Docker Slim
We’re Earthly. We make building software simpler and therefore faster using containerization. This article is about optimizing Docker images with Docker Slim. Earthly is a powerful build tool can help streamline your Docker development process. Check it out.
Docker is an open containerization platform for developing, shipping, and running applications. It enables you to package your applications in isolated environments, called containers, where they can run independently from infrastructure. In the container, they have all the dependencies needed for the application to run.
However, a common issue with Docker images is their construction and size. Docker Slim is a tool for optimizing Dockerfiles and Docker images.
It can reduce image size up to thirty times without any manual optimization. It can also help automatically generate security profiles for your Docker containers and has built-in commands that help you analyze and understand your Docker files and images.
In this article, you’ll explore the various Docker Slim functionalities and how to use them effectively and efficiently to optimize your Docker images.
What Is Docker Slim
Docker Slim was a Docker Global Hack Day 2015 project. It performs static and dynamic analysis on Docker images in order to reduce layers in the images and produce smaller Docker containers.
The current version of Docker Slim carries out inspections of the container metadata and data (static analysis), as well as the running application (dynamic analysis) to build an application artifact graph. This graph is then used to generate a smaller image.
Docker Slim is a versatile tool and is able to work on containers running applications in Node.js, Python, Ruby on Rails, Java, Go, Rust, Elixir, or PHP languages as well as with the following operating systems: Ubuntu, Debian, CentOS, Alpine, and even Distroless.
Docker Slim Use Cases
Docker Slim can help you gain a deeper understanding of your Docker images and what they contain. This is especially crucial when you’re working with images you didn’t build. Docker Slim has three commands that specifically provide you with an analysis of your Dockerfiles and Docker images giving you more information about its functioning. These commands are xray
, lint
, and profile
.
Docker Slim uses the analyzed data on your Docker image to create an image that is up to thirty times smaller than the original. Docker Slim optimizes your Docker image and the resulting container by reducing your image to the files, libraries, executables, and dependencies necessary for your containers’ regular operation.
This optimizes your development process, reducing bloat from your containers, making them smaller and more efficient. This benefits you as a software developer or DevOps engineer, as well as your eventual users.
In addition, Docker Slim can help you optimize the security of your image by automatically generating security profiles for your images that are specific to their functions and behavior using the information analyzed during its build process. The tool currently offers auto-generated Seccomp and AppArmor profiles.
Installing Docker Slim
Docker Slim currently works with Linux and Mac operating systems. It can be installed by downloading the binary packages or utilizing a package manager, like Homebrew. The tool is also available to be pulled as a Docker image, and Docker Slim offers a software-as-a-service (SaaS) platform to utilize its functionalities.
For the purpose of this article, an Ubuntu (18.04 LTS) environment was used with Docker Slim installed using the prepared Bash script available on the official Docker Slim GitHub repo and the following CLI command:
curl -sL \
https://raw.githubusercontent.com/docker-slim/docker-slim/master/scripts/install-dockerslim.sh \
| sudo -E bash -
Using Docker Slim
Docker Slim has an interactive CLI option that offers suggestions and helps you configure your commands. It can be used by running thedocker-slim
command:
There are three main reasons to use Docker Slim in your development process: analysis, compression, and security. Let’s review each in turn.
Analysis
Docker Slim enables you to have a deeper understanding of your Dockerfiles, images, and containers, with tools that can probe the functioning of your Docker artifacts and generate optimization reports.
As mentioned before, there are three Docker Slim commands that cater toward analysis: lint
, xray
, and profile
.
The Lint Command
The lint
command analyzes your Dockerfile, running checks against the Dockerfile instructions. This command provides warnings, and surveys for errors while giving you information about the instructions in your Dockerfile. It checks for missing .dockerignore
files, invalid instructions or commands, and unnecessary or unwieldy layers in your Dockerfile.
You can explore all the available checks from the lint
command using the following CLI command:
docker-slim lint --list-checks
Using the lint
command on Docker images is a work in progress. However, you can use the command on your Dockerfiles using the following syntax:
docker-slim lint --target "path-to-your-dockerfile"
The Xray Command
The xray
command analyzes your Docker images, exploring the layers of the Docker image, commands used, files, libraries, and executables, as well as the changes that will be made in the work environment when the Docker image is built. This command can be used to reverse engineer a Dockerfile from its targeted Docker image. It also gives you insight into the object file sizes and how much container space is being wasted.
Docker Slim often produces reports that are saved as slim.report.json
in the directory, and the docker-slim
command is run by default. You can change this by utilizing the --report
tag.
You can use the xray
command with the following syntax:
docker-slim --report nginx-report.json xray --target nginx --pull
nginx
Docker image, exploring its metadata and data, and creates a docker-slim
report called nginx-report.json
. The pull
tag pulls the target image from a repository if it’s not available locally:
The Profile Command
The profile
command carries out a more involved analysis of your Docker images. It performs a dynamic analysis where the Docker image is run, and the container created by that image is then analyzed and probed. This command analyzes both the Docker image and the Docker container that is created from that image. In addition, the profile
command offers advanced HTTP probe functionality by default that can explore your Docker container’s accessibility.
You can utilize this command with the following syntax:
docker-slim --report nginx-profile-report.json profile --target nginx
Compression
One of the main features you can gain from Docker Slim is its compression ability when applied to your Docker images. For your developer teams that utilize Docker in their development and production lifecycles, you might often be left with multiple large-size Docker images. This has a significant impact on the speed of each step in your process, as it takes longer to load and build on larger Docker containers locally or in production.
Docker Slim offers the build
command for this purpose. This command utilizes both static and dynamic analysis to optimize and create a minimized Docker image.
The build
command uses the following syntax:
docker-slim --report nginx-build-report.json build --target nginx --copy-meta-artifacts .
The copy-meta-artifacts
tag helps move the produced files from the build command to a location more convenient for you. The command above creates the reverse-engineered Dockerfile, optimized Dockerfile, your optimized Docker image, security profiles, and other files in your current working directory.
nginx.slim
image of 12 MB over its original size of 142 MB:
Now you can use the optimized Docker image in your development process in place of your previous image.
Security
Docker, and in general, containerized applications, can often be more secure than traditional local applications. However, there are considerations to note, such as the permissions allowed by your kernel, the interaction between Docker, your containers and the file system, and any unnecessary loopholes in your configuration profile. These concerns can be alleviated by adding another safety layer with a unique security configuration profile to your container.
Docker Slim automatically generates AppArmor and Seccomp security profiles when the build
or profile
commands are used. These security profiles will be specific to your images and their functionality.
You can use the security profile generated in the previous build command using the following syntax:
docker run -it --rm -d -p 8080:80 \
--security-opt apparmor:nginx-apparmor-profile nginx.slim
apparmor
security profile in the working directory to start up an nginx
container using the minimized image. An nginx
web server is up and running at http://localhost:8080/ and its security profile protects the container from internal or external threats by restricting program capabilities such as read or write permission on certain files, as well as root access. It also limits network access to bar unpermitted entry.
Conclusion
Docker Slim is a handy tool. It uses static and dynamic analysis to clear out unnecessary stuff from your Docker images, making them safer and more effective. Despite Docker’s contribution to DevOps, it’s not flawless and that’s where Docker Slim can help. Through this tutorial, we’ve guided you on how to use Docker Slim and its commands: lint
, xray
, profile
, and build
to tweak your Docker images and containers.
Also if you’re craving more efficiency in your build processes, you might want to give Earthly a spin! This open-source build automation tool could be the next step in optimizing your development workflow.
Earthly makes CI/CD super simple
Fast, repeatable CI/CD with an instantly familiar syntax – like Dockerfile and Makefile had a baby.