
Ask HN: How to build a minified Linux kernel for my Docker? - riyakhanna1983
I'm trying to create a specialized (minified) Linux kernel based on my Dockerfile. Is there a solution that can automatically create a kernel image containing only the absolutely necessary functionality, specific to my Docker configuration? The default kernel shipped with a distro seems to contain a lot of unnecessary functionality, and poses high security risks.
======
shoo
My understanding (perhaps wrong) is that the linux _kernel_ is in the host
machine that is running the docker containers, and is not contained in the
container image you define in the docker file & build into an image with
docker.

So if you don't like how the kernel is configured, that'd require you to
reconfigure the kernel on each host that will run your containers,
independently of what is inside the container. But perhaps your question is
about what is in the container, and not really about the kernel?

Maybe to make your question clearer: what are explicit examples of things that
you don't like about the current configuration that you are trying to change
or disable?

In terms of removing unnecessary stuff from a container image, the
easiest/simplest way to do this probably depends on what application you're
packaging into a container & how it is implemented.

For example, it is possible to build a container image for a go application that
starts with an empty "scratch" container base image (ie there's no layer of
distro such as debian, debian-slim or Alpine Linux).

Not sure if this is a great guide but it has an example:
[https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324](https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324)

The same approach of starting without a distro as the base layer of the docker
container image won't be as easy for deploying a different application that
does not contain its own dependencies and assumes it can load a bunch of
shared libraries that the distribution provides & read files the distribution
has prepared for it.

~~~
riyakhanna1983
Sorry, I should have made it clearer. Yes, I'm talking about the Linux kernel
on the host that's running Docker containers. If I use the default Ubuntu
kernel, it contains a bunch of unnecessary functionality. Is there a tool that
I can use to configure the host kernel to only contain the absolutely
necessary functionality required by the Docker container image?

~~~
akulbe
In my opinion you're wasting your time. The Ubuntu kernel is very modular to
begin with and only needed functionality for the hardware you're booting on is
going to load anyways.

Just use the stock config and do your Docker work as is. You're going to be
more productive not chasing down this yak-shaving pursuit that will get you
very little benefit to begin with. ¯\_(ツ)_/¯

~~~
akulbe
And if you really seriously _MUST_ have this optimization you're after… Gentoo
or LFS are probably better suited for the job.

Again, that's a lot of time to waste for very little ROI.

~~~
akulbe
Another one that came to mind… Alpine Linux.

------
stevekemp
Download the kernel source, once unpacked you can configure it to build only
the modules you have currently loaded via "make localmodconfig".

Of course if you've never built a kernel before you'll need to read the
documentation, and you'll probably want to look at the Ubuntu documentation
too - since you'll want to build a .deb package, rather than a raw kernel.
You'll want to search for "ubuntu make-kpkg".

But really you're not going to gain much, except learning. Sure a kernel with
less stuff available might save disk space, but there are easier ways to save
disk-space on Ubuntu systems.
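An added example, not part of the thread and not anyone's posted code, for the "make localmodconfig" route above. The gotcha on a Docker host is that localmodconfig keeps only modules that are loaded at the moment you run it, and Docker pulls in overlay, veth, br_netfilter and the netfilter match modules only once containers are actually running. The script below therefore merges several lsmod snapshots (two constructed sample snapshots are embedded) into one file in lsmod format, which the kernel's streamline_config.pl accepts through the LSMOD variable, and only touches a real source tree when KSRC points at one. The `bindeb-pkg` target is the kernel tree's own .deb packaging and is assumed here as the current replacement for make-kpkg.

```shell
#!/bin/sh
# Added example (not from the thread): build the LSMOD input for
# "make localmodconfig" from several lsmod snapshots, so that modules a
# Docker host loads only on demand (overlay, veth, br_netfilter, ...)
# are not dropped from the rebuilt kernel. Module lists below are
# constructed sample data, not taken from any real host.

set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed snapshot 1: host idle, before the Docker daemon started.
write_idle_snapshot() {
    cat >"$1" <<'EOF'
Module                  Size  Used by
e1000                  163840  0
ext4                   786432  1
crc32c_intel            24576  2
EOF
}

# Constructed snapshot 2: same host while containers are running.
write_busy_snapshot() {
    cat >"$1" <<'EOF'
Module                  Size  Used by
overlay                147456  3
veth                    28672  0
br_netfilter            32768  0
xt_conntrack            16384  2
e1000                  163840  0
ext4                   786432  1
crc32c_intel            24576  2
EOF
}

# Print module names from an lsmod-format file (first column, header skipped).
module_names() {
    awk 'NR > 1 && NF > 0 { print $1 }' "$1"
}

# Union of all snapshots given as arguments, written in lsmod format,
# which is what scripts/kconfig/streamline_config.pl reads from $LSMOD.
merge_snapshots() {
    out="$1"; shift
    {
        printf 'Module Size Used by\n'
        for f in "$@"; do module_names "$f"; done | sort -u
    } >"$out"
}

# Number of distinct modules in a merged snapshot (quick sanity check).
count_modules() {
    module_names "$1" | wc -l | tr -d ' '
}

write_idle_snapshot "$WORK/lsmod.idle"
write_busy_snapshot "$WORK/lsmod.busy"
merge_snapshots "$WORK/lsmod.merged" "$WORK/lsmod.idle" "$WORK/lsmod.busy"
echo "merged snapshot: $(count_modules "$WORK/lsmod.merged") modules in $WORK/lsmod.merged"

# The actual rebuild only runs when a kernel source tree is provided
# (KSRC is an assumed variable for this example).
KSRC="${KSRC:-}"
if [ -n "$KSRC" ] && [ -d "$KSRC" ]; then
    cd "$KSRC"
    cp "/boot/config-$(uname -r)" .config      # start from the distro config
    make LSMOD="$WORK/lsmod.merged" localmodconfig
    make -j"$(nproc)" bindeb-pkg               # in-tree .deb packaging
fi
```

On a real host, take the snapshots with `lsmod > file` at different points in time (idle, with your containers running, after a reboot) rather than using the embedded ones; anything that never shows up in any snapshot will be absent from the rebuilt kernel, so a module that is only loaded for a rare device or network path is the first thing to check when the new kernel misbehaves.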

~~~
riyakhanna1983
I'm looking to improve the security posture by stripping the kernel of
unwanted stuff (ebpf, zillion different file systems, drivers) that introduce
CVEs into the kernel.

~~~
stevekemp
There are probably better approaches; for example you could disable loading
modules for code you don't use - without the need to rebuild the whole thing.

I guess it comes down to understanding your threat model.
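An added example, not from the thread and not anyone's posted code, of the "disable loading modules for code you don't use" approach in the reply above. It generates a modprobe.d drop-in that denies a list of modules (the candidate list, the lsmod snapshot and the output directory are all constructed for the example; on a real host the file belongs under /etc/modprobe.d/). The check a practitioner wants here is that a module which is currently loaded is never denied, so the script skips and reports any candidate that appears in the snapshot.

```shell
#!/bin/sh
# Added example (not from the thread): block loading of kernel modules a
# Docker host has no use for, without rebuilding the kernel. The module
# list, the lsmod snapshot and the output directory are constructed for
# this example.

set -eu

OUT="${OUT:-$(mktemp -d)}"
CONF="$OUT/hardening.conf"

# Constructed lsmod snapshot of what the host currently has loaded.
write_snapshot() {
    cat >"$1" <<'EOF'
Module                  Size  Used by
overlay                147456  3
ext4                   786432  1
e1000                  163840  0
EOF
}

# Candidate modules to deny: filesystems and protocols a container host
# rarely needs (constructed list; ext4 is included only to show the skip).
DENY_CANDIDATES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf dccp sctp rds tipc usb_storage ext4"

# Print module names from an lsmod-format file (first column, header skipped).
module_names() {
    awk 'NR > 1 && NF > 0 { print $1 }' "$1"
}

# Emit the modprobe.d file. "install <mod> /bin/false" makes modprobe run
# /bin/false instead of loading the module, so loads through dependencies
# or explicit modprobe calls fail as well; plain "blacklist" only disables
# alias-based autoloading. Modules present in the snapshot are skipped and
# printed, because denying a module that is in use breaks the host.
write_deny_conf() {
    snapshot="$1"; conf="$2"; shift 2
    skipped=""
    : >"$conf"
    for mod in "$@"; do
        if module_names "$snapshot" | grep -qx "$mod"; then
            skipped="$skipped $mod"
            continue
        fi
        printf 'install %s /bin/false\n' "$mod" >>"$conf"
        printf 'blacklist %s\n' "$mod" >>"$conf"
    done
    echo "${skipped# }"
}

# Number of modules denied in a generated file.
denied_count() {
    grep -c '^install ' "$1"
}

write_snapshot "$OUT/lsmod.now"
# Word-splitting of DENY_CANDIDATES is intended here.
SKIPPED=$(write_deny_conf "$OUT/lsmod.now" "$CONF" $DENY_CANDIDATES)
echo "skipped (currently loaded): $SKIPPED"
echo "wrote $CONF with $(denied_count "$CONF") denied modules"
```

On Ubuntu the drop-in should be followed by `update-initramfs -u` so early boot sees the same rules. A complementary, stronger step once the host has loaded everything it needs is `sysctl -w kernel.modules_disabled=1`, which refuses any further module loading until the next reboot and cannot be undone at runtime.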

