Slim Toolkit (DockerSlim)

Overview

Slim Toolkit (formerly DockerSlim) is a comprehensive container optimization and security platform. It analyzes Docker containers, removes unnecessary components, optimizes layer structure, and applies security best practices. Reduces image sizes by 30-98% while improving security posture through minimal container footprints.

Installation

macOS

# Homebrew
brew install slimtoolkit

# Manual download
curl -L https://downloads.slim.dev/releases/slim-latest-darwin.tar.gz | tar -xz
sudo mv slim /usr/local/bin/

Linux (x86_64)

# Download latest release
curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
sudo mv slim /usr/local/bin/

# Verify installation
slim --version

Docker

# Run Slim in container
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock \
  slimtoolkit/slim:latest slim --help

# Create alias
alias slim='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock slimtoolkit/slim:latest slim'

Build from Source

git clone https://github.com/slimtoolkit/slim.git
cd slim
make build
./bin/slim --version

Core Commands

Command	Purpose	Usage
`build`	Create optimized image via profiling	Most common, produces XL images
`xray`	Inspect image layers and structure	Analyze before optimization
`profile`	Generate profiling data	Detailed runtime analysis
`lint`	Check image for security issues	Detect common misconfigurations
`update`	Interactive image updates	Manual layer modifications
`run`	Execute and profile container	Test application during build

Building Optimized Images

Basic Image Optimization

# Simple build and optimize
slim build my-app:latest

# Build with custom output name
slim build --target my-app:latest --tag my-app:slim

# Keep intermediate images for debugging
slim build --keep-tmp-artifacts my-app:latest

# Verbose output
slim build -v my-app:latest

Profiled Build Workflow

# Build with explicit profiling
slim build --http-probe my-app:latest

# Build without HTTP probing
slim build --http-probe=false my-app:latest

# Custom HTTP probe endpoint
slim build --http-probe-cmd="curl http://localhost:8080/health" my-app:latest

# Extended profiling period
slim build --exec-timeout 120s my-app:latest

Image Size Optimization Techniques

# Remove build artifacts
slim build --remove-file-artifacts my-app:latest

# Remove intermediate layers
slim build --remove-intermediate-artifacts my-app:latest

# Preserve specific paths (don't remove)
slim build --preserve "/opt/app/*" --preserve "/etc/config" my-app:latest

# Include specific files in final image
slim build --include-path "/app/certs" my-app:latest

# Remove shell access for security
slim build --remove-shell my-app:latest

Advanced Build Options

# Custom build tag and preserve changes
slim build --target my-app:1.0 --tag my-app:1.0-slim \
  --preserve-path "/var/lib/app" my-app:1.0

# Exclude non-essential packages during analysis
slim build --exclude-patterns "/usr/share/doc,/usr/share/man" my-app:latest

# Keep system runtime but remove development tools
slim build --remove-dev-tools my-app:latest

# Custom working directory in output
slim build --output-image my-app-optimized my-app:latest

Image Analysis and Inspection

XRay - Layer Analysis

# Inspect image structure
slim xray my-app:latest

# Generate HTML report
slim xray --report my-app:latest

# Detailed layer breakdown
slim xray -v my-app:latest

# Compare original and optimized
slim xray my-app:latest
slim xray my-app:slim

Image Linting

# Check security best practices
slim lint my-app:latest

# Verbose lint output
slim lint -v my-app:latest

# Generate lint report
slim lint --report lint_results.json my-app:latest

# Check for specific issues
slim lint --fail-on security-issues my-app:latest

Profile Analysis

# Generate detailed profile
slim profile my-app:latest

# Save profile data
slim profile --output-profile profile.json my-app:latest

# Profile with custom entry point
slim profile --entrypoint "/app/main.sh" my-app:latest

# Extended profiling session
slim profile --duration 300s my-app:latest

Docker Container Integration

Building from Dockerfiles

# Dockerfile optimization workflow
docker build -t my-app:latest .
slim build my-app:latest

# Rename original and use slim version
docker tag my-app:slim my-app:latest

Multi-Stage Build Integration

# Original multi-stage Dockerfile
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/
ENTRYPOINT ["myapp"]

# Build then optimize
docker build -t my-app:latest .
slim build my-app:latest
# Result: my-app:slim with optimized runtime

Container Runtime Profiling

# Build with HTTP probing
slim build \
  --http-probe-cmd "curl http://localhost:8080" \
  --exec-timeout 60s \
  my-app:latest

# Build with custom startup time
slim build \
  --startup-time 30s \
  --http-probe my-app:latest

Security Hardening

Removing Attack Surface

# Remove shell (no /bin/sh, /bin/bash)
slim build --remove-shell my-app:latest

# Remove package managers
slim build --remove-pkgmanager my-app:latest

# Remove sudo and privileged tools
slim build --remove-sudo my-app:latest

# Comprehensive hardening
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --remove-sudo \
  my-app:latest

Security Analysis

# Analyze security posture
slim lint --severity high my-app:latest

# Report on common vulnerabilities
slim xray --report security my-app:latest

# Check rootless compatibility
slim lint --check-rootless my-app:latest

Custom Security Rules

# Preserve critical directories
slim build \
  --preserve "/etc/ssl/certs" \
  --preserve "/app/secrets" \
  --remove-shell \
  my-app:latest

Batch Processing

Optimize Multiple Images

# Script for optimizing image repository
#!/bin/bash
for image in $(docker images --format "{{.Repository}}:{{.Tag}}"); do
  echo "Optimizing $image"
  slim build "$image"
  docker tag "${image%:*}:slim" "${image%:*}:slim-$(date +%s)"
done

CI/CD Integration

# GitHub Actions example
name: Build and Optimize
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Build Docker image
        run: docker build -t my-app:latest .
      
      - name: Optimize with Slim
        run: |
          curl -L https://downloads.slim.dev/releases/slim-latest-linux.tar.gz | tar -xz
          ./slim build my-app:latest
      
      - name: Push optimized image
        run: docker push my-app:slim

Comparative Analysis

Before and After Optimization

# Original image
docker build -t my-app:original .
docker images my-app:original

# Optimized image
slim build my-app:original
docker images my-app:slim

# Size comparison
echo "Original: $(docker images my-app:original --format '{{.Size}}')"
echo "Optimized: $(docker images my-app:slim --format '{{.Size}}')"

Report Generation

# Generate comprehensive report
slim build \
  --report optimization_report.html \
  --preserve /app/logs \
  my-app:latest

# Layer-by-layer comparison
slim xray --report detailed_analysis.html my-app:latest

# Security assessment
slim lint --report security_audit.json my-app:latest

Advanced Workflows

Development to Production Pipeline

# 1. Development image (full, with tools)
docker build -t my-app:dev .

# 2. Production image (optimized)
slim build \
  --remove-shell \
  --remove-pkgmanager \
  --tag my-app:prod \
  my-app:dev

# 3. Verify functionality
docker run --rm my-app:prod /app/myapp --version

# 4. Push to registry
docker push my-app:prod

Kubernetes Deployment Optimization

# Build and optimize for K8s
slim build \
  --remove-shell \
  --preserve "/etc/ssl/certs" \
  --tag my-app:k8s \
  my-app:latest

# Create deployment YAML
cat > deployment.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        image: my-app:k8s
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
EOF

Debugging Optimized Images

# Keep debugging tools in optimized image
slim build \
  --preserve "/usr/bin/strace" \
  --preserve "/usr/bin/curl" \
  --tag my-app:debug \
  my-app:latest

# Analyze what was removed
slim xray my-app:latest > analysis.txt
diff <(docker inspect my-app:original) <(docker inspect my-app:slim)

Performance Metrics

Size Reduction Examples

# Node.js application (typical reduction)
# Original: 800MB → Optimized: 80MB (90% reduction)
slim build node-app:latest

# Python application
# Original: 500MB → Optimized: 50MB (90% reduction)
slim build python-app:latest

# Go application (usually already small)
# Original: 200MB → Optimized: 10MB (95% reduction)
slim build go-app:latest

Startup Time Improvements

# Measure startup time impact
time docker run --rm my-app:original /app/start.sh
time docker run --rm my-app:slim /app/start.sh

# Typical improvement: 20-40% faster startup

Best Practices

Preserve Essential Paths: Always explicitly preserve application directories
Test Thoroughly: Run application suite tests on optimized image before production
Security First: Use --remove-shell and --remove-pkgmanager for production
Monitor Metrics: Track size reduction and startup performance
Iterative Optimization: Identify unused libraries and remove progressively
Documentation: Keep notes on preserved paths for future builds

Troubleshooting

Application Fails in Optimized Image

# Identify missing dependencies
slim build --keep-tmp-artifacts my-app:latest
docker inspect slim-state.log

# Preserve additional paths and rebuild
slim build --preserve "/usr/lib/specific-lib" my-app:latest

Size Reduction Too Aggressive

# Preserve development tools for debugging
slim build --preserve "/usr/bin/*" my-app:latest

# Manual adjustment
docker import slim-state.log my-app:adjusted

Build Process Hangs

# Reduce timeout
slim build --exec-timeout 30s my-app:latest

# Disable HTTP probing
slim build --http-probe=false my-app:latest

DockerSlim Plugins: IDE integrations for VS Code and IntelliJ
Trivy: Vulnerability scanning for container images
Kaniko: Build containers without Docker daemon
Podman: Container engine alternative with similar workflows
Syft: Software composition analysis for containers

References

Slim Documentation: https://docs.slimtoolkit.org/
GitHub Repository: https://github.com/slimtoolkit/slim
Docker Best Practices: https://docs.docker.com/develop/dev-best-practices/
OWASP Container Security: https://cheatsheetseries.owasp.org/cheatsheets/Container_Security_Cheat_Sheet.html