PyCon DE & PyData 2025

login

Size matters: Inspecting Docker images for Efficiency and Security
.ical
2025-04-23 , Titanium3

Inspecting Docker images is crucial for building secure and efficient containers. In this session, we will analyze the structure of a Python-based Docker image using various tools, focusing on best practices for minimizing image size and reducing layers with multi-stage builds. We’ll also address common security pitfalls, including proper handling of build and runtime secrets.

While this talk offers valuable insights for anyone working with Docker, it is especially beneficial for Python developers seeking to master clean and secure containerization techniques.

  1. Introduction

    • We start with an example Dockerfile for a Python-based image.
    • We will explore the role of OverlayFS, Docker’s file system for combining layers, to understand how layers stack and how data (or even secrets) can be retrieved from individual layers.

  2. Layer Analysis

    • To gain better understanding of layering, we use simple command-line tools like docker history and docker inspect to examine image layers.
    • We introduce dive, a tool for exploring the contents of each layer.
    • We apply these insights to optimize the image by implementing multi-stage builds to create a smaller image with fewer layers, improving storage efficiency, build speed, and security.
    • We discuss the benefits of Docker’s caching mechanism in reducing build times.

  3. Security Enhancements

    • Given our example image, we will use trivy, a comprehensive security scanner, to scan the example image for vulnerabilities and demonstrate how to address common issues.
    • Finally, we introduce syft for generating SBOMs (Software Bill of Materials) to catalog packages, libraries, and dependencies within the image.

To get the most out of this session, participants are encouraged to clone the session's repository and build the example Docker image beforehand. Doing so will enable you to follow the demo interactively and experiment with the tools and methods presented during the session.

Expected audience expertise: Domain:

Intermediate

 Expected audience expertise: Python:

Novice
The speaker’s profile picture
Irena Grgic

As a clean code enthusiast, Women in Tech advocate, DevOps engineer, and mathematician, I have worked in multiple tech fields. My journey has taken me from roles as a data scientist and machine learning engineer to MLOps, culminating in my current position as the lead DevOps engineer of a computer vision platform with hundreds of active users. I possess a broad range of experience in multiple programming languages, creating fast and structured CI/CD pipelines, deploying entire platforms to Kubernetes, and working with various cloud providers. I am passionate about efficient, well-readable, and easily maintainable code and strongly believe that machine learning products should be developed with the same standards as good software.