Building and securing containers with Slim.ai

There are many ways to build and protect containers, but Slim.ai has its own. Slim.ai's CEO, John Amaral, describes the company's approach as "slimming": removing unnecessary code and minimizing the production code footprint. This inherently reduces the complexity of the software supply chain, the attack surface of the software, and the overall risk.

You could always do this manually. But if you've tried it, you know it's a tedious and painful process. Slim.ai uses a container-optimized Software-as-a-Service (SaaS) workflow to make it quick and easy to create production-ready containers with minimal effort. This lets the user slim down the container in a web environment, for ease of use and consistency. Slimming an image this way takes only a few minutes. Even better, once done, it gives you a repeatable, traceable process that you can run every time you change your code.

If that sounds familiar, it should. It's basically a hosted DockerSlim, now the company's flagship open source project, SlimToolkit. It minimizes containers with a convenient UI instead of a set of CLI flags, and runs on Slim.ai's build servers, integrated with multiple container registries and CI platforms.

Under both names, this popular developer tool "slims" the attack surface of containers by analyzing the code and discarding what is unnecessary, optimizing and securing them in one step. It can also reduce the size of a container by up to 30x.

Most container Linux distributions, such as Microsoft's Common Base Linux (CBL)-Mariner, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS, are small, but their focus is not on the attack surface.

Others such as Alpine Linux and Chainguard Wolfi minimize the attack surface by minimizing the base image. Wolfi also includes a Software Bill of Materials (SBOM) and signatures.

Slim.ai takes a different approach. You start by building containers with your Linux distribution, software chain, libraries, and language of choice. Next, you optimize and secure those containers by analyzing the application and throwing out everything it doesn't need. The result? You can build containers quickly with familiar tools and ship images with a small attack surface.

Which approach is best? They are all new approaches. May the best method for your job win.

Amaral said:

But open source projects don't scale. So, about the Slim.ai service, now in beta, Amaral continues.

Basics of Slim.ai

The service does this by integrating with container registries, continuous integration/continuous deployment (CI/CD) pipelines, and tools, so you can automate the process, plug it into existing workflows, and move software to production quickly.

Current and planned integrations include Docker, AWS Elastic Container Registry (ECR), Google Container Registry (GCR), GitHub, DigitalOcean, and Quay registries, as well as Jenkins, GitLab, and the GitHub CI/CD platforms. Running multiple open source vulnerability scanners against the container of your choice lets you find security issues before they become problems.

Slim.ai works with a variety of languages and Linux distributions, including Node.js, Python, Ruby, Java, Go, Rust, Elixir, and PHP running on Ubuntu, Debian, CentOS, Alpine, and even Distroless.

Not only does it protect your application by slimming away unnecessary and potentially vulnerable code, it also saves container space. For example, a Node.js application image running on Debian 11 Bullseye shrinks from the default 371MB to just 42MB, and a Python image on CentOS 7 shrinks from 647MB to 23MB. Storage space itself is cheap, but the processing and networking resources spent on large images are not. On top of that, developer time always costs money. Large containers take longer to push, pull, scan, verify, and inspect. These inefficiencies add up quickly when programmers work with many containers at once.

How Slim.ai Works

The process looks like this: first, you build your containers and pull them into the Slim platform to take advantage of Slim's developer tools. This is where the vulnerability report for the original image is generated and stored.

Slim’s optimization engine then automatically reduces containers to just what you need. You can use your own fine-grained configuration or use Slim’s recommendations.

This slimming process removes not only unused parts, but also the vulnerabilities that ship with them, including ones you may not even know about. The ultimate goal of container slimming is the smallest possible footprint (read: attack surface) that still gets the job done. In other words, less risk and better software.

Renowned Kubernetes expert Kelsey Hightower jokingly said that the safest way to ship code is to "write nothing." As Amaral wrote, "The only way to meet Kelsey's cynical admonition that the most secure software is the software that never ships is slimming down."

Once that's done, a post-optimization analysis runs. It details which files, packages, and vulnerabilities were removed and what remains in the final slimmed image.
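As an added illustration of that post-optimization report (not Slim.ai's or SlimToolkit's code), the script below diffs a constructed inventory of an original image against its slimmed counterpart and attributes each scanner finding to the package it came in with; the inventory layout, package names and CVE-EXAMPLE ids are all assumptions.

```python
"""Diff an original image inventory against the slimmed one, the way a
post-optimization report would. Added illustration: inventory layout,
packages and CVE-EXAMPLE ids are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inventory:
    files: frozenset   # absolute paths present in the image
    packages: dict     # package name -> version


def slim_report(original: Inventory, slimmed: Inventory, findings: dict) -> dict:
    """`findings` is the vulnerability scan of the ORIGINAL image
    (package name -> vulnerability ids). A finding goes away only when
    its package does, so what remains is computed from surviving packages."""
    removed_pkgs = set(original.packages) - set(slimmed.packages)
    removed_vulns = {v for p in removed_pkgs for v in findings.get(p, ())}
    remaining_vulns = {v for p in slimmed.packages for v in findings.get(p, ())}
    return {
        "files_removed": sorted(original.files - slimmed.files),
        "packages_removed": sorted(removed_pkgs),
        "vulns_removed": sorted(removed_vulns),
        "packages_remaining": sorted(slimmed.packages),
        "vulns_remaining": sorted(remaining_vulns),
    }


def reduction_factor(original_mb: float, slimmed_mb: float) -> float:
    """Size reduction, e.g. the article's 371MB -> 42MB Node.js image."""
    return original_mb / slimmed_mb


# Constructed sample: a Node.js app image that also dragged in perl and curl.
ORIGINAL = Inventory(
    files=frozenset({"/usr/bin/node", "/usr/bin/perl", "/usr/bin/curl",
                     "/app/server.js", "/lib/x86_64-linux-gnu/libc.so.6"}),
    packages={"nodejs": "18.16", "perl": "5.32", "curl": "7.74", "libc6": "2.31"},
)
SLIMMED = Inventory(
    files=frozenset({"/usr/bin/node", "/app/server.js",
                     "/lib/x86_64-linux-gnu/libc.so.6"}),
    packages={"nodejs": "18.16", "libc6": "2.31"},
)
FINDINGS = {  # constructed scan of ORIGINAL; the ids are placeholders
    "perl": {"CVE-EXAMPLE-0001"},
    "curl": {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"},
    "libc6": {"CVE-EXAMPLE-0004"},
}

if __name__ == "__main__":
    for key, value in slim_report(ORIGINAL, SLIMMED, FINDINGS).items():
        print(f"{key}: {value}")
    print(f"size reduction: {reduction_factor(371, 42):.1f}x")
```

The libc6 finding survives because the package is still needed; that is exactly the "what remains" part of the report a team has to act on.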

This approach has other advantages as well. Programmers don't have to be container experts. The Slim.ai platform provides a before-and-after view of the developer's container, so you can see exactly what was removed. This is a powerful tool for both optimization and debugging.

Also, developers don't have to be security experts. When Slim.ai "slims" a container, it doesn't just remove the unnecessary. It also makes it easy to lock down unneeded ports, or files with special privileges that always deserve attention.

The Slim.ai Software as a Service (SaaS) also shows the ports, user information, and environment variables present in the container. These often lead to vulnerabilities and can turn into security holes. Teams only need to know that these should be locked down or minimized; for example, they don't need to know the ins and outs of locking down an entire container with SELinux.
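To show what that review of ports, user and environment variables looks like in practice, here is an added example that is not Slim.ai's code: it reads the standard OCI image config fields (config.User, config.ExposedPorts, config.Env) from a constructed image config and returns the findings a team would act on. The secret-name pattern and the sample values are assumptions.

```python
"""Flag root user, unexpected exposed ports and baked-in secrets in an
image config. Added example, not Slim.ai's code; the sample config below
is constructed in the OCI image config / `docker inspect` shape."""
import json
import re

# Env var names that usually mean a credential was baked into the image.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE)", re.I)


def review_image_config(config_json: str, expected_ports=()) -> list:
    """Return human-readable findings for the given image config JSON."""
    cfg = json.loads(config_json).get("config", {})
    findings = []

    # An empty User means the runtime default, which is root.
    user = cfg.get("User", "") or ""
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append(f"runs as root (User={user!r}); add a non-root USER")

    # Every exposed port is reachable surface; only the expected ones belong.
    for port in cfg.get("ExposedPorts", {}):
        if port not in expected_ports:
            findings.append(f"unexpected exposed port {port}")

    # A secret in Env ships with every pull of the image, not just at runtime.
    for entry in cfg.get("Env", []):
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append(f"env var {name} holds a baked-in secret")
    return findings


# Constructed image config: no USER set, SSH port exposed, password in Env.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "User": "",
        "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}},
        "Env": ["PATH=/usr/local/bin:/usr/bin", "NODE_ENV=production",
                "DB_PASSWORD=example-not-a-real-secret"],
    },
})

if __name__ == "__main__":
    for line in review_image_config(SAMPLE_CONFIG, expected_ports=("8080/tcp",)):
        print("-", line)
```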

Another Slim.ai win is that in the emerging multi-cloud world, workloads are moved around to get the best price and deployment speed. A small Slim.ai container is easy to move from one cloud to another. The service also provides a meta-repository of the most popular container registries in one place, giving both developers and customer managers a single view of the commercial container landscape. The end result is that developers save time, money, and energy by using existing knowledge and tools. So with Slim.AI, everyone wins.
