-[Is it safe for production use?](#is-it-safe-for-production-use)
106
107
-[How can I contribute if I don't know Go?](#how-can-i-contribute-if-i-dont-know-go)
@@ -128,16 +129,17 @@ Note: The examples are in a separate repository: [https://github.com/docker-slim
128
129
129
130
## RECENT UPDATES
130
131
131
-
Latest version: 1.28.1 (3/9/2020)
132
+
Latest version: 1.29.0 (3/18/2020)
133
+
134
+
This is a UX release that introduces an interactive mode to make it easier to run `docker-slim` when you don't know all available flags. Usage `<tab>` and `<space>` buttons to navigate the interactive prompt. For more info about the latest release see the [`CHANGELOG`](CHANGELOG.md). For more info about the interactive prompt see [`go-prompt`](https://github.com/c-bata/go-prompt).
132
135
133
-
This release enhances the `xray` command to show the detailed container image information including its layers and their files and directories. For more info about the latest release see the [`CHANGELOG`](CHANGELOG.md).
134
136
135
137
## INSTALLATION
136
138
137
139
1. Download the zip package for your platform.
138
-
-[Latest Mac binaries](https://downloads.dockerslim.com/releases/1.28.1/dist_mac.zip)
139
-
-[Latest Linux binaries](https://downloads.dockerslim.com/releases/1.28.1/dist_linux.tar.gz)
140
-
-[Latest Linux ARM binaries](https://downloads.dockerslim.com/releases/1.28.1/dist_linux_arm.tar.gz)
140
+
-[Latest Mac binaries](https://downloads.dockerslim.com/releases/1.29.0/dist_mac.zip)
141
+
-[Latest Linux binaries](https://downloads.dockerslim.com/releases/1.29.0/dist_linux.tar.gz)
142
+
-[Latest Linux ARM binaries](https://downloads.dockerslim.com/releases/1.29.0/dist_linux_arm.tar.gz)
141
143
2. Unzip the package.
142
144
3. Add the location where you unzipped the package to your PATH environment variable (optional).
143
145
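Review bot: the new release note has a wording slip in "Usage `<tab>` and `<space>` buttons to navigate the interactive prompt"; "Usage" should be "Use" and, since these are keys rather than buttons, "Use the `<tab>` and `<space>` keys to navigate the interactive prompt" reads correctly. The version bump is otherwise consistent: the `Latest version` line and all three download links (Mac, Linux, Linux ARM) move from 1.28.1 to 1.29.0 together, so nothing in this hunk still points at the old release.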
@@ -147,104 +149,29 @@ To use the Docker image distribution just start using the `dslim/docker-slim` co
147
149
148
150
The OS-specific installers for `docker-slim` will be available soon (there's already a couple of community `Homebrew` formulas for Mac and Linux, but they need to be enhanced to work properly).
*`xray` - do static analysis for the target container image (including 'reverse engineering' the Dockerfile for the image)
157
161
*`profile` - do `xray` plus dynamic container analysis
158
162
*`build` - do `profile` plus an ability to create a new optimized image along with the security profiles
159
163
*`version` - show the version information
160
164
*`update` - update `docker-slim` to the latest version
165
+
*`help` - show the available commands and global flags
161
166
162
167
Example: `docker-slim build my/sample-app`
163
168
164
-
See the `USAGE DETAILS` section for more details. You can also get additional information about the parameters running `docker-slim`. Run `docker-slim` without any parameters and you'll get a high level overview of the available commands. Run a `docker-slim` command without any parameters and you'll get more information about that command (e.g., `docker-slim build`).
165
-
166
-
## QUICK SECCOMP EXAMPLE
167
-
168
-
If you want to auto-generate a Seccomp profile AND minify your image use the `build` command. If you only want to auto-generate a Seccomp profile (along with other interesting image metadata) use the `profile` command.
169
-
170
-
Step one: run DockerSlim
171
-
172
-
`docker-slim build your-name/your-app`
173
-
174
-
Step two: use the generated Seccomp profile
175
-
176
-
`docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/your-name-your-app-seccomp.json <your other run params> your-name/your-app`
177
-
178
-
Feel free to copy the generated profile :-)
179
-
180
-
You can use the generated Seccomp profile with your original image or with the minified image.
181
-
182
-
## USING AUTO-GENERATED SECCOMP PROFILES
183
-
184
-
You can use the generated profile with your original image or with the minified image DockerSlim created:
185
-
186
-
`docker run -it --rm --security-opt seccomp:path_to/my-sample-node-app-seccomp.json -p 8000:8000 my/sample-node-app.slim`
169
+
See the `USAGE DETAILS` section for more details. You can also get additional information about the parameters running `docker-slim`.
187
170
188
-
## ORIGINAL DEMO VIDEO
171
+
Run `docker-slim help` to get a high level overview of the available commands. Run a `docker-slim` command without any parameters and you'll get more information about that command (e.g., `docker-slim build`).
If you run `docker-slim` without any parameters you'll get an interactive prompt that will provide suggestions about the available commands and flags. `Tabs` are used to show the available options, to autocomplete the parameters and to navigate the option menu (which you can also do with Up and Down arrows). `Spaces` are used to move to the next parameter and `Enter` is used to run the command. For more info about the interactive prompt see [`go-prompt`](https://github.com/c-bata/go-prompt).
191
174
192
-
[Demo video on YouTube](https://youtu.be/uKdHnfEbc-E)
193
-
194
-
## DEMO STEPS
195
-
196
-
The demo runs on Mac OS X, but you can build a linux version. Note that these steps are different from the steps in the demo video.
197
-
198
-
1. Get the docker-slim [Mac](https://downloads.dockerslim.com/releases/1.28.1/dist_mac.zip), [Linux](https://downloads.dockerslim.com/releases/1.28.1/dist_linux.tar.gz) or [Linux ARM](https://downloads.dockerslim.com/releases/1.28.1/dist_linux_arm.tar.gz) binaries. Unzip them and optionally add their directory to your PATH environment variable if you want to use the app from other locations.
199
-
200
-
The extracted directory contains two binaries:
201
-
202
-
*`docker-slim` <- the main application
203
-
*`docker-slim-sensor` <- the sensor application used to collect information from running containers
204
-
205
-
2. Clone the `examples` repo to use the sample apps (note: the examples have been moved to a separate repo). You can skip this step if you have your own app.
3. Create a Docker image for the sample node.js app in `examples/node_ubuntu`. You can skip this step if you have your own app.
210
-
211
-
`cd examples/node_ubuntu`
212
-
213
-
`eval "$(docker-machine env default)"` <- optional (depends on how Docker is installed on your machine and what kind of Docker version you are using); if the Docker host is not running you'll need to start it first: `docker-machine start default`; see the `Docker connect options` section for more details.
214
-
215
-
`docker build -t my/sample-node-app .`
216
-
217
-
4. Run `docker-slim`:
218
-
219
-
`./docker-slim build my/sample-node-app` <- run it from the location where you extraced the docker-slim binaries (or update your PATH env var to include the `docker-slim` bin directory)
220
-
221
-
DockerSlim creates a special container based on the target image you provided. It also creates a resource directory where it stores the information it discovers about your image: `<docker-slim directory>/.images/<TARGET_IMAGE_ID>`.
222
-
223
-
By default, `docker-slim` will run its http probe against the temporary container. If you are minifying a command line tool that doesn't expose any web service interface you'll need to explicitly disable http probing (by setting `--http-probe=false`).
224
-
225
-
5. Use curl (or other tools) to call the sample app (optional)
226
-
227
-
`curl http://<YOUR_DOCKER_HOST_IP>:<PORT>`
228
-
229
-
This is an optional step to make sure the target app container is doing something. Depending on the application it's an optional step. For some applications it's required if it loads new application resources dynamically based on the requests it's processing (e.g., Ruby or Python).
230
-
231
-
You'll see the mapped ports printed to the console when `docker-slim` starts the target container. You can also get the port number either from the `docker ps` or `docker port <CONTAINER_ID>` commands. The current version of DockerSlim doesn't allow you to map exposed network ports (it works like `docker run … -P`).
232
-
233
-
6. Press <enter> and wait until `docker-slim` says it's done
234
-
235
-
By default or when http probing is enabled explicitly `docker-slim` will continue its execution once the http probe is done running. If you explicitly picked a different `continue-after` option follow the expected steps. For example, for the `enter``continue-after` option you must press the `enter` button on your keyboard.
236
-
237
-
If http probing is enabled (when `http-probe` is set) and if `continue-after` is set to `enter` and you press the `enter` key before the built-in HTTP probe is done the probe might produce an EOF error because `docker-slim` will shut down the target container before all probe commands are done executing. It's ok to ignore it unless you really need the probe to finish.
238
-
239
-
7. Once DockerSlim is done check that the new minified image is there
240
-
241
-
`docker images`
242
-
243
-
You should see `my/sample-node-app.slim` in the list of images. Right now all generated images have `.slim` at the end of its name.
244
-
245
-
8. Use the minified image
246
-
247
-
`docker run -it --rm --name="slim_node_app" -p 8000:8000 my/sample-node-app.slim`
248
175
249
176
## USAGE DETAILS
250
177
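Review bot: the `## ORIGINAL DEMO VIDEO` heading, the YouTube link and the whole `## DEMO STEPS` and seccomp sections are removed here, and the later hunk re-adds them, but in the re-added lines the `[Demo video on YouTube]` link sits directly under the seccomp `docker run` example with no heading visible above it; confirm the heading is restored where the link lands, or fold the link into the top of `## DEMO STEPS`. The replacement text is consistent with the `help` command added to the command list (`Run `docker-slim help` to get a high level overview`), which is good. Since the demo steps are being moved anyway, this is the moment to fix the carried-over typo "extraced" in the `./docker-slim build my/sample-node-app` step.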
@@ -280,11 +207,15 @@ To get more command line option information run `docker-slim` without any parame
280
207
281
208
To disable the version checks set the global `--check-version` flag to `false` (e.g., `--check-version=false`) or you can use the `DSLIM_CHECK_VERSION` environment variable.
282
209
210
+
283
211
### `XRAY` COMMAND OPTIONS
284
212
285
213
*`--changes value` - show layer change details for the selected change type (values: none, all, delete, modify, add)
286
214
*`--layer value` - show details for the selected layer (using layer index or ID)
287
215
*`--remove-file-artifacts` - remove file artifacts when command is done (note: you'll loose the reverse engineered Dockerfile)
216
+
*`--add-image-manifest` - add raw image manifest to the command execution report file
217
+
*`--add-image-config` - add raw image config object to the command execution report file
218
+
288
219
289
220
### `BUILD` COMMAND OPTIONS
290
221
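Review bot: the unchanged context quoted in this hunk's header, "To get more command line option information run `docker-slim` without any parameters", contradicts the behaviour this commit introduces (running `docker-slim` with no parameters now opens the interactive prompt); update it to "run `docker-slim help`" so the two sections agree. The two new `xray` options (`--add-image-manifest`, `--add-image-config`) follow the existing list style; while touching this list, the neighbouring `--remove-file-artifacts` entry should read "you'll lose the reverse engineered Dockerfile", not "loose". The trailing `+` blank line after `--add-image-config` leaves two empty lines before the next heading, where the rest of the file uses one.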
@@ -342,6 +273,7 @@ The `--dockerfile` option makes it possible to build a new minified image direct
342
273
343
274
The `--use-local-mounts` option is used to choose how the `docker-slim` sensor is added to the target container and how the sensor artifacts are delivered back to the master. If you enable this option you'll get the original `docker-slim` behavior where it uses local file system volume mounts to add the sensor executable and to extract the artifacts from the target container. This option doesn't always work as expected in the dockerized environment where `docker-slim` itself is running in a Docker container. When this option is disabled (default behavior) then a separate Docker volume is used to mount the sensor and the sensor artifacts are explicitly copied from the target container.
344
275
276
+
345
277
## RUNNING CONTAINERIZED
346
278
347
279
The current version of `docker-slim` is able to run in containers. It will try to detect if it's running in a containerized environment, but you can also tell `docker-slim` explicitly using the `--in-container` global flag.
@@ -388,6 +320,7 @@ If you want to use TLS without verification:
388
320
389
321
If the Docker environment variables are not set and if you don't specify any Docker connect options `docker-slim` will try to use the default unix socket.
390
322
323
+
391
324
## HTTP PROBE COMMANDS
392
325
393
326
If the HTTP probe is enabled (note: it is enabled by default) it will default to running `GET /` with HTTP and then HTTPS on every exposed port. You can add additional commands using the `--http-probe-cmd` and `--http-probe-cmd-file` options.
Some of the useful debugging commands include `cat /proc/<TARGET_PID>/cmdline`, `ls -l /proc/<TARGET_PID>/cwd`, `cat /proc/1/environ`, `cat /proc/<TARGET_PID>/limits`, `cat /proc/<TARGET_PID>/status` and `ls -l /proc/<TARGET_PID>/fd`.
471
404
405
+
472
406
## MINIFYING COMMAND LINE TOOLS
473
407
474
408
Unless the default CMD instruction in your Dockerfile is sufficient you'll have to specify command line parameters when you execute the `build` command in DockerSlim. This can be done with the `--cmd` option.
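Review bot: in the debugging-commands line kept as context here, `cat /proc/1/environ` uses PID 1 while every other command uses `<TARGET_PID>`; if the intent is the target process environment it should be `cat /proc/<TARGET_PID>/environ`, and if PID 1 is deliberate (the sensor, or the container entrypoint) a word saying so would help, since `environ` is where injected secrets and credentials tend to show up and readers should know whose environment they are dumping. The changes in this hunk are blank lines only, so the HTTP probe text ("default to running `GET /` with HTTP and then HTTPS on every exposed port") is unaffected.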
@@ -487,6 +421,94 @@ Here's a sample `build` command:
487
421
488
422
It's used to minify the `container-transform` tool. You can get the minified image from [`Docker Hub`](https://hub.docker.com/r/dslim/container-transform.slim/).
489
423
424
+
425
+
## QUICK SECCOMP EXAMPLE
426
+
427
+
If you want to auto-generate a Seccomp profile AND minify your image use the `build` command. If you only want to auto-generate a Seccomp profile (along with other interesting image metadata) use the `profile` command.
428
+
429
+
Step one: run DockerSlim
430
+
431
+
`docker-slim build your-name/your-app`
432
+
433
+
Step two: use the generated Seccomp profile
434
+
435
+
`docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/your-name-your-app-seccomp.json <your other run params> your-name/your-app`
436
+
437
+
Feel free to copy the generated profile :-)
438
+
439
+
You can use the generated Seccomp profile with your original image or with the minified image.
440
+
441
+
442
+
## USING AUTO-GENERATED SECCOMP PROFILES
443
+
444
+
You can use the generated profile with your original image or with the minified image DockerSlim created:
445
+
446
+
`docker run -it --rm --security-opt seccomp:path_to/my-sample-node-app-seccomp.json -p 8000:8000 my/sample-node-app.slim`
[Demo video on YouTube](https://youtu.be/uKdHnfEbc-E)
454
+
455
+
456
+
## DEMO STEPS
457
+
458
+
The demo runs on Mac OS X, but you can build a linux version. Note that these steps are different from the steps in the demo video.
459
+
460
+
1. Get the docker-slim [Mac](https://downloads.dockerslim.com/releases/1.29.0/dist_mac.zip), [Linux](https://downloads.dockerslim.com/releases/1.29.0/dist_linux.tar.gz) or [Linux ARM](https://downloads.dockerslim.com/releases/1.29.0/dist_linux_arm.tar.gz) binaries. Unzip them and optionally add their directory to your PATH environment variable if you want to use the app from other locations.
461
+
462
+
The extracted directory contains two binaries:
463
+
464
+
*`docker-slim` <- the main application
465
+
*`docker-slim-sensor` <- the sensor application used to collect information from running containers
466
+
467
+
2. Clone the `examples` repo to use the sample apps (note: the examples have been moved to a separate repo). You can skip this step if you have your own app.
3. Create a Docker image for the sample node.js app in `examples/node_ubuntu`. You can skip this step if you have your own app.
472
+
473
+
`cd examples/node_ubuntu`
474
+
475
+
`eval "$(docker-machine env default)"` <- optional (depends on how Docker is installed on your machine and what kind of Docker version you are using); if the Docker host is not running you'll need to start it first: `docker-machine start default`; see the `Docker connect options` section for more details.
476
+
477
+
`docker build -t my/sample-node-app .`
478
+
479
+
4. Run `docker-slim`:
480
+
481
+
`./docker-slim build my/sample-node-app` <- run it from the location where you extraced the docker-slim binaries (or update your PATH env var to include the `docker-slim` bin directory)
482
+
483
+
DockerSlim creates a special container based on the target image you provided. It also creates a resource directory where it stores the information it discovers about your image: `<docker-slim directory>/.images/<TARGET_IMAGE_ID>`.
484
+
485
+
By default, `docker-slim` will run its http probe against the temporary container. If you are minifying a command line tool that doesn't expose any web service interface you'll need to explicitly disable http probing (by setting `--http-probe=false`).
486
+
487
+
5. Use curl (or other tools) to call the sample app (optional)
488
+
489
+
`curl http://<YOUR_DOCKER_HOST_IP>:<PORT>`
490
+
491
+
This is an optional step to make sure the target app container is doing something. Depending on the application it's an optional step. For some applications it's required if it loads new application resources dynamically based on the requests it's processing (e.g., Ruby or Python).
492
+
493
+
You'll see the mapped ports printed to the console when `docker-slim` starts the target container. You can also get the port number either from the `docker ps` or `docker port <CONTAINER_ID>` commands. The current version of DockerSlim doesn't allow you to map exposed network ports (it works like `docker run … -P`).
494
+
495
+
6. Press <enter> and wait until `docker-slim` says it's done
496
+
497
+
By default or when http probing is enabled explicitly `docker-slim` will continue its execution once the http probe is done running. If you explicitly picked a different `continue-after` option follow the expected steps. For example, for the `enter``continue-after` option you must press the `enter` button on your keyboard.
498
+
499
+
If http probing is enabled (when `http-probe` is set) and if `continue-after` is set to `enter` and you press the `enter` key before the built-in HTTP probe is done the probe might produce an EOF error because `docker-slim` will shut down the target container before all probe commands are done executing. It's ok to ignore it unless you really need the probe to finish.
500
+
501
+
7. Once DockerSlim is done check that the new minified image is there
502
+
503
+
`docker images`
504
+
505
+
You should see `my/sample-node-app.slim` in the list of images. Right now all generated images have `.slim` at the end of its name.
506
+
507
+
8. Use the minified image
508
+
509
+
`docker run -it --rm --name="slim_node_app" -p 8000:8000 my/sample-node-app.slim`
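Review bot: step 6 is titled "Press <enter> and wait until `docker-slim` says it's done", but the paragraph right below it says that by default `docker-slim` continues on its own once the HTTP probe finishes and that pressing `enter` is only required with the `enter` `continue-after` option; retitle the step (for example "Wait until `docker-slim` says it's done (press <enter> if you chose `--continue-after=enter`)") so the heading does not tell readers to press a key that can cut the probe short with the EOF error described just after. In the two seccomp examples, `--security-opt seccomp:<path>` uses the older colon separator; Docker's documented form is `--security-opt seccomp=<path>`, and switching the re-added lines to that form avoids a deprecation warning on current engines. The moved text still carries "extraced" in the `./docker-slim build my/sample-node-app` step.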