Micropacker-for-containers is a proof of concept that started in the VMware Product Security team as a hardening exercise. Over time, it has matured to allow you to easily pack a microcontainer starting from a standard container. Don’t be scared of the word “microcontainer”—it works and basically is just like a normal container. It is considered a “special” container since it packs only the absolute minimum set of files and libraries required for an application to run.
To do so, microcontainers are usually based on an extremely lightweight, or even completely empty, “starting image” on top of which the application is added. For people familiar with containers lingo, this translates to a Dockerfile “FROM” tag referencing a minimal base image like the ones provided by Google in the distroless project, or “scratch,” the empty one. The concept of microcontainers is quite interesting, as there are few obvious advantages when starting to package applications in this way:
- A significant reduction in image size
- A better understanding of the dependencies between your application and the operating system libraries and files
- Less noisy third-party version checks by your security team, as microcontainers won’t contain any unneeded and eventually obsolete or vulnerable libraries
- Makes “command injections” and “post-exploitation” significantly harder from a security perspective by having less attack surface available
While the advantages are clear, the process of packaging a microcontainer can be quite unforgiving—it is not always easy to discover all the files an application needs before running it, leading to errors and frustration while running tests over and over again and fixing your image until you can get a functioning microcontainer.
If you want to know more about the underlying problem causing this and how it’s being addressed, visit our README page. By leveraging the information gathered by the Linux kernel, micropacker-for-containers aims to give you a perfectly functioning microcontainer after running all your tests once and without needing to fix your image manually. If you are a security engineer or a containers enthusiast, you should definitely check it out! Bugs and suggestions are welcome on GitHub as well.