README.md
11 additions & 6 deletions
@@ -6,9 +6,9 @@ Just because the hack day is over doesn't mean the project is done :-) The proje
6
6
7
7
IRC (freenode): \#dockerslim
8
8
9
-
## WIP
9
+
## NEW
10
10
11
-
Docker 1.10 updates haven't been merged yet. Use Docker 1.8 or 1.9.
11
+
Official seccomp support Docker 1.10
12
12
13
13
## DEMO VIDEO
14
14
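Review bot: The replacement line under `## NEW` ("Official seccomp support Docker 1.10") drops the version guidance the removed line carried ("Use Docker 1.8 or 1.9") and does not say what is supported now. State whether Docker 1.10 is required or whether 1.8 and 1.9 still work without the seccomp feature, and complete the sentence so it reads as a statement rather than a fragment.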
@@ -54,7 +54,7 @@ Yes! Either way, you should test your Docker images.
54
54
55
55
You don't need to read the language spec and lots of books :-) Go through the [Tour of Go](https://tour.golang.org/welcome/1) and optionally read [50 Shades of Go](http://devs.cloudimmunity.com/gotchas-and-common-mistakes-in-go-golang/) and you'll be ready to contribute!
56
56
57
-
### What's the best application for DockerSlim
57
+
### What's the best application for DockerSlim?
58
58
59
59
DockerSlim will work for any dockerized application; however, DockerSlim automates app interactions for applications with an HTTP API. You can use DockerSlim even if your app doesn't have an HTTP API. You'll need to interact with your application manually to make sure DockerSlim can observe your application behavior.
60
60
@@ -72,7 +72,7 @@ Example: `./docker-slim info 6f74095b68c9`
72
72
73
73
The demo run on Mac OS X, but you can build a linux version. Note that these steps are different from the steps in the demo video.
74
74
75
-
0. Get the docker-slim [binaries](https://github.com/cloudimmunity/docker-slim/releases/download/v1.9/dist_mac.zip). Unzip them and optionally add their directory to your PATH environment variable if you want to use the app from other locations.
75
+
0. Get the docker-slim [binaries](https://github.com/cloudimmunity/docker-slim/releases/download/v1.11/dist_mac.zip). Unzip them and optionally add their directory to your PATH environment variable if you want to use the app from other locations.
76
76
77
77
The extracted directory contains two binaries:
78
78
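Review bot: Step 0 still tells users to download and unzip the binaries with nothing to verify them against, and this change only bumps the link to the v1.11 `dist_mac.zip`. Publish a SHA-256 checksum or a signature for the archive next to the link and add a verification step before "Unzip them". The release version is hard-coded in the URL, so this line needs a manual edit on every release; linking to the releases page would avoid a stale link.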
@@ -128,10 +128,15 @@ If you'd like to see the artifacts without running `docker-slim` you can take a
128
128
* a reverse engineered Dockerfile (`Dockerfile.fat`)
129
129
* a container report file (`creport.json`)
130
130
* a sample AppArmor profile (which will be named based on your original image name)
131
-
* and a sample Seccomp profile (for the upcoming Docker release)
131
+
* and a sample Seccomp profile
132
132
133
133
If you don't want to create a minified image and only want to "reverse engineer" the Dockerfile you can use the `info` command.
134
134
135
+
## USING AUTO-GENERATED SECCOMP PROFILES
136
+
137
+
You can use the generated profile with your original image or with the minified image DockerSlim created:
138
+
139
+
`docker run --security-opt seccomp:path_to/my-sample-node-app-seccomp.json -p 8000:8000 my/sample-node-app.slim`
135
140
136
141
## BUILD PROCESS
137
142
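Review bot: The new USING AUTO-GENERATED SECCOMP PROFILES section gives the `docker run --security-opt seccomp:...` command without stating which Docker version it needs, and the same change removes the "(for the upcoming Docker release)" qualifier from the artifact list. Say in this section that Docker 1.10 is required, and note that `path_to/` is a placeholder for the directory holding the generated artifacts. Since the artifact list calls this a sample profile and the README says DockerSlim has to observe the application's behavior, the section should also tell users to exercise the app fully during the run and to test the container with the profile applied before relying on it.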
@@ -249,7 +254,7 @@ The minified `sample_app` docker image now works! We turned a 430MB node.js app
249
254
* Refactor the time-based container monitoring phase [DONE].
250
255
* Automated interaction with the target container (requires app code analysis) [WIP;DONE - simple version].
251
256
* Auto-generate AppArmor profiles [WIP].
252
-
* Auto-generate Seccomp filters [WIP].
257
+
* Auto-generate Seccomp filters [USABLE :)].
253
258
* Split "monitor" from "launcher" (as it's supposed to work :-))
254
259
* Add scripting language dependency discovery to the "scanner" app.
255
260
* Support additional command line parameters to specify CMD, VOLUME, ENV info.
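Review bot: The status tag `[USABLE :)]` on the Seccomp filters item does not match the tags used on the neighbouring items (`[DONE]`, `[WIP]`, `[WIP;DONE - simple version]`), so it is unclear whether work remains. Reuse the existing vocabulary, for example the same form as the "simple version" item two lines up, and say briefly what is still missing if the feature is not complete.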