Slim Toolkit (DockerSlim)
Overview
Slim Toolkit (formerly DockerSlim) is a comprehensive container optimization and security platform. It analyzes Docker containers, removes unnecessary components, optimizes layer structure, and applies security best practices. It reduces image sizes by 30-98% while improving security posture through minimal container footprints.
Installation
# Homebrew
brew install slimtoolkit
# Manual download
curl -L https://downloads.slim.dev/releases/slim-latest-darwin.tar.gz | tar -xz
sudo mv slim /usr/local/bin/
Linux (x86_64)
# Download latest release
curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
sudo mv slim /usr/local/bin/
# Verify installation
slim --version
# Run Slim in container
# Note: mounting /var/run/docker.sock gives the container full control of the host's Docker daemon
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock \
  slimtoolkit/slim:latest slim --help
# Create alias
alias slim='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock slimtoolkit/slim:latest slim'
Build from Source
git clone https://github.com/slimtoolkit/slim.git
cd slim
make build
./bin/slim --version
Core Commands
| Command | Purpose | Usage |
|---|---|---|
| build | Create optimized image via profiling | Most common, produces XL images |
| xray | Inspect image layers and structure | Analyze before optimization |
| profile | Generate profiling data | Detailed runtime analysis |
| lint | Check image for security issues | Detect common misconfigurations |
| update | Interactive image updates | Manual layer modifications |
| run | Execute and profile container | Test application during build |
Building Optimized Images
Basic Image Optimization
# Simple build and optimize
slim build my-app:latest
# Build with custom output name
slim build --target my-app:latest --tag my-app:slim
# Keep intermediate images for debugging
slim build --keep-tmp-artifacts my-app:latest
# Verbose output
slim build -v my-app:latest
Profiled Build Workflow
# Build with explicit profiling
slim build --http-probe my-app:latest
# Build without HTTP probing
slim build --http-probe=false my-app:latest
# Custom HTTP probe endpoint
slim build --http-probe-cmd="curl http://localhost:8080/health" my-app:latest
# Extended profiling period
slim build --exec-timeout 120s my-app:latest
Image Size Optimization Techniques
# Remove build artifacts
slim build --remove-file-artifacts my-app:latest
# Remove intermediate layers
slim build --remove-intermediate-artifacts my-app:latest
# Preserve specific paths (don't remove)
slim build --preserve "/opt/app/*" --preserve "/etc/config" my-app:latest
# Include specific files in final image
slim build --include-path "/app/certs" my-app:latest
# Remove shell access for security
slim build --remove-shell my-app:latest
Advanced Build Options
# Custom build tag and preserve changes
slim build --target my-app:1.0 --tag my-app:1.0-slim \
  --preserve-path "/var/lib/app" my-app:1.0
# Exclude non-essential packages during analysis
slim build --exclude-patterns "/usr/share/doc,/usr/share/man" my-app:latest
# Keep system runtime but remove development tools
slim build --remove-dev-tools my-app:latest
# Custom working directory in output
slim build --output-image my-app-optimized my-app:latest
Image Analysis and Inspection
XRay - Layer Analysis
# Inspect image structure
slim xray my-app:latest
# Generate HTML report
slim xray --report my-app:latest
# Detailed layer breakdown
slim xray -v my-app:latest
# Compare original and optimized
slim xray my-app:latest
slim xray my-app:slim
Image Linting
# Check security best practices
slim lint my-app:latest
# Verbose lint output
slim lint -v my-app:latest
# Generate lint report
slim lint --report lint_results.json my-app:latest
# Check for specific issues
slim lint --fail-on security-issues my-app:latest
Profile Analysis
# Generate detailed profile
slim profile my-app:latest
# Save profile data
slim profile --output-profile profile.json my-app:latest
# Profile with custom entry point
slim profile --entrypoint "/app/main.sh" my-app:latest
# Extended profiling session
slim profile --duration 300s my-app:latest
Docker Container Integration
Building from Dockerfiles
# Dockerfile optimization workflow
docker build -t my-app:latest .
slim build my-app:latest
# Rename original and use slim version
docker tag my-app:slim my-app:latest
Multi-Stage Build Integration
# Original multi-stage Dockerfile
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp
FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/
ENTRYPOINT ["myapp"]
# Build then optimize
docker build -t my-app:latest .
slim build my-app:latest
# Result: my-app:slim with optimized runtime
Container Runtime Profiling
# Build with HTTP probing
slim build \
  --http-probe-cmd "curl http://localhost:8080" \
  --exec-timeout 60s \
  my-app:latest
# Build with custom startup time
slim build \
  --startup-time 30s \
  --http-probe my-app:latest
Security Hardening
Removing Attack Surface
# Remove shell (no /bin/sh, /bin/bash)
slim build --remove-shell my-app:latest
# Remove package managers
slim build --remove-pkgmanager my-app:latest
# Remove sudo and privileged tools
slim build --remove-sudo my-app:latest
# Comprehensive hardening
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --remove-sudo \
  my-app:latest
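To confirm that a hardened image really lost its shell, package managers and sudo, the file listing of its exported filesystem can be audited. The script below is an added example, not part of Slim Toolkit; the function names and the list of flagged binary names are assumptions chosen for illustration, and the sample listing is constructed.

```sh
#!/bin/sh
# Added example (not from the Slim project): audit an image's root
# filesystem listing for shells, package managers and privilege tools.

# audit_listing: reads one path per line on stdin (the output of
# `tar -tf`), prints "<kind> /<path>" for every flagged binary and
# returns 1 if anything was flagged, 0 if the listing is clean.
audit_listing() {
    found=0
    while IFS= read -r path; do
        path=${path#./}; path=${path#/}
        # Only entries under a bin/ or sbin/ directory count.
        case "/$path" in
            */bin/*|*/sbin/*) ;;
            *) continue ;;
        esac
        # The name lists are an assumed, non-exhaustive selection.
        case "${path##*/}" in
            sh|bash|dash|ash|zsh|busybox) kind=shell ;;
            apt|apt-get|dpkg|apk|yum|dnf|rpm) kind=pkgmanager ;;
            sudo|su) kind=privilege ;;
            *) continue ;;
        esac
        printf '%s /%s\n' "$kind" "$path"
        found=1
    done
    return "$found"
}

# audit_image: exports the filesystem of an image through a stopped
# container and audits it. Requires a Docker daemon.
audit_image() {
    cid=$(docker create "$1") || return 2
    docker export "$cid" | tar -tf - | audit_listing
    status=$?
    docker rm "$cid" >/dev/null
    return "$status"
}

# Constructed sample listing so the check can be tried without Docker.
sample_listing() {
    printf '%s\n' 'app/myapp' 'bin/sh' 'etc/ssl/certs/ca-certificates.crt' \
        'usr/bin/apt-get' 'usr/share/doc/bash/README'
}

if sample_listing | audit_listing; then
    echo "clean: no shell, package manager or sudo found"
else
    echo "attack surface remains"
fi
```

Against a real image, call audit_image my-app:slim and fail the pipeline when it returns non-zero.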
Security Analysis
# Analyze security posture
slim lint --severity high my-app:latest
# Report on common vulnerabilities
slim xray --report security my-app:latest
# Check rootless compatibility
slim lint --check-rootless my-app:latest
Custom Security Rules
# Preserve critical directories
slim build \
  --preserve "/etc/ssl/certs" \
  --preserve "/app/secrets" \
  --remove-shell \
  my-app:latest
Batch Processing
Optimize Multiple Images
#!/bin/bash
# Script for optimizing image repository
for image in $(docker images --format "{{.Repository}}:{{.Tag}}"); do
  # Skip dangling images and images that are already slim output
  case "$image" in
    *"<none>"*|*:slim|*:slim-*) continue ;;
  esac
  echo "Optimizing $image"
  # Name the output explicitly so the tag step below can find it
  slim build --target "$image" --tag "${image%:*}:slim"
  docker tag "${image%:*}:slim" "${image%:*}:slim-$(date +%s)"
done
CI/CD Integration
# GitHub Actions example
name: Build and Optimize
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build Docker image
        run: docker build -t my-app:latest .
      - name: Optimize with Slim
        run: |
          curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
          ./slim build my-app:latest
      - name: Push optimized image
        run: docker push my-app:slim
Comparative Analysis
Before and After Optimization
# Original image
docker build -t my-app:original .
docker images my-app:original
# Optimized image
slim build my-app:original
docker images my-app:slim
# Size comparison
echo "Original: $(docker images my-app:original --format '{{.Size}}')"
echo "Optimized: $(docker images my-app:slim --format '{{.Size}}')"
Report Generation
# Generate comprehensive report
slim build \
  --report optimization_report.html \
  --preserve /app/logs \
  my-app:latest
# Layer-by-layer comparison
slim xray --report detailed_analysis.html my-app:latest
# Security assessment
slim lint --report security_audit.json my-app:latest
Advanced Workflows
Development to Production Pipeline
# 1. Development image (full, with tools)
docker build -t my-app:dev .
# 2. Production image (optimized)
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --tag my-app:prod \
  my-app:dev
# 3. Verify functionality
docker run --rm my-app:prod /app/myapp --version
# 4. Push to registry
docker push my-app:prod
Kubernetes Deployment Optimization
# Build and optimize for K8s
slim build \
  --remove-shell \
  --preserve "/etc/ssl/certs" \
  --tag my-app:k8s \
  my-app:latest
# Create deployment YAML
cat > deployment.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-app:k8s
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
EOF
Debugging Optimized Images
# Keep debugging tools in optimized image
slim build \
  --preserve "/usr/bin/strace" \
  --preserve "/usr/bin/curl" \
  --tag my-app:debug \
  my-app:latest
# Analyze what was removed
slim xray my-app:latest > analysis.txt
diff <(docker inspect my-app:original) <(docker inspect my-app:slim)
Performance Metrics
Size Reduction Examples
# Node.js application (typical reduction)
# Original: 800MB → Optimized: 80MB (90% reduction)
slim build node-app:latest
# Python application
# Original: 500MB → Optimized: 50MB (90% reduction)
slim build python-app:latest
# Go application (usually already small)
# Original: 200MB → Optimized: 10MB (95% reduction)
slim build go-app:latest
Startup Time Improvements
# Measure startup time impact
time docker run --rm my-app:original /app/start.sh
time docker run --rm my-app:slim /app/start.sh
# Typical improvement: 20-40% faster startup
Best Practices
- Preserve Essential Paths: Always explicitly preserve application directories
- Test Thoroughly: Run the application's test suite against the optimized image before production
- Security First: Use --remove-shell and --remove-pkgmanager for production
- Monitor Metrics: Track size reduction and startup performance
- Iterative Optimization: Identify unused libraries and remove progressively
- Documentation: Keep notes on preserved paths for future builds
Troubleshooting
Application Fails in Optimized Image
# Identify missing dependencies
slim build --keep-tmp-artifacts my-app:latest
cat slim-state.log
# Preserve additional paths and rebuild
slim build --preserve "/usr/lib/specific-lib" my-app:latest
Size Reduction Too Aggressive
# Preserve development tools for debugging
slim build --preserve "/usr/bin/*" my-app:latest
# Manual adjustment
docker import slim-state.log my-app:adjusted
Build Process Hangs
# Reduce timeout
slim build --exec-timeout 30s my-app:latest
# Disable HTTP probing
slim build --http-probe=false my-app:latest
Related Tools
- DockerSlim Plugins: IDE integrations for VS Code and IntelliJ
- Trivy: Vulnerability scanning for container images
- Kaniko: Build containers without Docker daemon
- Podman: Container engine alternative with similar workflows
- Syft: Software composition analysis for containers
References
- Slim Documentation: https://docs.slimtoolkit.org/
- GitHub Repository: https://github.com/slimtoolkit/slim
- Docker Best Practices: https://docs.docker.com/develop/dev-best-practices/
- OWASP Container Security: https://cheatsheetseries.owasp.org/cheatsheets/Container_Security_Cheat_Sheet.html