Docker Slim


Sooter Saalu

Docker is an open containerization platform for developing, shipping, and running applications. It enables you to package your applications in isolated environments, called containers, where they can run independently from infrastructure. In the container, they have all the dependencies needed for the application to run.

However, a common issue with Docker images is their construction and size. Docker Slim is a tool for optimizing Dockerfiles and Docker images.

It can reduce image size by up to thirty times without any manual optimization. It can also automatically generate security profiles for your Docker containers, and it has built-in commands that help you analyze and understand your Dockerfiles and images.

In this article, you’ll explore the various Docker Slim functionalities and how to use them effectively and efficiently to optimize your Docker images.

What Is Docker Slim


Docker Slim was a Docker Global Hack Day 2015 project. It performs static and dynamic analysis on Docker images in order to reduce layers in the images and produce smaller Docker containers.

The current version of Docker Slim carries out inspections of the container metadata and data (static analysis), as well as the running application (dynamic analysis) to build an application artifact graph. This graph is then used to generate a smaller image.

Docker Slim is a versatile tool. It works on containers running applications written in Node.js, Python, Ruby on Rails, Java, Go, Rust, Elixir, or PHP, and with the following operating systems: Ubuntu, Debian, CentOS, Alpine, and even Distroless.

Docker Slim Use Cases


Docker Slim can help you gain a deeper understanding of your Docker images and what they contain. This is especially crucial when you’re working with images you didn’t build. Docker Slim has three commands that analyze your Dockerfiles and Docker images and give you more information about how they function. These commands are xray, lint, and profile.

Docker Slim uses the analyzed data on your Docker image to create an image that is up to thirty times smaller than the original. Docker Slim optimizes your Docker image and the resulting container by reducing your image to the files, libraries, executables, and dependencies necessary for your containers’ regular operation.

This optimizes your development process, reducing bloat from your containers, making them smaller and more efficient. This benefits you as a software developer or DevOps engineer, as well as your eventual users.

In addition, Docker Slim can help you optimize the security of your image by automatically generating security profiles for your images that are specific to their functions and behavior using the information analyzed during its build process. The tool currently offers auto-generated Seccomp and AppArmor profiles.

Installing Docker Slim

Docker Slim currently works with Linux and Mac operating systems. It can be installed by downloading the binary packages or utilizing a package manager, like Homebrew. The tool is also available to be pulled as a Docker image, and Docker Slim offers a software-as-a-service (SaaS) platform to utilize its functionalities.

For the purpose of this article, an Ubuntu (18.04 LTS) environment was used with Docker Slim installed using the prepared Bash script available on the official Docker Slim GitHub repo and the following CLI command:

curl -sL \
 https://raw.githubusercontent.com/docker-slim/docker-slim/master/scripts/install-dockerslim.sh \
 | sudo -E bash -
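
Piping a script from the master branch straight into a root shell runs whatever that URL serves at the moment of the request. The following added example (not code from the Docker Slim project) downloads the installer to a file and runs it only if its SHA-256 matches a digest you recorded after reviewing the script; the function names, the PINNED_SHA256 placeholder and the DOCKERSLIM_INSTALL guard variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: fetch, verify, then run, instead of curl | sudo bash.
# URL from the command above; prefer a reviewed commit over master where possible.
INSTALL_URL="https://raw.githubusercontent.com/docker-slim/docker-slim/master/scripts/install-dockerslim.sh"
# Placeholder: the digest of the script version you reviewed.
PINNED_SHA256="<sha256-of-reviewed-install-script>"

# Print the hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if $1 exists and its digest equals the 64-hex-digit value $2.
verify_pinned() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || return 2
  case "$expected" in
    ""|*[!0-9a-fA-F]*) return 3 ;;   # empty or still the placeholder
  esac
  [ "${#expected}" -eq 64 ] || return 3
  actual="$(sha256_of "$file")" || return 2
  [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download to a temp file and run it as root only after the digest check passes.
install_verified() {
  local tmp rc
  tmp="$(mktemp)" || return 1
  # -f makes curl fail on HTTP errors, so an error page is never executed.
  if curl -fsSL --proto '=https' -o "$tmp" "$INSTALL_URL" &&
     verify_pinned "$tmp" "$PINNED_SHA256"; then
    sudo -E bash "$tmp"; rc=$?
  else
    echo "refusing to run: download failed or digest mismatch" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Opt-in guard: nothing is downloaded unless DOCKERSLIM_INSTALL=1 is set.
if [ "${DOCKERSLIM_INSTALL:-0}" = "1" ]; then install_verified; fi
```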

Using Docker Slim

Docker Slim has an interactive CLI option that offers suggestions and helps you configure your commands. It can be used by running the docker-slim command:

[Figure: Docker Slim interactive CLI]

There are three main reasons to use Docker Slim in your development process: analysis, compression, and security. Let’s review each in turn.

Analysis

Docker Slim enables you to have a deeper understanding of your Dockerfiles, images, and containers, with tools that can probe the functioning of your Docker artifacts and generate optimization reports.

As mentioned before, there are three Docker Slim commands that cater toward analysis: lint, xray, and profile.

The Lint Command

The lint command analyzes your Dockerfile, running checks against the Dockerfile instructions. It reports warnings and errors and gives you information about the instructions in your Dockerfile. It checks for missing .dockerignore files, invalid instructions or commands, and unnecessary or unwieldy layers in your Dockerfile.

You can explore all the available checks from the lint command using the following CLI command:

docker-slim lint --list-checks

[Figure: Available lint command checks]

Using the lint command on Docker images is a work in progress. However, you can use the command on your Dockerfiles using the following syntax:

docker-slim lint --target "path-to-your-dockerfile"

[Figure: lint command results]

The Xray Command

The xray command analyzes your Docker images, exploring the layers of the Docker image, commands used, files, libraries, and executables, as well as the changes that will be made in the work environment when the Docker image is built. This command can be used to reverse engineer a Dockerfile from its targeted Docker image. It also gives you insight into the object file sizes and how much container space is being wasted.

Docker Slim often produces reports, which are saved by default as slim.report.json in the directory where the docker-slim command is run. You can change this by using the --report flag.

You can use the xray command with the following syntax:

docker-slim --report nginx-report.json xray --target nginx --pull

This command performs static analysis on the nginx Docker image, exploring its metadata and data, and creates a docker-slim report called nginx-report.json. The --pull flag pulls the target image from a repository if it’s not available locally:

[Figure: Xray command results]

The Profile Command

The profile command carries out a more involved analysis of your Docker images. It performs a dynamic analysis where the Docker image is run, and the container created by that image is then analyzed and probed. This command analyzes both the Docker image and the Docker container that is created from that image. In addition, the profile command offers advanced HTTP probe functionality by default that can explore your Docker container’s accessibility.

You can utilize this command with the following syntax:

docker-slim --report nginx-profile-report.json profile --target nginx

[Figure: profile command results]

Compression

One of the main features of Docker Slim is its ability to compress your Docker images. Developer teams that use Docker in their development and production lifecycles are often left with multiple large Docker images. This has a significant impact on the speed of each step in your process, as it takes longer to load and build on larger Docker containers locally or in production.

Docker Slim offers the build command for this purpose. This command utilizes both static and dynamic analysis to optimize and create a minimized Docker image.

The build command uses the following syntax:

docker-slim --report nginx-build-report.json build --target nginx --copy-meta-artifacts .

The --copy-meta-artifacts flag copies the files produced by the build command to a location more convenient for you. The command above creates the reverse-engineered Dockerfile, optimized Dockerfile, your optimized Docker image, security profiles, and other files in your current working directory.

The results of the build command (at the bottom of the output) show a minimized nginx.slim image of 12 MB, down from its original size of 142 MB:

[Figure: build command results]

Now you can use the optimized Docker image in your development process in place of your previous image.

Security

Docker and, in general, containerized applications can often be more secure than traditional local applications. However, there are considerations to note, such as the permissions allowed by your kernel, the interaction between Docker, your containers, and the file system, and any unnecessary loopholes in your configuration profile. These concerns can be alleviated by adding another safety layer to your container in the form of a security configuration profile specific to it.

Docker Slim automatically generates AppArmor and Seccomp security profiles when the build or profile commands are used. These security profiles will be specific to your images and their functionality.

You can use the security profile generated in the previous build command using the following syntax:

docker run -it --rm -d -p 8080:80 \
--security-opt apparmor:nginx-apparmor-profile nginx.slim

This command starts an nginx container from the minimized image and applies the AppArmor security profile created by the build. Docker looks the profile up by name, so the generated profile file in the working directory has to be loaded into AppArmor on the host before the container starts. An nginx web server is then up and running at http://localhost:8080/, and its security profile confines the container by restricting program capabilities, such as read or write permission on certain files and root access. It also limits network access to block unpermitted entry.

[Figure: nginx web server]
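
Docker refers to an AppArmor profile by name, and the kernel only enforces profiles that have been loaded. The following added example (not part of Docker Slim) reads the profile name from a generated profile file, loads it with apparmor_parser if needed, and starts the container only once the profile is in enforce mode; the function names, the file name ./nginx-apparmor-profile and the sample listing are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm the generated AppArmor profile is enforced before docker run.
# Kernel listing of loaded profiles, one "NAME (MODE)" per line; root-readable only.
LOADED_PROFILES="/sys/kernel/security/apparmor/profiles"

# Print the name declared on the "profile NAME ..." line of a profile file.
profile_name() {
  awk '$1 == "profile" { print $2; exit }' "$1"
}

# Read a profile listing on stdin; return 0 only if $1 is loaded in enforce mode.
profile_enforced() {
  awk -v want="$1" '$1 == want && $2 == "(enforce)" { found = 1 }
                    END { exit !found }'
}

# Load the profile if needed, re-check it, then start the confined container.
run_confined() {
  local file="$1" image="$2" name
  name="$(profile_name "$file")"
  [ -n "$name" ] || { echo "no profile declaration in $file" >&2; return 1; }
  if ! sudo cat "$LOADED_PROFILES" | profile_enforced "$name"; then
    sudo apparmor_parser -r -W "$file" || return 1
  fi
  sudo cat "$LOADED_PROFILES" | profile_enforced "$name" ||
    { echo "$name is not in enforce mode" >&2; return 1; }
  docker run --rm -d -p 8080:80 --security-opt "apparmor=$name" "$image"
}

# Constructed listing: a profile that is loaded but only in complain mode
# logs violations without blocking them, so the check must reject it.
SAMPLE_LISTING='docker-default (enforce)
nginx-apparmor-profile (complain)'
printf '%s\n' "$SAMPLE_LISTING" | profile_enforced nginx-apparmor-profile ||
  echo "sample: nginx-apparmor-profile is not enforced"

# On an AppArmor-enabled host, from the directory holding the build output:
#   run_confined ./nginx-apparmor-profile nginx.slim
```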

Conclusion

Docker Slim works to optimize your Docker development process, utilizing both static and dynamic analysis to generate information about your Docker resources that can be used to optimize and secure your images. It does this by disposing of miscellaneous packages and files, and streamlining your container to reduce its attack surface and vulnerabilities.

The advent of containerized applications has helped scale up the development and production process for DevOps teams. However, Docker’s containerization is not perfect, and improvements can be made.

In this article, you learned about Docker Slim and how it can be used to optimize your Docker resources, utilizing the lint, xray, profile, and build Docker Slim commands to optimize your Docker images and containers.


Sooter Saalu is a data professional with experience as a data analyst, data scientist, and data engineer. He has an educational background in clinical psychology and is committed to writing engaging data stories for technical and non-technical audiences.
