5 Most Commonly Asked SlimToolkit Questions

Primož Ajdišek

SlimToolkit (previously DockerSlim) and Slim.AI have been growing in adoption and usage, and along with this, so has our community. We often receive questions from users regarding the product, experience and the open source project itself.

In this post you’ll find a roundup of the most commonly asked questions, and we’ll try to do this every once in a while, when more frequently asked questions come in from our users.

Question 1: How does SlimToolkit work under the hood?

SlimToolkit uses a technology called ptrace, a standard Linux and Unix utility that allows you to scan and ultimately control a process, then have visibility into the system when it runs. With ptrace, a system can view and understand all the file access, executables, and processes that are running in a Linux kernel. For our purposes, that applies to a running Docker container. During the minification and optimization process, SlimToolkit goes through the ptrace data and selects which files and executables to keep in the container by analyzing the ptrace output.

This means that during minification ptrace will analyze whether a certain file or process was accessed, checked, opened or executed, and depending on the type of access, SlimToolkit will decide whether to include these in the new image or not.

SlimToolkit then creates a container image from scratch including just what is required to successfully run your application, along with any custom configurations you may have provided (more on that later).
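The selection step described above can be pictured with strace, which is itself built on ptrace. The script below is an added illustration, not SlimToolkit's sensor code: the trace lines are constructed, and the keep policy (keep files that were successfully executed or opened, list stat/access hits separately) is an assumption.

```shell
#!/bin/sh
# Added illustration, not SlimToolkit's sensor code. The keep policy is an
# assumption: keep what was executed or opened, list stat/access hits apart.

# Constructed sample in `strace -f -e trace=file` format.
sample_trace() {
  cat <<'EOF'
1234 execve("/usr/local/bin/node", ["node", "server.js"], 0x7ffc1a2b3c40 /* 12 vars */) = 0
1234 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/app/server.js", O_RDONLY) = 3
1234 stat("/app/node_modules/express", {st_mode=S_IFDIR|0755, st_size=4096}) = 0
1234 openat(AT_FDCWD, "/app/config.local.json", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/app/server.js", O_RDONLY) = 3
EOF
}

# classify_trace: stdin = trace lines, stdout = "<kind> <path>" for each
# successful call, where kind is exec, open or check.
classify_trace() {
  awk '
    index($0, "(") == 0 { next }
    {
      head = substr($0, 1, index($0, "(") - 1)   # e.g. "1234 openat"
      n = split(head, parts, " ")
      call = parts[n]                            # syscall name
      if (!match($0, /"[^"]*"/)) next            # first quoted argument = path
      path = substr($0, RSTART + 1, RLENGTH - 2)
      ret = $0
      sub(/.* = /, "", ret)                      # text after the last " = "
      if (ret ~ /^-1/) next                      # failed call: no file to keep
      if (call == "execve") kind = "exec"
      else if (call == "open" || call == "openat") kind = "open"
      else kind = "check"
      print kind, path
    }' | LC_ALL=C sort -u
}

# keep_paths: files the minified image would need under the assumed policy.
keep_paths() {
  classify_trace |
    awk '$1 == "exec" || $1 == "open" { sub(/^[a-z]+ /, ""); print }' |
    LC_ALL=C sort -u
}

sample_trace | keep_paths
```

Failed lookups such as the `ENOENT` lines are dropped because they name files that were never in the image, so there is nothing to copy for them.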

A quick note on why ptrace was selected for SlimToolkit: SlimToolkit is a project that got started well before Slim.AI, when Docker adoption was just gaining momentum. When DockerSlim was first created, technologies like eBPF and lsof were not widely available, and certainly not robust enough for production-grade container minification. The DockerSlim contributors are constantly looking at new kernel technologies to see if they would help improve our results, and there are some exciting demos our team has done with this new tech.

Follow-up question: Does Slim.AI offer any other ways of slimming a container other than the SlimToolkit CLI?

Yes - one of the newest features of Slim.AI SaaS is minification optimization, which is essentially like hosted SlimToolkit, enabling you to minify your containers through a convenient UI, instead of the CLI flags, and running on Slim.AI’s build servers.

So if using the CLI-based Docker Slim is too complex or has too many options, you can use the UI for a better web-based user experience.

Question 2: What type of applications work best with SlimToolkit?

SlimToolkit works on any Linux-based OCI-compliant container and supports all application types, technology stacks, and base images for optimization and minification. It’s a founding principle of the project that developers should be able to work the way they want with their favorite tools and tech.

That said, SlimToolkit is particularly suited for web applications, because it has extensive HTTP probes, which leverage crawlers to check endpoints in the apps, making it simpler for ptrace and other tools to understand what’s happening. This enables SlimToolkit to do most of the work automatically, and is one reason the project is popular with Node, Python, DotNet, and Ruby-on-Rails developers — though we see our share of Go, Java, and other frameworks as well.

Console or CLI apps require a bit more manual work and intervention for slimming. To achieve the same level of automation, you will need to write either a script or a test that runs and executes the different commands your app needs to run successfully. Some external source needs to interact with the CLI in order for ptrace to detect what the application needs and ensure it is included in the minified version.

SlimToolkit also leverages standard HTTP/S for the HTTP probe for server interfacing, to keep this standardized.

Question 3: How do I integrate SlimToolkit into my CI/CD pipeline?

Since SlimToolkit is a standard utility to run in a terminal, you can easily implement it into your CI/CD pipeline, as long as you have the relevant permissions to access Docker and provide an environment that can actually run Docker. This means it can support any CI/CD tool that has Docker enabled as part of the environment. Check out this article on Automating SlimToolkit in your CI/CD Pipeline, which leverages SlimToolkit as part of a GitHub Action. We’ve written or seen similar examples using Jenkins, CircleCI, and many other common CI tools.

It’s worth noting that at the time of writing this article, some GitLab users can experience issues with timeouts when running SlimToolkit in their CI pipeline. A quick fix is to invoke the `--sensor-ipc-mode proxy` flag in your build command. More on this issue can be found in the SlimToolkit issues section on GitHub.

Regardless of which CI/CD system you use, it is important to have a good suite of tests running on a newly slimmed container before it makes its way to production. You want to ensure that the application in the container is indeed functionally equivalent to the original, and have some process to fall back to the original or stop the deployment should something unexpected happen in the build process.
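One way to wire that check into a pipeline step, as an added example that is not from the SlimToolkit project: the same probe command runs against the original and the slimmed image, and the slimmed tag is only released when output and exit status match. The probe script name and the `ON_MISMATCH` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SlimToolkit project. The probe command and the
# ON_MISMATCH variable are hypothetical names chosen for this script.

# build_slim TARGET TAG: minify TARGET into TAG. The proxy IPC mode is the
# workaround the article mentions for GitLab timeouts.
build_slim() {
  slim build --target "$1" --tag "$2" --sensor-ipc-mode proxy
}

# run_probe IMAGE CMD...: run CMD with IMAGE exported; print output and status.
run_probe() {
  img=$1; shift
  out=$(export IMAGE="$img"; "$@" 2>&1) && rc=0 || rc=$?
  printf '%s\nexit=%s\n' "$out" "$rc"
}

# pick_image ORIGINAL SLIM CMD...: print the tag that is safe to deploy.
# ON_MISMATCH=fallback (default) prints ORIGINAL; ON_MISMATCH=stop returns 1.
pick_image() {
  orig_tag=$1; slim_tag=$2; shift 2
  want=$(run_probe "$orig_tag" "$@")
  got=$(run_probe "$slim_tag" "$@")
  if [ "$want" = "$got" ]; then
    echo "$slim_tag"
    return 0
  fi
  echo "slimmed image does not behave like the original:" >&2
  printf 'original: %s\nslimmed:  %s\n' "$want" "$got" >&2
  if [ "${ON_MISMATCH:-fallback}" = "stop" ]; then
    return 1
  fi
  echo "$orig_tag"
}

# CI usage (needs Docker and slim), with ./smoke-test.sh reading $IMAGE:
#   build_slim app:1.0 app:1.0.slim
#   sh gate.sh app:1.0 app:1.0.slim ./smoke-test.sh
if [ "$#" -ge 3 ]; then
  pick_image "$@"
fi
```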

Follow-up question: What are Slim.AI connectors and when are they used?

Slim.AI connectors are not directly related to CI/CD, but they are the way to connect to a private Docker registry if you need to. With these connectors you will be able to see the containers you have in your private registries, such as a private Docker Hub or private AWS registry.

Question 4: What if my minified container stops working - how do I debug it?

The best way to check why your container has stopped working is to use Slim.AI’s diffing capabilities, and compare the changes between the slimmed and non-slimmed container. This will help you understand which files are missing and were removed in the minification process. Once you are equipped with this information, you can then use the built-in flags to tell Docker Slim to include that file, no matter what happens with it during the ptrace scan.
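The same comparison can be approximated locally with plain Docker. This is an added example, not Slim.AI's diff feature: it lists the files that exist in the original image but not in the slimmed one, narrows them to one directory (slimming removes many files by design), and prints them as `--include-path` flags for the next build. The image tags and the `/app` prefix are placeholders.

```shell
#!/bin/sh
# Added example, not Slim.AI's diff feature: a local approximation with Docker.
# Image tags and the /app prefix in the usage line are placeholders.

# image_files IMAGE: sorted list of every path in the image (needs Docker).
image_files() {
  cid=$(docker create "$1") || return 1
  docker export "$cid" | tar -tf - |
    sed 's|^\./||; s|^/*|/|' | LC_ALL=C sort -u
  docker rm "$cid" >/dev/null
}

# removed_under ORIG_LIST SLIM_LIST PREFIX: files present in the original
# listing, absent from the slimmed one, and located under PREFIX.
# Both listings must be sorted in the C locale, as image_files produces them.
removed_under() {
  LC_ALL=C comm -23 "$1" "$2" |
    awk -v p="$3" 'index($0, p) == 1 && $0 !~ /\/$/'
}

# include_flags: stdin = paths, stdout = one --include-path flag per path.
include_flags() {
  awk '{ printf "--include-path %s\n", $0 }'
}

# usage: sh slimdiff.sh app:1.0 app:1.0.slim /app
if [ "$#" -eq 3 ]; then
  tmp=$(mktemp -d)
  image_files "$1" > "$tmp/orig" && image_files "$2" > "$tmp/slim" &&
    removed_under "$tmp/orig" "$tmp/slim" "$3" | include_flags
  rm -rf "$tmp"
fi
```

Review the printed paths before passing them back to the build, since each one re-adds a file the trace never saw in use.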

If you have automated testing, SlimToolkit supports any utility you are already using. You can run these tests as part of your pipeline, and you can even have the process fail based on predefined statements, which will prevent the build from proceeding to slimming.

Question 5: Does SlimToolkit work with Podman or other Docker alternatives?

SlimToolkit does not currently work with Podman directly. However, you can use SlimToolkit-created containers with Kubernetes and with Podman; just be aware that the slimming process can’t run without Docker. Once minified, the containers can be run on any OCI-compliant runtime, including containerd, podman, and K8s, among others.

We hope these questions helped you learn a little bit more about how SlimToolkit works, as well as how it works together with Slim.AI. Feel free to drop your questions in our Discord, and we will continue to do roundups when we have new and interesting questions from the community.
