DockerSlim and Slim.AI have been growing in adoption and usage, and along with this, so has our community. We often receive questions from users regarding the product, experience and the open source project itself.
In this post you’ll find a roundup of the most commonly asked questions, and we’ll try to do this every once in a while, when more frequently asked questions come in from our users.
# Question 1: How does DockerSlim work under the hood?
DockerSlim uses a technology called ptrace, a standard Linux and Unix utility that allows you to scan and ultimately control a process, then have visibility into the system when it runs. With ptrace, a system can view and understand all the file access, executables, and processes that are running in a Linux kernel. For our purposes, that applies to a running Docker container. During the minification and optimization process, DockerSlim goes through the ptrace data and selects which files and executables to keep in the container by analyzing the ptrace output.
This means that during minification ptrace will analyze whether a certain file or process was accessed, checked, opened or executed, and depending on the type of access, DockerSlim will decide whether to include these in the new image or not.
DockerSlim then creates a container image from scratch including just what is required to successfully run your application, along with any custom configurations you may have provided (more on that later).
A quick note on why ptrace was selected for DockerSlim: DockerSlim is a project that got started well before Slim.AI, when Docker adoption was just gaining momentum. When DockerSlim was first created, technologies like eBPF and lsof were not widely available, and certainly not robust enough for production-grade container minification. The DockerSlim contributors are constantly looking at new kernel technologies to see if they would help improve our results, and there are some exciting demos our team has done with this new tech.
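To make the access-type decision concrete, here is an added example (not DockerSlim's sensor code) that classifies file accesses from strace-style output, strace being a tracer built on ptrace. The trace lines, the `classify_accesses` and `plan_image` names, and the keep/review/skip policy are assumptions made for illustration.

```python
import re

# Constructed strace-style lines; not real DockerSlim sensor output.
SAMPLE_TRACE = '''
101 execve("/usr/local/bin/node", ["node", "/app/server.js"], 0x7ffc1 /* 9 vars */) = 0
101 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
101 openat(AT_FDCWD, "/usr/lib/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
101 stat("/app/node_modules/express", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
101 access("/etc/ssl/openssl.cnf", R_OK) = 0
101 openat(AT_FDCWD, "/app/server.js", O_RDONLY|O_CLOEXEC) = 3
102 openat(AT_FDCWD, "/app/config/optional.json", O_RDONLY) = -1 ENOENT (No such file or directory)
'''

# Syscall name -> the access type the article talks about (checked, opened, executed).
SYSCALL_KIND = {"execve": "executed", "open": "opened", "openat": "opened",
                "stat": "checked", "lstat": "checked", "access": "checked"}
LINE_RE = re.compile(r'^\d+\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)')
PATH_RE = re.compile(r'"([^"]*)"')  # first quoted argument is the path

def classify_accesses(trace):
    """Map each path to the access kinds seen; failed calls are recorded as 'missing'."""
    seen = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("call") not in SYSCALL_KIND:
            continue
        path = PATH_RE.search(m.group("args"))
        if not path:
            continue
        ok = int(m.group("ret")) >= 0
        kind = SYSCALL_KIND[m.group("call")] if ok else "missing"
        seen.setdefault(path.group(1), set()).add(kind)
    return seen

def plan_image(seen):
    """Assumed policy: keep opened/executed files, flag paths that were only
    checked for review, and skip paths whose every access failed."""
    keep = sorted(p for p, k in seen.items() if k & {"opened", "executed"})
    review = sorted(p for p, k in seen.items() if "checked" in k and p not in keep)
    skipped = sorted(p for p, k in seen.items() if k == {"missing"})
    return keep, review, skipped

if __name__ == "__main__":
    for label, paths in zip(("keep", "review", "skip"), plan_image(classify_accesses(SAMPLE_TRACE))):
        print(label, paths)
```

A path that never shows up in the trace is never a candidate at all, which is why the probes and tests described later in this post determine what ends up in the slimmed image.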
Follow-up question: Does Slim.AI offer any other ways of slimming a container other than the DockerSlim CLI?
Yes - one of the newest features of Slim.AI SaaS is minification optimization, which is essentially like hosted DockerSlim, enabling you to minify your containers through a convenient UI, instead of the CLI flags, and running on Slim.AI’s build servers.
So if using the CLI-based DockerSlim is too complex or has too many options, you can use the UI for a better web-based user experience.
# Question 2: What type of applications work best with DockerSlim?
DockerSlim works on any Linux-based OCI-compliant container and supports all application types, technology stacks, and base images for optimization and minification. It’s a founding principle of the project that developers should be able to work the way they want with their favorite tools and tech.
That said, DockerSlim is particularly suited for web applications, because it has extensive HTTP probes, which leverage crawlers to check endpoints in the apps, making it simpler for ptrace and other tools to understand what’s happening. This enables DockerSlim to do most of the work automatically, and is one reason the project is popular with Node, Python, DotNet, and Ruby-on-Rails developers, though we see our share of Go, Java, and other frameworks as well.
Console or CLI apps require a bit more manual work and intervention for slimming. To achieve the same level of automation, you will need to write either a script or a test that runs the different commands your app needs in order to run successfully. Some external source needs to interact with the CLI in order for ptrace to detect what the application needs, and ensure it is included in the minified version.
DockerSlim also leverages standard HTTP/S for the HTTP probe for server interfacing, to keep this standardized.
# Question 3: How do I integrate DockerSlim into my CI/CD pipeline?
Since DockerSlim is a standard utility to run in a terminal, you can easily implement it into your CI/CD pipeline, as long as you have the relevant permissions to access Docker and provide an environment that can actually run Docker. This means it can support any CI/CD tool that has Docker enabled as part of the environment. Check out this article on Automating DockerSlim in your CI/CD Pipeline, which leverages DockerSlim as part of a GitHub Action. We’ve written or seen similar examples using Jenkins, CircleCI, and many other common CI tools.
It’s worth noting that at the time of writing this article, some GitLab users can experience issues with timeouts when running DockerSlim in their CI pipeline. A quick fix is to invoke the `--sensor-ipc-mode proxy` flag in your build command. More on this issue can be found in the DockerSlim Issues section on GitHub.
Regardless of which CI/CD system you use, it is important to have a good suite of tests running on a newly slimmed container before it makes its way to production. You want to ensure that the application in the container is indeed functionally equivalent to the original, and have some process to fall back to the original or stop the deployment should something unexpected happen in the build process.
Follow-up question: What are Slim.AI connectors and when are they used?
Slim.AI connectors are not directly related to CI/CD, but they are the way to connect to a private Docker registry if you need to. With these connectors you will be able to see the containers you have in your private registries, such as a private Docker Hub or private AWS registry.
# Question 4: What if my minified container stops working - how do I debug it?
The best way to check why your container has stopped working is to use Slim.AI’s diffing capabilities, and compare the changes between the slimmed and non-slimmed container. This will help you understand which files are missing and were removed in the minification process. Once you are equipped with this information, you can then use the built-in flags to tell DockerSlim to include that file, no matter what happens with it during the ptrace scan.
If you have automated testing, DockerSlim supports any utility you are already using. You can run these tests as part of your pipeline, and you can even have the process fail based on predefined statements, which will prevent the build from proceeding to slimming.
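The diff-then-include loop described above can also be done locally. This added example (not Slim.AI's diffing feature or DockerSlim's own code) compares two root filesystem tarballs of the kind `docker export` produces and turns the removed paths you still need into `--include-path` arguments for the DockerSlim build; the file lists and function names are constructed for illustration.

```python
import io
import posixpath
import tarfile

# Constructed file lists standing in for the original and slimmed images.
ORIGINAL = ["app/server.js", "app/templates/error.html", "bin/sh", "usr/bin/curl",
            "etc/ssl/certs/ca-certificates.crt", "usr/local/bin/node"]
SLIMMED = ["app/server.js", "usr/local/bin/node"]

def make_rootfs_tar(paths):
    """Build an in-memory tar that stands in for `docker export <container>` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in paths:
            info = tarfile.TarInfo(name=path)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    buf.seek(0)
    return buf

def list_files(tar_stream):
    """Return the absolute, normalized paths of all non-directory members."""
    with tarfile.open(fileobj=tar_stream, mode="r") as tar:
        return {posixpath.normpath("/" + m.name) for m in tar.getmembers() if not m.isdir()}

def removed_by_slimming(original, slimmed):
    """Paths present in the original image but absent from the slimmed one."""
    return sorted(list_files(original) - list_files(slimmed))

def include_flags(removed, needed_prefixes):
    """Emit --include-path only for removed paths under a prefix the app was shown
    to need (for example by a failing test); everything else stays out of the image."""
    flags = []
    for path in removed:
        if any(path == p or path.startswith(p.rstrip("/") + "/") for p in needed_prefixes):
            flags += ["--include-path", path]
    return flags

if __name__ == "__main__":
    removed = removed_by_slimming(make_rootfs_tar(ORIGINAL), make_rootfs_tar(SLIMMED))
    print("removed:", removed)
    print("docker-slim build", *include_flags(removed, ["/app/templates", "/etc/ssl/certs"]))
```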
# Question 5: Does DockerSlim work with Podman or other Docker alternatives?
DockerSlim does not currently work with Podman directly. However, you can use DockerSlim-created containers with Kubernetes and with Podman; just be aware that the slimming process can’t run without Docker. Once minified, the containers can be run on any OCI-compliant runtime, including containerd, Podman, and K8s, among others.
We hope these questions helped you learn a little bit more about how DockerSlim works, as well as how it works together with Slim.AI. Feel free to drop your questions in our Discord, and we will continue to do roundups when we have new and interesting questions from the community.