DockerSlim @ RawKode Academy

# DockerSlim @ RawKode Academy ## Prerequisites - A Linux or macOS machine (2+ CPUs, 8+ GB RAM) running Docker - `git`, `cmake`, `curl` - [bonus] a local Kubernetes cluster (via `kind` or `minikube`) ## Intro Explain the idea real quick. ![](https://i.imgur.com/jmxJ1rO.jpg) ## Demo 1: Basics Make a curl-only image out of a full-blown CentOS distro. Show what's inside of the minified image (potentially, using our SaaS). ```shell # Pull image to the local machine docker pull centos:latest # Slim it! docker-slim build \ --target centos:latest \ --tag centos:curl \ --http-probe=false \ --exec "curl -s checkip.amazonaws.com" # Make sure the slim version is functional docker run -it --rm centos:curl curl -s checkip.amazonaws.com # Take a look at sizes (~300MB vs ~10MB) docker images # Analyze the slim image docker-slim xray \ --target centos:curl \ --export-all-data-artifacts . # ^ take a look at the console output # potentially upload the tar file to portal.slim.dev ``` ## Demo 2: Advanced HTTP probing More real scenario: minify the image of a Node.js server with a non-trivial HTTP API. We'll use the DockerSlim's **built-in HTTP probing** leveraging the server's Swagger spec. ```shell git clone https://github.com/docker-slim/examples.git cd http_probe_swagger # Examine our guinea pig service less service/server.js less service/package.json less Dockerfile # Build the fat version make fat-build docker images # Show that it works make fat-run docker ps curl localhost:1300 make fat-stop # Build a slim version make slim-build docker images # Show that it works make slim-run docker ps curl localhost:1300 make slim-stop ``` ## Demo 3: Auto-generating seccomp profiles One of the cool features of DockerSlim, besides the minimization itself, is generating seccomp and AppArmor profiles based on the sensor's intelligence. Might not be fully production ready, but a good start for those wanting to harden their workloads using security profiles. ``` make slim-build-and-keep-artifacts # Allow two more syscalls (for some reason, they are missing) # - "fstatfs" # - "faccessat2" make slim-run-seccomp curl localhost:1300 ``` ## Demo 4: Slimming Kubernets workloads (PoC) <u>**Important**: We'll have to build DockerSlim from the master branch before this demo.</u> Docker is historically the first container runtime DockerSlim supported. **The problem is that containers rarely run in solitude** - services typically have several external dependencies these days. Implementing Docker Compose support was a natural second step, but now we're adding other runtimes, starting from Kubernetes. ```shell git clone https://github.com/docker-slim/examples.git cd kubernetes-deployment-simple make kind-create-cluster # Examine our guinea pig service less app/server.js less app/kubernetes/app-deployment.yaml less app/kubernetes/app-service.yaml less app/kubernetes/redis-deployment.yaml less app/kubernetes/redis-service.yaml # Build, load & run the fat version make fat-build make fat-load make fat-run kubectl get all # Build a slim version from the running workload make slim-build-from-running-fat make fat-stop # Test the slim version make slim-load make slim-run kubectl get all ```