Slim Toolkit (DockerSlim)

Overview

Slim Toolkit (formerly DockerSlim) is a comprehensive container optimization and security platform. It analyzes Docker containers, removes unnecessary components, optimizes layer structure, and applies security best practices. Reduces image sizes by 30-98% while improving security posture through minimal container footprints.

Installation

macOS

# Homebrew
brew install slimtoolkit

# Manual download
curl -L https://downloads.slim.dev/releases/slim-latest-darwin.tar.gz | tar -xz
sudo mv slim /usr/local/bin/

Linux (x86_64)

# Download latest release
curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
sudo mv slim /usr/local/bin/

# Verify installation
slim --version

Docker

# Run Slim in container
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock \
  slimtoolkit/slim:latest slim --help

# Create alias
alias slim='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock slimtoolkit/slim:latest slim'

Build from Source

git clone https://github.com/slimtoolkit/slim.git
cd slim
make build
./bin/slim --version

Core Commands

Command	Purpose	Usage
build	Create optimized image via profiling	Most common, produces XL images
xray	Inspect image layers and structure	Analyze before optimization
profile	Generate profiling data	Detailed runtime analysis
lint	Check image for security issues	Detect common misconfigurations
update	Interactive image updates	Manual layer modifications
run	Execute and profile container	Test application during build

Building Optimized Images

Basic Image Optimization

# Simple build and optimize
slim build my-app:latest

# Build with custom output name
slim build --target my-app:latest --tag my-app:slim

# Keep intermediate images for debugging
slim build --keep-tmp-artifacts my-app:latest

# Verbose output
slim build -v my-app:latest

Profiled Build Workflow

# Build with explicit profiling
slim build --http-probe my-app:latest

# Build without HTTP probing
slim build --http-probe=false my-app:latest

# Custom HTTP probe endpoint
slim build --http-probe-cmd="curl http://localhost:8080/health" my-app:latest

# Extended profiling period
slim build --exec-timeout 120s my-app:latest

Image Size Optimization Techniques

# Remove build artifacts
slim build --remove-file-artifacts my-app:latest

# Remove intermediate layers
slim build --remove-intermediate-artifacts my-app:latest

# Preserve specific paths (don't remove)
slim build --preserve "/opt/app/*" --preserve "/etc/config" my-app:latest

# Include specific files in final image
slim build --include-path "/app/certs" my-app:latest

# Remove shell access for security
slim build --remove-shell my-app:latest

Advanced Build Options

# Custom build tag and preserve changes
slim build --target my-app:1.0 --tag my-app:1.0-slim \
  --preserve-path "/var/lib/app" my-app:1.0

# Exclude non-essential packages during analysis
slim build --exclude-patterns "/usr/share/doc,/usr/share/man" my-app:latest

# Keep system runtime but remove development tools
slim build --remove-dev-tools my-app:latest

# Custom working directory in output
slim build --output-image my-app-optimized my-app:latest

Image Analysis and Inspection

XRay - Layer Analysis

# Inspect image structure
slim xray my-app:latest

# Generate HTML report
slim xray --report my-app:latest

# Detailed layer breakdown
slim xray -v my-app:latest

# Compare original and optimized
slim xray my-app:latest
slim xray my-app:slim

Image Linting

# Check security best practices
slim lint my-app:latest

# Verbose lint output
slim lint -v my-app:latest

# Generate lint report
slim lint --report lint_results.json my-app:latest

# Check for specific issues
slim lint --fail-on security-issues my-app:latest

Profile Analysis

# Generate detailed profile
slim profile my-app:latest

# Save profile data
slim profile --output-profile profile.json my-app:latest

# Profile with custom entry point
slim profile --entrypoint "/app/main.sh" my-app:latest

# Extended profiling session
slim profile --duration 300s my-app:latest

Docker Container Integration

Building from Dockerfiles

# Dockerfile optimization workflow
docker build -t my-app:latest .
slim build my-app:latest

# Rename original and use slim version
docker tag my-app:slim my-app:latest

Multi-Stage Build Integration

# Original multi-stage Dockerfile
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/
ENTRYPOINT ["myapp"]

# Build then optimize
docker build -t my-app:latest .
slim build my-app:latest
# Result: my-app:slim with optimized runtime

Container Runtime Profiling

# Build with HTTP probing
slim build \
  --http-probe-cmd "curl http://localhost:8080" \
  --exec-timeout 60s \
  my-app:latest

# Build with custom startup time
slim build \
  --startup-time 30s \
  --http-probe my-app:latest

Security Hardening

Removing Attack Surface

# Remove shell (no /bin/sh, /bin/bash)
slim build --remove-shell my-app:latest

# Remove package managers
slim build --remove-pkgmanager my-app:latest

# Remove sudo and privileged tools
slim build --remove-sudo my-app:latest

# Comprehensive hardening
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --remove-sudo \
  my-app:latest

Security Analysis

# Analyze security posture
slim lint --severity high my-app:latest

# Report on common vulnerabilities
slim xray --report security my-app:latest

# Check rootless compatibility
slim lint --check-rootless my-app:latest

Custom Security Rules

# Preserve critical directories
slim build \
  --preserve "/etc/ssl/certs" \
  --preserve "/app/secrets" \
  --remove-shell \
  my-app:latest

Batch Processing

Optimize Multiple Images

# Script for optimizing image repository
#!/bin/bash
for image in $(docker images --format "{{.Repository}}:{{.Tag}}"); do
  echo "Optimizing $image"
  slim build "$image"
  docker tag "${image%:*}:slim" "${image%:*}:slim-$(date +%s)"
done

CI/CD Integration

# GitHub Actions example
name: Build and Optimize
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Build Docker image
        run: docker build -t my-app:latest .
      
      - name: Optimize with Slim
        run: |
          curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
          ./slim build my-app:latest
      
      - name: Push optimized image
        run: docker push my-app:slim

Comparative Analysis

Before and After Optimization

# Original image
docker build -t my-app:original .
docker images my-app:original

# Optimized image
slim build my-app:original
docker images my-app:slim

# Size comparison
echo "Original: $(docker images my-app:original --format '{{.Size}}')"
echo "Optimized: $(docker images my-app:slim --format '{{.Size}}')"

Report Generation

# Generate comprehensive report
slim build \
  --report optimization_report.html \
  --preserve /app/logs \
  my-app:latest

# Layer-by-layer comparison
slim xray --report detailed_analysis.html my-app:latest

# Security assessment
slim lint --report security_audit.json my-app:latest

Advanced Workflows

Development to Production Pipeline

# 1. Development image (full, with tools)
docker build -t my-app:dev .

# 2. Production image (optimized)
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --tag my-app:prod \
  my-app:dev

# 3. Verify functionality
docker run --rm my-app:prod /app/myapp --version

# 4. Push to registry
docker push my-app:prod

Kubernetes Deployment Optimization

# Build and optimize for K8s
slim build \
  --remove-shell \
  --preserve "/etc/ssl/certs" \
  --tag my-app:k8s \
  my-app:latest

# Create deployment YAML
cat > deployment.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        image: my-app:k8s
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
EOF

Debugging Optimized Images

# Keep debugging tools in optimized image
slim build \
  --preserve "/usr/bin/strace" \
  --preserve "/usr/bin/curl" \
  --tag my-app:debug \
  my-app:latest

# Analyze what was removed
slim xray my-app:latest > analysis.txt
diff <(docker inspect my-app:original) <(docker inspect my-app:slim)

Performance Metrics

Size Reduction Examples

# Node.js application (typical reduction)
# Original: 800MB → Optimized: 80MB (90% reduction)
slim build node-app:latest

# Python application
# Original: 500MB → Optimized: 50MB (90% reduction)
slim build python-app:latest

# Go application (usually already small)
# Original: 200MB → Optimized: 10MB (95% reduction)
slim build go-app:latest

Startup Time Improvements

# Measure startup time impact
time docker run --rm my-app:original /app/start.sh
time docker run --rm my-app:slim /app/start.sh

# Typical improvement: 20-40% faster startup

Best Practices

1. Preserve Essential Paths: Always explicitly preserve application directories
2. Test Thoroughly: Run application suite tests on optimized image before production
3. Security First: Use --remove-shell and --remove-pkgmanager for production
4. Monitor Metrics: Track size reduction and startup performance
5. Iterative Optimization: Identify unused libraries and remove progressively
6. Documentation: Keep notes on preserved paths for future builds

Troubleshooting

Application Fails in Optimized Image

# Identify missing dependencies
slim build --keep-tmp-artifacts my-app:latest
docker inspect slim-state.log

# Preserve additional paths and rebuild
slim build --preserve "/usr/lib/specific-lib" my-app:latest

Size Reduction Too Aggressive

# Preserve development tools for debugging
slim build --preserve "/usr/bin/*" my-app:latest

# Manual adjustment
docker import slim-state.log my-app:adjusted

Build Process Hangs

# Reduce timeout
slim build --exec-timeout 30s my-app:latest

# Disable HTTP probing
slim build --http-probe=false my-app:latest

Related Tools

• DockerSlim Plugins: IDE integrations for VS Code and IntelliJ
• Trivy: Vulnerability scanning for container images
• Kaniko: Build containers without Docker daemon
• Podman: Container engine alternative with similar workflows
• Syft: Software composition analysis for containers

References

• Slim Documentation: https://docs.slimtoolkit.org/
• GitHub Repository: https://github.com/slimtoolkit/slim
• Docker Best Practices: https://docs.docker.com/develop/dev-best-practices/
• OWASP Container Security: https://cheatsheetseries.owasp.org/cheatsheets/Container_Security_Cheat_Sheet.html