Do more with less!
Focus on needs!
“An image should only include the executable and libraries required by the app itself; all other OS functionality is provided by the OS kernel within the underlying host OS.” -NIST-
```shell
docker-slim build \
  --include-exe cut --include-exe sed \
  --include-path /etc/pki \
  --http-probe \
  --show-clogs \
  rh-sso/keycloak-gatekeeper70
```
| Project | Parent | Origin | Slim | Reduction (x) |
|---|---|---|---|---|
| Keycloak Gatekeeper | CentOS | 200 | 20 | 10 |
| Keystore | Distroless | 78.8 | 65.3 | 1.2 |
| | CentOS | 248 | 65.7 | 3.8 |
distribution agnostic
reduce attack surface
limit parent contagion
scanner detection
docker in docker
Distroless
docker-slim
free and open-source implementation of Java SE.
high performance, scalable, JVM implementation that is fully compliant with the Java Virtual Machine Specification.
next generation HotSpot VM.
Native image
OpenJDK 8
OpenJDK 11
OpenJ9
GraalVM
```shell
# JDK 11
sdk use java 11.0.4.j9-adpt && du -hcs "$JAVA_HOME"
# 300M /java/11.0.4.j9-adpt

# Compile
javac CountUppercase.java

# Deps: list the JDK modules the class actually needs
jdeps --print-module-deps CountUppercase.class

# Generate distribution: a runtime image containing only those modules
jlink --no-header-files --no-man-pages --compress=2 --strip-debug \
  --add-modules "$(jdeps --print-module-deps CountUppercase.class)" \
  --output java-base

# Custom distribution
ls java-base/ && du -hcs java-base/
# bin conf legal lib release -> java-base/ 39M

# Use the trimmed runtime
export JAVA_HOME="$PWD/java-base"
```
Native?
-import io.micronaut.http.annotation.Controller;
+import javax.inject.Inject;
-@Controller("/conferences")
+@Path("/conferences")
+@Produces(MediaType.APPLICATION_JSON)
public class ConferenceController {
- private final ConferenceService conferenceService;
+ @Inject
+ private ConferenceService conferenceService;
- public ConferenceController(ConferenceService conferenceService) {
- this.conferenceService = conferenceService;
- }
- @Get("/random")
- public Conference randomConf() {
+ @Path("/random")
+ @GET
+ public Conference randomConf() {
return conferenceService.randomConf();
}
}
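Review bot: The added `@Inject` on `private ConferenceService conferenceService;` replaces the `final` constructor-injected field with a private, mutable one, so the controller can be instantiated without its service and injection into a private field generally needs reflective access, which the native-image table on this page lists as limited. Keep the constructor and put `@Inject` on it, or at least make the field package-private. The hunk also uses `@Path`, `@Produces`, `MediaType` and `@GET` but only adds an import for `javax.inject.Inject`; the matching imports should be part of the change.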
-import io.micronaut.http.annotation.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
-@Controller("/conferences")
+@RestController
public class ConferenceController {
+ @Autowired
+ private ConferenceService conferenceService;
- private final ConferenceService conferenceService;
- public ConferenceController(ConferenceService conferenceService) {
- this.conferenceService = conferenceService;
- }
-
- @Get("/random")
- public Conference randomConf() {
+ @RequestMapping("/conferences/random")
+ public Conference randomConf() {
return conferenceService.randomConf();
}
}
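Review bot: `@RequestMapping("/conferences/random")` on `randomConf()` sets no `method`, so the endpoint now answers every HTTP verb where the removed `@Get("/random")` accepted GET only. Use `@GetMapping("/conferences/random")` or add `method = RequestMethod.GET`. The `@Autowired` private field also replaces the `final` constructor-injected one; keeping the constructor preserves immutability. The hunk imports only `RequestMapping`, so the imports for `@RestController` and `@Autowired` are missing.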
Supersonic Subatomic Java
| Not Supported | Limited |
|---|---|
| Dynamic Classloading | CDI |
| Invoke Dynamic | Reflection * |
| Finalizer | Dynamic proxy * |
| Security Manager | JNI * |
| JVM TI, JMX, … | Static initializer |
| Native Windows | |
| Native debug | |
Quarkus + Microcontainer