Oracle just announced a new container image: Oracle Linux 7-Slim.

Their goal was to create a leaner image and improve security in the process, since reducing the footprint of the container also reduces the attack surface.

You can check out that image here using Anchore Navigator, where you can see that the image weighs in at a little over 100MB, compared to the standard Oracle Linux image, which is over twice that size. While that’s nowhere near as small as Alpine, which is a minuscule 4MB, Oracle’s base image is much smaller than the other major Linux distros.

The Anchore service, which powers the Navigator, tracks the most popular images on DockerHub along with images requested by registered users, so when a new image is published we pull down the image and perform our detailed analysis. From that data we can tell that Oracle does a good job of regularly updating their base image, and because it is updated frequently this image usually has no known security vulnerabilities (CVEs). You can subscribe to any image on the Navigator to receive notifications when the TAGs are updated – for example, when Oracle updated their standard image on the 21st of February, all users who subscribed to that image received an email notification.

Last month we blogged about how you can use Anchore to compare images to see what has changed, so today we took a look at the new Oracle slim image to see how Oracle shaved around 100MB off the image.

For those who want to follow along you can use the following command:

# anchore query --image=oraclelinux show-pkg-diffs oraclelinux:7-slim


| Package | Oracle Linux | Oracle Linux Slim |
|---|---|---|
| procps-ng | 3.3.10-10.el7 | Not Installed |
| openssh-clients | 6.6.1p1-33.el7_3 | Not Installed |
| libuser | 0.60-7.el7_1 | Not Installed |
| oracle-logos | 70.0.3-4.0.7.el7 | Not Installed |
| tar | 1.26-31.el7 | Not Installed |
| json-c | 0.11-4.el7_0 | Not Installed |
| iputils | 20160308-8.el7 | Not Installed |
| pygobject2 | 2.28.6-11.el7 | Not Installed |
| rhnsd | 5.0.13-5.0.1.el7 | Not Installed |
| rhn-check | 2.0.2-8.0.4.el7 | Not Installed |
| xz | 5.2.2-1.el7 | Not Installed |
| iproute | 3.10.0-74.0.1.el7 | Not Installed |
| libmnl | 1.0.3-7.el7 | Not Installed |
| python-hwdata | 1.7.3-4.el7 | Not Installed |
| rsyslog | 7.4.7-16.0.1.el7 | Not Installed |
| bind-license | 9.9.4-38.el7_3.2 | Not Installed |
| pam | 1.1.8-18.el7 | Not Installed |
| acl | 2.2.51-12.el7 | Not Installed |
| dbus-glib | 0.100-7.el7 | Not Installed |
| cracklib-dicts | 2.9.0-11.el7 | Not Installed |
| vim-minimal | 7.4.160-1.el7_3.1 | Not Installed |
| systemd | 219-30.0.1.el7_3.6 | Not Installed |
| libpwquality | 1.2.3-4.el7 | Not Installed |
| libnetfilter_conntrack | 1.0.4-2.el7 | Not Installed |
| python-dmidecode | 3.10.13-11.el7 | Not Installed |
| newt-python | 0.52.15-4.el7 | Not Installed |
| hostname | 3.13-3.el7 | Not Installed |
| libestr | 0.1.9-2.el7 | Not Installed |
| device-mapper | 1.02.135-1.el7_3.2 | Not Installed |
| rhnlib | 2.5.65-2.0.1.el7 | Not Installed |
| passwd | 0.79-4.el7 | Not Installed |
| yum-rhn-plugin | 2.0.1-6.0.1.el7 | Not Installed |
| kpartx | 0.4.9-99.el7_3.1 | Not Installed |
| libblkid | 2.23.2-33.0.1.el7 | Not Installed |
| dracut | 033-463.0.1.el7 | Not Installed |
| python-gudev | 147.2-7.el7 | Not Installed |
| policycoreutils | 2.5-11.0.1.el7_3 | Not Installed |
| cracklib | 2.9.0-11.el7 | Not Installed |
| iptables | 1.4.21-17.el7 | Not Installed |
| fipscheck | 1.4.1-5.el7 | Not Installed |
| yum-plugin-ulninfo | 0.2-13.el7 | Not Installed |
| dbus-libs | 1.6.12-17.0.1.el7 | Not Installed |
| kmod | 20-9.el7 | Not Installed |
| openssh-server | 6.6.1p1-33.el7_3 | Not Installed |
| GeoIP | 1.5.0-11.el7 | Not Installed |
| systemd-libs | 219-30.0.1.el7_3.6 | Not Installed |
| python-ethtool | 0.8-5.el7 | Not Installed |
| bind-libs-lite | 9.9.4-38.el7_3.2 | Not Installed |
| libutempter | 1.1.6-4.el7 | Not Installed |
| device-mapper-libs | 1.02.135-1.el7_3.2 | Not Installed |
| sysvinit-tools | 2.88-14.dsf.el7 | Not Installed |
| m2crypto | 0.21.1-17.el7 | Not Installed |
| hardlink | 1.0-19.el7 | Not Installed |
| libgudev1 | 219-30.0.1.el7_3.6 | Not Installed |
| dbus-python | 1.1.1-9.el7 | Not Installed |
| dhcp-libs | 4.2.5-47.0.1.el7 | Not Installed |
| slang | 2.2.4-11.el7 | Not Installed |
| util-linux | 2.23.2-33.0.1.el7 | Not Installed |
| usermode | 1.111-5.el7 | Not Installed |
| libnl | 1.1.4-3.el7 | Not Installed |
| newt | 0.52.15-4.el7 | Not Installed |
| dhclient | 4.2.5-47.0.1.el7 | Not Installed |
| libnfnetlink | 1.0.1-4.el7 | Not Installed |
| qrencode-libs | 3.4.1-3.el7 | Not Installed |
| rootfiles | 8.1-11.el7 | Not Installed |
| elfutils-libs | 0.166-2.el7 | Not Installed |
| libedit | 3.0-12.20121213cvs.el7 | Not Installed |
| tcp_wrappers-libs | 7.6-77.el7 | Not Installed |
| pyOpenSSL | 0.13.1-3.el7 | Not Installed |
| openssh | 6.6.1p1-33.el7_3 | Not Installed |
| dbus | 1.6.12-17.0.1.el7 | Not Installed |
| libuuid | 2.23.2-33.0.1.el7 | Not Installed |
| logrotate | 3.8.6-12.el7 | Not Installed |
| dhcp-common | 4.2.5-47.0.1.el7 | Not Installed |
| cryptsetup-libs | 1.7.2-1.el7 | Not Installed |
| libmount | 2.23.2-33.0.1.el7 | Not Installed |
| initscripts | 9.49.37-1.0.1.el7 | Not Installed |
| kmod-libs | 20-9.el7 | Not Installed |
| rhn-client-tools | 2.0.2-8.0.4.el7 | Not Installed |
| hwdata | 0.252-8.4.el7 | Not Installed |
| gzip | 1.5-8.el7 | Not Installed |
| fipscheck-lib | 1.4.1-5.el7 | Not Installed |
| libselinux-utils | 2.5-6.el7 | Not Installed |
| binutils | 2.25.1-22.base.el7 | Not Installed |
| rhn-setup | 2.0.2-8.0.4.el7 | Not Installed |

Here you can see that 85 packages were removed from the standard image. Some of the removals are obvious optimizations – removing unneeded utilities and libraries. Others are notable because they highlight some interesting issues in the regular image – for example, openssh-server has been removed, which you might argue has no business being installed in a container image in the first place.

There are other changes, such as the removal of dbus and kmod, that really go to highlight how many containers are being built today. I’d argue that in many cases organizations aren’t deploying microservices; they are deploying microVMs. Many images look like a whole operating system, just packaged up in a Docker image. There’s a lot of other fat that can be trimmed from most containers – for example, take a look at the contents of this image: navigate to the contents tab, look at the files view and filter for /bin, and while you scroll through the 51 pages ask if these binaries are really needed in your image.
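The comparison above can be reproduced from plain package listings. The following is an added example, not code from the original post or from Anchore's tooling: it diffs two listings and flags packages that suggest an image is built like a VM. The `VM_STYLE` grouping, the function names and the sample listings are assumptions of this example; the flagged package names are taken from the table above.

```python
# Added example: diff two image package listings and flag "microVM"-style packages.
VM_STYLE = {  # assumption: this example's own grouping of names from the table
    "remote login": {"openssh-server", "openssh-clients"},
    "init and service management": {"systemd", "initscripts", "sysvinit-tools", "dbus"},
    "kernel and boot tooling": {"kmod", "dracut", "device-mapper", "kpartx"},
    "host networking": {"iptables", "dhclient", "iproute"},
}

# Constructed listings in `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` form.
# The bash version is a placeholder; the other versions are copied from the table.
BASE_LISTING = """
bash 0-0.placeholder
openssh-server 6.6.1p1-33.el7_3
systemd 219-30.0.1.el7_3.6
dbus 1.6.12-17.0.1.el7
kmod 20-9.el7
tar 1.26-31.el7
"""
SLIM_LISTING = "bash 0-0.placeholder\n"

def parse_listing(text):
    """Return {name: version-release}; skip blank lines, reject malformed ones."""
    pkgs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name version-release'")
        pkgs[parts[0]] = parts[1]
    return pkgs

def diff_packages(base, other):
    """Names only in base, only in other, and in both with different versions."""
    return {
        "removed": sorted(base.keys() - other.keys()),
        "added": sorted(other.keys() - base.keys()),
        "changed": sorted(n for n in base.keys() & other.keys() if base[n] != other[n]),
    }

def flag_vm_style(pkgs):
    """Map each category to the VM-style packages present in one image."""
    hits = {cat: sorted(pkgs.keys() & names) for cat, names in VM_STYLE.items()}
    return {cat: found for cat, found in hits.items() if found}

if __name__ == "__main__":
    base, slim = parse_listing(BASE_LISTING), parse_listing(SLIM_LISTING)
    print(diff_packages(base, slim), flag_vm_style(base), flag_vm_style(slim), sep="\n")
```

An empty result from `flag_vm_style` for an image means none of the listed VM-style packages are installed; it says nothing about the other questions raised below, such as update cadence or package origin.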

There’s a lot of work still to be done by most Linux distro vendors to build more efficient and more secure images. Removing selected RPMs and DEBs helps, but the size and scope of many of the operating system packages still lead to more content being installed than is required.

One cautionary note:

While size certainly does matter, it should not be your only consideration in selecting a base image to use from DockerHub or any other registry.

Ensure that the image is well maintained – for example, check that it gets updated frequently enough to meet your needs. Is the content coming from known-good sources? You certainly don’t want to bring in packages from an unknown origin. Are the operating system packages being maintained and tested, including security fixes with published CVE security feeds? Is the default out-of-the-box configuration secure?

Anchore can help you answer those questions – whether it’s by using the Navigator to pre-screen images for security issues and to view update history or by building custom policies that define your own rules for certifying your containers.