  • Stars
    334
  • Rank 126,264 (Top 3 %)
  • Language
    Shell
  • License
    Apache License 2.0
  • Created over 9 years ago
  • Updated over 3 years ago

Repository Details

Utility to strip Docker images to their bare minimum size.

Minimizing the size of standard docker images

This utility strips everything you do not need from an image and creates a new image with just the bare necessities.

Synopsis

strip-docker-image 	-i image-name
			-t target-image-name
			[-p package]
			[-f file]
			[-x expose-port]
			[-v]

Options

-i image-name		to strip
-t target-image-name	the image name of the stripped image
-p package		package to include from image, multiple -p allowed.
-f file			file to include from image, multiple -f allowed.
-x port			to expose.
-v			verbose.

Description

Creates a new Docker image which contains only selected packages and files from the source image.

Why is this useful?

  1. It minimizes the size of your docker images, which speeds up load times
  2. It minimizes the attack surface: if you get in the container, there is nothing there.

Example

The following example strips the nginx installation from the default NGiNX docker image:

strip-docker-image -i nginx -t stripped-nginx  \
				   -x 80 \
				   -p nginx  \
				   -f /etc/passwd \
				   -f /etc/group \
				   -f '/lib/*/libnss*' \
				   -f /bin/ls \
				   -f /bin/cat \
				   -f /bin/sh \
				   -f /bin/mkdir \
				   -f /bin/ps \
				   -f /var/run \
				   -f /var/log/nginx \
				   -f /var/cache/nginx

Aside from the nginx package, I have added the files /etc/passwd and /etc/group and the /lib/*/libnss* shared libraries, which are necessary for getpwnam() to work correctly.

The directories /var/run, /var/log/nginx and /var/cache/nginx are required for NGiNX to operate.

In addition, I added /bin/sh and a few handy utilities, just to be able to snoop around a little bit.

The stripped image has shrunk to an incredible 5.4% of the original size, from 132.8 MB to just 7.3 MB, and is still fully operational!

$ docker images | grep nginx
stripped-nginx                     latest              d61912afaf16        21 seconds ago      7.297 MB
nginx                              1                   319d2015d149        12 days ago         132.8 MB
nginx                              1.9                 319d2015d149        12 days ago         132.8 MB
nginx                              1.9.2               319d2015d149        12 days ago         132.8 MB

Just run the nginx container as you normally would!

docker run --name nginx -P -d --entrypoint /usr/sbin/nginx stripped-nginx  -g "daemon off;"
docker run --link nginx:stripped cargonauts/toolbox-networking curl -s -D - http://stripped
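
The example above deliberately keeps /bin/sh and a few utilities, so it is worth checking what a stripped image still ships before relying on the attack-surface claim. The script below is an added example, not part of strip-docker-image: it reads a `tar -tv` listing of the image filesystem and reports shells, setuid/setgid files and the number of executables. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what survives in a stripped image.
# Input: a `tar -tv` listing of the image filesystem on stdin, e.g.
#   cid=$(docker create stripped-nginx) && docker export "$cid" | tar -tv
# Assumes GNU tar's verbose format (mode owner size date time path) and
# paths without spaces.

audit_listing() {
    awk '
    {
        mode = $1; path = $6
        n = split(path, parts, "/"); base = parts[n]
        if (base == "") next                   # directory entry such as "bin/"
        type = substr(mode, 1, 1)
        if (type != "-" && type != "l") next   # only regular files and symlinks
        # Shells, including symlinks such as sh -> dash
        if (base ~ /^(sh|bash|dash|ash|zsh|busybox)$/)
            print "SHELL " path
        # setuid/setgid show up as s or S in the owner/group execute slot
        setid = (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/)
        if (type == "-" && setid)
            print "SETID " path
        # Count regular files with any execute bit set
        if (type == "-" && mode ~ /[xst]/) exec_count++
    }
    END { print "EXECUTABLES " exec_count + 0 }'
}

# Constructed sample listing (not real output from the stripped-nginx image).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2015-07-20 10:00 bin/
-rwxr-xr-x root/root    125400 2015-07-20 10:00 bin/dash
lrwxrwxrwx root/root         0 2015-07-20 10:00 bin/sh -> dash
-rwxr-xr-x root/root    118280 2015-07-20 10:00 bin/ls
-rwsr-xr-x root/root     40000 2015-07-20 10:00 bin/su
-rw-r--r-- root/root      1200 2015-07-20 10:00 etc/passwd
-rwxr-xr-x root/root    900000 2015-07-20 10:00 usr/sbin/nginx
EOF
}

sample_listing | audit_listing
```

For an image meant for production, an empty SHELL and SETID report means the debugging files from the example (-f /bin/sh and friends) were left out of the strip command.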

Caveats

This utility requires bash, tar, readlink, ldd, and either dpkg or rpm to be installed in the container.

Note that on systems with rpm, you must specify full package names when using the -p switch, e.g. -p nginx-1.8.0-1.el7.ngx.x86_64
