Auditing your Docker instance down to a ‘Bare Necessity’ footprint

Docker is an interesting piece of software that revolutionized the DevOps world. By bundling everything your app needs to run into a single container, Docker makes it easy to build and deploy applications to multiple servers. However, a standard Docker image can be unnecessarily heavy for your purpose. So we worked on an algorithm that watches how your Docker instance is being used by your application and strips away the parts that are not used. We got an 80% reduction in size! Read on to see how.

Benefits

Docker has many benefits and some of them are:

  1. Cross-machine compatibility: An application and all of its dependencies can be bundled into a single self-contained Docker container. This container can run on any server that has the Docker daemon running.
  2. Rapid application deployment: Since the application and its dependencies are already installed in the container, there is no need for any post-deployment steps. This makes deployment very fast.
  3. Version control and reuse: You can keep track of changes to a Docker container with the built-in version control system. Once built, Docker images can be reused in any other Docker images.
  4. Easy maintenance: Docker makes it easy to handle application dependencies and other problems that occur in the deployment process.

The “Big” Problem

The main issue with Docker is the huge size of its images. A plain installation of the Redis server Docker image is around 111.1 MB. A single `apt-get install build-essential` adds more than 100MB to your Docker image. A normal Java project with dependencies like JDK, Tomcat and MySQL can easily grow up to 1GB. Not good ☹

Large images are a real problem when you start pushing Docker images to a remote central registry. Each layer in the image creates a separate request to the registry, and large layers can take a long time to transfer.

Workaround/Hack or Solution?

Just keep only the files and libraries that your application needs and strip out all other unwanted stuff. Okay, how do we do that?

Okay, let's try to make the smallest image of redis-server

We start from the official Docker image of Redis. You can pull it from Docker Hub using `docker pull redis`. We are going to use a C program to find out just the files and libraries needed to run the Redis server.

Build it to a static binary

gcc main.c --static -o fanotify-profiler

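Run the official Redis Docker image with our profiler as the main process. The --cap-add SYS_ADMIN flag is there because the profiler relies on fanotify, which needs that capability; it is a broad capability, so grant it only for this profiling run, not to the container you deploy.

docker run --name profiler_redis_server --volume $PWD:/src --cap-add SYS_ADMIN -it redis /src/fanotify-profiler > out.txt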

With the profiler running, start redis-server in the same container

docker exec -it profiler_redis_server redis-server

Wait a few seconds, and once redis-server has properly started, kill the container.

docker kill profiler_redis_server

This will give us what we need:

So now we know which files we need to run redis-server. Let's make a new tiny image using these files.

Run the shell script
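
One way such a staging step could look, as an added example rather than the script used in this post. It assumes out.txt holds one absolute path per line and that the original image's filesystem is available as a directory; `stage_rootfs`, `copy_path`, `normalize`, SRC and DEST are hypothetical names. It also covers the case a plain copy misses: a logged library path that is a symlink to the real versioned file.

```shell
# Added example, not the article's script. Assumption: the profiler log has one
# absolute path per line; SRC is the original image's root filesystem on disk.

# Collapse "." and ".." lexically so a link target cannot resolve outside SRC/DEST.
normalize() {
    norm=; old_ifs=$IFS; IFS=/
    set -f                                  # no globbing while splitting on "/"
    for seg in $1; do
        case $seg in
            ''|.) ;;
            ..)   norm=${norm%/*} ;;
            *)    norm=$norm/$seg ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "${norm:-/}"
}

# Copy one path; if it is a symlink, copy the link itself and then follow it
# (at most 16 hops) so the file it finally points to is staged as well.
copy_path() {
    cp_src=$1 cp_dest=$2 cp_path=$(normalize "$3") hops=0
    while [ "$hops" -lt 16 ]; do
        from=$cp_src$cp_path to=$cp_dest$cp_path
        if [ -e "$to" ] || [ -L "$to" ]; then return 0; fi   # already staged
        if [ -L "$from" ] || [ -f "$from" ]; then
            mkdir -p "$(dirname "$to")"
            cp -pP "$from" "$to"
        elif [ -d "$from" ]; then
            mkdir -p "$to"
        fi
        [ -L "$from" ] || return 0
        link=$(readlink "$from")
        case $link in
            /*) cp_path=$(normalize "$link") ;;
            *)  cp_path=$(normalize "$(dirname "$cp_path")/$link") ;;
        esac
        hops=$((hops + 1))
    done
}

# stage_rootfs LOG SRC DEST: copy every logged path from SRC into DEST.
stage_rootfs() {
    sort -u "$1" | while IFS= read -r p; do
        case $p in
            /proc/*|/sys/*|/dev/*) ;;            # kernel-provided at run time
            /*) copy_path "$2" "$3" "$p" ;;      # anything else must be absolute
        esac
    done
}
```

SRC can be a directory unpacked from `docker export`, and DEST can then serve as the content of a `FROM scratch` image. Only symlinks in the final path component are followed; a profile taken from a short run also misses files the application opens later, so exercise the workload before trusting the list.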

Wow! From 111.1 MB to 13.83 MB. That’s almost 88% less. Cool.

And the final result