FEAST 24 Workshop Technical Program
Authors:
Jonathan Dorn, Denis Gopan, Deby Katz, Lucja Kot, Junghee Lim, Adam Seitz, Thomas Wahl
Abstract. Software containers, such as those built using Docker, are often equipped with a comprehensive set of capabilities, to allow a diverse group of users to run the same container for their individual purposes. This intent inevitably leads to bloat in the container: software components that are not required for a specific user’s needs. The resulting excessive size may cause problems distributing container images via a network. Once unpacked and run, container bloat also increases the software’s attack surface.
In this talk, we first sketch our ongoing efforts on building a tool called Dykondo for debloating an existing container image. In addition to the (bloated) image, Dykondo takes as input a description of the use case for which to specialize the container. It then removes (portions of) files from the container that are not required to support the use case.
In the second part of the talk, we discuss a different approach to the problem of keeping containers small, namely building—automatically—a customized, compact container from the outset. Inputs are the target program’s software packages, a use-case description as before, and metadata that describes how the individual packages are configured, as well as how they are integrated to build the general-purpose program. No container image has been constructed so far. The output is a revised set of metadata that, when used in the build process, gives rise to a compact container image, with no more functionality included than what is required for the use case. This approach can be viewed as compact-container synthesis, while Dykondo currently implements a (size) repair strategy.
We compare the two approaches to achieving compact containers with respect to various criteria. We conclude that the synthesis approach may be able to provide greater flexibility, but requires some amount of trust between the involved parties. For cases where such trust is not warranted, we propose a hybrid approach that involves both synthesis and repair.