0:00 Introduction and the Problem

0:00 Are your container images too big? Are your container images insecure? The sad truth is for most people, the answer is yes and yes. The challenge is that making small, slim, secure container images requires a lot of understanding and knowledge of container layers and optimizing those layers. But what if there was an easier way? Today, we're gonna take a look at Slim Toolkit by Slim AI. This is an auto magical tool for taking your existing container image pipelines and making them more secure and smaller. Let's take a look. Let's start with the test from a Slim Toolkit website. First, docker

0:44 Demo: Slimming NGINX (HTTP Probe)

0:48 image pull nginx 1.19. This is pulling down a version of the NGINX image. And if we run an image LS, we'll see that this is a 33 33 meg in size. We can do a Slim build NGINX one nineteen using the name of the container image already available on the Docker daemon. This is now entering HTTP probe mode. This means that they have a special sensor probe that queries the container on web ports and tries to detect which passer available and hits them to understand the runtime components of your container image. Kinda cool. Right? Well, let's run docker image l s now.

1:38 And you'll see we have a new nginx dot slim that is 12 meg, under 12 meg. But the question is, does it work? Let's do docker container run dash r m to clean up nginx.slim latest. And so that I can hit this on my local machine, let's publish the port like so. We're now running NGINX and the Slim container exposing as port 80 on port eighty eighty on the host. So let's add the port binding to my browser and there you have it. We're now on NGINX homepage served by a Slim Toolkit slimmed and hardened and

2:24 secured container image. Let's kick it up a little bit and try Slim Toolkit on a real Rust project that I'm a big fan of called dog. Dog is a dag replacement for doing DNS queries. It's super awesome. Go check it out. I've already cloned dog to this local directory. And now we can do docker image build and we'll call this dog latest in the current directory. This may take just a moment, so bear with me. So when we run Docker image l s, grep for dog, we can see that the dog image is 97.5 meg. So let's build the Slim Toolkit version.

2:27 Demo: Slimming a Rust CLI (dog)

3:09 First, we need to provide a small script, which I call exec dot s h, which will use the application that we're building the Slim image for. It's best to try and get a well rounded set of commands that use most of the features so that the sensor has the ability to give you an image with the least margin of error. Here, I'm just telling dog to do three different types of DNS lookup. I actually don't think this case it helps or expands the functionality of the command, but you never know. Now we could do Slim Build

3:46 and turn off the http probe and turn on the exec file probe like so, telling it the image that we wish to build. In this case, dog latest, which again is 97.5 meg. We can see from the output here that our exec script ran and then Slim optimized after inspecting our image. So now if we run docker image l s again, grepping for dog, we'll see that our dog latest image at 97.5 meg has been reduced to under 10. That is a huge saving. But the question is, does it work? Let's try Docker container, clean up after ourselves,

4:39 doc.slim latest, where we wish to run a NS lookup on Rawkode.studio. And don't forget to pass in the command itself. And we get the NS records. We can now say, do a CNAME lookup on community.rawkode.academy, or even google.com. It looks like our dog command works. So for our last trick, I'm taking a real production application. This is the Rawkode Academy website. I've cloned it to a directory here. Now the things you need to know are one, this application has never had a Dockerfile before. I've dropped one into the directory that I literally found by googling for astro build Dockerfile.

5:16 Demo: Slimming a Website (Unoptimized)

5:41 It was the first hit in the astro docs. What's important here is this image is 100% unoptimized. I know this is not a Dockerfile I should be using for production. Why? Well, I'm using Node LTS, which is fine, but probably we should be using Alpine to keep our footprint small. I think copying the entire working directory rather than copying in the package dot JSON. Doing the NPM install, copying in the rest, performing in a build step, copying the static assets, blah blah blah blah blah. I shouldn't need to know all this stuff. Most people don't.

6:26 We then just tell it to run the application from the desk folder like nobody is watching. And if you do a build of this Dockerfile and do an LS and I'll just filter for only this, we have a container image at a whopping 1.4 gig. Now I have written articles on how to avoid this situation, but what I'm about to show you is magic. You don't need to optimize anything. Docker Slim will do it for you. To see what our applications should look like, let's run the big image. We do docker container run dash dash r

7:07 m to clean it up when we're finished. We have a port mount and port eighty eighty just like before. This time to port 3,000 within the container. And then we provide the image name. Now we can open a previous NGINX page and refresh. And we get the Rawkode Academy website. We can click on services, shows, community, which is an external link, and so forth. So let's try the slim version. First thing we need to do is slim build. And then pass website latest. By default, Slim is going to use the HTTP probe. And by default,

8:07 that probe is going to check every page for links to other pages on your website and try to discover as much as possible. So let's give that a moment to finish. And done. Let's take a look at the image sizes. Gripping for the websites alone. As you can see, our original image was over one gig pushing towards two. Here, our Slim image is a hundred meg. So it begs the question, does it work? Let's copy our Docker run command and this time we'll do website dot Slim. Then let's jump back and refresh. And that is looking

8:58 not too bad. Let's click on services and shows and even Rawkode Live. Hey, that is pretty sweet. So Slim Toolkit is a pretty amazing tool. You don't need to fight with Docker files anymore. You don't need to grok and understand and balance and juggle the layers to get the output that you need. With just a few commands, the Slim Toolkit can take your huge or maybe just chunky container images and spit out a secure and slim alternative. So go check it out. We'll see you soon.