docker-slim

Start DockerSlim on interactive mode

$ docker-slim

$ docker-slim xray --target [image:tag]

$ docker-slim lint --target [path/to/Dockerfile]

$ docker-slim build [image:tag]

$ docker-slim [subcommand] --help

docker-slim <command> [options] <image_name>
Example: docker-slim build --http-probe myapp:latest

build
    The primary command to optimize a Docker image, producing a smaller version.

xray
    Analyzes a Docker image to show its contents and dependencies without slimming.

-t, --tag <new_tag>
    Specifies the tag for the new, optimized Docker image.

--http-probe
    Enables HTTP probing during analysis, ideal for web applications to discover dependencies.

--exec <command>
    Executes a specific command inside the container to profile its runtime behavior.

--include-path <path>
    Forces the inclusion of a specified file or directory path into the final image.

--exclude-path <path>
    Forces the exclusion of a specified file or directory path from the final image.

--dry-run
    Performs analysis and displays the optimization plan without building the new image.

--pull
    Pulls the target Docker image from the registry if not available locally.

--from-dockerfile <path>
    Specifies a Dockerfile path to build the base image before slimming.

docker-slim is an open-source command-line utility designed to automatically reduce the size of Docker images without altering the application's code or behavior. It achieves this by performing a multi-stage analysis:
First, it runs the original container, monitors its activity (such as file system access, network connections, and executed commands), and identifies all dynamically linked libraries and other dependencies used by the application during runtime. After this comprehensive analysis, it constructs a new, optimized Docker image that contains only the essential components discovered during the profiling phase.
This process dramatically reduces the image's attack surface, improves startup times, and minimizes resource consumption, leading to more efficient and secure deployments. It is versatile, working across various programming languages and frameworks by observing the actual runtime footprint rather than relying on static analysis or language-specific package managers.

docker-slim relies on runtime profiling, meaning if an application path is not executed during profiling (e.g., a rarely used error handler), its dependencies might be removed.
It requires a running Docker daemon and root privileges to function correctly.
Complex applications or those with dynamic library loading might require careful configuration of --exec or --include-path to ensure all necessary components are retained.
It's generally less effective on already minimal base images like 'scratch' or 'distroless'.

docker-slim operates by monitoring the target container's behavior during its execution. It observes file system access, network connections, and executed processes to determine precisely which files and libraries are actively used by the application. This dynamic analysis allows it to create a highly optimized image containing only the essential components, unlike static analysis which can miss dynamic dependencies.

Reducing Docker image size offers multiple benefits:
Enhanced Security: A smaller attack surface due to fewer unnecessary components.
Improved Performance: Faster image pulls, reduced startup times, and lower resource consumption.
Cost Savings: Less storage required and reduced data transfer costs, especially in cloud environments.

docker-slim was created by Dmitry Fillin and first released around 2017-2018. Its development was driven by the common challenge of 'fat' Docker images, which often contain numerous unnecessary files and libraries, increasing their attack surface and deployment overhead. By providing an automated solution for image optimization, it quickly gained traction within the containerization community. It remains an active open-source project, continuously updated to support new Docker features and runtime environments.

docker(1), docker inspect(1), dive(1)