Slimming Down Images

Feb 22, 2017

Oracle just announced a new container image: Oracle Linux 7-Slim.

Their goal was to create a leaner image and improve security in the process, since reducing the footprint of the container also reduces its attack surface.

You can check out that image here using Anchore Navigator, where you can see that the image weighs in at a little over 100MB, compared to the standard Oracle Linux image, which is over twice that size. While that's nowhere near as small as Alpine, which is a minuscule 4MB, Oracle's base image is much smaller than those of the other major Linux distros.

The Anchore service, which powers the Navigator, tracks the most popular images on DockerHub along with images requested by registered users, so when a new image is published we pull it down and perform our detailed analysis. From that data we can tell that Oracle does a good job of regularly updating their base image, and because it is updated frequently it usually has no known security vulnerabilities (CVEs). You can subscribe to any image on the Navigator to receive notifications when its tags are updated – for example, when Oracle updated their standard image on the 21st of February, all users who had subscribed to that image received an email notification.

Last month we blogged about how you can use Anchore to compare images to see what has changed, so today we took a look at the new Oracle slim image to see how Oracle shaved around 100MB off it.

For those who want to follow along, you can use the following command:

# anchore query --image=oraclelinux show-pkg-diffs oraclelinux:7-slim

Package                 Oracle Linux            Oracle Linux Slim
procps-ng               3.3.10-10.el7           Not Installed
openssh-clients         6.6.1p1-33.el7_3        Not Installed
libuser                 0.60-7.el7_1            Not Installed
oracle-logos            70.0.3-4.0.7.el7        Not Installed
tar                     1.26-31.el7             Not Installed
json-c                  0.11-4.el7_0            Not Installed
iputils                 20160308-8.el7          Not Installed
pygobject2              2.28.6-11.el7           Not Installed
rhnsd                   5.0.13-5.0.1.el7        Not Installed
rhn-check               2.0.2-8.0.4.el7         Not Installed
xz                      5.2.2-1.el7             Not Installed
iproute                 3.10.0-74.0.1.el7       Not Installed
libmnl                  1.0.3-7.el7             Not Installed
python-hwdata           1.7.3-4.el7             Not Installed
rsyslog                 7.4.7-16.0.1.el7        Not Installed
bind-license            9.9.4-38.el7_3.2        Not Installed
pam                     1.1.8-18.el7            Not Installed
acl                     2.2.51-12.el7           Not Installed
dbus-glib               0.100-7.el7             Not Installed
cracklib-dicts          2.9.0-11.el7            Not Installed
vim-minimal             7.4.160-1.el7_3.1       Not Installed
systemd                 219-30.0.1.el7_3.6      Not Installed
libpwquality            1.2.3-4.el7             Not Installed
libnetfilter_conntrack  1.0.4-2.el7             Not Installed
python-dmidecode        3.10.13-11.el7          Not Installed
newt-python             0.52.15-4.el7           Not Installed
hostname                3.13-3.el7              Not Installed
libestr                 0.1.9-2.el7             Not Installed
device-mapper           1.02.135-1.el7_3.2      Not Installed
rhnlib                  2.5.65-2.0.1.el7        Not Installed
passwd                  0.79-4.el7              Not Installed
yum-rhn-plugin          2.0.1-6.0.1.el7         Not Installed
kpartx                  0.4.9-99.el7_3.1        Not Installed
libblkid                2.23.2-33.0.1.el7       Not Installed
dracut                  033-463.0.1.el7         Not Installed
python-gudev            147.2-7.el7             Not Installed
policycoreutils         2.5-11.0.1.el7_3        Not Installed
cracklib                2.9.0-11.el7            Not Installed
iptables                1.4.21-17.el7           Not Installed
fipscheck               1.4.1-5.el7             Not Installed
yum-plugin-ulninfo      0.2-13.el7              Not Installed
dbus-libs               1.6.12-17.0.1.el7       Not Installed
kmod                    20-9.el7                Not Installed
openssh-server          6.6.1p1-33.el7_3        Not Installed
GeoIP                   1.5.0-11.el7            Not Installed
systemd-libs            219-30.0.1.el7_3.6      Not Installed
python-ethtool          0.8-5.el7               Not Installed
bind-libs-lite          9.9.4-38.el7_3.2        Not Installed
libutempter             1.1.6-4.el7             Not Installed
device-mapper-libs      1.02.135-1.el7_3.2      Not Installed
sysvinit-tools          2.88-14.dsf.el7         Not Installed
m2crypto                0.21.1-17.el7           Not Installed
hardlink                1.0-19.el7              Not Installed
libgudev1               219-30.0.1.el7_3.6      Not Installed
dbus-python             1.1.1-9.el7             Not Installed
dhcp-libs               4.2.5-47.0.1.el7        Not Installed
slang                   2.2.4-11.el7            Not Installed
util-linux              2.23.2-33.0.1.el7       Not Installed
usermode                1.111-5.el7             Not Installed
libnl                   1.1.4-3.el7             Not Installed
newt                    0.52.15-4.el7           Not Installed
dhclient                4.2.5-47.0.1.el7        Not Installed
libnfnetlink            1.0.1-4.el7             Not Installed
qrencode-libs           3.4.1-3.el7             Not Installed
rootfiles               8.1-11.el7              Not Installed
elfutils-libs           0.166-2.el7             Not Installed
libedit                 3.0-12.20121213cvs.el7  Not Installed
tcp_wrappers-libs       7.6-77.el7              Not Installed
pyOpenSSL               0.13.1-3.el7            Not Installed
openssh                 6.6.1p1-33.el7_3        Not Installed
dbus                    1.6.12-17.0.1.el7       Not Installed
libuuid                 2.23.2-33.0.1.el7       Not Installed
logrotate               3.8.6-12.el7            Not Installed
dhcp-common             4.2.5-47.0.1.el7        Not Installed
cryptsetup-libs         1.7.2-1.el7             Not Installed
libmount                2.23.2-33.0.1.el7       Not Installed
initscripts             9.49.37-1.0.1.el7       Not Installed
kmod-libs               20-9.el7                Not Installed
rhn-client-tools        2.0.2-8.0.4.el7         Not Installed
hwdata                  0.252-8.4.el7           Not Installed
gzip                    1.5-8.el7               Not Installed
fipscheck-lib           1.4.1-5.el7             Not Installed
libselinux-utils        2.5-6.el7               Not Installed
binutils                2.25.1-22.base.el7      Not Installed
rhn-setup               2.0.2-8.0.4.el7         Not Installed

Here you can see that 85 packages were removed from the standard image. Some of the removals are obvious optimizations, such as dropping unneeded utilities and libraries; others are notable because they highlight some interesting issues in the regular image. For example, openssh-server has been removed, and you might argue that an SSH server has no business being installed in a container image in the first place.
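The comparison behind the show-pkg-diffs output above, as an added example that is not Anchore's code: it diffs two RPM manifests (assumed to be `rpm -qa` output captured from each image, with a constructed handful of rows), reports removed, added and re-versioned packages rather than only the "Not Installed" rows shown above, and flags dropped host-service packages such as openssh-server, dbus and kmod.

```python
# Added example, not Anchore's code: diff two images' RPM manifests the way the post's
# show-pkg-diffs query does. Each manifest is assumed to be the output of
# rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' run inside the respective image.
# Constructed sample manifests: the removed rows are taken from the post's table;
# glibc and bash (kept in both images) and the bash version bump are made up.
BASE_MANIFEST = """\
procps-ng 3.3.10-10.el7
openssh-server 6.6.1p1-33.el7_3
openssh-clients 6.6.1p1-33.el7_3
dbus 1.6.12-17.0.1.el7
kmod 20-9.el7
systemd 219-30.0.1.el7_3.6
glibc 2.17-157.el7
bash 4.2.46-20.el7
"""
SLIM_MANIFEST = """\
glibc 2.17-157.el7
bash 4.2.46-21.el7
"""
# Packages that run host-level services; a single-process container should not carry them.
HOST_SERVICE_PKGS = {"openssh-server", "dbus", "kmod", "systemd", "rsyslog", "initscripts", "dhclient", "rhnsd"}
NOT_INSTALLED = "Not Installed"

def parse_manifest(text):
    """Map package name -> version from 'name version' lines, skipping malformed ones."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs

def diff_manifests(base_text, other_text):
    """Rows (name, base_version, other_version) for every package that differs."""
    base, other = parse_manifest(base_text), parse_manifest(other_text)
    rows = []
    for name in sorted(base.keys() | other.keys()):
        b, o = base.get(name, NOT_INSTALLED), other.get(name, NOT_INSTALLED)
        if b != o:
            rows.append((name, b, o))
    return rows

def removed_service_pkgs(rows):
    """Service packages the slimmer image dropped: host-style daemons the base image carried."""
    return sorted(n for n, _, o in rows if o == NOT_INSTALLED and n in HOST_SERVICE_PKGS)

def format_table(rows, headers=("Package", "Oracle Linux", "Oracle Linux Slim")):
    """Render aligned columns like the post's output (print the result to see it)."""
    widths = [max(len(r[i]) for r in [headers] + rows) for i in range(3)]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in [headers] + rows)
```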

Other changes, such as the removal of dbus and kmod, really highlight how many containers are being built today. I'd argue that in many cases organizations aren't deploying microservices, they are deploying microVMs: many images look like a whole operating system, just packaged up as a Docker image. There's a lot of other fat that can be trimmed from most containers. For example, take a look at the contents of this image: navigate to the Contents tab, open the Files view, filter for /bin, and as you scroll through the 51 pages ask whether these binaries are really needed in your image.

There's still a lot of work to be done by most Linux distro vendors to build more efficient and more secure images. Removing selected RPMs and DEBs helps, but the size and scope of many operating system packages still leads to more content being installed than is required.

One cautionary note:

While size certainly matters, it should not be your only consideration when selecting a base image from DockerHub or any other registry.

Ensure that the image is well maintained – for example, check that it gets updated frequently enough to meet your needs. Is the content coming from known-good sources? You certainly don't want to bring in packages of unknown origin. Are the operating system packages being maintained and tested, including security fixes tracked against published CVE security feeds? Is the default out-of-the-box configuration secure?

Anchore can help you answer those questions, whether by using the Navigator to pre-screen images for security issues and view their update history, or by building custom policies that define your own rules for certifying your containers.
