Slim Toolkit (DockerSlim)
Overview
Abschnitt betitelt „Overview“Slim Toolkit (formerly DockerSlim) is a comprehensive container optimization and security platform. It analyzes Docker containers, removes unnecessary components, optimizes layer structure, and applies security best practices. Reduces image sizes by 30-98% while improving security posture through minimal container footprints.
Installation
Abschnitt betitelt „Installation“# Homebrew
brew install slimtoolkit
# Manual download
curl -L https://downloads.slim.dev/releases/slim-latest-darwin.tar.gz | tar -xz
sudo mv slim /usr/local/bin/Linux (x86_64)
Abschnitt betitelt „Linux (x86_64)“# Download latest release
curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
sudo mv slim /usr/local/bin/
# Verify installation
slim --version# Run Slim in container
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock \
slimtoolkit/slim:latest slim --help
# Create alias
alias slim='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock slimtoolkit/slim:latest slim'Build from Source
Abschnitt betitelt „Build from Source“git clone https://github.com/slimtoolkit/slim.git
cd slim
make build
./bin/slim --versionCore Commands
Abschnitt betitelt „Core Commands“| Command | Purpose | Usage |
|---|---|---|
build | Create optimized image via profiling | Most common, produces XL images |
xray | Inspect image layers and structure | Analyze before optimization |
profile | Generate profiling data | Detailed runtime analysis |
lint | Check image for security issues | Detect common misconfigurations |
update | Interactive image updates | Manual layer modifications |
run | Execute and profile container | Test application during build |
Building Optimized Images
Abschnitt betitelt „Building Optimized Images“Basic Image Optimization
Abschnitt betitelt „Basic Image Optimization“# Simple build and optimize
slim build my-app:latest
# Build with custom output name
slim build --target my-app:latest --tag my-app:slim
# Keep intermediate images for debugging
slim build --keep-tmp-artifacts my-app:latest
# Verbose output
slim build -v my-app:latestProfiled Build Workflow
Abschnitt betitelt „Profiled Build Workflow“# Build with explicit profiling
slim build --http-probe my-app:latest
# Build without HTTP probing
slim build --http-probe=false my-app:latest
# Custom HTTP probe endpoint
slim build --http-probe-cmd="curl http://localhost:8080/health" my-app:latest
# Extended profiling period
slim build --exec-timeout 120s my-app:latestImage Size Optimization Techniques
Abschnitt betitelt „Image Size Optimization Techniques“# Remove build artifacts
slim build --remove-file-artifacts my-app:latest
# Remove intermediate layers
slim build --remove-intermediate-artifacts my-app:latest
# Preserve specific paths (don't remove)
slim build --preserve "/opt/app/*" --preserve "/etc/config" my-app:latest
# Include specific files in final image
slim build --include-path "/app/certs" my-app:latest
# Remove shell access for security
slim build --remove-shell my-app:latestAdvanced Build Options
Abschnitt betitelt „Advanced Build Options“# Custom build tag and preserve changes
slim build --target my-app:1.0 --tag my-app:1.0-slim \
--preserve-path "/var/lib/app" my-app:1.0
# Exclude non-essential packages during analysis
slim build --exclude-patterns "/usr/share/doc,/usr/share/man" my-app:latest
# Keep system runtime but remove development tools
slim build --remove-dev-tools my-app:latest
# Custom working directory in output
slim build --output-image my-app-optimized my-app:latestImage Analysis and Inspection
Abschnitt betitelt „Image Analysis and Inspection“XRay - Layer Analysis
Abschnitt betitelt „XRay - Layer Analysis“# Inspect image structure
slim xray my-app:latest
# Generate HTML report
slim xray --report my-app:latest
# Detailed layer breakdown
slim xray -v my-app:latest
# Compare original and optimized
slim xray my-app:latest
slim xray my-app:slimImage Linting
Abschnitt betitelt „Image Linting“# Check security best practices
slim lint my-app:latest
# Verbose lint output
slim lint -v my-app:latest
# Generate lint report
slim lint --report lint_results.json my-app:latest
# Check for specific issues
slim lint --fail-on security-issues my-app:latestProfile Analysis
Abschnitt betitelt „Profile Analysis“# Generate detailed profile
slim profile my-app:latest
# Save profile data
slim profile --output-profile profile.json my-app:latest
# Profile with custom entry point
slim profile --entrypoint "/app/main.sh" my-app:latest
# Extended profiling session
slim profile --duration 300s my-app:latestDocker Container Integration
Abschnitt betitelt „Docker Container Integration“Building from Dockerfiles
Abschnitt betitelt „Building from Dockerfiles“# Dockerfile optimization workflow
docker build -t my-app:latest .
slim build my-app:latest
# Rename original and use slim version
docker tag my-app:slim my-app:latestMulti-Stage Build Integration
Abschnitt betitelt „Multi-Stage Build Integration“# Original multi-stage Dockerfile
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp
FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/
ENTRYPOINT ["myapp"]# Build then optimize
docker build -t my-app:latest .
slim build my-app:latest
# Result: my-app:slim with optimized runtimeContainer Runtime Profiling
Abschnitt betitelt „Container Runtime Profiling“# Build with HTTP probing
slim build \
--http-probe-cmd "curl http://localhost:8080" \
--exec-timeout 60s \
my-app:latest
# Build with custom startup time
slim build \
--startup-time 30s \
--http-probe my-app:latestSecurity Hardening
Abschnitt betitelt „Security Hardening“Removing Attack Surface
Abschnitt betitelt „Removing Attack Surface“# Remove shell (no /bin/sh, /bin/bash)
slim build --remove-shell my-app:latest
# Remove package managers
slim build --remove-pkgmanager my-app:latest
# Remove sudo and privileged tools
slim build --remove-sudo my-app:latest
# Comprehensive hardening
slim build \
--remove-shell \
--remove-pkgmanager \
--remove-sudo \
my-app:latestSecurity Analysis
Abschnitt betitelt „Security Analysis“# Analyze security posture
slim lint --severity high my-app:latest
# Report on common vulnerabilities
slim xray --report security my-app:latest
# Check rootless compatibility
slim lint --check-rootless my-app:latestCustom Security Rules
Abschnitt betitelt „Custom Security Rules“# Preserve critical directories
slim build \
--preserve "/etc/ssl/certs" \
--preserve "/app/secrets" \
--remove-shell \
my-app:latestBatch Processing
Abschnitt betitelt „Batch Processing“Optimize Multiple Images
Abschnitt betitelt „Optimize Multiple Images“# Script for optimizing image repository
#!/bin/bash
for image in $(docker images --format "{{.Repository}}:{{.Tag}}"); do
echo "Optimizing $image"
slim build "$image"
docker tag "${image%:*}:slim" "${image%:*}:slim-$(date +%s)"
doneCI/CD Integration
Abschnitt betitelt „CI/CD Integration“# GitHub Actions example
name: Build and Optimize
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build Docker image
run: docker build -t my-app:latest .
- name: Optimize with Slim
run: |
curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
./slim build my-app:latest
- name: Push optimized image
run: docker push my-app:slimComparative Analysis
Abschnitt betitelt „Comparative Analysis“Before and After Optimization
Abschnitt betitelt „Before and After Optimization“# Original image
docker build -t my-app:original .
docker images my-app:original
# Optimized image
slim build my-app:original
docker images my-app:slim
# Size comparison
echo "Original: $(docker images my-app:original --format '{{.Size}}')"
echo "Optimized: $(docker images my-app:slim --format '{{.Size}}')"Report Generation
Abschnitt betitelt „Report Generation“# Generate comprehensive report
slim build \
--report optimization_report.html \
--preserve /app/logs \
my-app:latest
# Layer-by-layer comparison
slim xray --report detailed_analysis.html my-app:latest
# Security assessment
slim lint --report security_audit.json my-app:latestAdvanced Workflows
Abschnitt betitelt „Advanced Workflows“Development to Production Pipeline
Abschnitt betitelt „Development to Production Pipeline“# 1. Development image (full, with tools)
docker build -t my-app:dev .
# 2. Production image (optimized)
slim build \
--remove-shell \
--remove-pkgmanager \
--tag my-app:prod \
my-app:dev
# 3. Verify functionality
docker run --rm my-app:prod /app/myapp --version
# 4. Push to registry
docker push my-app:prodKubernetes Deployment Optimization
Abschnitt betitelt „Kubernetes Deployment Optimization“# Build and optimize for K8s
slim build \
--remove-shell \
--preserve "/etc/ssl/certs" \
--tag my-app:k8s \
my-app:latest
# Create deployment YAML
cat > deployment.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
template:
spec:
containers:
- name: my-app
image: my-app:k8s
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
EOFDebugging Optimized Images
Abschnitt betitelt „Debugging Optimized Images“# Keep debugging tools in optimized image
slim build \
--preserve "/usr/bin/strace" \
--preserve "/usr/bin/curl" \
--tag my-app:debug \
my-app:latest
# Analyze what was removed
slim xray my-app:latest > analysis.txt
diff <(docker inspect my-app:original) <(docker inspect my-app:slim)Performance Metrics
Abschnitt betitelt „Performance Metrics“Size Reduction Examples
Abschnitt betitelt „Size Reduction Examples“# Node.js application (typical reduction)
# Original: 800MB → Optimized: 80MB (90% reduction)
slim build node-app:latest
# Python application
# Original: 500MB → Optimized: 50MB (90% reduction)
slim build python-app:latest
# Go application (usually already small)
# Original: 200MB → Optimized: 10MB (95% reduction)
slim build go-app:latestStartup Time Improvements
Abschnitt betitelt „Startup Time Improvements“# Measure startup time impact
time docker run --rm my-app:original /app/start.sh
time docker run --rm my-app:slim /app/start.sh
# Typical improvement: 20-40% faster startupBest Practices
Abschnitt betitelt „Best Practices“- Preserve Essential Paths: Always explicitly preserve application directories
- Test Thoroughly: Run application suite tests on optimized image before production
- Security First: Use
--remove-shelland--remove-pkgmanagerfor production - Monitor Metrics: Track size reduction and startup performance
- Iterative Optimization: Identify unused libraries and remove progressively
- Documentation: Keep notes on preserved paths for future builds
Troubleshooting
Abschnitt betitelt „Troubleshooting“Application Fails in Optimized Image
Abschnitt betitelt „Application Fails in Optimized Image“# Identify missing dependencies
slim build --keep-tmp-artifacts my-app:latest
docker inspect slim-state.log
# Preserve additional paths and rebuild
slim build --preserve "/usr/lib/specific-lib" my-app:latestSize Reduction Too Aggressive
Abschnitt betitelt „Size Reduction Too Aggressive“# Preserve development tools for debugging
slim build --preserve "/usr/bin/*" my-app:latest
# Manual adjustment
docker import slim-state.log my-app:adjustedBuild Process Hangs
Abschnitt betitelt „Build Process Hangs“# Reduce timeout
slim build --exec-timeout 30s my-app:latest
# Disable HTTP probing
slim build --http-probe=false my-app:latestRelated Tools
Abschnitt betitelt „Related Tools“- DockerSlim Plugins: IDE integrations for VS Code and IntelliJ
- Trivy: Vulnerability scanning for container images
- Kaniko: Build containers without Docker daemon
- Podman: Container engine alternative with similar workflows
- Syft: Software composition analysis for containers
References
Abschnitt betitelt „References“- Slim Documentation: https://docs.slimtoolkit.org/
- GitHub Repository: https://github.com/slimtoolkit/slim
- Docker Best Practices: https://docs.docker.com/develop/dev-best-practices/
- OWASP Container Security: https://cheatsheetseries.owasp.org/cheatsheets/Container_Security_Cheat_Sheet.html