images.

YU Zhen,SU Xiao-hong,WANG Tian-tian,MA Pei-jun

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.02.007

2013-01-01

Abstract:A general and efficient method is proposed to automatically extract the rules and detect violations to the rules extracted.Closed frequent itemset mining is applied to mine programming patterns.Then these patterns are used to generate programming rules.The concept of Positive Order Rule is introduced to avoid generating redundant rules from the same programming pattern.Based on these efforts,we also propose an efficient violations detection algorithm to detect program segments that are not consistent with the extracted rules.The experiment results on large software source code indicate that this method can automatically extract lots of implicit programming rules and also can efficiently detect the code segments that violate the extracted rules.

Mubin Ul Haque,Leonardo Horn Iwaya,M. Ali Babar

DOI: https://doi.org/10.1145/3382494.3410693

2020-08-11

Abstract:Docker technology has been increasingly used among software developers in a multitude of projects. This growing interest is due to the fact that Docker technology supports a convenient process for creating and building containers, promoting close cooperation between developer and operations teams, and enabling continuous software delivery. As a fast-growing technology, it is important to identify the Docker-related topics that are most popular as well as existing challenges and difficulties that developers face. This paper presents a large-scale empirical study identifying practitioners' perspectives on Docker technology by mining posts from the Stack Overflow (SoF) community. Method: A dataset of 113,922 Docker-related posts was created based on a set of relevant tags and contents. The dataset was cleaned and prepared. Topic modelling was conducted using Latent Dirichlet Allocation (LDA), allowing the identification of dominant topics in the domain. Our results show that most developers use SoF to ask about a broad spectrum of Docker topics including framework development, application deployment, continuous integration, web-server configuration and many more. We determined that 30 topics that developers discuss can be grouped into 13 main categories. Most of the posts belong to categories of application development, configuration, and networking. On the other hand, we find that the posts on monitoring status, transferring data, and authenticating users are more popular among developers compared to the other topics. Specifically, developers face challenges in web browser issues, networking error and memory management. Besides, there is a lack of experts in this domain. Our research findings will guide future work on the development of new tools and techniques, helping the community to focus efforts and understand existing trade-offs on Docker topics.

Software Engineering,Information Retrieval

ZHOU Tianyu,SHEN Wenbo,YANG Nanzi,LI Jinku,QIN Chenggang,YU Wang

DOI: https://doi.org/10.11959/j.issn.2096-109x.2020074

2020-01-01

Abstract:In recent years, Docker has been widely deployed due to its flexibility and high scalability. However, its modular design leads to the DoS attacks on inter-component communication. A new DoS attack that outputs to stdout, causing high CPU usages among different Docker components. Analysis shows that the stdout output triggers the goroutines of Docker components. To find all goroutines setup paths, using the static analysis method to analyze the Docker components systematically was proposed. A static analysis framework was designed and implemented, and evaluated on Docker source code. The results show that static analysis framework finds 34 paths successfully, while 22 of them are confirmed by runtime verification.

Giovanni Rosa,Simone Scalabrino,Gabriele Bavota,Rocco Oliveto

DOI: https://doi.org/10.1145/3603111

IF: 3.685

2023-05-31

ACM Transactions on Software Engineering and Methodology

Abstract:Docker is a containerization technology that allows developers to ship software applications along with their dependencies in Docker images. Developers can extend existing images using them as base images when writing Dockerfiles. However, a lot of alternative functionally-equivalent base images are available. While many studies define and evaluate quality features that can be extracted from Docker artifacts, it is still unclear what are the criteria on which developers choose a base image over another. In this paper, we aim to fill this gap. First, we conduct a literature review through which we define a taxonomy of quality features, identifying two main groups: Configuration-related features ( i.e., mainly related to the Dockerfile and image build process), and externally observable features ( i.e., what the Docker image users can observe). Second, we ran an empirical study considering the developers’ preference for 2,441 Docker images in 1,911 open-source software projects. We want to understand (i) how the externally observable features influence the developers’ preferences, and (ii) how they are related to the configuration-related features . Our results pave the way to the definition of a reliable quality measure for Docker artifacts, along with tools that support developers for a quality-aware development of them.

computer science, software engineering

Jia-Ju Bai,Yu-Ping Wang,Hu-Qiu Liu,Shi-Min Hu

DOI: https://doi.org/10.1016/j.infsof.2016.01.018

IF: 3.9

2016-01-01

Information and Software Technology

Abstract:Context: Device drivers often call specific kernel interface functions in pairs to allocate and release resources, and these functions can be called as paired functions. But due to poor documentation and carelessness, developers sometimes misuse paired functions in drivers, which causes resource-usage violations.Objective: Many dynamic approaches have been proposed to mine API rules and check resource usage for user-mode applications, but they are rarely applied to kernel-mode device drivers due to their designs. Meanwhile, most existing dynamic approaches lack systematic mechanisms to cover error handling code, which limits their availability and scalability. Our goal is to improve dynamic analysis to solve these problems.Method: In this paper, we propose PairCheck, a novel approach for mining and checking paired functions in device drivers, using three techniques. Firstly, we design a characteristic fault injection framework to generate test cases, which simulates occasional errors and covers most error handling code with little effort. Secondly, complete runtime information is recorded through call interception during test-case execution. Thirdly, we mine and check paired functions based on collected runtime information, name patterns and statistical analysis.Result: To validate the availability of PairCheck, we evaluate it on 11 Linux Ethernet card drivers. PairCheck mines 37 and 43 real paired functions in Linux 3.1.1 and 3.17.2, respectively. With these mined paired functions, it finds 10 violations in Linux 3.1.1 which have been fixed in 3.17.2, and 35 new violations in 3.17.2. The replies from developers indicate the false positive rate is low. Compared to normal execution, code coverage increases by 8.3% on average.Conclusion: Our work shows that it is possible to precisely mine API rules of resource usage by using characteristic fault injection. The mined rules are useful for improving the reliability of device drivers. (C) 2016 Elsevier B.V. All rights reserved.

Guoli He,Donglian Qi

DOI: https://doi.org/10.23919/CCC50068.2020.9188902

2020-01-01

Abstract:In this paper, a keypoint-guided pipeline for safety violation identification is proposed. Firstly, a top-down keypoint detector is adopted to detect human areas and 17 keypoints in each human bounding box. Secondly, related regions such as head, trunk, etc. are accurately located. Finally, these regions are cropped from the original image and fed into a unified classifier for feature extraction and violation identification. The experimental results show the superiority of the proposed pipeline than other existing counterparts. An average accuracy of 91.2% is achieved on identifications of not wearing helmet, work clothes and smoking.

Xiaoxue Ren,Xinyuan Ye,Zhenchang Xing,Xin Xia,Xiwei Xu,Liming Zhu,Jianling Sun

DOI: https://doi.org/10.1145/3324884.3416551

2020-01-01

Abstract:ABSTRACTAPI misuses cause significant problem in software development. Existing methods detect API misuses against frequent API usage patterns mined from codebase. They make a naive assumption that API usage that deviates from the most-frequent API usage is a misuse. However, there is a big knowledge gap between API usage patterns and API usage caveats in terms of comprehensiveness, explainability and best practices. In this work, we propose a novel approach that detects API misuses directly against the API caveat knowledge, rather than API usage patterns. We develop open information extraction methods to construct a novel API-constraint knowledge graph from API reference documentation. This knowledge graph explicitly models two types of API-constraint relations (call-order and condition-checking) and enriches return and throw relations with return conditions and exception triggers. It empowers the detection of three types of frequent API misuses - missing calls, missing condition checking and missing exception handling, while existing detectors mostly focus on only missing calls. As a proof-of-concept, we apply our approach to Java SDK API Specification. Our evaluation confirms the high accuracy of the extracted API-constraint relations. Our knowledge-driven API misuse detector achieves 0.60 (68/113) precision and 0.28 (68/239) recall for detecting Java API misuses in the API misuse benchmark MuBench. This performance is significantly higher than that of existing pattern-based API misused detectors. A pilot user study with 12 developers shows that our knowledge-driven API misuse detection is very promising in helping developers avoid API misuses and debug the bugs caused by API misuses.

Shuilin Ren,Yubo Tao,Hai Lin

DOI: https://doi.org/10.3969/j.issn.1003-9775.2016.11.010

2016-01-01

Abstract:Sparse traffic trajectory data can be used to detect fake plate vehicles effectively. Most existing tech-niques are based on rules to search for fake plate vehicles records, but they generally don’t provide intuitive meanings of rules and their impacts on results. Moreover, they provides less analysis on the behavior patterns of fake plate vehicles. This paper presents a visual analysis system to interactively detect and analyze fake plate ve-hicles based on sparse traffic trajectory data. We first design a visual query model based on the rule-based fake plate vehicles detection algorithm, then use maps and timelines to display temporal spatial distribution of different types of fake plate vehicles, especially for cell locations and times that fake plate vehicles appear multiple times. The statistical information on a single cell and a cell pair is presented by CirFlow and histograms, to visually analyze the impacts of different rules on the results. Finally, Case studies show the effectiveness of our system.

Haneul Lee,Soonhong Kwon,Jong-Hyouk Lee

DOI: https://doi.org/10.3390/electronics12040940

IF: 2.9

2023-02-16

Electronics

Abstract:Docker has become widely used as an open-source platform for packaging and running applications as containers. It is in the limelight especially at companies and IT developers that provide cloud services thanks to its advantages such as the portability of applications and being lightweight. Docker provides communication between multiple containers through internal network configuration, which makes it easier to configure various services by logically connecting containers to each other, but cyberattacks exploiting the vulnerabilities of the Docker container network, e.g., distributed denial of service (DDoS) and cryptocurrency mining attacks, have recently occurred. In this paper, we experiment with cyberattacks such as ARP spoofing, DDoS, and elevation of privilege attacks to show how attackers can execute various attacks and analyze the results in terms of network traffic, CPU consumption, and malicious reverse shell execution. In addition, by examining the attacks from the network perspective of the Docker container environment, we lay the groundwork for detecting and preventing lateral movement attacks that may occur between the Docker containers.

engineering, electrical & electronic,computer science, information systems,physics, applied

Taha Shabani,Noor Nashid,Parsa Alian,Ali Mesbah

2024-08-10

Abstract:Dockerfile flakiness, characterized by inconsistent build behavior without Dockerfile or project source code changes, poses significant challenges in Continuous Integration and Delivery (CI/CD) pipelines. This issue can lead to unreliable deployments and increased debugging efforts, yet it remains underexplored in current research. We conduct a systematic analysis of Dockerfile flakiness, presenting a comprehensive taxonomy of common flakiness categories, including dependency-related errors and server connectivity issues. Furthermore, we introduce FlakiDock, a tool leveraging large language models and retrieval-augmented generation techniques with dynamic analysis and an iterative feedback loop to automatically repair flaky Dockerfiles. Our evaluation shows that FlakiDock achieves a 73.55% repair accuracy, outperforming existing tools such as PARFUM by 12,581% and GPT-4-based prompting by 94.63%. These results underscore the effectiveness of FlakiDock in addressing Dockerfile flakiness and improving build reliability.

Software Engineering

Yu Zhou,Xin Yan,Taolue Chen,Sebastiano Panichella,Harald Gall

DOI: https://doi.org/10.1109/icse-companion.2019.00052

2019-01-01

Abstract:Application programming interfaces (APIs) documentation is the official reference of the APIs. Defects in API documentation pose serious hurdles to their comprehension and usage. In this paper, we present DRONE, a tool that can automatically detect the directive defects in APIs documents and recommend repair solutions to fix them. Particularly, DRONE focuses on four defect types related to parameter usage constraints. To achieve this, DRONE leverages techniques from static program analysis, natural language processing and logic reasoning. The implementation is based on the Eclipse-plugin architecture, which provides an integrated user interface. Extensive experiments demonstrate the efficacy of the tool.