Improving cold start with Distroless techniques
Victor Morales
@electrocucaracha
Problem statement
• An analysis shows that pulling packages accounts for 76% of container start time, but only 6.4% of that data is read. [1]
• Data transferred between Amazon ECR and other services in different Regions will be charged at Internet Data Transfer rates on both sides of the transfer. [2]
• One of the downsides of using base images is that they sometimes introduce files that are required for initial setup or startup but are never touched or even seen later on, i.e., unused config files. This has been the cause of some CVEs over the years… [3]
[1] https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter
[2] https://aws.amazon.com/blogs/containers/understanding-data-transfer-costs-for-aws-container-services/
[3] https://www.armosec.io/blog/vulnerability-base-images-cve/
Proposal
• Analyze existing tools for Container Image analysis.
  • Dive
  • Trivy
  • Docker-squash
• Kubelet Serialize Image pulls
• Java Ecosystem alternatives – jdeps & jlink
• Demo – Setup
  • Measure data transfer from Container Registry to Kubernetes Worker Nodes.
  • Apply Distroless techniques to the Container Image.
• Wrap up
dive
A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.
https://github.com/wagoodman/dive
trivy
A comprehensive and versatile security scanner.
https://github.com/aquasecurity/trivy
docker-squash
Python tools for squashing last n layers from an image
https://github.com/goldmann/docker-squash
Kubelet Serialize Image Pulls
https://medium.com/@muthanagavamsi/lets-speed-up-kubernetes-29d3bfa1eb4
Java Ecosystem alternatives – jdeps & jlink
Jdeps (Analyze your Java Classes Dependencies)
Shows the package-level or class-level dependencies of Java class files. The input class can be a path name to a .class file, a directory, a JAR file, or it can be a fully qualified class name to analyze all class files.
https://dev.java/learn/jvm/tools/core/jdeps/
Jlink (Assemble and Optimize a Set of Modules)
Assemble and optimize a set of modules, and their dependencies into a custom runtime image.
https://dev.java/learn/jvm/tools/core/jlink/
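As an added example (not code from the demo repository or from the talk), a multi-stage Dockerfile that applies the jdeps and jlink steps above: jdeps computes the module list the application actually needs, jlink assembles only those modules into a runtime, and the result is copied onto a Distroless base that ships no JRE of its own. The jar path target/app.jar and the base image tags are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: analyze dependencies and build a trimmed runtime.
# Assumes a pre-built, self-contained jar at target/app.jar (hypothetical path).
FROM eclipse-temurin:21-jdk AS build
WORKDIR /build
COPY target/app.jar app.jar

# jdeps prints a comma-separated list of the JDK modules the jar references,
# e.g. "java.base,java.logging,java.sql". --ignore-missing-deps avoids failing
# on optional classes that are not on the class path; --multi-release selects
# the versioned entries of a multi-release jar.
RUN jdeps --ignore-missing-deps --print-module-deps --multi-release 21 app.jar \
      > modules.txt \
 && echo "modules: $(cat modules.txt)"

# Modules that are loaded through ServiceLoader (e.g. jdk.crypto.ec for
# TLS elliptic-curve support on JDK 21 and earlier) are not visible to jdeps;
# append such modules here explicitly if the application needs them.
RUN jlink \
      --add-modules "$(cat modules.txt)" \
      --strip-debug \
      --no-man-pages \
      --no-header-files \
      --compress=zip-6 \
      --output /opt/jre

# Stage 2: Distroless "java-base" contains libc, certificates and tzdata but
# no JRE, so only the jlink output and the jar end up in the final image.
# No shell or package manager is present, which also removes the unused
# setup files the problem statement refers to.
FROM gcr.io/distroless/java-base-debian12:nonroot
COPY --from=build /opt/jre /opt/jre
COPY --from=build /build/app.jar /app/app.jar
USER nonroot
ENTRYPOINT ["/opt/jre/bin/java", "-jar", "/app/app.jar"]
```

After building, `dive` on the resulting image shows a single small runtime layer instead of a full JDK, and `trivy image` has correspondingly fewer packages to report on.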
Demo
https://github.com/electrocucaracha/k8s-Distroless-demo/
[Demo topology diagram: a Virtual Machine hosting a kind cluster on network 172.80.1.0/24 (k8s-control-plane, k8s-worker, k8s-worker2 … k8s-worker6) and the scripts_default network 172.80.0.0/24 (scripts-web-server-1, scripts-registry-1).]
Demo – Setup (Nginx virtual host traffic status module)
https://github.com/vozlt/nginx-module-vts
https://github.com/electrocucaracha/k8s-Distroless-demo/blob/master/scripts/nginx/Dockerfile
Demo – Setup (Connect Kubernetes to Local Registry)
https://kind.sigs.k8s.io/docs/user/local-registry/
Wrap up
• Successfully reduced image size from 842MB to just 39.5MB.
• Lowered deployment time significantly, from 44.78 seconds to 10.38 seconds.
• Achieved +23x reduction in data transfer from the private local registry to the seven Kubernetes worker nodes.