Challenge, Medium, on Containers

Squash a Bloated Container Image to Remove Waste and Leaked Credentials

A colleague containerized the team's Python microservice. During the build, they installed build-essential and libpq-dev to compile native extensions, and copied in a pip.conf file with credentials for the company's private package registry.

Trying to keep the image clean, they later removed both the build tools and the credentials file from the final container filesystem. But did that actually make the image safe and compact?

Explore the image

The image is available at ghcr.io/iximiuz/labs/bloated/app:v1.0.0. It has already been pulled for you, so go ahead and inspect it:

docker history ghcr.io/iximiuz/labs/bloated/app:v1.0.0

Two things should catch your attention:

Squash the image

Your task is to squash (flatten) the image into a clean, compact version where:

  1. The runtime filesystem is preserved - every file that exists in the original container must also exist in the squashed one (and the app must still work).
  2. The image is significantly smaller (the leftover build tools are truly gone).
  3. No credentials appear in any image layer.

Push the squashed image to the playground's container registry as registry.iximiuz.com/squashed/app:v1.0.0.

Hint 1 - How to flatten image layers

Squashing means collapsing all image layers into a single one that represents only the final filesystem state. You can do it with "bare" Docker commands, but it might be really tedious and error-prone.

Luckily, there are tools like crane that can do this for you.

Hint 2 - Using 'crane flatten'

crane (preinstalled in this playground) can flatten an image in one command - crane flatten.

Beware that it operates on registry images, so you'll need the source image in a registry that crane can both pull from and push to.
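To make concrete what "collapsing all image layers into a single one that represents only the final filesystem state" means (Hint 1), and why a later `rm` satisfies neither the size nor the credentials requirement, here is an added example that replays layer diffs in memory using OCI whiteout semantics. It is not crane's code and not the challenge image: the four layers (base, build tools plus `etc/pip.conf`, app code, then a layer that deletes the tools and the config) are constructed stand-ins, and the `EXAMPLE_TOKEN` value is a placeholder. `layers_containing` is the check you would run before pushing: it reports which layers still store a given path. Only regular-file entries are modelled; directories, symlinks and ownership are left out.

```python
import io
import tarfile

WHITEOUT_PREFIX = ".wh."          # OCI: an entry ".wh.<name>" hides <name> from lower layers
OPAQUE_WHITEOUT = ".wh..wh..opq"  # OCI: hides every lower-layer entry in that directory


def make_layer(files):
    """Build an in-memory layer tar from {path: bytes}; a None value records a whiteout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            if data is None:
                parent, _, name = path.rpartition("/")
                path = f"{parent}/{WHITEOUT_PREFIX}{name}" if parent else WHITEOUT_PREFIX + name
                data = b""
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_entries(layer_bytes):
    """Return {path: bytes} for every regular-file entry recorded in one layer tar."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                entries[member.name] = tar.extractfile(member).read()
    return entries


def apply_layers(layers):
    """Replay the layer diffs in order to obtain the final filesystem view.

    A whiteout only hides a path from the merged view; the bytes written by the
    earlier layer stay in the image, which is why deleting a file in a later
    RUN step removes neither its size nor its secret from the image.
    """
    rootfs = {}
    for layer in layers:
        for path, data in layer_entries(layer).items():
            parent, _, name = path.rpartition("/")
            if name == OPAQUE_WHITEOUT:
                prefix = parent + "/" if parent else ""
                for existing in [p for p in rootfs if p.startswith(prefix)]:
                    del rootfs[existing]
            elif name.startswith(WHITEOUT_PREFIX):
                target = name[len(WHITEOUT_PREFIX):]
                rootfs.pop(f"{parent}/{target}" if parent else target, None)
            else:
                rootfs[path] = data
    return rootfs


def squash(layers):
    """Collapse all layers into a single layer holding only the final filesystem state."""
    return make_layer(apply_layers(layers))


def layers_containing(layers, path):
    """Indices of layers whose own diff records `path`, i.e. where its bytes are stored."""
    return [i for i, layer in enumerate(layers) if path in layer_entries(layer)]


def build_sample_layers():
    """Constructed stand-in for the challenge image's history (not the real image)."""
    return [
        make_layer({"usr/bin/python3": b"\x7fELF python interpreter (placeholder)"}),
        make_layer({
            "usr/bin/gcc": b"\x7fELF compiler (placeholder) " * 64,
            "etc/pip.conf": b"[global]\nindex-url = https://user:EXAMPLE_TOKEN@registry.example/simple\n",
        }),
        make_layer({"app/main.py": b"print('hello from the microservice')\n"}),
        make_layer({"usr/bin/gcc": None, "etc/pip.conf": None}),  # the colleague's cleanup step
    ]


if __name__ == "__main__":
    layers = build_sample_layers()
    print("layers still storing pip.conf:", layers_containing(layers, "etc/pip.conf"))
    flat = squash(layers)
    print("squashed layers storing pip.conf:", layers_containing([flat], "etc/pip.conf"))
    print("final files:", sorted(layer_entries(flat)))
    print("bytes before/after:", sum(len(l) for l in layers), len(flat))
```

Running it shows `etc/pip.conf` and `usr/bin/gcc` stored in layer 1 even though the merged view no longer has them, and the squashed single layer containing only the interpreter and the app. For the real image, `crane flatten <source-ref> -t <destination-ref>` performs the same replay against a registry, which is why the source must be somewhere crane can pull from and push to.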