The how, what, and why of Slim's new Container Optimization workflow.
What is Container Optimization?
Containers used in development tend to be large (1 GB+) and include tooling – like shells and package managers – that makes them unsafe to use in production contexts. Container optimization, also known as “container slimming” or “container hardening”, is a process by which you make containers ready for production.
Manually slimming a container can take hours and requires specialized knowledge. One of our goals at Slim.AI is to make it easy for any developer to quickly create a production-ready container with minimal effort.
Our Container Optimization workflow allows users to slim containers in an easy-to-use and consistent web environment. Slimming images via the Slim SaaS takes only minutes, and creates a repeatable, trackable process that can be used every time you make a code change.
It's essentially a hosted DockerSlim: you minify your containers through a convenient UI instead of CLI flags, and the work runs on Slim.AI’s build servers.
Make a free account on the Slim Developer Platform to access the Container Optimization workflow.
Why should I optimize my containers?
Research has shown that 20% of all vulnerabilities in the most popular public containers are of high or critical severity. So if you're a consumer of public containers and you're not optimizing, you’re accepting additional, unnecessary attack risk into your software supply chain.
Slim's Container Optimization workflow minimizes your attack surface and gives you detailed visibility into exactly what you’re running, so you can eliminate what you don’t need.
If the extra risk isn't enough to convince you, consider this: a 1 GB container takes approximately 6X longer to scan than a 200 MB container. For a typical development team, this could conservatively mean 160 wasted hours per year. We bet you'd rather be doing more meaningful coding work.
In this next section, come along with us for a step-by-step view of the Container Optimization workflow.
Container Optimization Tutorial
Once you're logged into the Slim Developer Platform, you'll have the option to follow along with our demo (optimizing a custom app built in Nuxt) or you can search for a container to optimize (we're connected to the world’s largest public registries).
1. Choose the details for your new optimized container.
You’ll choose a location and namespace, add a name for your container and tag it.
Under these fields, you’ll have the option to view the optimization history, which can be useful if you’ve optimized the same image multiple times.
2. Choose your application type.
You'll be able to choose from a NuxtJS application, a server application, or a CLI application.
3. Choose folders and files.
Next, you’ll be able to cherry-pick any files or folders to include, but not optimize, in the new container.
If your container needs a database or has dependencies, you have the option to include a Docker Compose file.
4. Add or edit environment variables.
On the next screen, you’ll see the environment variables; you can override them or add new ones if needed.
5. Add any open ports.
Next, you’ll see the networking ports that the container has open. Generally, we recommend reusing the defaults that are defined by the container. Our system will attempt to auto-detect these.
6. Review your configuration.
On the final screen, you have an opportunity to review your configuration before running the optimization. Note that clicking Next on this screen will trigger the container optimization to run.
7. Discover your results!
In a few moments, the output summary will populate.
The Overview gives you the size difference between the original and the new optimized container. You’ll be able to not only download your new optimized container, but also to individually inspect the Vulnerabilities Diff, the Image Metadata Diff, File System Overlay, Unified Diff and Dockerfile Diff.
Vulnerabilities Diff - Allows you to see the concrete security risks resulting from unused files and bloat. Using two popular open source scanners, Grype and Trivy, we show a detailed breakdown of vulnerabilities by scanner and risk level. The vulnerability in-line comparison flags vulnerabilities that have an available fix, so you can start with some quick wins.
Image Metadata Diff - The overview from the scanned images, side by side.
File System Overlay - A fully explorable and exportable file-by-file breakdown of everything removed during the hardening process.
Dockerfile Diff - The generated Dockerfile, before and after container optimization.
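The comparison behind the Vulnerabilities Diff can be reproduced from scanner output. The following is an added example, not Slim.AI's code: it assumes parsed JSON reports from `trivy image --format json` and `grype <image> -o json` for the original and the slimmed image, and runs on constructed sample reports with placeholder CVE IDs. The function names are hypothetical.

```python
from collections import Counter

def from_trivy(report):
    """Normalize parsed `trivy image --format json` output."""
    found = {}
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            found[(v["VulnerabilityID"], v["PkgName"])] = (
                v.get("Severity", "UNKNOWN").upper(), bool(v.get("FixedVersion")))
    return found

def from_grype(report):
    """Normalize parsed `grype <image> -o json` output."""
    found = {}
    for m in report.get("matches") or []:
        vuln = m["vulnerability"]
        fixable = (vuln.get("fix") or {}).get("state") == "fixed"
        found[(vuln["id"], m["artifact"]["name"])] = (
            vuln.get("severity", "Unknown").upper(), fixable)
    return found

def vuln_diff(original, slimmed):
    """Compare normalized findings from the original and the slimmed image."""
    removed = {k: v for k, v in original.items() if k not in slimmed}
    return {
        "removed": dict(Counter(sev for sev, _ in removed.values())),
        "remaining": dict(Counter(sev for sev, _ in slimmed.values())),
        "remaining_fixable": sorted(k for k, (_, fix) in slimmed.items() if fix),
    }

# Constructed sample reports: placeholder IDs, not real scanner output.
TRIVY_ORIGINAL = {"Results": [{"Target": "app", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "bash", "Severity": "HIGH", "FixedVersion": "5.1-3"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "apt", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl1.1", "Severity": "MEDIUM", "FixedVersion": "1.1.1n"}]}]}
TRIVY_SLIM = {"Results": [{"Target": "app", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl1.1", "Severity": "MEDIUM", "FixedVersion": "1.1.1n"}]}]}
GRYPE_ORIGINAL = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"state": "fixed"}}, "artifact": {"name": "bash"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium", "fix": {"state": "fixed"}}, "artifact": {"name": "libssl1.1"}}]}
GRYPE_SLIM = {"matches": []}

def sample_diff():
    return {"trivy": vuln_diff(from_trivy(TRIVY_ORIGINAL), from_trivy(TRIVY_SLIM)),
            "grype": vuln_diff(from_grype(GRYPE_ORIGINAL), from_grype(GRYPE_SLIM))}

if __name__ == "__main__":
    for scanner, diff in sample_diff().items():
        print(scanner, diff)
```

Findings listed under `remaining_fixable` are the ones a package upgrade in the slimmed image would close, which is where the quick wins are.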
To better understand each of these diffs, read our dedicated Container Diff article next.