Explore and analyze a Docker container using the DockerSlim xray command
Prerequisites to complete this example
- Basic knowledge of Linux commands and a terminal
- Docker Desktop installed on your host machine.
- A text editor or browser to view .JSON files
Download and test DockerSlim
- Download DockerSlim from here: https://dockersl.im/
Note: This example was developed on macOS. The code in this article is shared in screenshots —please visit https://johnslimai.github.io to copy & paste.
- Create a folder and copy the files from the DockerSlim download into the folder. My folder looks like this.
- Run DockerSlim to check if it’s working.
docker-slim help into a terminal window.
Note: I added the folder path I created to the /etc/paths file. If the directory where you extracted the binaries is not in your PATH then you’ll need to run your docker-slim commands from that directory. You can type
./docker-slim help to run DockerSlim in this case.
- DockerSlim has a cool menu driven command line. To try that:
docker-slim into a terminal window then type help at the interactive prompt
We use the xray command for this example.
Find a publicly available container on DockerHub to examine with DockerSlim xray
I decided to use a container with nuxt.js and node.js for this example. Nuxt.js is gaining popularity as a web app framework for vue.js. My team has been working with nuxt.js lately, so its interesting to me.
- Open DockerHub and type
nuxtinto the search bar. You can also just click this link:
I selected the first result for simplicity. It’s been downloaded a bunch of times and seems to have nuxt.js and node.js foundations and a decent GitHub page.
- Pull the container using the Docker Pull Command
From a terminal window type
docker pull gerardojunior/nuxtjs
Note: You need Docker Desktop installed on your host to continue this example.
After the pull command completes, check to see that the image is loaded using the
docker images command
Run the DockerSlim xray command on the target container
From a terminal window type
xray --target gerardojunior/nuxtjs:latest
DockerSlim creates a .json report file named
Examine the DockerSlim xray results
- Basic facts about this container found in the xray report
Created date = 2/1/2019 — the image has not been updated in 2 years
Image Size = 69MB
Exposed Ports = 3000/TCP
From the slim.report.json file:
- Exploring the container’s layers listed in the xray report
The report file contains a listing (“image_stack label”) of the docker image layers ordered by layer detailing Dockerfile command(s) that contributed to each layer.
image_stack: array in the slim.report.json file.
This container has a single image. Each Dockerfile command is listed in the
"instructions": array. In the snippet below notice that the "ADD" instruction contibuted to
"layer_index": 0,. Peruse the report to find the total number if layer indices. This container has a total of 8 layers.
The image layer information listed in the
"image_layers": array is useful for understanding what files and consequently what software and related files are in the container. The layer information is organized by index indicated by the
"index": tag. Search for index 0 in the image layers list.
"top": tag and you can view the files contained in layer 0. Layer 0 is comprised of common Linux OS files from the Alpine base image.
Layer 1 contains files associated with node.js. It is the largest layer (56.8MB) and contains the largest single file usr/local/bin/node (36.4MB). This file is the node.js executable binary image.
Layer 2 contains the files associated with the popular package manager Yarn. Yarn is used to configure this container for nuxt.js and also allows developers using this container to easily add and manage packages.
Note: Package managers are good to include in containers for development purposes but should generally be stripped out of production containers to ensure immutability and adhere to production-ready container best practices.
Layers 6,7 and 8
Layers 6,7 and 8 include the container entrypoint definition and the .sh scripts for nuxt.js.
Layer 6 snippet showing the ENTRYPOINT command
Layer 7 snippet showing the nuxt.js entrypoint shell script (opt/tools/entrypoint-nuxtjs.sh)
From this analysis, we can see this container is primarily composed of:
- Remnants of Alpine Linux including the busybox toolkit
- Node.js and related packages
- The Yarn package manager
- Scripts and other tools to configure nuxt.js and set the entry point to invoke nuxt.
If you want to learn lots more about DockerSlim look here:
The full details of the DockerSlim xray command can be found here:
Originally published at https://johnslimai.github.io.