Lean and Mean Docker containers
Moby
Our great sponsors
Lean and Mean Docker containers | Moby | |
---|---|---|
38 | 209 | |
18,071 | 67,540 | |
1.5% | 0.4% | |
9.1 | 10.0 | |
4 days ago | 7 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Lean and Mean Docker containers
-
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
Slim.ai presents the data in a more user friendly way than many of the other tools in this post. On top of its open source SlimToolkit for identifying the contents of an image, Slim.ai uses Trivy for vulnerability scanning.
-
Tips for reducing Docker image size
What about https://github.com/slimtoolkit/slim?
-
Standard container sizes
Anyone tried using https://github.com/docker-slim/docker-slim To minify an image?..
- A practical approach to structuring Golang applications
-
M1: Docker doesn't find shared x64 shared objects even though platform was specified
Distroless images are better left for people with serious need for lightweight images and good Linux knowledge because they require lot of planning with the build so that they stay light and work. If you need lighter images but docker isn't your main tool and you can't afford to take hours and hours of practicing different build strategies you can check docker-slim (https://dockersl.im/). With this tool you can easily size down the images.
-
I deleted 78% of my Redis container and it still works
Maybe this would help in that regard: https://github.com/docker-slim/docker-slim
-
Are there tools that tell you if you can optimize your dockerfiles?
I have heard of slim.ai, there core tool is open source https://github.com/docker-slim/docker-slim
- We're optimizing our Docker image and we're pretty happy with how it's going: 3.37GB > 1.13GB. Next stop, a single Docker image Budibase deployment 🚀
-
Ask HN: Who is hiring? (April 2022)
* We have a lightweight engineering process based on trust, self-alignment and visibility.
Email me at [email protected] if you'd like to learn more.
P.S.
Take a look at DockerSlim ( https://github.com/docker-slim/docker-slim ) if you are interested in working on the open source project that powers our SaaS.
-
Down With the Sickness
In last weeks blog I talked about what my plan was for release 2.9. My main areas of concern was finishing the migration to make use of the images stored in our Docker registry. The other area I was planning on taking on was to slim down those images in the registry by using Docker-Slim.
Moby
-
Exploring Podman: A More Secure Docker Alternative
> Podman is designed to help with this by providing stronger default security settings compared to Docker. Features like rootless containers, user namespaces, and seccomp profiles, while available in Docker, aren't enabled by default and often require extra setup.
Seccomp has been enabled by default since 2015: https://github.com/moby/moby/pull/18780
It is true that Rootless isn't enabled by default but its "extra setup" can be done with a single command (`dockerd-rootless-setuptool.sh install`)
-
OpenZFS 2.2: Block Cloning, Linux Containers, BLAKE3
Perhaps.
Thing is, https://github.com/moby/moby/blob/670bc0a46c4ca03b75f1e72f73... is using https://github.com/mistifyio/go-zfs which features code like `out, err := zfsOutput("get", "-H", key, d.Name)` (Source: https://github.com/mistifyio/go-zfs/blob/master/zfs.go#L315) to get a single zfs property.
Somebody chose to use a library as abstraction that looks good but is implemented as a MVP (nothing wrong with that). "In the future, we hope to work directly with libzfs" should have raised an alarm somewhere, though.
-
The Twelve-Factor App
AppArmor can restrict /proc and this is even used by docker: https://github.com/moby/moby/blob/master/contrib/apparmor/te...
- macOS Containers v0.0.1
-
Build Your Own Docker with Linux Namespaces, Cgroups, and Chroot
Docker by default also applies a seccomp system call whitelist per [1] and restricts capabilities per [2], amongst numerous other default hardening practices that are applied. If a Docker container really had a need to call the "reboot" system call, this permission could be explicitly added.
More complex sandboxing techniques include opening handles for sockets, pipes, files, etc and then hardening seccomp filters on top to prevent any new handles being opened. In this way, some containers can read/write defined files on a volume without having any ability to otherwise interact with file systems such as opening new files (all file system related system calls could be disabled).
[1] https://github.com/moby/moby/blob/master/profiles/seccomp/de...
[2] https://docs.docker.com/engine/security/#linux-kernel-capabi...
-
Jails on FreeBSD
Docker has to run as root, or use otherwise insecure methods ("rootless" is a sham, it requires suid binaries and CVE ridden unprivileged user namespaces).
I agree with ports, working[0][1][2] on it.
-
Pigz: Parallel gzip for modern multi-processor, multi-core machines
Useful with Docker, see https://github.com/moby/moby/pull/35697
I’ve integrated pigz into different build and CI pipelines a few times. Don’t expect wonders since some steps still need to run serially, but a few seconds here and there might still add up to a few minutes on a large build.
-
Docker developers discuss changes in how ports are to be forwarded into containers
Link to the GitHub discussion: https://github.com/moby/moby/discussions/45524
-
New Docker Goodies: Init and Watch
With 4.19.0 release, the Docker engine and CLI are updated to Moby 23.0. That brings a lot of new stuff. One of the things that can be confusing on start is that docker build is now an alias for docker buildx build. The reason is that Buildx and BuildKit are default builders on Linux and OSX. You will notice differences when building images. You'll see switching blue and white lines in the short demos above. White lines are tasks in progress, while blue ones are completed tasks. As well you'll see that Buildx is trying to run tasks in parallel.
-
What are some recent or significant updates and changes you did to your initial Arch install?
Added btrfs subvol for var lib docker and changed dockers storage driver to overlay2, ugh. https://github.com/moby/moby/issues/39815
What are some alternatives?
podman - Podman: A tool for managing OCI containers and pods.
containerd - An open and reliable container runtime
nerdctl - contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
docker-openwrt - OpenWrt running in Docker
ofelia - A docker job scheduler (aka. crontab for docker)
k3d - Little helper to run CNCF's k3s in Docker
Packer - Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
minideb - A small image based on Debian designed for use in containers
rancher - Complete container management platform
kubernetes - Production-Grade Container Scheduling and Management
Go random string generator - Flexible and customizable random string generator
dive - A tool for exploring each layer in a docker image