Building and Securing Containers with Slim.ai
There are many ways to build and secure containers, but Slim.ai has its own unique take. Slim.ai CEO John Amaral describes the company’s approach as “slimming.” This minimizes your production code footprint by removing unnecessary code. It also inherently reduces software supply chain complexity, software attack surface and aggregate risk.
You’ve always been able to do this by hand. But if you’ve ever tried it, you know it’s a tedious, painful process. Slim.ai’s container optimization Software-as-a-Service (SaaS) workflow lets you create a production-ready container quickly and with minimal effort. It allows users to slim containers in an easy-to-use and consistent web environment. Slimming images this way takes only minutes. Better still, once done it leaves you with a repeatable, trackable process that can be rerun every time you make a code change.
If that sounds familiar, it should. It’s essentially like a hosted DockerSlim, now SlimToolkit, the company’s flagship open source project. With it, you minimize your containers through a convenient UI, instead of a series of CLI flags, and it runs on Slim.ai’s build servers with integrations into several container registries and CI platforms.
By either name, this popular developer tool optimizes and secures your containers by analyzing what your application actually uses and throwing away the code it doesn’t, thus “slimming” your containers’ attack surface. It also can reduce the size of your container by up to 30x.
Most container Linux distributions, such as Microsoft’s Common Base Linux (CBL)-Mariner, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS) and RancherOS, are small in size, but they don’t focus on enabling you to trim your attack surfaces.
Others, such as Alpine Linux and Chainguard Wolfi, minimize attack surfaces by cutting the base image down to the bare minimum. Wolfi also includes software bills of materials (SBOMs) and signing.
Slim.ai takes a different approach. You start building your container using your choice of Linux distribution, software chains, libraries and languages. Then it optimizes and secures your containers by analyzing your application and throwing out everything you don’t need. The result? You can build containers quickly using familiar tools and still end up shipping images with tiny attack surfaces.
Which approach is best? All of these approaches are relatively new, so use whichever fits your work best.
As Amaral said, “Currently, tens of thousands of developers and teams use Slim’s open source and free SaaS software to understand what’s in their containers, reduce containers’ attack surface, remove vulnerabilities and ship only the code they need.”
But the open source project doesn’t scale. So with the beta Slim.ai service, Amaral continued, “we’re moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these outcomes at scale.”
This is being done by integrating Slim.ai services with your container registries, continuous integration/continuous deployment (CI/CD) pipelines and tools so you can automate and integrate it into existing workflows to quickly deliver secure software into production.
Current and planned integrations include Docker, AWS Elastic Container Registry (ECR), Google Container Registry (GCR), GitHub, DigitalOcean and Quay registries, and the Jenkins, GitLab and GitHub CI/CD platforms. You can use your choice of multiple open source vulnerability scanners on your containers to find security problems before they bite you.
Slim.ai can work with a wide variety of languages and Linux distros. These include Node.js, Python, Ruby, Java, Go, Rust, Elixir and PHP running on Ubuntu, Debian, CentOS, Alpine and even Distroless.
Besides securing applications by slimming out unneeded and potentially vulnerable code, you also save container space. For example, a Node.js application image running on Debian 11 Bullseye shrinks from a default 371MB to a mere 42MB, and a Python image on CentOS 7 drops from a plump 647MB to 23MB. While storage space costs next to nothing, the extra processing and networking spent on large images add up. Besides, developers’ time always costs serious money. Large containers take longer to push, pull, scan, verify and inspect. When your programmers work with dozens of containers simultaneously, those inefficiencies add up quickly.
Slim.ai in Action
The process looks like this. First, you create your containers and pull them into the Slim platform to take advantage of Slim’s developer tools. Here, vulnerability reports are generated and stored for the original image.
Next, Slim’s optimization engine automatically reduces containers to only what they need. You can use your own fine-grained configurations or use Slim’s recommendations.
This slimming process not only removes the pieces you’re not using, but also removes the vulnerabilities you don’t know about. The ultimate goal of container slimming is to create the minimum viable footprint (read: attack surface) to get the job done. In other words: less risk, better software.
Well-known Kubernetes expert Kelsey Hightower jokingly wrote that the safest way to ship code is to “write nothing; deploy nowhere.” While slimming doesn’t go that far — obviously! — as Amaral wrote, “Slimming is the only technique that meets Kelsey’s tongue-in-cheek admonition that the safest software is the software you never ship.”
Once that’s done, you run a post-optimization analysis. This details which files, packages and vulnerabilities were removed and which ones remain in your final, slimmed image.
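As an added illustration of the before-and-after view described above (not Slim.ai’s own code), here is a small Python routine that diffs two constructed image inventories and reports what a slimming pass removed and what remains; the file paths, package names and vulnerability IDs are constructed placeholders, and `required_files` is an assumed input listing what the application must keep.

```python
"""Post-optimization analysis: what a slimming pass removed and what remains.

Added example, not Slim.ai's own code. The two inventories are constructed
sample data shaped like what an image scan yields: file paths in the image,
and its packages with the vulnerability IDs a scanner reported per package
(placeholder IDs, not real advisories).
"""
from dataclasses import dataclass, field


@dataclass
class ImageInventory:
    files: set[str]
    packages: dict[str, set[str]] = field(default_factory=dict)  # pkg -> vuln IDs


ORIGINAL = ImageInventory(  # constructed "before" image
    files={"/usr/bin/node", "/usr/bin/curl", "/usr/bin/perl", "/app/server.js",
           "/usr/lib/x86_64-linux-gnu/libcurl.so.4", "/usr/share/doc/README"},
    packages={"nodejs": {"VULN-PLACEHOLDER-1"}, "perl": set(),
              "curl": {"VULN-PLACEHOLDER-2", "VULN-PLACEHOLDER-3"},
              "libc6": {"VULN-PLACEHOLDER-4"}},
)
SLIMMED = ImageInventory(  # constructed "after" image
    files={"/usr/bin/node", "/app/server.js"},
    packages={"nodejs": {"VULN-PLACEHOLDER-1"}, "libc6": {"VULN-PLACEHOLDER-4"}},
)


def post_optimization_report(before, after, required_files=()):
    """Compare two inventories and return the before/after view as a dict.

    required_files (assumed input) lists paths the application must keep at
    runtime; any of them missing from the slimmed image means the slimming
    configuration needs adjusting before the image ships.
    """
    vulns_before = set().union(*before.packages.values())
    vulns_after = set().union(*after.packages.values())
    return {
        "files_removed": sorted(before.files - after.files),
        "files_remaining": sorted(after.files),
        # Slimming only subtracts; anything new in the output is suspicious.
        "files_added": sorted(after.files - before.files),
        "missing_required": sorted(set(required_files) - after.files),
        "packages_removed": sorted(set(before.packages) - set(after.packages)),
        "vulns_removed": vulns_before - vulns_after,
        "vulns_remaining": vulns_after,
    }


if __name__ == "__main__":
    for key, value in post_optimization_report(ORIGINAL, SLIMMED, ["/app/server.js"]).items():
        print(f"{key}: {value}")
```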
There are other advantages to this approach. You don’t need your programmers to be container experts. The Slim.ai platform provides a before-and-after view of developers’ containers so they can see what’s been removed. This is a powerful tool for both optimization and debugging.
Your developers also don’t need to be security mavens. When Slim.ai “slims” down containers, it does more than get rid of the cruft. It also can help you easily lock down unneeded ports or those always-worrisome files with special permissions.
The Slim.ai Software as a Service (SaaS) also shows you what ports, user information and environment variables are present in your container. These are frequent sources of misconfiguration that turn into security holes. Your team only needs to know that these should be locked down or minimized, not the ins and outs of, say, SELinux to lock down your entire container.
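An added example, not part of the article or of Slim.ai’s tooling, of the kind of check a team would run on the items just listed: it audits a constructed OCI-style image config (the `User`, `ExposedPorts` and `Env` keys) together with a constructed file listing, flagging root execution, unexpected exposed ports, secret-looking environment variables and setuid/setgid files. The `SECRET_NAME` pattern and all sample values are assumptions.

```python
"""Audit the runtime settings a container still carries after slimming:
ports, user identity, environment variables and special-permission files.

Added example, not Slim.ai's code. SAMPLE_CONFIG mirrors the "config" keys
of an OCI image configuration; SAMPLE_FILES maps paths to st_mode values.
Both are constructed sample data.
"""
import re
import stat

SAMPLE_CONFIG = {  # constructed
    "User": "",  # empty User means the process runs as root
    "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}},
    "Env": ["PATH=/usr/local/bin:/usr/bin", "NODE_ENV=production",
            "DB_PASSWORD=changeme"],
}
SAMPLE_FILES = {  # constructed: path -> st_mode
    "/usr/bin/node": 0o100755,
    "/usr/bin/passwd": 0o104755,  # setuid root binary left in the image
    "/app/server.js": 0o100644,
}
# Assumed heuristic for variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY)", re.I)


def audit_image(config, files, allowed_ports=frozenset()):
    """Return a list of findings; an empty list means nothing to lock down."""
    findings = []
    user = config.get("User", "")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root: set USER to an unprivileged account")
    for port in config.get("ExposedPorts", {}):
        if port not in allowed_ports:
            findings.append(f"unexpected exposed port {port}")
    for entry in config.get("Env", []):
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-looking env var {name} baked into image")
    for path, mode in files.items():
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(
                f"special-permission file {path} ({oct(stat.S_IMODE(mode))})")
    return findings


if __name__ == "__main__":
    for finding in audit_image(SAMPLE_CONFIG, SAMPLE_FILES, {"8080/tcp"}):
        print(finding)
```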
Another Slim.ai win is that in our emerging multicloud world, workloads are moved around to take advantage of the best pricing and deployment speed. Small Slim.ai containers can be more easily moved from one cloud to another. The service also provides a meta-repository of the most popular container registries in one place. This gives both your developers and customer managers a single view of the commercial container landscape. The net result is that your developers save time, money and energy by using their existing knowledge and tools. So with Slim.ai, everyone wins.