Cimplifier: Automatically debloating containers

Vaibhav Rastogi, Drew Davidson, Lorenzo De Carli, Somesh Jha, Patrick Drew McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size - sometimes by orders of magnitude. They also decrease the overall security, as each included component - necessary or not - may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.

Original language: English (US)
Title of host publication: ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
Editors: Andrea Zisman, Eric Bodden, Wilhelm Schafer, Arie van Deursen
Publisher: Association for Computing Machinery
Pages: 476-486
Number of pages: 11
ISBN (Electronic): 9781450351058
DOIs: https://doi.org/10.1145/3106237.3106271
State: Published - Aug 21 2017
Event: 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017 - Paderborn, Germany
Duration: Sep 4 2017 → Sep 8 2017

Publication series

Name: Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering
Volume: Part F130154

Other

Other: 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017
Country: Germany
City: Paderborn
Period: 9/4/17 → 9/8/17

Fingerprint

Containers
Packaging

All Science Journal Classification (ASJC) codes

  • Software

Cite this

Rastogi, V., Davidson, D., De Carli, L., Jha, S., & McDaniel, P. D. (2017). Cimplifier: Automatically debloating containers. In A. Zisman, E. Bodden, W. Schafer, & A. van Deursen (Eds.), ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (pp. 476-486). (Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering; Vol. Part F130154). Association for Computing Machinery. https://doi.org/10.1145/3106237.3106271
@inproceedings{109ad798c3c443408664b3c70ff6d54a,
title = "Cimplifier: Automatically debloating containers",
abstract = "Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size - sometimes by orders of magnitude. They also decrease the overall security, as each included component - necessary or not - may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95{\%}, and processes even large containers in under thirty seconds.",
author = "Vaibhav Rastogi and Drew Davidson and {De Carli}, Lorenzo and Somesh Jha and McDaniel, {Patrick Drew}",
year = "2017",
month = "8",
day = "21",
doi = "10.1145/3106237.3106271",
language = "English (US)",
series = "Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering",
publisher = "Association for Computing Machinery",
pages = "476--486",
editor = "Andrea Zisman and Eric Bodden and Wilhelm Schafer and {van Deursen}, Arie",
booktitle = "ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering",

}


TY - GEN
T1 - Cimplifier
T2 - Automatically debloating containers
AU - Rastogi, Vaibhav
AU - Davidson, Drew
AU - De Carli, Lorenzo
AU - Jha, Somesh
AU - McDaniel, Patrick Drew
PY - 2017/8/21
Y1 - 2017/8/21
N2 - Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size - sometimes by orders of magnitude. They also decrease the overall security, as each included component - necessary or not - may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.
UR - http://www.scopus.com/inward/record.url?scp=85030754519&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85030754519&partnerID=8YFLogxK
U2 - 10.1145/3106237.3106271
DO - 10.1145/3106237.3106271
M3 - Conference contribution
AN - SCOPUS:85030754519
T3 - Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering
SP - 476
EP - 486
BT - ESEC/FSE 2017 - Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
A2 - Zisman, Andrea
A2 - Bodden, Eric
A2 - Schafer, Wilhelm
A2 - van Deursen, Arie
PB - Association for Computing Machinery
ER -
