DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Overview

DSLIM1

Follow Gitter chat Discord chat Download DockerSlim

Minify and Secure Docker containers (free and open source!)

Don't change anything in your Docker container image and minify it by up to 30x making it secure too! Optimizing images isn't the only thing it can do though. It can also help you understand and author better container images.

Keep doing what you are doing. No need to change anything. Use the base image you want. Use the package manager you want. Don't worry about hand optimizing your Dockerfile. You shouldn't have to throw away your tools and your workflow to have small container images.

Don't worry about manually creating Seccomp and AppArmor security profiles. You shouldn't have to become an expert in Linux syscalls, Seccomp and AppArmor to have secure containers. Even if you do know enough about it wasting time reverse engineering your application behavior can be time-consuming.

docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don't need, reducing the attack surface of your container. What if you need some of those extra things to debug your container? You can use dedicated debugging side-car containers for that (more details below).

docker-slim has been used with Node.js, Python, Ruby, Java, Golang, Rust, Elixir and PHP (some app types) running on Ubuntu, Debian, CentOS, Alpine and even Distroless.

Note that some application stacks do require advanced container probing to make sure that all dynamically loaded components are detected. See the --http-probe* flags for more details to know how you can define custom probe commands. In some cases you might also need to use the --include-path flag to make sure everything your application needs is included (e.g., ubuntu.com python SPA app container image example where the client side template files are explicitly included).

It's also a good idea to use your app/environment tests when you run docker-slim. See the --continue-after flag for more details about integrating your tests with the temporary container docker-slim creates when it's doing its dynamic analysis. Running tests in the target container is also an option, but it does require you to specify a custom ENTRYPOINT/CMD with a custom wrapper to start your app and to execute your tests.

Interactive CLI prompt screencast:

asciicast

Watch this screencast to see how an application image is minified by more than 30x.

asciicast

When docker-slim runs it gives you an opportunity to interact with the temporary container it creates. By default, it will pause and wait for your input before it continues its execution. You can change this behavior using the --continue-after flag.

If your application exposes any web interfaces (e.g., when you have a web server or an HTTP API), you'll see the port numbers on the host machine you will need to use to interact with your application (look for the port.list and target.port.info messages on the screen). For example, in the screencast above you'll see that the internal application port 8000 is mapped to port 32911 on your host.

Note that docker-slim will interact with your application for you if you enable HTTP probing with the --http-probe flag or other related HTTP probe flags. Some web applications built with scripting languages like Python or Ruby require service interactions to load everything in the application. Enable HTTP probing unless it gets in your way.

You can also interact with the temporary container via a shell script or snippet using --exec-file or --exec. For example, you can create a container which is only capable of using curl.

>> docker pull archlinux:latest
...

>> docker-slim build --target archlinux:latest --tag archlinux:curl --http-probe=false --exec "curl checkip.amazonaws.com"
...

>> docker run archlinux:curl curl checkip.amazonaws.com
...

>> docker images
archlinux                 curl                ...        ...         17.4MB
archlinux                 latest              ...        ...         467MB
...

Community

Feel free to join any of these channels or just open a new Github issue if you want to chat or if you need help.

DockerSlim on the Internet

Books:

Minification Examples

You can find the examples in a separate repository: https://github.com/docker-slim/examples

Node.js application images:

  • from ubuntu:14.04 - 432MB => 14MB (minified by 30.85X)
  • from debian:jessie - 406MB => 25.1MB (minified by 16.21X)
  • from node:alpine - 66.7MB => 34.7MB (minified by 1.92X)
  • from node:distroless - 72.7MB => 39.7MB (minified by 1.83X)

Python application images:

  • from ubuntu:14.04 - 438MB => 16.8MB (minified by 25.99X)
  • from python:2.7-alpine - 84.3MB => 23.1MB (minified by 3.65X)
  • from python:2.7.15 - 916MB => 27.5MB (minified by 33.29X)
  • from centos:7 - 647MB => 23MB (minified by 28.57X)
  • from centos/python-27-centos7 - 700MB => 24MB (minified by 29.01X)
  • from python2.7:distroless - 60.7MB => 18.3MB (minified by 3.32X)

Ruby application images:

  • from ubuntu:14.04 - 433MB => 13.8MB (minified by 31.31X)
  • from ruby:2.2-alpine - 319MB => 27MB (minified by 11.88X)
  • from ruby:2.5.3 - 978MB => 30MB (minified by 32.74X)

Golang application images:

  • from golang:latest - 700MB => 1.56MB (minified by 448.76X)
  • from ubuntu:14.04 - 531MB => 1.87MB (minified by 284.10X)
  • from golang:alpine - 258MB => 1.56MB (minified by 165.61X)
  • from centos:7 - 615MB => 1.87MB (minified by 329.14X)

Rust application images:

  • from rust:1.31 - 2GB => 14MB (minified by 147.16X)

JAVA application images:

  • from ubuntu:14.04 - 743.6 MB => 100.3 MB

PHP application images:

  • from php:7.0-cli - 368MB => 26.6MB (minified by 13.85X)

Haskell application images:

  • (Scotty service) from haskell:8 - 2.09GB => 16.6MB (minified by 125.32X)
  • (Scotty service) from haskell:7 - 1.5GB => 21MB (minified by 71X)

Elixir application images:

  • (Phoenix service) from elixir:1.6 - 1.1 GB => 37 MB (minified by 29.25X)

RECENT UPDATES

Latest version: 1.34.0 (1/29/2021)

This release adds more xray command flags in addition to addressing a number of corner cases and bugs.

For more info about the latest release see the CHANGELOG.

INSTALLATION

  1. Download the zip package for your platform.

  2. Unzip the package.

  3. Add the location where you unzipped the package to your PATH environment variable (optional).

If the directory where you extracted the binaries is not in your PATH then you'll need to run your docker-slim commands from that directory.

To use the Docker image distribution just start using the dslim/docker-slim container image.

The OS-specific installers for docker-slim will be available soon (there's already a couple of community Homebrew formulas for Mac and Linux, but they need to be enhanced to work properly).

BASIC USAGE INFO

docker-slim [global flags] [lint|xray|build|profile|update|version|help] [command-specific flags] <IMAGE_ID_OR_NAME>

If you don't specify any command docker-slim will start in the interactive prompt mode.

COMMANDS

  • build - Analyzes, profiles and optimizes your container image generating the supported security profiles. This is the most popular command.
  • xray - Performs static analysis for the target container image (including 'reverse engineering' the Dockerfile for the image). Use this command if you want to know what's inside of your container image and what makes it fat.
  • lint - Analyzes container instructions in Dockerfiles (Docker image support is WIP)
  • profile - Performs basic container image analysis and dynamic container analysis, but it doesn't generate an optimized image.
  • version - Shows the version information.
  • update - Updates docker-slim to the latest version.
  • help - Show the available commands and global flags

Example: docker-slim build my/sample-app

See the USAGE DETAILS section for more details. You can also get additional information about the parameters running docker-slim.

Run docker-slim help to get a high level overview of the available commands. Run a docker-slim command without any parameters and you'll get more information about that command (e.g., docker-slim build).

If you run docker-slim without any parameters you'll get an interactive prompt that will provide suggestions about the available commands and flags. Tabs are used to show the available options, to autocomplete the parameters and to navigate the option menu (which you can also do with Up and Down arrows). Spaces are used to move to the next parameter and Enter is used to run the command. For more info about the interactive prompt see go-prompt.

USAGE DETAILS

docker-slim [global options] command [command options] <target image ID or name>

Commands:

  • lint - Lint the target Dockerfile (or image, in the future)
  • xray - Show what's in the container image and reverse engineer its Dockerfile
  • build - Analyze the target container image along with its application and build an optimized image from it
  • profile - Collect fat image information and generate a fat container report
  • version - Show docker-slim and docker version information
  • update - Update docker-slim
  • help - Show help info

Global options:

  • --report - command report location (target location where to save the executed command results; slim.report.json by default; set it to off to disable)
  • --check-version - check if the current version is outdate
  • --version - print the version
  • --debug - enable debug logs
  • --verbose - enable info logs
  • --log-level - set the logging level ('debug', 'info', 'warn' (default), 'error', 'fatal', 'panic')
  • --log-format - set the format used by logs ('text' (default), or 'json')
  • --log - log file to store logs
  • --host - Docker host address
  • --tls - use TLS connecting to Docker
  • --tls-verify - do TLS verification
  • --tls-cert-path - path to TLS cert files
  • --state-path value - DockerSlim state base path (must set it if the DockerSlim binaries are not in a writable directory!)
  • --archive-state - Archives DockerSlim state to the selected Docker volume (default volume - docker-slim-state). By default, enabled when DockerSlim is running in a container (disabled otherwise). Set it to off to disable explicitly.
  • --in-container - Set it to true to explicitly indicate that DockerSlim is running in a container (if it's not set DockerSlim will try to analyze the environment where it's running to determine if it's containerized)

To get more command line option information run docker-slim without any parameters or select one of the top level commands to get the command-specific information.

To disable the version checks set the global --check-version flag to false (e.g., --check-version=false) or you can use the DSLIM_CHECK_VERSION environment variable.

LINT COMMAND OPTIONS

  • --target - target Dockerfile path (or Docker image, in the future; if you don't use this flag you must specify the target as the argument to the command)
  • --target-type - explicitly specify the command target type (values: dockerfile, image)
  • --skip-build-context - don't try to analyze build context
  • build-context-dir - explicitly specify the build context directory
  • skip-dockerignore - don't try to analyze .dockerignore
  • include-check-label - include checks with the selected label key:value
  • exclude-check-label - exclude checks with the selected label key:value
  • include-check-id - check ID to include
  • include-check-id-file - file with check IDs to include
  • exclude-check-id - check ID to exclude
  • exclude-check-id-file - file with check IDs to exclude
  • show-nohits - show checks with no matches
  • show-snippet - show check match snippet (default value: true)
  • list-checks - list available checks (don't need to specify the target flag if you just want to list the available checks)

XRAY COMMAND OPTIONS

  • --target - Target container image (name or ID)
  • --changes value - Show layer change details for the selected change type (values: none, all, delete, modify, add).
  • --layer value - Show details for the selected layer (using layer index or ID)
  • --remove-file-artifacts - Remove file artifacts when command is done (note: you'll loose the reverse engineered Dockerfile)
  • --add-image-manifest - Add raw image manifest to the command execution report file
  • --add-image-config - Add raw image config object to the command execution report file
  • layer-changes-max - Maximum number of changes to show for each layer
  • all-changes-max - Maximum number of changes to show for all layers
  • add-changes-max - Maximum number of add changes to show for all layers
  • modify-changes-max - Maximum number of modify changes to show for all layers
  • delete-changes-max - Maximum number of delete changes to show for all layers

Change Types:

  • none - Don't show any file system change details in image layers (the top changes from the corresponding layer are still shown)
  • all - Show all file system change details in image layers
  • delete - Show only delete file system change details in image layers
  • modify - Show only modify file system change details in image layers
  • add - Show only 'add' file system change details in image layers

In the interactive CLI prompt mode you must specify the target image using the --target flag while in the traditional CLI mode you can use the --target flag or you can specify the target image as the last value in the command.

BUILD COMMAND OPTIONS

  • --target - Target container image (name or ID)
  • --http-probe - Enables HTTP probing (ENABLED by default; you have to disable the probe if you don't need it by setting the flag to false)
  • --http-probe-cmd - Additional HTTP probe command [can use this flag multiple times]
  • --http-probe-cmd-file - File with user defined HTTP probe commands
  • --http-probe-retry-count - Number of retries for each HTTP probe (default value: 5)
  • --http-probe-retry-wait - Number of seconds to wait before retrying HTTP probe (doubles when target is not ready; default value: 8)
  • --http-probe-ports - Explicit list of ports to probe (in the order you want them to be probed; excluded ports are not probed!)
  • --http-probe-full - Do full HTTP probe for all selected ports (if false, finish after first successful scan; default value: false)
  • --http-probe-exit-on-failure - Exit when all HTTP probe commands fail (default value: true)
  • --http-probe-crawl - Enable crawling for the default HTTP probe command (default value: true)
  • --http-crawl-max-depth - Max depth to use for the HTTP probe crawler (default value: 3)
  • --http-crawl-max-page-count - Max number of pages to visit for the HTTP probe crawler (default value: 1000)
  • --http-crawl-concurrency - Number of concurrent workers when crawling an HTTP target (default value: 10)
  • --http-max-concurrent-crawlers - Number of concurrent crawlers in the HTTP probe (default value: 1)
  • http-probe-apispec - Run HTTP probes for API spec where the value represents the target path where the spec is available (supports Swagger 2.x and OpenAPI 3.x) [can use this flag multiple times]
  • http-probe-apispec-file - Run HTTP probes for API spec from file (supports Swagger 2.x and OpenAPI 3.x) [can use this flag multiple times]
  • publish-port - Map container port to host port analyzing image at runtime to make it easier to integrate external tests (format => port | hostPort:containerPort | hostIP:hostPort:containerPort | hostIP::containerPort )[can use this flag multiple times]
  • publish-exposed-ports - Map all exposed ports to the same host ports analyzing image at runtime (default value: false)
  • --show-clogs - Show container logs (from the container used to perform dynamic inspection)
  • --show-blogs - Show build logs (when the minified container is built)
  • --copy-meta-artifacts - Copy meta artifacts to the provided location
  • --remove-file-artifacts - Remove file artifacts when command is done (note: you'll loose autogenerated Seccomp and Apparmor profiles unless you copy them with the copy-meta-artifacts flag or if you archive the state)
  • --tag - Use a custom tag for the generated image (instead of the default value: <original_image_name>.slim)
  • --entrypoint - Override ENTRYPOINT analyzing image at runtime
  • --cmd - Override CMD analyzing image at runtime
  • --mount - Mount volume analyzing image (the mount parameter format is identical to the -v mount command in Docker) [can use this flag multiple times]
  • --include-path - Include directory or file from image [can use this flag multiple times] (optionally overwriting the artifact's permissions, user and group information; format: target:octalPermFlags#uid#gid ; see the non-default USER FAQ section for more details)
  • --include-path-file - Load directory or file includes from a file (optionally overwriting the artifact's permissions, user and group information; format: target:octalPermFlags#uid#gid ; see the non-default USER FAQ section for more details)
  • --include-bin value - Include binary from image (executable or shared object using its absolute path)
  • --include-bin-file - Load shared binary file includes from a file (similar to --include-path-file)
  • --include-exe value - Include executable from image (by executable name)
  • --include-exe-file - Load executable file includes from a file (similar to --include-path-file)
  • --include-shell - Include basic shell functionality (default value: false)
  • --path-perms - Set path permissions/user/group in optimized image (format: target:octalPermFlags#uid#gid ; see the non-default USER FAQ section for more details)
  • --path-perms-file - File with path permissions to set (format: target:octalPermFlags#uid#gid ; see the non-default USER FAQ section for more details)
  • --exclude-pattern - Exclude path pattern (Glob/Match in Go and **) from image
  • --exclude-mounts - Exclude mounted volumes from image (default value: true)
  • --env - Override or add ENV analyzing image at runtime [can use this flag multiple times]
  • --label - Override or add LABEL analyzing image at runtime [can use this flag multiple times]
  • --volume - Add VOLUME analyzing image at runtime [can use this flag multiple times]
  • --env - Override ENV analyzing image at runtime [can use this flag multiple times]
  • --workdir - Override WORKDIR analyzing image at runtime
  • --network - Override default container network settings analyzing image at runtime
  • --expose - Use additional EXPOSE instructions analyzing image at runtime [can use this flag multiple times]
  • --link - Add link to another container analyzing image at runtime [can use this flag multiple times]
  • --hostname - Override default container hostname analyzing image at runtime
  • --etc-hosts-map - Add a host to IP mapping to /etc/hosts analyzing image at runtime [can use this flag multiple times]
  • --container-dns - Add a dns server analyzing image at runtime [can use this flag multiple times]
  • --container-dns-search - Add a dns search domain for unqualified hostnames analyzing image at runtime [can use this flag multiple times]
  • --image-overrides - Save runtime overrides in generated image (values is all or a comma delimited list of override types: entrypoint, cmd, workdir, env, expose, volume, label). Use this flag if you need to set a runtime value and you want to persist it in the optimized image. If you only want to add, edit or delete an image value in the optimized image use one of the --new-* or --remove-* flags (define below).
  • --continue-after - Select continue mode: enter | signal | probe | timeout or numberInSeconds (default value: enter)
  • --dockerfile - The source Dockerfile name to build the fat image before it's minified.
  • --use-local-mounts - Mount local paths for target container artifact input and output (off, by default)
  • --use-sensor-volume - Sensor volume name to use (set it to your Docker volume name if you manage your own docker-slim sensor volume).
  • --keep-tmp-artifacts - Keep temporary artifacts when command is done (off, by default).
  • --keep-perms - Keep artifact permissions as-is (true, by default)
  • --run-target-as-user - Run target app (in the temporary container) as USER from Dockerfile (true, by default)
  • --new-entrypoint - New ENTRYPOINT instruction for the optimized image
  • --new-cmd - New CMD instruction for the optimized image
  • --new-expose - New EXPOSE instructions for the optimized image
  • --new-workdir - New WORKDIR instruction for the optimized image
  • --new-env - New ENV instructions for the optimized image
  • --new-label - New LABEL instructions for the optimized image
  • --new-volume - New VOLUME instructions for the optimized image
  • --remove-volume - Remove VOLUME instructions for the optimized image
  • --remove-env - Remove ENV instructions for the optimized image
  • --remove-label - Remove LABEL instructions for the optimized image
  • --remove-expose - Remove EXPOSE instructions for the optimized image
  • --exec - A shell script snippet to run via Docker exec
  • --exec-file - A shell script file to run via Docker exec

In the interactive CLI prompt mode you must specify the target image using the --target flag while in the traditional CLI mode you can use the --target flag or you can specify the target image as the last value in the command.

The --include-path option is useful if you want to customize your minified image adding extra files and directories. The --include-path-file option allows you to load multiple includes from a newline delimited file. Use this option if you have a lot of includes. The includes from --include-path and --include-path-file are combined together. You can also use the --exclude-pattern flag to control what shouldn't be included.

The --continue-after option is useful if you need to script docker-slim. If you pick the probe option then docker-slim will continue executing the build command after the HTTP probe is done executing. If you pick the timeout option docker-slim will allow the target container to run for 60 seconds before it will attempt to collect the artifacts. You can specify a custom timeout value by passing a number of seconds you need instead of the timeout string. If you pick the signal option you'll need to send a USR1 signal to the docker-slim process. The signal option is useful when you want to run your own tests against the temporary container docker-slim creates. Your test automation / CI/CD pipeline will be able to notify docker-slim that it's done running its test by sending the USR1 to it.

The --include-shell option provides a simple way to keep a basic shell in the minified container. Not all shell commands are included. To get additional shell commands or other command line utilities use the --include-exe and/or --include-bin options. Note that the extra apps and binaries might missed some of the non-binary dependencies (which don't get picked up during static analysis). For those additional dependencies use the --include-path and --include-path-file options.

The --dockerfile option makes it possible to build a new minified image directly from source Dockerfile. Pass the Dockerfile name as the value for this flag and pass the build context directory or URL instead of the docker image name as the last parameter for the docker-slim build command: docker-slim build --dockerfile Dockerfile --tag my/custom_minified_image_name . If you want to see the console output from the build stages (when the fat and slim images are built) add the --show-blogs build flag. Note that the build console output is not interactive and it's printed only after the corresponding build step is done. The fat image created during the build process has the .fat suffix in its name. If you specify a custom image tag (with the --tag flag) the .fat suffix is added to the name part of the tag. If you don't provide a custom tag the generated fat image name will have the following format: docker-slim-tmp-fat-image.<pid_of_docker-slim>.<current_timestamp>. The minified image name will have the .slim suffix added to that auto-generated container image name (docker-slim-tmp-fat-image.<pid_of_docker-slim>.<current_timestamp>.slim). Take a look at this python examples to see how it's using the --dockerfile flag.

The --use-local-mounts option is used to choose how the docker-slim sensor is added to the target container and how the sensor artifacts are delivered back to the master. If you enable this option you'll get the original docker-slim behavior where it uses local file system volume mounts to add the sensor executable and to extract the artifacts from the target container. This option doesn't always work as expected in the dockerized environment where docker-slim itself is running in a Docker container. When this option is disabled (default behavior) then a separate Docker volume is used to mount the sensor and the sensor artifacts are explicitly copied from the target container.

RUNNING CONTAINERIZED

The current version of docker-slim is able to run in containers. It will try to detect if it's running in a containerized environment, but you can also tell docker-slim explicitly using the --in-container global flag.

You can run docker-slim in your container directly or you can use the docker-slim container in your containerized environment. If you are using the docker-slim container make sure you run it configured with the Docker IPC information, so it can communicate with the Docker daemon. The most common way to do it is by mounting the Docker unix socket to the docker-slim container. Some containerized environments (like Gitlab and their dind service) might not expose the Docker unix socket to you, so you'll need to make sure the environment variables used to communicate with Docker (e.g., DOCKER_HOST) are passed to the docker-slim container. Note that if those environment variables reference any kind of local host names those names need to be replaced or you need to tell docker-slim about them using the --etc-hosts-map flag. If those environment variables reference local files those local files (e.g., files for TLS cert validation) will need to be copied to a temporary container, so that temporary container can be used as a data container to make those files accessible by the docker-slim container.

When docker-slim runs in a container it will attempt to save its execution state in a separate Docker volume. If the volume doesn't exist it will try to create it (docker-slim-state, by default). You can pick a different state volume or disable this behavior completely by using the global --archive-state flag. If you do want to persist the docker-slim execution state (which includes the seccomp and AppArmor profiles) without using the state archiving feature you can mount your own volume that maps to the /bin/.docker-slim-state directory in the docker-slim container.

By default, docker-slim will try to create a Docker volume for its sensor unless one already exists. If this behavior is not supported by your containerized environment you can create a volume separately and pass its name to docker-slim using the --use-sensor-volume flag.

Here's a basic example of how to use the containerized version of docker-slim: docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock dslim/docker-slim build your-docker-image-name

Here's a GitLab example for their dind .gitlab-ci.yml config file: docker run -e DOCKER_HOST=tcp://$(grep docker /etc/hosts | cut -f1):2375 dslim/docker-slim build your-docker-image-name

Here's a CircleCI example for their remote docker .circleci/config.yml config file (used after the setup_remote_docker step):

docker create -v /dcert_path --name dcert alpine:latest /bin/true
docker cp $DOCKER_CERT_PATH/. dcert:/dcert_path
docker run --volumes-from dcert -e DOCKER_HOST=$DOCKER_HOST -e DOCKER_TLS_VERIFY=$DOCKER_TLS_VERIFY -e DOCKER_CERT_PATH=/dcert_path dslim/docker-slim build your-docker-image-name

DOCKER CONNECT OPTIONS

If you don't specify any Docker connect options docker-slim expects to find the following environment variables: DOCKER_HOST, DOCKER_TLS_VERIFY (optional), DOCKER_CERT_PATH (required if DOCKER_TLS_VERIFY is set to "1")

On Mac OS X you get them when you run eval "$(docker-machine env default)" or when you use the Docker Quickstart Terminal.

If the Docker environment variables are configured to use TLS and to verify the Docker cert (default behavior), but you want to disable the TLS verification you can override the TLS verification behavior by setting the --tls-verify to false:

docker-slim --tls-verify=false build --http-probe=true my/sample-node-app-multi

You can override all Docker connection options using these flags: --host, --tls, --tls-verify, --tls-cert-path. These flags correspond to the standard Docker options (and the environment variables).

If you want to use TLS with verification:

docker-slim --host=tcp://192.168.99.100:2376 --tls-cert-path=/Users/youruser/.docker/machine/machines/default --tls=true --tls-verify=true build --http-probe=true my/sample-node-app-multi

If you want to use TLS without verification:

docker-slim --host=tcp://192.168.99.100:2376 --tls-cert-path=/Users/youruser/.docker/machine/machines/default --tls=true --tls-verify=false build --http-probe=true my/sample-node-app-multi

If the Docker environment variables are not set and if you don't specify any Docker connect options docker-slim will try to use the default unix socket.

HTTP PROBE COMMANDS

If the HTTP probe is enabled (note: it is enabled by default) it will default to running GET / with HTTP and then HTTPS on every exposed port. You can add additional commands using the --http-probe-cmd and --http-probe-cmd-file options.

The --http-probe-cmd option is good when you want to specify a small number of simple commands where you select some or all of these HTTP command options: crawling (defaults to false), protocol, method (defaults to GET), resource (path and query string).

If you only want to use custom HTTP probe command and you don't want the default GET / command added to the command list you explicitly provided you'll need to set --http-probe to false when you specify your custom HTTP probe command. Note that this inconsistency will be addressed in the future releases to make it less confusing.

Possible field combinations:

  • /path - runs GET /path
  • crawl:/path - runs GET /path and then crawls the pages referenced by the target page
  • post:/path - runs POST /path
  • crawl:get:/path - runs GET /path and then crawls the pages referenced by the target page
  • https:get:/path runs GET /path only on https
  • crawl:http:get:/path - runs GET /path and then crawls the pages referenced by the target page

Here are a couple of examples:

Adds two extra probe commands: GET /api/info and POST /submit (tries http first, then tries https): docker-slim build --show-clogs --http-probe-cmd /api/info --http-probe-cmd POST:/submit my/sample-node-app-multi

Adds one extra probe command: POST /submit (using only http): docker-slim build --show-clogs --http-probe-cmd http:POST:/submit my/sample-node-app-multi

The --http-probe-cmd-file option is good when you have a lot of commands and/or you want to select additional HTTP command options.

Available HTTP command options:

  • method - HTTP method to use
  • resource - target resource URL
  • port - port number
  • protocol - http, https, http2, http2c (cleartext version of http2)
  • headers - array of strings with column delimited key/value pairs (e.g., "Content-Type: application/json")
  • body - request body as a string
  • username - username to use for basic auth
  • password - password to use for basic auth
  • crawl - boolean to indicate if you want to crawl the target (to visit all referenced resources)

Here's a probe command file example:

docker-slim build --show-clogs --http-probe-cmd-file probeCmds.json my/sample-node-app-multi

Commands in probeCmds.json:

{
  "commands":
  [
   {
     "resource": "/api/info"
   },
   {
     "method": "POST",
     "resource": "/submit"
   },
   {
     "procotol": "http",
     "resource": "/api/call?arg=one"
   },
   {
     "protocol": "http",
     "method": "POST",
     "resource": "/submit2",
     "body": "key=value"
   }
  ]
}

The HTTP probe command file path can be a relative path (relative to the current working directory) or it can be an absolute path.

For each HTTP probe call docker-slim will print the call status. Example: info=http.probe.call status=200 method=GET target=http://127.0.0.1:32899/ attempt=1 error=none.

You can execute your own external HTTP requests using the target.port.list field in the container info message docker-slim prints when it starts its test container: docker-slim[build]: info=container name=<your_container_name> id=<your_container_id> target.port.list=[<comma_separated_list_of_port_numbers_to_use>] target.port.info=[<comma_separated_list_of_port_mapping_records>]. Example: docker-slim[build]: info=container name=dockerslimk_42861_20190203084955 id=aa44c43bcf4dd0dae78e2a8b3ac011e7beb6f098a65b09c8bce4a91dc2ff8427 target.port.list=[32899] target.port.info=[9000/tcp => 0.0.0.0:32899]. With this information you can run curl or other HTTP request generating tools: curl http://localhost:32899.

The current version also includes an experimental crawling capability. To enable it for the default HTTP probe use the --http-probe-crawl flag. You can also enable it for the HTTP probe commands in your command file using the crawl boolean field.

When crawling is enabled the HTTP probe will act like a web crawler following the links it finds in the target endpoint.

Probing based on the Swagger/OpenAPI spec is another experimental capability. This feature introduces two new flags:

  • http-probe-apispec - value: <path_to_fetch_spec>:<api_endpoint_prefix>
  • http-probe-apispec-file - value: <local_file_path_to_spec>

DEBUGGING MINIFIED CONTAINERS

You can create dedicated debugging side-car container images loaded with the tools you need for debugging target containers. This allows you to keep your production container images small. The debugging side-car containers attach to the running target containers.

Assuming you have a running container named node_app_alpine you can attach your debugging side-car with a command like this: docker run --rm -it --pid=container:node_app_alpine --net=container:node_app_alpine --cap-add sys_admin alpine sh. In this example, the debugging side-car is a regular alphine image. This is exactly what happens with the node_alpine app sample (located in the node_alpine directory of the examples repo) and the run_debug_sidecar.command helper script.

If you run the ps command in the side-car you'll see the application from the target container:

# ps
PID   USER     TIME   COMMAND
    1 root       0:00 node /opt/my/service/server.js
   13 root       0:00 sh
   38 root       0:00 ps

You can access the target container file system through /proc/<TARGET_PID>/root:

# ls -lh /proc/1/root/opt/my/service
total 8
drwxr-xr-x    3 root     root        4.0K Sep  2 15:51 node_modules
-rwxr-xr-x    1 root     root         415 Sep  8 00:52 server.js

Some of the useful debugging commands include cat /proc/<TARGET_PID>/cmdline, ls -l /proc/<TARGET_PID>/cwd, cat /proc/1/environ, cat /proc/<TARGET_PID>/limits, cat /proc/<TARGET_PID>/status and ls -l /proc/<TARGET_PID>/fd.

MINIFYING COMMAND LINE TOOLS

Unless the default CMD instruction in your Dockerfile is sufficient you'll have to specify command line parameters when you execute the build command in DockerSlim. This can be done with the --cmd option.

Other useful command line parameters:

  • --show-clogs - use it if you want to see the output of your container.
  • --mount - use it to mount a volume when DockerSlim inspects your image.
  • --entrypoint - use it if you want to override the ENTRYPOINT instruction when DockerSlim inspects your image.

Note that the --entrypoint and --cmd options don't override the ENTRYPOINT and CMD instructions in the final minified image.

Here's a sample build command:

docker-slim build --show-clogs=true --cmd docker-compose.yml --mount $(pwd)/data/:/data/ dslim/container-transform

It's used to minify the container-transform tool. You can get the minified image from Docker Hub.

QUICK SECCOMP EXAMPLE

If you want to auto-generate a Seccomp profile AND minify your image use the build command. If you only want to auto-generate a Seccomp profile (along with other interesting image metadata) use the profile command.

Step one: run DockerSlim

docker-slim build your-name/your-app

Step two: use the generated Seccomp profile

docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/your-name-your-app-seccomp.json <your other run params> your-name/your-app

Feel free to copy the generated profile :-)

You can use the generated Seccomp profile with your original image or with the minified image.

USING AUTO-GENERATED SECCOMP PROFILES

You can use the generated profile with your original image or with the minified image DockerSlim created:

docker run -it --rm --security-opt seccomp:path_to/my-sample-node-app-seccomp.json -p 8000:8000 my/sample-node-app.slim

ORIGINAL DEMO VIDEO

DockerSlim demo

Demo video on YouTube

DEMO STEPS

The demo runs on Mac OS X, but you can build a linux version. Note that these steps are different from the steps in the demo video.

  1. Get the docker-slim Mac, Linux, Linux ARM or Linux ARM64 binaries. Unzip them and optionally add their directory to your PATH environment variable if you want to use the app from other locations.

The extracted directory contains two binaries:

  • docker-slim <- the main application
  • docker-slim-sensor <- the sensor application used to collect information from running containers
  1. Clone the examples repo to use the sample apps (note: the examples have been moved to a separate repo). You can skip this step if you have your own app.

git clone https://github.com/docker-slim/examples.git

  1. Create a Docker image for the sample node.js app in examples/node_ubuntu. You can skip this step if you have your own app.

cd examples/node_ubuntu

eval "$(docker-machine env default)" <- optional (depends on how Docker is installed on your machine and what kind of Docker version you are using); if the Docker host is not running you'll need to start it first: docker-machine start default; see the Docker connect options section for more details.

docker build -t my/sample-node-app .

  1. Run docker-slim:

./docker-slim build my/sample-node-app <- run it from the location where you extraced the docker-slim binaries (or update your PATH env var to include the docker-slim bin directory)

DockerSlim creates a special container based on the target image you provided. It also creates a resource directory where it stores the information it discovers about your image: <docker-slim directory>/.images/<TARGET_IMAGE_ID>.

By default, docker-slim will run its http probe against the temporary container. If you are minifying a command line tool that doesn't expose any web service interface you'll need to explicitly disable http probing (by setting --http-probe=false).

  1. Use curl (or other tools) to call the sample app (optional)

curl http://<YOUR_DOCKER_HOST_IP>:<PORT>

This is an optional step to make sure the target app container is doing something. Depending on the application it's an optional step. For some applications it's required if it loads new application resources dynamically based on the requests it's processing (e.g., Ruby or Python).

You'll see the mapped ports printed to the console when docker-slim starts the target container. You can also get the port number either from the docker ps or docker port <CONTAINER_ID> commands. The current version of DockerSlim doesn't allow you to map exposed network ports (it works like docker run … -P).

  1. Press and wait until docker-slim says it's done

By default or when http probing is enabled explicitly docker-slim will continue its execution once the http probe is done running. If you explicitly picked a different continue-after option follow the expected steps. For example, for the enter continue-after option you must press the enter button on your keyboard.

If http probing is enabled (when http-probe is set) and if continue-after is set to enter and you press the enter key before the built-in HTTP probe is done the probe might produce an EOF error because docker-slim will shut down the target container before all probe commands are done executing. It's ok to ignore it unless you really need the probe to finish.

  1. Once DockerSlim is done check that the new minified image is there

docker images

You should see my/sample-node-app.slim in the list of images. Right now all generated images have .slim at the end of its name.

  1. Use the minified image

docker run -it --rm --name="slim_node_app" -p 8000:8000 my/sample-node-app.slim

FAQ

Is it safe for production use?

Yes! Either way, you should test your Docker images.

How can I contribute if I don't know Go?

You don't need to read the language spec and lots of books :-) Go through the Tour of Go and optionally read 50 Shades of Go and you'll be ready to contribute!

What's the best application for DockerSlim?

DockerSlim will work for any dockerized application; however, DockerSlim automates app interactions for applications with an HTTP API. You can use DockerSlim even if your app doesn't have an HTTP API. You'll need to interact with your application manually to make sure DockerSlim can observe your application behavior.

Can I use DockerSlim with dockerized command line tools?

Yes. The --cmd, --entrypoint, and --mount options will help you minify your image. The container-transform tool is a good example.

Notes:

You can explore the artifacts DockerSlim generates when it's creating a slim image. You'll find those in <docker-slim directory>/.images/<TARGET_IMAGE_ID>/artifacts. One of the artifacts is a "reverse engineered" Dockerfile for the original image. It'll be called Dockerfile.fat.

If you'd like to see the artifacts without running docker-slim you can take a look at the examples/artifacts directory in this repo. It doesn't include any image files, but you'll find:

  • a reverse engineered Dockerfile (Dockerfile.fat)
  • a container report file (creport.json)
  • a sample AppArmor profile (which will be named based on your original image name)
  • and a sample Seccomp profile

If you don't want to create a minified image and only want to "reverse engineer" the Dockerfile you can use the info command.

What if my Docker images uses the USER command?

The current version of DockerSlim does include support for non-default users (take a look at the non-default user examples (including the ElasticSearch example located in the 3rdparty directory) in the examples repo. Please open tickets if something doesn't work for you.

Everything should work as-is, but for the special cases where the current behavior don't work as expected you can adjust what DockerSlim does using various build command parameters: --run-target-as-user, --keep-perms, --path-perms, --path-perms-file (along with the --include-* parameters).

The --run-target-as-user parameter is enabled by default and it controls if the application in the temporary container is started using the identity from the USER instruction in the container's Dockerfile.

The --keep-perms parameter is also enabled by default. It tells DockerSlim to retain the permissions and the ownership information for the files and directories copied to the optimized container image.

The --path-perms and --path-perms-file parameters are similar to the --include-path and --include-path-file parameters. They are used to overwrite the permission and the user/group information for the target files and directories. Note that the target files/directories are expected to be in the optimized container image. If you don't know if the target files/directories will be in the optimized container you'll need to use one of the --include-* parameters (e.g., --include-path-file) to explicitly require those artifacts to be included. You can specify the permissions and the ownership information in the --include-* parameters too (so you don't need to have the --path-* parameters just to set the permissions).

The --path-* and --include-* params use the same format to communicate the permission/owernship info: TARGET_PATH_OR_NAME:PERMS_IN_OCTAL_FORMAT#USER_ID#GROUP_ID.

You don't have to specify the user and group IDs if you don't want to change them.

Here's an example using these parameters to minify the standard nginx image adding extra artifacts and changing their permissions: docker-slim build --include-path='/opt:770#104#107' --include-path='/bin/uname:710' --path-perms='/tmp:700' nginx.

This is what you'll see in the optimized container image:

drwx------  0 0      0           0 Feb 28 22:15 tmp/
-rwx--x---  0 0      0       31240 Mar 14  2015 bin/uname
drwxrwx---  0 104    107         0 Feb 28 22:13 opt/

The uname binary isn't used by nginx, so the --include-path parameter is used to keep it in the optimized image changing its permissions to 710.

The /tmp directory will be included in the optimized image on its own, so the --path-perms parameter is used to change its permissions to 700.

When you set permissions/user/group on a directory the settings are only applied to that directory and not to the artifacts inside. The future versions will allow you to apply the same settings to everything inside the target directory too.

Also note that for now you have to use numeric user and group IDs. The future versions will allow you to use user and group names too.

Nginx fails in my minified image

If you see nginx: [emerg] mkdir() "/var/lib/nginx/body" failed it means your nginx setup uses a non-standard temporary directory. Nginx will fail if the base directory for its temporary folders doesn't exist (they won't create the missing intermediate directories). Normally it's /var/lib/nginx, but if you have a custom config that points to something else you'll need to add an --include-path flag as an extra flag when you run docker-slim.

DockerSlim fails with a 'no permission to read from' error

You can get around this problem by running DockerSlim from a root shell. That way it will have access to all exported files.

DockerSlim copies the relevant image artifacts trying to preserve their permissions. If the permissions are too restrictive the master app might not have sufficient priviledge to access these files when it's building the new minified image.

BUILD PROCESS

Use Go 1.13 or higher to build docker-slim. You can use earlier version of Go, but it can't be lower than Go 1.5.1. Versions prior to 1.5.1 have a Docker/ptrace related bug (Go kills processes if your app is PID 1). When the 'monitor' is separate from the 'launcher' process it will be possible to user older Go versions again.

Tools:

  • license-bill-of-materials - Optional tool to track dependencies and their licenses.
  • golint - Optional tool for code analysis. See https://github.com/golang/lint for more details.

You can install these tools using the tools.get.sh shell script in the scripts directory.

Notes:

  • Make sure you have golint if you intend to run the src.inspect.sh or mac.src.inspect.command scripts.

Build Steps

You have multiple options to build docker-slim:

  • Run make (or ./scripts/docker-builder.run.sh or click on ./scripts/mac/docker-builder.run.command on Macs) from the project directory (builds docker-slim in a Docker container; great if you don't want to install Go on your local machine and if you already have Docker)
  • Run make build (or ./scripts/src.build.sh or click on ./scripts/mac/src.build.command on Macs) to build docker-slim natively (requires Go installed locally)

DESIGN

CORE CONCEPTS

  1. Inspect container metadata (static analysis)
  2. Inspect container data (static analysis)
  3. Inspect running application (dynamic analysis)
  4. Build an application artifact graph
  5. Use the collected application data to build small images
  6. Use the collected application data to auto-generate various security framework configurations.

DYNAMIC ANALYSIS OPTIONS

  1. Instrument the container image (and replace the entrypoint/cmd) to collect application activity data
  2. Use kernel-level tools that provide visibility into running containers (without instrumenting the containers)
  3. Disable relevant namespaces in the target container to gain container visibility (can be done with runC)

SECURITY

The goal is to auto-generate Seccomp, AppArmor, (and potentially SELinux) profiles based on the collected information.

  • AppArmor profiles
  • Seccomp profiles

CHALLENGES

Some of the advanced analysis options require a number of Linux kernel features that are not always included. The kernel you get with Docker Machine / Boot2docker is a great example of that.

DEVELOPMENT PROGRESS

TODO

  • AppArmor profile improvements
  • Better support for command line applications (e.g., ability to specify multiple executions)
  • Discover HTTP endpoints to make the HTTP probe more intelligent.
  • Scripting language dependency discovery in the "scanner" app.
  • Explore additional dependency discovery methods.
  • Build/use a custom Boot2docker kernel with every required feature turned on.
  • "Live" image create mode - to create new images from containers where users install their applications interactively.

The WISHLIST doc includes even more potential improvements.

ORIGINS

DockerSlim was a Docker Global Hack Day #dockerhackday project. It barely worked at the time, but it did get a win in Seattle and it took the second place in the Plumbing category overall :-)

DHD3

Since then it's been improved and it works pretty well for its core use cases. It can be better though. That's why the project needs your help! You don't need to know much about Docker and you don't need to know anything about Go. You can contribute in many different ways. For example, use DockerSlim on your images and open a Github issue documenting your experience even if it worked just fine :-)

MINIFIED DOCKER HUB IMAGES

CONTRIBUTING

If the project sounds interesting or if you found a bug see CONTRIBUTING.md and submit a PR!

LICENSE

Apache License v2, see LICENSE for details.


Go Report Card Codacy Badge

Issues
  • Error in docker-slim build

    Error in docker-slim build

    docker:

    Client: Docker Engine - Community Version: 18.09.0 API version: 1.39 Go version: go1.10.4 Git commit: 4d60db4 Built: Wed Nov 7 00:47:43 2018 OS/Arch: darwin/amd64 Experimental: false

    Server: Docker Engine - Community Engine: Version: 18.09.0 API version: 1.39 (minimum version 1.12) Go version: go1.10.4 Git commit: 4d60db4 Built: Wed Nov 7 00:55:00 2018 OS/Arch: linux/amd64 Experimental: false

    docker-slim version:

    darwin|Tetra|1.22-1-g2b02487|2b02487d633ef0b974978ab1a8a2fed099226ad6|2018-12-27_11:17:50AM (go1.11.4)

    Binary files appeared in /usr/local/bin directory

    After run command docker-slim --debug build --http-probe --include-path /etc/passwd php:7.3-cli fails with error

    The path /usr/local/bin/docker-slim-sensor
    is not shared from OS X and is not known to Docker.
    You can configure shared paths from Docker -> Preferences... -> File Sharing.
    See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.``` 
    
    
    enhancement DONE 
    opened by Smolevich 21
  • docker-slim died, with the following msg: level=fatal msg=

    docker-slim died, with the following msg: level=fatal msg="docker-slim: failure" error="unexpected event type"

    Running docker-slim failed with a 'fatal' error msg. Plz see below for the details:

    Build env: CentOS 7 Docker version: 18.03.0-ce, build 0520e24 Docker-slim version: 1.23 Docker img info: Ubuntu: 16.04 Code in Bash + Python Size = 1.6GB

    Output of docker-slim: $ ./docker-slim build --http-probe img_demo docker-slim[build]: state=started docker-slim[build]: info=params target=img_demo continue.mode=enter docker-slim[build]: state=inspecting.image docker-slim[build]: info=image id=sha256:bbb4e2cdbb403e8a4508a7921647b1df580ea0a00c0b7f3fa59ae540e39f6129 siz e.bytes=1622646238 size.human=1.6 GB docker-slim[build]: state=inspecting.container time="2019-02-04T13:27:42-08:00" level=fatal msg="docker-slim: failure" error="unexpected event type" stack=" goroutine 1 [running]: runtime/debug.Stack(0x3, 0xc0000c0b40, 0xc00000ef00) /usr/local/Cellar/go/1.11.1/libexec/src/runtime/debug/stack.go:24 +0xa7 github.com/docker-slim/docker-slim/pkg/utils/errutils.FailOn(0x8fb8a0, 0xc0000472b0) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/pkg/utils/errutils/er rutils.go:14 +0x51 github.com/docker-slim/docker-slim/internal/app/master/commands.OnBuild(0x0, 0x0, 0x88a600, 0x0, 0x0, 0xc0001 3c0f0, 0x7ffdd0899774, 0x8, 0x0, 0x0, ...) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/master/c ommands/build.go:115 +0xc47 github.com/docker-slim/docker-slim/internal/app/master.init.0.func5(0xc000146140, 0x0, 0xc000146140) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/master/c li.go:480 +0xd76 github.com/docker-slim/docker-slim/vendor/github.com/codegangsta/cli.HandleAction(0x7f26c0, 0x8a0b00, 0xc0001 46140, 0xc000140000, 0x0) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/vendor/github.com/cod egangsta/cli/app.go:485 +0xc8 github.com/docker-slim/docker-slim/vendor/github.com/codegangsta/cli.Command.Run(0x884f35, 0x5, 0x0, 0x0, 0xc 000047530, 0x1, 0x1, 0x89a23e, 0x3e, 0x0, ...) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/vendor/github.com/cod egangsta/cli/command.go:207 +0x991 github.com/docker-slim/docker-slim/vendor/github.com/codegangsta/cli.(*App).Run(0xc000010ea0, 0xc00000e080, 0 x4, 0x4, 0x0, 0x0) /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/vendor/github.com/cod egangsta/cli/app.go:250 +0x6ea github.com/docker-slim/docker-slim/internal/app/master.runCli() /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/master/c li.go:730 +0x55 github.com/docker-slim/docker-slim/internal/app/master.Run() /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/master/a pp.go:6 +0x25 main.main() /Users/q/docker-slim/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/cmd/docker-slim/main. go:8 +0x20 " version="linux|Tetra|1.23|8488277befdf57a173acc64973f984caab551ed2|2019-02-03_04:05:17PM (go1.11.1)"

    bug validating fix 
    opened by dforouhari 20
  • Python Request Fails to download

    Python Request Fails to download

    I have created a testing repo to make it easy to find the reason - https://github.com/openedhardware/test_docker_slim

    This repository is pretty simple.. just calls an HTTP endpoint to download a static file in a thread! https://github.com/openedhardware/test_docker_slim/blob/master/main.py

    But I get this error messages:

    [email protected]:~/test_docker_slim$ docker run --privileged -v /data:/data --rm --network host ts.slim
    Starting Testing APP...
    Downloading label file - https://raw.githubusercontent.com/pjreddie/darknet/master/data/coco.names
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn
        (self._dns_host, self.port), self.timeout, **extra_kw
      File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 61, in create_connection
        for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
      File "/usr/local/lib/python3.7/socket.py", line 752, in getaddrinfo
        for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
    OSError: [Errno 16] Device or resource busy
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
        chunked=chunked,
      File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
        self._validate_conn(conn)
      File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
        conn.connect()
      File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 308, in connect
        conn = self._new_conn()
      File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 172, in _new_conn
        self, "Failed to establish a new connection: %s" % e
    urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7ff2865661d0>: Failed to establish a new connection: [Errno 16] Device or resource busy
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
        timeout=timeout
      File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 725, in urlopen
        method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
      File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 439, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pjreddie/darknet/master/data/coco.names (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7ff2865661d0>: Failed to establish a new connection: [Errno 16] Device or resource busy'))
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/threading.py", line 926, in _bootstrap_inner
        self.run()
      File "main.py", line 15, in run
        r = requests.get(COCO_LABELS_URL)
      File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 76, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 61, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 530, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 643, in send
        r = adapter.send(request, **kwargs)
      File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pjreddie/darknet/master/data/coco.names (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7ff2865661d0>: Failed to establish a new connection: [Errno 16] Device or resource busy'))
    

    Any idea what causes this weird issue?

    Cheers.

    triage 
    opened by openedhardware 16
  • http-probe failure continues building

    http-probe failure continues building

    Hi, I've been playing around with docker-slim for a couple of days now. When I run a docker-slim and check it with my own or the default http-probers after the build, I can see that the probes fail 5 times. After which it stops probing and continues the build. There are some entries in the log of docker-slim telling me the probes failed, but other than that I did not find anything else indicating the slimmed container does NOT work. Now I was wondering, is this the desired flow for this?

    DONE 
    opened by rcomanne 16
  • Node application gets all its dependencies stripped when minified

    Node application gets all its dependencies stripped when minified

    Hey there!

    I'm just getting started with docker-slim, so apologies if my question has been covered already.

    I'm building a Dockerfile for this project (for fun). You can see the latest version of my Dockerfile here.

    Here it is just in case for reference :

    FROM mhart/alpine-node:12 AS builder
    
    RUN apk update && apk add curl bash
    
    WORKDIR /app
    COPY package*.json ./
    RUN yarn install
    COPY . .
    RUN yarn build
    RUN npm prune --production
    RUN curl -sfL https://install.goreleaser.com/github.com/tj/node-prune.sh | bash -s -- -b /usr/local/bin
    RUN /usr/local/bin/node-prune
    
    FROM mhart/alpine-node:12
    
    WORKDIR /app
    COPY --from=builder /app/.next ./.next
    COPY --from=builder /app/components ./components
    COPY --from=builder /app/lib ./lib
    COPY --from=builder /app/node_modules ./node_modules
    COPY --from=builder /app/pages ./pages
    COPY --from=builder /app/public ./public
    COPY --from=builder /app/next.config.js ./next.config.js
    COPY --from=builder /app/LICENSE ./LICENSE
    COPY --from=builder /app/package.json ./package.json
    EXPOSE 3000
    CMD [ "yarn", "start" ]
    

    The latest image I want to slim down can be found on the Docker hub.

    Version of docker-slim is docker-slim version darwin|Transformer|1.29.0|latest|latest

    When running my build command, I cannot seem to probe my port 3000 myself. It seems like consequently, docker-slim strips too much of it and the end result misses a lot of node dependencies, css files and the like.

    This is the command I used since probing is enabled by default:

    $ docker-slim build julienlengrand/carbon.now.sh:latest
    

    All my attempts to reach localhost:3000 result in a 404 (even though somehow probing finishes successfully?).

    Here is the complete log of the run :

    ➜  carbon git:(feature/docker) ✗ docker-slim build julienlengrand/carbon.now.sh:latest
    docker-slim[build]: info=http.probe message='using default probe'
    docker-slim[build]: state=started
    docker-slim[build]: info=params target=julienlengrand/carbon.now.sh:latest continue.mode=probe rt.as.user=true keep.perms=true
    docker-slim[build]: state=image.inspection.start
    docker-slim[build]: info=image id=sha256:a672815ed93fab8e63f6425f79e13b6ecf507655feecebbd5b3feb263de08c6e size.bytes=343045348 size.human=343 MB
    docker-slim[build]: info=image.stack index=0 name='mhart/alpine-node:12' id='sha256:9ee68cad5b56783818ecde758eee8c8130a4882e7ae4e91da9bb75c626ac473d'
    docker-slim[build]: info=image.stack index=1 name='julienlengrand/carbon.now.sh:latest' id='sha256:a672815ed93fab8e63f6425f79e13b6ecf507655feecebbd5b3feb263de08c6e'
    docker-slim[build]: info=image.exposed_ports list='3000'
    docker-slim[build]: state=image.inspection.done
    docker-slim[build]: state=container.inspection.start
    docker-slim[build]: info=container status=created name=dockerslimk_67502_20200520154400 id=9bdbdff0eb783fb2dc0288f969c25d80bf1b033482294b25ea7891af27794317
    docker-slim[build]: info=cmd.startmonitor status=sent
    docker-slim[build]: info=event.startmonitor.done status=received
    docker-slim[build]: info=container name=dockerslimk_67502_20200520154400 id=9bdbdff0eb783fb2dc0288f969c25d80bf1b033482294b25ea7891af27794317 target.port.list=[32779] target.port.info=[3000/tcp => 0.0.0.0:32779] message='YOU CAN USE THESE PORTS TO INTERACT WITH THE CONTAINER'
    docker-slim[build]: state=http.probe.starting message='WAIT FOR HTTP PROBE TO FINISH'
    docker-slim[build]: info=continue.after mode=probe message='no input required, execution will resume when HTTP probing is completed'
    docker-slim[build]: info=prompt message='waiting for the HTTP probe to finish'
    docker-slim[build]: state=http.probe.running
    docker-slim[build]: info=http.probe.ports count=1 targets='32779'
    docker-slim[build]: info=http.probe.commands count=1 commands='GET /'
    docker-slim[build]: info=http.probe.call status=200 method=GET target=http://127.0.0.1:32779/ attempt=1  time=2020-05-20T15:44:13Z
    docker-slim[build]: info=http.probe.summary total=1 failures=0 successful=1
    docker-slim[build]: state=http.probe.done
    docker-slim[build]: info=event message='HTTP probe is done'
    docker-slim[build]: state=container.inspection.finishing
    docker-slim[build]: state=container.inspection.artifact.processing
    docker-slim[build]: state=container.inspection.done
    docker-slim[build]: state=building message='building optimized image'
    docker-slim[build]: state=completed
    docker-slim[build]: info=results status='MINIFIED BY 4.72X [343045348 (343 MB) => 72631258 (73 MB)]'
    docker-slim[build]: info=results  image.name=julienlengrand/carbon.now.sh.slim image.size='73 MB' data=true
    docker-slim[build]: info=results  artifacts.location='/tmp/docker-slim-state/.docker-slim-state/images/a672815ed93fab8e63f6425f79e13b6ecf507655feecebbd5b3feb263de08c6e/artifacts'
    docker-slim[build]: info=results  artifacts.report=creport.json
    docker-slim[build]: info=results  artifacts.dockerfile.original=Dockerfile.fat
    docker-slim[build]: info=results  artifacts.dockerfile.new=Dockerfile
    docker-slim[build]: info=results  artifacts.seccomp=julienlengrand-carbon.now.sh-seccomp.json
    docker-slim[build]: info=results  artifacts.apparmor=julienlengrand-carbon.now.sh-apparmor-profile
    docker-slim[build]: state=done
    docker-slim[build]: info=report file='slim.report.json'
    

    Just let me know if I'm missing anything, I'll keep diving as well on my end.

    Thanks in advance!

    opened by jlengrand 14
  • docker-slim version 1.25.0 fails running in gitlab

    docker-slim version 1.25.0 fails running in gitlab

    Using docker-slim within gitlab ci was no problem with version 1.24.2. With 1.25.0 running docker-slim version fails with no error message (and no output).

    Running with gitlab-runner 11.10.0-rc2 (10efa505)
      on docker-auto-scale fa6cab46
    Using Docker executor with image docker:stable ...
    Starting service docker:dind ...
    Pulling docker image docker:dind ...
    Using docker image sha256:0efc0b6c950098541b41bf0b4b12b127f90cd398d1dbc331701dc8f9b24f3e4a for docker:dind ...
    Waiting for services to be up and running...
    Pulling docker image docker:stable ...
    Using docker image sha256:c76999e4396ca5adc504e83069b6d24ac2b4b08a48c76123664ab6218250cd4b for docker:stable ...
    Running on runner-fa6cab46-project-11304709-concurrent-0 via runner-fa6cab46-srm-1556481828-f94778db...
    Initialized empty Git repository in /builds/khassel/docker-test/.git/
    Fetching changes with git depth set to 1...
    Created fresh repository.
    From https://gitlab.com/khassel/docker-test
     * [new branch]      master     -> origin/master
    Checking out 362031bf as master...
    
    Skipping Git submodules setup
    $ docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 0
    Server Version: 18.09.5
    Storage Driver: overlay2
     Backing Filesystem: extfs
     Supports d_type: true
     Native Overlay Diff: true
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay
     Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
    runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
    init version: fec3683
    Security Options:
     seccomp
      Profile: default
    Kernel Version: 4.19.23-coreos-r1
    Operating System: Alpine Linux v3.9 (containerized)
    OSType: linux
    Architecture: x86_64
    CPUs: 1
    Total Memory: 3.608GiB
    Name: 68cd566877fd
    ID: LS3R:JZWZ:PKYU:6Z6Y:FCTF:D2HV:KD4D:4NLR:3QKN:QK6A:2CY4:P7V7
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    Labels:
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false
    Product License: Community Engine
    
    WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
             Access to the remote API is equivalent to root access on the host. Refer
             to the 'Docker daemon attack surface' section in the documentation for
             more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled
    $ apk add --no-cache py-pip curl
    fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
    fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
    (1/16) Installing nghttp2-libs (1.35.1-r0)
    (2/16) Installing libssh2 (1.8.2-r0)
    (3/16) Installing libcurl (7.64.0-r1)
    (4/16) Installing curl (7.64.0-r1)
    (5/16) Installing libbz2 (1.0.6-r6)
    (6/16) Installing expat (2.2.6-r0)
    (7/16) Installing libffi (3.2.1-r6)
    (8/16) Installing gdbm (1.13-r1)
    (9/16) Installing ncurses-terminfo-base (6.1_p20190105-r0)
    (10/16) Installing ncurses-terminfo (6.1_p20190105-r0)
    (11/16) Installing ncurses-libs (6.1_p20190105-r0)
    (12/16) Installing readline (7.0.003-r1)
    (13/16) Installing sqlite-libs (3.26.0-r3)
    (14/16) Installing python2 (2.7.15-r3)
    (15/16) Installing py-setuptools (40.6.3-r0)
    (16/16) Installing py2-pip (18.1-r0)
    Executing busybox-1.29.3-r10.trigger
    OK: 67 MiB in 31 packages
    $ curl -L -O https://github.com/docker-slim/docker-slim/releases/latest/download/dist_linux.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100   151    0   151    0     0   1217      0 --:--:-- --:--:-- --:--:--  1217
    
    100   607    0   607    0     0   2709      0 --:--:-- --:--:-- --:--:--  2709
    
    100 4640k  100 4640k    0     0  9375k      0 --:--:-- --:--:-- --:--:-- 9375k
    $ tar -zxvf dist_linux.tar.gz
    dist_linux/
    dist_linux/docker-slim
    dist_linux/docker-slim-sensor
    $ ./dist_linux/docker-slim version
    ERROR: Job failed: exit code 1
    
    bug WIP 
    opened by khassel 14
  • Usage?

    Usage?

    Maybe I'm confused on how this works but I'm trying to run this on an alpine image with a simple command 'echo "hello world"'. Should this work and make this smaller or is there more required to use your tool?

    Simple image from a Dockerfile `FROM alpine

    ENTRYPOINT ["echo","hello world"]`

    docker build -t mine .

    ./docker-slim build mine

    DONE 
    opened by gcstang 14
  • Linux binaries: workdir requires one argument

    Linux binaries: workdir requires one argument

    Thanks for the updated linux binaries!After running the ./docker-slim build command, the build and profile was process was successful, however when building the slim profile, a docker error occurred stating that WORKDIR requires one argument. Error output: INFO[0028] docker-slim: building 'slim' image...
    Step 1 : FROM scratch ---> Step 2 : COPY files / ---> Using cache ---> cbd64cd3ed44 Step 3 : WORKDIR FATA[0052] docker-slim: failure error=WORKDIR requires exactly one argument

    Thanks, pggsx

    bug 
    opened by yairark 13
  • How to enable dynamic HTTP requests?

    How to enable dynamic HTTP requests?

    I have a python container that downloads files from various remote URLs including github & AWS S3.

    Here is my build command:

    docker-slim build --http-probe=false --include-path /usr/local/lib/python3.7/dist-packages/certifi --show-clogs object-detector
    

    I had to manually include the certification path which is used by requests package.

    And used the following command to start the slimified container:

    docker run --privileged --rm -d --network host object-detector.slim
    

    But getting this error

    Error processing line 1 of /usr/local/lib/python3.7/dist-packages/protobuf-3.12.2-py3.7-nspkg.pth:
    
      Traceback (most recent call last):
        File "/usr/lib/python3.7/site.py", line 174, in addpackage
          exec(line)
        File "<string>", line 1, in <module>
        File "<frozen importlib._bootstrap>", line 580, in module_from_spec
      AttributeError: 'NoneType' object has no attribute 'loader'
    
    Remainder of file ignored
    [setupvars.sh] OpenVINO environment initialized
    Error processing line 1 of /usr/local/lib/python3.7/dist-packages/protobuf-3.12.2-py3.7-nspkg.pth:
    
      Traceback (most recent call last):
        File "/usr/lib/python3.7/site.py", line 174, in addpackage
          exec(line)
        File "<string>", line 1, in <module>
        File "<frozen importlib._bootstrap>", line 580, in module_from_spec
      AttributeError: 'NoneType' object has no attribute 'loader'
    
    Remainder of file ignored
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 160, in _new_conn
        (self._dns_host, self.port), self.timeout, **extra_kw
      File "/usr/local/lib/python3.7/dist-packages/urllib3/util/connection.py", line 61, in create_connection
        for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
      File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
        for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
    OSError: [Errno 16] Device or resource busy
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 677, in urlopen
        chunked=chunked,
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 381, in _make_request
        self._validate_conn(conn)
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 976, in _validate_conn
        conn.connect()
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 308, in connect
        conn = self._new_conn()
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 172, in _new_conn
        self, "Failed to establish a new connection: %s" % e
    urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f9440b91110>: Failed to establish a new connection: [Errno 16] Device or resource busy
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 449, in send
        timeout=timeout
      File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 725, in urlopen
        method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
      File "/usr/local/lib/python3.7/dist-packages/urllib3/util/retry.py", line 439, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pjreddie/darknet/master/data/coco.names (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9440b91110>: Failed to establish a new connection: [Errno 16] Device or resource busy'))
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3.7/threading.py", line 926, in _bootstrap_inner
        self.run()
      File "/usr/src/app/src/main.py", line 62, in run
        model_url=model_url if self.config.get('public_model', True) is False else None)
      File "/usr/src/app/src/utils/models.py", line 160, in download_model
        r = requests.get(COCO_LABELS_URL)
      File "/usr/local/lib/python3.7/dist-packages/requests/api.py", line 76, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/local/lib/python3.7/dist-packages/requests/api.py", line 61, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 530, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 643, in send
        r = adapter.send(request, **kwargs)
      File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 516, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pjreddie/darknet/master/data/coco.names (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9440b91110>: Failed to establish a new connection: [Errno 16] Device or resource busy'))
    

    It downloads raw.githubusercontent.com/pjreddie/darknet/master/data/coco.names which is configured as a constant value.

    What do I have to do to resolve OSError: [Errno 16] Device or resource busy issue?

    Cheers.

    triage 
    opened by openedhardware 12
  • docker-slim can not generate slim container

    docker-slim can not generate slim container

    '''Dockerfile:- FROM centos LABEL maintainer="thatsk" RUN yum install epel-release wget tar unzip ruby ruby-devel gcc make sudo -y RUN echo 'puppet ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers RUN gem install r10k fpm RUN groupadd -g 52 puppet && useradd -ms /bin/bash -u 52 -g 52 puppet && mkdir -p /home/puppet/.ssh ADD puppetssh/ /home/puppet/.ssh ADD r10k.yaml /etc/puppetlabs/r10k/ RUN mkdir -p /var/lib/r10k/cache /etc/puppetlabs/code /etc/puppetlabs/r10k /etc/puppetlabs/code/reference & chown -R puppet:puppet /home/puppet/.ssh && chown -R puppet:puppet /etc/puppetlabs/r10k && chown -R puppet:puppet /var/lib/r10k && chown -R puppet:puppet /etc/puppetlabs/code #Optimizing Docker Size image RUN rm -rf
    /usr/share/man/*
    /usr/include/*
    /usr/share/doc/*
    /usr/share/emacs/*
    /usr/share/xemacs/*
    /usr/share/vim/*
    /usr/share/gettext/*
    /usr/share/gettext-0.19.8/*
    /usr/share/zoneinfo/*
    /usr/share/zsh/* #setting up user password RUN echo "root:e0rtv12" | chpasswd RUN echo "puppet:puppet" | chpasswd #ADDING pulp extension RUN yum install rpm-build java-1.8.0-openjdk-devel -y && mkdir /home/puppet/.pulp && wget -O /etc/yum.repos.d/rhel-pulp.repo https://repos.fedorapeople.org/repos/pulp/pulp/rhel-pulp.repo && yum groupinstall Development tools -y && yum install pulp-docker-admin-extensions pulp-python-admin-extensions pulp-admin-client pulp-rpm-admin-extensions pulp-puppet-admin-extensions -y #Adding pulp server information ADD pulp/admin.conf /home/puppet/.pulp/admin.conf RUN mkdir -p /isilon/devops/puppetlabs && chown -R puppet:puppet /etc/puppetlabs/ USER puppet RUN sudo ln -s /etc/puppetlabs/code /isilon/devops/puppetlabs/code RUN sudo chown -R puppet:puppet /home/puppet/.pulp & sudo chmod -R 0700 /home/puppet/.pulp ENV HOME /home/puppet WORKDIR $HOME

    Go Version:- go version go1.10.1 linux/amd64 Centos:- CentOS Linux release 7.4.1708 (Core) Docker Slim version:- docker-slim --version 2018/04/25 13:24:14 Couldn't set key CPE_NAME, no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key , no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key CENTOS_MANTISBT_PROJECT, no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key CENTOS_MANTISBT_PROJECT_VERSION, no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key REDHAT_SUPPORT_PRODUCT, no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key REDHAT_SUPPORT_PRODUCT_VERSION, no corresponding struct field found 2018/04/25 13:24:14 Couldn't set key , no corresponding struct field found docker-slim version linux|Tetra|1.20|f79fefbb88486f9431fdae5c6f65155fb7b3d39b|2018-03-05_05:20:22AM (go1.10)

    Container:- r10k latest 5daf0cc38ce5 14 minutes ago 949MB

    Full Docker-slim logs:- docker-slim build --http-probe --show-clogs r10k 2018/04/25 13:37:25 Couldn't set key CPE_NAME, no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key , no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key CENTOS_MANTISBT_PROJECT, no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key CENTOS_MANTISBT_PROJECT_VERSION, no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key REDHAT_SUPPORT_PRODUCT, no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key REDHAT_SUPPORT_PRODUCT_VERSION, no corresponding struct field found 2018/04/25 13:37:25 Couldn't set key , no corresponding struct field found docker-slim[build]: state=started docker-slim[build]: info=params target=r10k continue.mode=enter docker-slim[build]: state=inspecting.image docker-slim[build]: info=image id=sha256:5daf0cc38ce5f26fe56ed41ac4e13d45a49f9f20a7b5552cf5ee5a6d375df9b4 size.bytes=949049028 size.human=949 MB docker-slim[build]: state=inspecting.container docker-slim[build]: info=prompt message='press when you are done using the container'

    docker-slim[build]: state=http.probe.starting docker-slim[build]: state=http.probe.done docker-slim: container stdout: docker-slim: container stderr: 2018/04/25 13:37:26 Couldn't set key CPE_NAME, no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key , no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key CENTOS_MANTISBT_PROJECT, no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key CENTOS_MANTISBT_PROJECT_VERSION, no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key REDHAT_SUPPORT_PRODUCT, no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key REDHAT_SUPPORT_PRODUCT_VERSION, no corresponding struct field found 2018/04/25 13:37:26 Couldn't set key , no corresponding struct field found time="2018-04-25T13:37:26Z" level=info msg="sensor: args => []string{"/opt/dockerslim/bin/sensor"}" time="2018-04-25T13:37:26Z" level=info msg="sensor: creating event publisher..." time="2018-04-25T13:37:26Z" level=info msg="sensor: creating cmd server..." time="2018-04-25T13:37:26Z" level=info msg="sensor: waiting for commands..." time="2018-04-25T13:37:26Z" level=info msg="sensor: monitor starting..." time="2018-04-25T13:37:26Z" level=info msg="fanmon: Run" time="2018-04-25T13:37:26Z" level=fatal msg="docker-slim: failure" error="operation not permitted" stack="goroutine 1 [running]: runtime/debug.Stack(0xffffffffffffffff, 0x1, 0x5d7320) /usr/local/go/src/runtime/debug/stack.go:24 +0xa7 github.com/docker-slim/docker-slim/pkg/utils/errutils.FailOn(0x5d7320, 0xc420024120) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/pkg/utils/errutils/errutils.go:14 +0x51 github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify.Run(0x5b61fa, 0x1, 0xc4200f4060, 0x12) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify/monitor.go:38 +0x8f github.com/docker-slim/docker-slim/internal/app/sensor.monitor(0xc42005a070, 0xc420062660, 0xc420060360, 0xc42005a0e0, 0xc4200e8420, 0xc42006e7b0, 0xc) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/app.go:47 +0x122 github.com/docker-slim/docker-slim/internal/app/sensor.Run() /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/app.go:130 +0x4ec main.main() /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/cmd/docker-slim-sensor/main.go:8 +0x20 " version="linux|Tetra|latest|latest|latest (go1.10)" docker-slim: end of container logs ============= docker-slim[build]: state=processing docker-slim: Fat image - Dockerfile instructures: start ==== new image ADD file:f755805244a649eccae3a3e63be291048deeb23e1c5a500d2f92b4eedc452322 in / LABEL org.label-schema.schema-version== 1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20180402 CMD ["/bin/bash"] end of image: centos (id: sha256:e934aafc22064b7322c0250f1e32e5ce93b2d19b356f4537f5864bd102e8531f tags: latest)

    new image LABEL maintainer=thatsk RUN yum install epel-release wget tar unzip ruby ruby-devel gcc make sudo -y RUN echo 'puppet ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers RUN gem install r10k fpm RUN groupadd -g 52 puppet &&
    useradd -ms /bin/bash -u 52 -g 52 puppet &&
    mkdir -p /home/puppet/.ssh ADD dir:1576b0b81797e6ee72d158d2fa1a6bcec8e10bc723312afb9c5acd7eb4c4acc5 in /home/puppet/.ssh ADD file:9176ccd326f4776d9972d4033da634a200a5559785308a443b3fce8e81be6af0 in /etc/puppetlabs/r10k/ RUN mkdir -p /var/lib/r10k/cache /etc/puppetlabs/code /etc/puppetlabs/r10k /etc/puppetlabs/code/reference & chown -R puppet:puppet /home/puppet/.ssh &&
    chown -R puppet:puppet /etc/puppetlabs/r10k &&
    chown -R puppet:puppet /var/lib/r10k &&
    chown -R puppet:puppet /etc/puppetlabs/code RUN rm -rf /usr/share/man/* /usr/include/* /usr/share/doc/* /usr/share/emacs/* /usr/share/xemacs/* /usr/share/vim/* /usr/share/gettext/* /usr/share/gettext-0.19.8/* /usr/share/zoneinfo/* /usr/share/zsh/* RUN echo "root:e0rtv12" | chpasswd RUN echo "puppet:puppet" | chpasswd RUN yum install rpm-build java-1.8.0-openjdk-devel -y &&
    mkdir /home/puppet/.pulp &&
    wget -O /etc/yum.repos.d/rhel-pulp.repo https://repos.fedorapeople.org/repos/pulp/pulp/rhel-pulp.repo &&
    yum groupinstall Development tools -y &&
    yum install pulp-docker-admin-extensions pulp-python-admin-extensions pulp-admin-client pulp-rpm-admin-extensions pulp-puppet-admin-extensions -y ADD file:0c170c80ffcc43e2be6f62a8722194c38d8574922f88eb12c33deee37eb538e3 in /home/puppet/.pulp/admin.conf RUN mkdir -p /isilon/devops/puppetlabs &&
    chown -R puppet:puppet /etc/puppetlabs/ USER puppet RUN sudo ln -s /etc/puppetlabs/code /isilon/devops/puppetlabs/code RUN sudo chown -R puppet:puppet /home/puppet/.pulp & sudo chmod -R 0700 /home/puppet/.pulp ENV HOME=/home/puppet WORKDIR /home/puppet end of image: r10k (id: sha256:5daf0cc38ce5f26fe56ed41ac4e13d45a49f9f20a7b5552cf5ee5a6d375df9b4 tags: latest)

    docker-slim: Fat image - Dockerfile instructures: end ====== docker-slim[build]: info=results status='no data collected (no minified image generated). (version: linux|Tetra|1.20|f79fefbb88486f9431fdae5c6f65155fb7b3d39b|2018-03-05_05:20:22AM (go1.10))' docker-slim[build]: state=exited

    focused error:- time="2018-04-25T13:37:26Z" level=fatal msg="docker-slim: failure" error="operation not permitted" stack="goroutine 1 [running]: runtime/debug.Stack(0xffffffffffffffff, 0x1, 0x5d7320) /usr/local/go/src/runtime/debug/stack.go:24 +0xa7 github.com/docker-slim/docker-slim/pkg/utils/errutils.FailOn(0x5d7320, 0xc420024120) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/pkg/utils/errutils/errutils.go:14 +0x51 github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify.Run(0x5b61fa, 0x1, 0xc4200f4060, 0x12) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/monitors/fanotify/monitor.go:38 +0x8f github.com/docker-slim/docker-slim/internal/app/sensor.monitor(0xc42005a070, 0xc420062660, 0xc420060360, 0xc42005a0e0, 0xc4200e8420, 0xc42006e7b0, 0xc) /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/app.go:47 +0x122 github.com/docker-slim/docker-slim/internal/app/sensor.Run() /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/internal/app/sensor/app.go:130 +0x4ec main.main() /Users/q/Desktop/ALL_DSLIM/BUG_DS_ISSUE_44/docker-slim/_gopath/src/github.com/docker-slim/docker-slim/cmd/docker-slim-sensor/main.go:8 +0x20 " version="linux|Tetra|latest|latest|latest (go1.10)" docker-slim: end of container logs =============

    bug validating fix 
    opened by thatsk 12
  • Make docker-slim arm64 compatible

    Make docker-slim arm64 compatible

    Signed-off-by: Pablo Caderno [email protected]

    Fixes #155

    [email protected]:~/dist_linux_arm64$ file docker-slim
    docker-slim: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=WbP5_VoxIUGfc7s61dPC/g9xW7j-Fqi0ieuE2-5C9/28WGfZLcdjMInBoUEk-X/qqJpwONs3u9tG8I95ag3, stripped
    
    
    
    ./docker-slim build kaderno/flask2
    docker-slim[build]: info=http.probe message='using default probe'
    docker-slim[build]: state=started
    docker-slim[build]: info=params target=kaderno/flask2 continue.mode=probe rt.as.user=true keep.perms=true
    docker-slim[build]: state=image.inspection.start
    docker-slim[build]: info=image id=sha256:d74d6390c57a168015518b7531f1455ac366fb920a6a1e1fa412f2dfc2307929 size.bytes=356483459 size.human=356 MB
    docker-slim[build]: info=image.stack index=0 name='arm64v8/ubuntu:latest' id='sha256:1cb4829d62431ae6571f5047f176b5c6a0b7edb3b9b3b76d516a8e11ca118f18'
    docker-slim[build]: info=image.stack index=1 name='kaderno/flask2:latest' id='sha256:d74d6390c57a168015518b7531f1455ac366fb920a6a1e1fa412f2dfc2307929'
    docker-slim[build]: info=image.exposed_ports list='5000'
    docker-slim[build]: state=image.inspection.done
    docker-slim[build]: state=container.inspection.start
    docker-slim[build]: info=container status=created name=dockerslimk_36817_20200707053619 id=def43b1a0a635d64c69c4ec26ef14809993a202f5c29f7c45ba967c99ef87e31
    docker-slim[build]: info=cmd.startmonitor status=sent
    docker-slim[build]: info=event.startmonitor.done status=received
    docker-slim[build]: info=container name=dockerslimk_36817_20200707053619 id=def43b1a0a635d64c69c4ec26ef14809993a202f5c29f7c45ba967c99ef87e31 target.port.list=[32783] target.port.info=[5000/tcp => 0.0.0.0:32783] message='YOU CAN USE THESE PORTS TO INTERACT WITH THE CONTAINER'
    docker-slim[build]: state=http.probe.starting message='WAIT FOR HTTP PROBE TO FINISH'
    docker-slim[build]: info=continue.after mode=probe message='no input required, execution will resume when HTTP probing is completed'
    docker-slim[build]: info=prompt message='waiting for the HTTP probe to finish'
    docker-slim[build]: state=http.probe.running
    docker-slim[build]: info=http.probe.ports count=1 targets='32783'
    docker-slim[build]: info=http.probe.commands count=1 commands='GET /'
    docker-slim[build]: info=http.probe.call status=200 method=GET target=http://127.0.0.1:32783/ attempt=1  time=2020-07-07T05:36:32Z
    docker-slim[build]: info=http.probe.summary total=1 failures=0 successful=1
    docker-slim[build]: state=http.probe.done 
    docker-slim[build]: info=probe.crawler page=0 url=http://127.0.0.1:32783/
    docker-slim[build]: info=probe.crawler.done addr=http://127.0.0.1:32783/
    docker-slim[build]: info=event message='HTTP probe is done'
    docker-slim[build]: state=container.inspection.finishing
    docker-slim[build]: state=container.inspection.artifact.processing
    docker-slim[build]: state=container.inspection.done
    docker-slim[build]: state=building message='building optimized image'
    docker-slim[build]: state=completed
    docker-slim[build]: info=results status='MINIFIED BY 17.69X [356483459 (356 MB) => 20149506 (20 MB)]'
    docker-slim[build]: info=results  image.name=kaderno/flask2.slim image.size='20 MB' data=true
    docker-slim[build]: info=results  artifacts.location='/home/ubuntu/dist_linux_arm64/.docker-slim-state/images/d74d6390c57a168015518b7531f1455ac366fb920a6a1e1fa412f2dfc2307929/artifacts'
    docker-slim[build]: info=results  artifacts.report=creport.json
    docker-slim[build]: info=results  artifacts.dockerfile.original=Dockerfile.fat
    docker-slim[build]: info=results  artifacts.dockerfile.new=Dockerfile
    docker-slim[build]: info=results  artifacts.seccomp=kaderno-flask2-seccomp.json
    docker-slim[build]: info=results  artifacts.apparmor=kaderno-flask2-apparmor-profile
    docker-slim[build]: state=done
    docker-slim[build]: info=version status=OUTDATED local=1.29.0-82-g3c30311 current=1.29.0
    docker-slim[build]: info=message message='Your version of DockerSlim is out of date! Use the "update" command or download the new version from https://dockersl.im/downloads.html'
    docker-slim[build]: info=report file='slim.report.json'
    
    [email protected]:~/dist_linux_arm64$ docker images
    REPOSITORY                  TAG                 IMAGE ID            CREATED              SIZE
    kaderno/flask2.slim         latest              9d06f39bb9fd        About a minute ago   20.1MB
    kaderno/flask2              latest              d74d6390c57a        4 minutes ago        356MB
    kaderno/flask.slim          latest              5e11b0cdabd0        16 minutes ago       19.3MB
    kaderno/flask               latest              4fbad4f22789        18 minutes ago       354MB
    
    [email protected]:~/dist_linux_arm64$ docker run -d -p5000:5000 kaderno/flask2.slim
    3aefc9aed46895360bb55e7aeb2127f92114e743394ff2272169463690d653a9
    [email protected]:~/dist_linux_arm64$ curl localhost:5000
    {
        "hello": "world"
    }
    
    opened by kadern0 11
  • Bump test/bats from `325b211` to `dd2d573`

    Bump test/bats from `325b211` to `dd2d573`

    Bumps test/bats from 325b211 to dd2d573.

    Commits
    • dd2d573 Merge pull request #627 from evancharlton/patch-1
    • eff7ca5 Update CHANGELOG.md
    • b2f5b49 chore: Fix a typo in tutorial
    • 914880e Merge pull request #623 from martin-schulze-vireso/fix/issue_s615_616_teardow...
    • 237b8ff Add changelog entry for #623
    • a541a71 Don't let teardown_file errors eat setup_file errors
    • e222fc6 Merge pull request #622 from bats-core/fix/issue_551_docker_bats_not_found
    • 85fdd70 Add changelog entry for #622
    • 76542f1 Fix syntax
    • 7c0eca7 Docker: Add *-no-faccessat2 tags
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies submodules 
    opened by dependabot[bot] 1
  • docker slim container still running after failure exit

    docker slim container still running after failure exit

    Expected Behavior

    docker slim container should quit after analysis


    Actual Behavior

    It is still running. Every analysis fail and left an running container.

    $ docker ps
    CONTAINER ID   IMAGE                                                       COMMAND                  CREATED          STATUS          PORTS                                                                                          NAMES
    1ac81af314b7   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   2 minutes ago    Up 2 minutes    0.0.0.0:49166->65501/tcp, :::49166->65501/tcp, 0.0.0.0:49165->65502/tcp, :::49165->65502/tcp   dockerslimk_22990_20220803234535
    206fea95252b   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   2 minutes ago    Up 2 minutes    0.0.0.0:49164->65501/tcp, :::49164->65501/tcp, 0.0.0.0:49163->65502/tcp, :::49163->65502/tcp   dockerslimk_22792_20220803234519
    7ddb9cd72dd1   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   3 minutes ago    Up 3 minutes    0.0.0.0:49162->65501/tcp, :::49162->65501/tcp, 0.0.0.0:49161->65502/tcp, :::49161->65502/tcp   dockerslimk_22595_20220803234436
    d4eff8c5599e   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   3 minutes ago    Up 3 minutes    0.0.0.0:49160->65501/tcp, :::49160->65501/tcp, 0.0.0.0:49159->65502/tcp, :::49159->65502/tcp   dockerslimk_22409_20220803234432
    4fbbde33b3a8   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   6 minutes ago    Up 6 minutes    0.0.0.0:49158->65501/tcp, :::49158->65501/tcp, 0.0.0.0:49157->65502/tcp, :::49157->65502/tcp   dockerslimk_22162_20220803234205
    5f077dd2282d   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   6 minutes ago    Up 6 minutes    0.0.0.0:49156->65501/tcp, :::49156->65501/tcp, 0.0.0.0:49155->65502/tcp, :::49155->65502/tcp   dockerslimk_21964_20220803234119
    65e901f86e1a   registry.test.pensando.io:5000/pensando/test-infra:2.17.0   "/opt/dockerslim/bin…"   10 minutes ago   Up 10 minutes   0.0.0.0:49154->65501/tcp, :::49154->65501/tcp, 0.0.0.0:49153->65502/tcp, :::49153->65502/tcp   dockerslimk_21628_20220803233802
    

    Steps to Reproduce the Problem

    This is probably related with our private image and may not be reproduced at your side

    1. run build command. After build, docker ps shows new running docker slim container 2.
    $ ~/bin/dist_linux/docker-slim build registry.test.pensando.io:5000/pensando/test-infra:2.17.0 
    docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
    docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
    docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
    cmd=build info=param.http.probe message='using default probe'
    cmd=build state=started
    cmd=build info=params target.type='image' target='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' continue.mode='probe' rt.as.user='true' keep.perms='true' tags=''
    cmd=build state=image.inspection.start
    cmd=build info=image id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863' size.bytes='2119981163' size.human='2.1 GB'
    cmd=build info=image.stack index='0' name='registry.test.pensando.io:5000/pensando/test-infra:2.17.0' id='sha256:4756ac2575092ca210cd75dd6ad778df31fe71f1606c4922ef86f4063d440863'
    cmd=build state=image.inspection.done
    cmd=build state=container.inspection.start
    cmd=build info=container name='dockerslimk_22990_20220803234535' id='1ac81af314b7bfdbf845346758cac402f0ca10cf19275377d078f9fde192079a' status='created'
    cmd=build info=container status='running' name='dockerslimk_22990_20220803234535' id='1ac81af314b7bfdbf845346758cac402f0ca10cf19275377d078f9fde192079a'
    cmd=build info=container message='obtained IP address' ip='172.17.0.8'
    cmd=build info=cmd.startmonitor status='sent'
    cmd=build info=event.error status='received' data='SensorError{Op:ptrace.App.trace.app.start,Kind:call.error,Wrapped:{Type=*os.PathError,Info=fork/exec /entrypoint.sh: no such file or directory,Line:218,File:github.com/docker-slim/docker-slim/pkg/monitor/ptrace/ptrace.go}}'
    cmd=build state=exited code=-124 version=linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM component=container.inspector
    cmd=build info=report file='slim.report.json'
    docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
    docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
    docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
    

    Specifications

    • Version: The latest binary
    $ ~/bin/dist_linux/docker-slim --version
    docker-slim version linux|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:03:56AM
    [email protected]:~/workspace/golang/src/github.com/pensando/test-infra$
    
    • Platform: Ubuntu AMD64 linux.
    opened by leslie-qiwa 2
  • Error when building againtst tensorflow-serving images

    Error when building againtst tensorflow-serving images

    Description

    When trying to slim down the tensorflow serving image, the docker-slim build command fails.

    Maybe this is user error, but It is not clear from the documentation what should be taken into consideration when trying to build an image.

    Expected Behavior

    Command to succeed


    Actual Behavior

    cmd=build state=http.probe.done warning=no.successful.calls
    cmd=build error=probe.error message='no.successful.calls'
    docker-slim: container stdout:
    docker-slim: container stderr:
    [libprotobuf FATAL external/com_google_protobuf/src/google/protobuf/generated_message_reflection.cc:2345] CHECK failed: file != nullptr:
    terminate called after throwing an instance of 'google::protobuf::FatalException'
      what():  CHECK failed: file != nullptr:
    qemu: uncaught target signal 6 (Aborted) - core dumped
    /usr/bin/tf_serving_entrypoint.sh: line 3:    20 Aborted                 tensorflow_model_server --port=8500 --rest_api_port=8501 --model_name=${MODEL_NAME} --model_base_path=${MODEL_BASE_PATH}/${MODEL_NAME} "[email protected]"
    

    Steps to Reproduce the Problem

    docker-slim build --pull tensorflow/serving:latest
    

    Specifications

    cmd=version info=app version='darwin|Transformer|1.37.6|26a36c88a94c677efd734e874ba081dabb84a224|2022-04-23_06:07:44AM' container=false dsimage=false
    cmd=version info=app outdated=false current=1.37.6 verdict='you have the latest version'
    cmd=version info=app location='/usr/local/bin'
    cmd=version info=host osname='other'
    cmd=version info=host osbuild=21F79
    cmd=version info=host version=' Tue Apr 26 21:08:37 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T6000'
    cmd=version info=host release=21.5.0
    cmd=version info=host sysname=darwin
    cmd=version info=docker name=docker-desktop
    cmd=version info=docker kernel_version=5.10.104-linuxkit
    cmd=version info=docker operating_system=Docker Desktop
    cmd=version info=docker ostype=linux
    cmd=version info=docker server_version=20.10.14
    cmd=version info=docker architecture=aarch64
    cmd=version info=dclient api_version=1.41
    cmd=version info=dclient min_api_version=1.12
    cmd=version info=dclient build_time=2022-03-24T01:45:44.000000000+00:00
    cmd=version info=dclient git_commit=87a90dc
    
    opened by miguelvr 0
  • Missing make target in README for containerized build

    Missing make target in README for containerized build

    opened by akankshakumari393 3
  • profile command not running on M1 macs

    profile command not running on M1 macs

    Expected Behavior

    Start profiling a container


    Actual Behavior

    Container failed to start with the following error

    cmd=profile info=container status='created' name='dockerslimk_15864_20220623051144' id='e3169e9807fc621ef310d3caae78dc9f08a17e2b87ebe81ab74316bb971a28a1' 
    time="2022-06-23T08:11:44+03:00" level=fatal msg="docker-slim: failure" error="API error (400): failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: \"/opt/dockerslim/bin/docker-slim-sensor\": stat /opt/dockerslim/bin/docker-slim-sensor: no such file or directory: unknown" stack="goroutine 1 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:24 +0x68\ngithub.com/docker-slim/docker-slim/pkg/util/errutil.FailOn({0x102ff33d8, 0x1400000d0b0})\n\tgithub.com/docker-slim/docker-slim/pkg/util/errutil/errutil.go:28 +0x3c\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands/profile.OnCommand(_, _, {_, _}, _, {_, _}, {_, _}, {_, ...}, ...)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/profile/handler.go:311 +0x1ce4\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands/profile.glob..func1(0x1400019db00)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/profile/cli.go:354 +0x15d0\ngithub.com/urfave/cli/v2.(*Command).Run(0x10359d140, 0x1400019c540)\n\tgithub.com/urfave/cli/[email protected]/command.go:163 +0x50c\ngithub.com/urfave/cli/v2.(*App).RunContext(0x14000188680, {0x102ffaac8?, 0x14000038098}, {0x1400019c080, 0x4, 0x4})\n\tgithub.com/urfave/cli/[email protected]/app.go:313 +0x888\ngithub.com/urfave/cli/v2.(*App).Run(...)\n\tgithub.com/urfave/cli/[email protected]/app.go:224\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands.(*InteractiveApp).execute(0x14000095ef0, {0x14000042360?, 0x102ea4301?})\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/cliprompt.go:101 +0x330\ngithub.com/c-bata/go-prompt.(*Prompt).Run(0x1400019e380)\n\tgithub.com/c-bata/[email protected]/prompt.go:85 +0x6f8\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands.(*InteractiveApp).Run(...)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/cliprompt.go:187\ngithub.com/docker-slim/docker-slim/pkg/app/master.newCLI.func4(0x1400058cd80?)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/cli.go:172 +0x58\ngithub.com/urfave/cli/v2.(*App).RunContext(0x14000188680, {0x102ffaac8?, 0x14000038098}, {0x14000030200, 0x1, 0x1})\n\tgithub.com/urfave/cli/[email protected]/app.go:322 +0x700\ngithub.com/urfave/cli/v2.(*App).Run(...)\n\tgithub.com/urfave/cli/[email protected]/app.go:224\ngithub.com/docker-slim/docker-slim/pkg/app/master.Run()\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/app.go:15 +0x50\nmain.main()\n\tgithub.com/docker-slim/docker-slim/cmd/docker-slim/main.go:15 +0x1c8\n" version="darwin|Transformer|1.37.5|latest|latest"
    
    

    Steps to Reproduce the Problem

    1. run the profile command on an M1 mac

    Specifications

    cmd=version info=app version='darwin|Transformer|1.37.5|latest|latest' container=false dsimage=false
    cmd=version info=app outdated=true current=1.37.6 verdict='your installed version is OUTDATED (local=1.37.5 current=1.37.6)'
    cmd=version info=app location='/opt/homebrew/bin'
    cmd=version info=host osname='other'
    cmd=version info=host osbuild=21F79
    cmd=version info=host version=' Tue Apr 26 21:08:37 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T6000'
    cmd=version info=host release=21.5.0
    cmd=version info=host sysname=darwin
    cmd=version info=docker name=docker-desktop
    cmd=version info=docker kernel_version=5.10.104-linuxkit
    cmd=version info=docker operating_system=Docker Desktop
    cmd=version info=docker ostype=linux
    cmd=version info=docker server_version=20.10.14
    cmd=version info=docker architecture=aarch64
    cmd=version info=dclient api_version=1.41
    cmd=version info=dclient min_api_version=1.12
    cmd=version info=dclient build_time=2022-03-24T01:45:44.000000000+00:00
    cmd=version info=dclient git_commit=87a90dc
    
    opened by adirook 3
  • Fat git-core catalog after slim

    Fat git-core catalog after slim

    Expected Behavior

    Image smaller than fat


    Actual Behavior

    cmd=build info=results status='MINIFIED' by='0.77X' size.original='461 MB' size.optimized='599 MB'


    Steps to Reproduce the Problem

    FROM hashicorp/terraform:latest as terraform
    RUN apk --no-cache --update add bash git python3 py-pip docker
    RUN pip install --no-cache-dir pre-commit
    ENTRYPOINT ["/bin/bash"]
    

    docker-slim build --remove-file-artifacts --preserve-path /usr/libexec/git-core/ --exec "git init" --http-probe=false -target test --tag test-slim

    Fat image:

    bash-5.1# du -shc /usr/libexec/git-core/
    9.4M    /usr/libexec/git-core/
    9.4M    total
    
    

    Slim image:

    bash-5.1# du -shc /usr/libexec/git-core/
    386.5M  /usr/libexec/git-core/
    386.5M  total
    

    Why /usr/libexec/git-core/ don't copy dir from fat image?

    opened by pawelrosada 3
Releases(1.37.5)
  • 1.37.5(Mar 21, 2022)

    New Features

    • Experimental Node.js package include flag (--include-node-package)
    • Experimental Next.js (React.js) app include flags (--include-app-next-*)
    • Experimental Nuxt.js (Vue.js) app include flags (--include-app-nuxt-*)
    • Ability to disable the ptrace data source (--rta-source-ptrace)

    Improvements

    • Various monitoring engine enhancements

    Bug Fixes

    • Healtheck instruction handling fix

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.37.4(Feb 28, 2022)

    New Features

    • Container probe feature to use one of the compose services to test/probe the target container (--container-probe-compose-svc flag and container.probe continue-after mode)
    • Ability to override the container image name and/or tag when targeting a compose service (--target-compose-svc-image flag)
    • Ability to wait before executing the HTTP probes (--http-probe-start-wait flag)
    • Ability to wait before starting each compose service (--compose-svc-start-wait flag)
    • Basic FastCGI protocol support in HTTP probes (docs TBD)
    • New registry command and a basic pull subcommand
    • --include-new build flag to keep new files created by target during dynamic analysis
    • Supprot for stored global param in slim.config.json

    Improvements

    • Improved containerized CI/CD environments support (sensor-ipc-mode and sensor-ipc-endpoint flags for build and profile)
    • Docker host detection improvements
    • Target container IP detection improvements
    • Not minifying onbuild base images by default
    • Not minifying already minified images
    • Cleanup container resources on exit
    • include-cert-all build flag enabled by default
    • Propagate logging flags to sensor
    • Not using default http probe if custom probes are already defined
    • Many compose related enhancements (volume lookup enhancements, compose image detection and error handling, etc)
    • Various monitoring engine enhancements
    • Migrate from urfave/cli/v1 to urfave/cli/v2
    • Dockerfile reverse engineering enhancements (HEALTHCHECK instruction support, improved RUN instruction reversing when ARGs are also used)

    Bug Fixes

    • Volume mounting bug fixes for compose

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.37.3(Dec 12, 2021)

    New Features

    • Install command / docker cli plugin install option (preview version)

    Improvements

    • Container and compose link handling enhancements
    • Volume mounting enhancements
    • Static analysis improvements
    • Symlink handling improvements for builds
    • Collecting file check filesystem activity
    • Entrypoint/cmd override handling improvements

    Bug Fixes

    • Volume mounting bug fixes for compose

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.37.2(Nov 8, 2021)

    New Features

    • Ability to pull images from private registries (--registry-account, --registry-secret, --docker-config-path flags)

    Improvements

    • Additional flags for compose (dep-include-target-compose-svc-deps, compose-env-nohost, compose-env-file, compose-workdir, compose-project-name)
    • Variable substitution support in compose
    • Detect duplicates by default in xray
    • Resource cleanup when the build command exits
    • delete-generated-fat-image flag to cleanup the non-optimized images when docker-slim builds images from source/Dockerfile
    • Improved maintainer info collection for xray

    Bug Fixes

    • Volume mounting bug fixes for compose

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.37.0(Sep 23, 2021)

    Features

    • Experimental docker-compose support for the build command
    • Include cert flags to make it easier to keep certificate data in the optimized images

    Improvements

    • Install script
    • Original image platform information in optimized images

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.36.4(Sep 7, 2021)

  • 1.36.1(Jun 21, 2021)

    Improvements

    • Ability to detect additional shells.
    • Saving command report to /tmp directory if it's not possible to save it in the current working directory.
    • Printing tag information for build command.

    Bug Fixes

    • Default continue-after value handling fix (remove probe mode if http probing is disabled).
    • Sensor not exiting when it's trying to copy a directory it already copied.

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.36.0(Jun 14, 2021)

    New Features

    • Ability to find duplicate files for xray (--detect-duplicates, --show-duplicates)
    • Ability to find all utf8 encoded files for xray using the --detect-utf8 flag (optionally dumping them to console, directory or tar file).
    • Ability to find the files with special permissions (--show-special-perms).
    • Ability to find all installed shells for xray.
    • Container entry information for xray with file detection.
    • Inherited image instructions (aka ONBUILD instructions) for xray.
    • More image level stats for xray.

    Improvements

    • Multiple tags for the build command.
    • --http-probe-off flag for the build command to provide a shortcut to disable HTTP probing.
    • Flexible target image handling to use non-default tags if the latest tag doesn't exist and no explicit tag is provided.

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.35.0(Apr 15, 2021)

    New Features

    • Console color output (on by default; disable with no-color)
    • Loading http probe request data from separate files
    • Ability to execute external probe commands (--http-probe-exec and --http-probe-exec-file flags)
    • Ability to preserve original files in the target container discarding its test runtime data (--preserve-path and --preserve-path-file)
    • Ability to pull container images if they don't exist locally yet (--pull and --show-plogs)
    • File hashing for xray (--hash-data)
    • Additional flags to control the xray command executions (--top-changes-max, --reuse-saved-image)
    • Ability to match by file path, file data and file hash for xray (--change-path value, --change-data value, --change-data-hash value)

    Improvements

    • Lots of additional container build flags (--tag-fat, --cbo-add-host, --cbo-build-arg, --cbo-label, --cbo-target, --cbo-network, --cbo-cache-from).
    • Additional container runtime flags (--cro-runtime)
    • sigint should kill the running container (#186)

    Bug Fixes

    • Various xray image layer inspection bug fixes

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.34.0(Jan 29, 2021)

    New Features

    • New xray flags to control what layer change data to include in the generated reports (layer-changes-max, all-changes-max, add-changes-max, modify-changes-max, delete-changes-max)

    Improvements

    • host network flag handling enhancements.
    • Returning non-zero exit codes on failures
    • Additional image checks to catch missing ENTRYPOINT/CMD instructions

    Bug Fixes

    • Fixed container image listing bug that broke the --target value suggestions in the interactive prompt mode.

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.33.0(Dec 15, 2020)

    New Features

    • Ability to interact with the temporary containers using the new --exec and --exec-file flags (thanks to @nathants).

    Improvements

    • NPM support enhancements
    • Various bug fixes

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.32.0(Aug 24, 2020)

    New Features

    • Mapping container ports to specific host ports analyzing image at runtime (--publish-port and --publish-exposed-ports flags)

    Improvements

    • seccomp security profile generation capability updates
    • User namespace handling improvements (thanks to @solarnz)

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.30.0(Jul 27, 2020)

    New Features

    • lint command (initial Dockerfile linting capabilities with a basic set of checks)
    • HTTP probe crawler (automatically probes additional endpoints referenced in the processed targets; see the --http-probe-crawl and related flags)

    Improvements

    • ARM64 support (need more people to test!)
    • --http-probe-exit-on-failure flag to exit execution when all HTTP probe calls fail
    • --include-bin-file and --include-exe-file flags to make it easier to specify multiple binaries and executables loading them from files
    • xray command report enhancements

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.29.0(Mar 18, 2020)

    New Features

    • Interactive CLI prompt. For more info about the interactive prompt see go-prompt.

    Improvements

    • xray command output improvements
    • Additional image data saved with the xray command reports (--add-image-manifest and --add-image-config flags)

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.28.1(Mar 10, 2020)

    New Features (includes 1.28.0)

    • xray command enhancements to show the detailed container image information including its layers and their files and directories (initial version).

    Enhancements

    • New xray parameters to control how much to show when it's printing the layer details (--changes value and --layer value)
    • Image history enhancements and more data saved in the xray command reports
    • The --exclude-pattern build parameter to filter/exclude the artifacts in the optimized container.

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.28.0(Mar 7, 2020)

    Status

    Outdated (use the new 1.28.1 release instead)

    New Features

    • xray command enhancements to show the detailed container image information including its layers and their files and directories (initial version).

    Enhancements

    • The --exclude-pattern build parameter to filter/exclude the artifacts in the optimized container.

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.27.0(Feb 29, 2020)

    New Features

    • Option to set permissions, user and group information for the artifacts included with the --include-* parameters.
    • Option to overwrite the permissions and ownership info in the optimized image using the new --path-perms and path-perms-file parameters.

    Improvements

    • Option to run the containerized application using user and group information from the USER instruction.
    • Ability to keep the permission and the ownership metadata for the artifacts copied to the optimized container image.
    • Filter leftover PID files.
    • UX enhancements for the containers created using Dockerfiles.
    • Additional debugging information.

    Bug Fixes

    • Support for special install directories on Linux (to prevent failures when docker-slim is trying to save its state).

    Binaries

    Build them from source or download from a CDN location:

    Source code(tar.gz)
    Source code(zip)
  • 1.26.1(Nov 28, 2019)

  • 1.26.0(Nov 17, 2019)

    New Features

    • Run docker-slim in containers.
    • New distribution option (dslim/docker-slim image available in Docker Hub).
    • Archive docker-slim state into a separate Docker volume.

    Improvements

    • Default to continuing docker-slim execution after the http probing step is done when http probing is enabled.
    • Improved IPC.
    • Improved seccomp and metadata artifact copy option.
    • Improved execution report.
    Source code(tar.gz)
    Source code(zip)
    dist_linux.tar.gz(7.64 MB)
    dist_linux_arm.tar.gz(7.09 MB)
    dist_mac.zip(7.81 MB)
  • 1.25.3(Aug 4, 2019)

  • 1.25.2(Jul 21, 2019)

  • 1.25.0(Apr 25, 2019)

    • Experimental ARM32 support
    • Easy way to keep a shell in your image (just pass --include-shell to the build command)
    • Easy way to include additional executables (--include-exe flag) and binary objects (--include-bin flag), which will also include their binary dependencies, so you don't have to explicitly include them all yourself
    • update command - now you can update docker-slim from docker-slim!
    • Current version checks to know if the installed release is out of date

    If you have any questions you can open an issue or you can ask them in the docker-slim Gitter channel.

    Source code(tar.gz)
    Source code(zip)
    dist_linux.tar.gz(4.53 MB)
    dist_linux_1.25.1.tar.gz(4.53 MB)
    dist_linux_arm.tar.gz(7.18 MB)
    dist_mac.zip(4.72 MB)
  • 1.24.2(Mar 23, 2019)

    • Better Mac OS X support - when you install docker-slim to /usr/local/bin or other special/non-shared directories docker-slim will detect it and use the /temp directory to save its artifacts and to mount its sensor.
    • Better Nginx support
    • Many HTTP probe improvements to allow you more control over the probing process (take a look at the new HTTP probe flags in the readme file)
    Source code(tar.gz)
    Source code(zip)
    dist_linux.tar.gz(7.17 MB)
    dist_mac.zip(7.18 MB)
  • 1.24(Mar 10, 2019)

    • Support for non-default users
    • Improved symlink handling (addressing a number of the existing open issues)
    • Better failure monitoring and reporting (so you know better when something fails and what happened)
    • The --include-path-file option to make it easier to load extra files you want to keep in your image
    • CentOS support
    • Additional image layer information
    • HTTP Probe retry improvements
    Source code(tar.gz)
    Source code(zip)
    dist_linux.tar.gz(7.15 MB)
    dist_mac.zip(7.16 MB)
  • 1.22(Sep 8, 2018)

  • 1.21(Aug 25, 2018)

  • 1.20(Mar 5, 2018)

  • 1.19(Feb 4, 2018)

  • 1.18(Aug 9, 2017)

How to systematically secure anything: a repository about security engineering

How to Secure Anything Security engineering is the discipline of building secure systems. Its lessons are not just applicable to computer security. In

Veeral Patel 9.3k Aug 8, 2022
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Lightweight static analysis for many languages. Find bugs and enforce code standards. Semgrep is a fast, open-source, static analysis tool that finds

r2c 6.9k Aug 10, 2022
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Aug 13, 2022
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 25 May 27, 2022
Scan and analyze OSS dependencies and licenses from compiled Go binaries

golicense - Go Binary OSS License Scanner golicense is a tool that scans compiled Go binaries and can output all the dependencies, their versions, and

Mitchell Hashimoto 627 Jul 27, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

chenk 22 Jul 22, 2022
go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

chenk 5 Feb 5, 2022
Build & Scan - Container Image

BSImage (build&scan image) Requirements Trivy Docker BSImage (shell script version) Usage of build (shell script version) ./bsimage.sh start <image:ta

Carlos Eduardo Vieira 1 Apr 12, 2022
its a simple backdoor service that im making cuz i think that it could be cool its not finished but this is a cool project

yackdoor its a simple backdoor service that im making cuz i think that it could be cool its not finished but this is a cool project how it looks backd

ranon rat 7 Mar 9, 2022
Messing around with Go lang making a real estate site :)

Real Estate Used as a playground to learn Go lang. Setup is heavily inspired by an article by Michael Okoko. Requirements Migrate must be installed on

Patrique Ouimet 0 Nov 28, 2021
Simple attempt at making a program to Brute Force Gift codes for Roberts Space Industries AKA Star Citizen.

Roberts Space Industries: Gift Generator Simple attempt at making a program to Brute Force Gift codes for Roberts Space Industries AKA Star Citizen. I

SaturnsVoid 2 Nov 2, 2021
WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions

Log4jDetect WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions containing the following kn

WhiteSource 140 Jul 19, 2022
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

American Express 502 Aug 9, 2022
Safely wiping your secure data in Golang

Go Wiper You can use this tool like a library or a ready program. If you thought in some times about safely data erasing, you have a great open-source

null 2 Jul 15, 2022
Open Source Web Application Firewall

DEPRECATED This repository started as a good idea but I didn't have enough time or desire to work on it. So, it's left here for historical / education

Ahmet Salih 182 Aug 4, 2022
crowdsec 5.4k Aug 9, 2022
A Go Module to interact with Passbolt, a Open source Password Manager for Teams

go-passbolt A Go Module to interact with Passbolt, a Open source Password Manager for Teams This Module tries to Support the Latest Passbolt Community

Samuel Lorch 10 May 13, 2022
BluePhish: Open-Source Phishing Toolkit (Direct Fork of GoPhish)

BluePhish BluePhish: Open-Source Phishing Toolkit (Direct Fork of GoPhish) Gophish is an open-source phishing toolkit designed for businesses and pene

BlueStone AG 4 Jun 1, 2022
Gitrob: Putting the Open Source in OSINT

Gitrob: Putting the Open Source in OSINT Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob wil

Michael Henriksen 5.4k Aug 9, 2022