
Show HN: Slim – Build and run tiny VMs from Dockerfiles - chrisparnin
https://github.com/ottomatica/slim
======
saurabhnanda
Can someone dumb this down for me? What _exactly_ is going on here?

> slim will build a micro-vm from a Dockerfile. Slim works by building and
> extracting a rootfs from a Dockerfile, and then merging that filesystem with
> a small minimal kernel that runs in RAM.

> This results in a real VM that can boot instantly, while using very limited
> resources. If done properly, slim can allow you to design and build
> immutable unikernels for running services, or build tiny and embedded
> development environments.

~~~
dharmab
Docker images contain a filesystem for an operating system, minus the OS
kernel. This project uses Docker to build a tiny OS, extracts all the files
out of the Docker image, adds a small OS kernel and re-packages that as a VM
image.

~~~
RyanShook
So why was Docker needed to create a lightweight VM? I thought Docker was
supposed to replace VMs.

~~~
aiCeivi9
Working with VM images was a PITA, I don't know if anything changed. Having a
recipe (Dockerfile) and the required files in VCS is useful as a reference even
when setting up bare metal machines. So Docker (and Puppet/Ansible) might have a
bigger impact on work organisation than on anything else.

~~~
gmuslera
You still have the Dockerfile and the required files in a VCS, but now what
you have running is a full VM instead of a somewhat isolated process sharing
kernel with other containers.

So far so good, for individual/standalone containers. But if you need tightly
integrated containers (sharing networks, volumes, ports and so on) things may
be a bit more complicated. And not sure about Kubernetes. YMMV

------
hardwaresofton
Recently on HN (I think) and related:

- [https://micromind.me/en/posts/from-docker-container-to-bootable-linux-disk-image/](https://micromind.me/en/posts/from-docker-container-to-bootable-linux-disk-image/)

- [https://godarch.com/](https://godarch.com/)

Really like seeing these new usecases for containers -- would have never
thought to mix the two technologies in this way.

~~~
Koshkin
Well, containers and VMs are two different things (are they not?).

~~~
vkaku
Yes, but the cool thing is definitely the single system image

~~~
rhizome
Not a cluster SSI, though (shared environment, process migration between
instances, etc.), as far as I could gather?

[https://en.wikipedia.org/wiki/Single_system_image](https://en.wikipedia.org/wiki/Single_system_image)

------
vkaku
This is great! I really wish we'd always create a single system image for both
Docker and Physical/VM, preferably with minimal/no-init.

This is very useful when trying to create a basic datacenter specific
distro/deployment, preferably Pixie bootable as well.

------
AlphaSite
In the same vein, there is:
[https://github.com/vmware/vic](https://github.com/vmware/vic) a docker engine
for esx/vsphere.

Note: I work at VMware but not on this project.

------
lwb
Wait a minute. I thought Docker was useful because you didn't want to run a
whole VM. But this project turns a Dockerfile into a VM specification? Have we
come full circle?

~~~
root_axis
Docker can replace a VM for many use-cases, but there are times when a VM is
still preferable. If you find yourself in such a situation, this tool allows
you to leverage declarative Dockerfiles to build your VM. Pretty handy.

~~~
freedomben
Yep, I could see this being a nice option if you're running something very
security sensitive and want some extra defense by isolating the kernel.

------
hedora
I’d love to see an orchestrator that made switching between bare metal, vm and
containers a simple configuration option.

This is a step in that direction. Cool stuff!

~~~
pcnix
There's this[1], though not exactly what you asked for.

[1] - [https://github.com/firecracker-microvm/firecracker-containerd](https://github.com/firecracker-microvm/firecracker-containerd)

------
gravypod
Would be really cool to use this to predictably build images for booting from
PXE.

~~~
wmf
Try LinuxKit.

------
dastx
Why does everything in node have to have all the dependencies in the world?

```
@sindresorhus/is JSONStream ansi-regex ansi-styles archive-type argparse
asn1 async balanced-match base64-js bcrypt-pbkdf bl bluebird brace-expansion
buffer buffer-alloc buffer-alloc-unsafe buffer-crc32 buffer-fill buffer-from
cacheable-request camelcase caw chalk chownr cliui clone-response color-convert
color-name commander concat-map concat-stream config-chain content-disposition
core-util-is cross-spawn debug decamelize decode-uri-component
decompress decompress-response decompress-tar decompress-tarbz2 decompress-targz
decompress-unzip docker-modem dockerode download duplexer3 emoji-regex
end-of-stream escape-string-regexp esprima execa ext-list ext-name fd-slicer
file-type filename-reserved-regex filenamify find-up from2 fs-constants fs-extra
fs-minipass fs.realpath get-caller-file get-proxy get-stream glob got
graceful-fs graceful-readlink has-flag has-symbol-support-x has-to-string-tag-x
hasbin http-cache-semantics ieee754 inflight inherits ini into-stream
invert-kv ip is-fullwidth-code-point is-natural-number is-object is-plain-obj
is-port-available is-retry-allowed is-stream isarray isexe isurl js-yaml json-buffer
jsonfile jsonparse keyv lcid locate-path lodash lowercase-keys make-dir
map-age-cleaner md5-file mem mime-db mimic-fn mimic-response minimatch
minimist minipass minizlib mkdirp ms mustache nice-try node-virtualbox
normalize-url npm-conf npm-run-path object-assign once os-locale p-cancelable
p-defer p-event p-finally p-is-promise p-limit p-locate p-timeout p-try path-exists
path-is-absolute path-key pend pify pinkie pinkie-promise prepend-http
process-nextick-args progress proto-list pump query-string readable-stream
require-directory require-main-filename responselike safe-buffer safer-buffer
scp2 seek-bzip semver set-blocking shebang-command shebang-regex signal-exit
simple-git sort-keys sort-keys-length split-ca sprintf-js ssh2 ssh2-streams
streamsearch strict-uri-encode string-width string_decoder strip-ansi strip-dirs
strip-eof strip-outer sudo-prompt supports-color tar tar-fs tar-stream
through timed-out to-buffer trim-repeated tunnel-agent tweetnacl typedarray
unbzip2-stream universalify url-parse-lax url-to-options util-deprecate uuid
which which-module wrap-ansi wrappy xtend y18n yallist yargs yargs-parser
yauzl
```

~~~
ManuelKiessling
Yesterday a friend of mine told me about how they got a Node.js application
from a vendor that was about 3 MiB, and after running npm install, it was over
1 GiB.

I half-jokingly said that Node apps are the new ZIP bombs.

~~~
hn23
good luck to your friend with repeatable installations :P

~~~
JustSomeNobody
If you need repeatable installations, wouldn't node be the wrong tool? I mean,
you'd have to freeze everything yourself and then those libraries become
_your_ problem. Ugh. That's a hell nobody wants.

~~~
chrisbroadfoot
To be pedantic, it's "wouldn't npm be the wrong tool" (it isn't, necessarily,
I believe lockfiles provide you with reproducible builds)

Vendoring/copying them is another way to achieve this (and means you don't
need to depend on npm or its lockfiles).

Regardless, those libraries are your problem whether you vendor/copy them or
not.

Read more: [https://research.swtch.com/deps](https://research.swtch.com/deps)

------
tomglynch
This has good potential. What are the limitations on the VM?

~~~
chrisparnin
Some limitations in terms of the vms and providers:

* If the size of the initrd is too large, it cannot properly unpack into vm's RAM --- size of RAM must be increased accordingly. We could also change [boot params]([https://www.lightofdawn.org/blog/?viewDetailed=00128](https://www.lightofdawn.org/blog/?viewDetailed=00128)), or use shared disks, etc.

* For hyperkit, Apple's vmnet requires sudo to create a bridge interface on host. We've played with a version that uses vpnkit and port forwarding (like linuxkit/Docker for Mac), but this adds lots of complexity in image, and opted for the simpler approach.

* We would like a better template mechanism for reusing base images and extending. Right now, we support using base image reuse, with extensions through docker buildargs---ideally, we would want something like %include support in Dockerfiles.

* Finally, we're investigating how to make images work well on multiple providers. For example, ubuntu does not play nice with hyperkit out-of-the-box, but works fine for vbox and kvm.

~~~
sansnomme
What about swarm mode and orchestration? Also I presume like LinuxKit, there
will be configs for different clouds e.g. Digital Ocean and AWS run ISOs
slightly differently.

~~~
chrisparnin
Yes, one use-case is making it easier to setup/teardown clusters for local
testing. Two practical scenarios for us: 1) autograding ansible/configuration
scripts, 2) CI for instructions/tutorials that involve clusters/devops:
[https://builds.sr.ht/~ottomatica/job/69644#task-report](https://builds.sr.ht/~ottomatica/job/69644#task-report)

Cloud-ready images are an important direction, and on the horizon.

------
peterwwillis
If this works, this is fantastic. Getting away from the stupidly complex
abstractions around Docker is a welcome change, especially if we can still
package and deploy immutable images. We already manage containers like tiny
VMs, so ditching the abstractions should simplify life a bit.

~~~
tssva
Have you looked at LXD/LXC? I find it to be a great compromise between the
high overhead of VMs and the complex abstractions around Docker.

~~~
peterwwillis
Yes, it's still just more abstractions. If you look at the way people use ECS,
allocating specific resource limits to each container, it's basically a micro
EC2 node. And for me, the only reason I use containers is to make it easier to
package and run applications immutably. If I can do that without
"containerisms", all the better. It also seems like VMs would solve a good
deal of multi-tenancy issues.

------
ajsharp
This is cool. For dev, the docker runtime consumes an enormous amount of host
system resources. Even with a 16gb RAM host machine, docker is really resource
heavy for a development environment. If this can cut down on host system
resource usage, that's a major win.

~~~
kristianp
Are you on a non linux host? I assume docker is a lot less heavy on resources
on linux than on mac&win.

~~~
freedomben
They have to be. Docker is extremely lightweight on a linux host.

~~~
GordonS
I assume they are running it on Windows - I've been running Docker Desktop on
Windows for years, and it's backed by a Hyper-V Linux VM, which does seem to
use a lot more CPU than running Docker on Linux.

------
dlespiau
Yet another different take: footloose – Containers that look like Virtual
Machines!

[https://github.com/weaveworks/footloose](https://github.com/weaveworks/footloose)

(Disclaimer: I'm the author of footloose)

------
40four
This sounds interesting, I want to look into it further. However, my immediate
thought is what about the naming conflict with the very popular PHP framework?

[http://www.slimframework.com/](http://www.slimframework.com/)

------
Hortinstein
this is great! This might have saved me some time I was planning on spending
to learn packer. I have a docker based project and I wanted to add VM
generation to the CI pipeline.

Really excited to play with this tonight

------
pard68
Can slim be used to create an iso? So:

Dockerfile > slim > iso

~~~
PhilippGille
From the GitHub README:

> `$ slim build images/alpine3.8-simple`

> This will add a bootable iso in the slim registry.

------
sealthedeal
What would an ideal real-world scenario look like for using these micro vms?

~~~
pcnix
Docker containers don't have a robust security boundary, due to the kernel
sharing that they do. These micro VMs combine the low resource cost of a
container with the solid security boundary of a VM, which is very useful in a
multi tenant architecture.

AWS Fargate and AWS Lambda run entirely on micro VMs.

------
buildbuildbuild
I’m curious how this approach compares with Kata Containers. Very cool.

------
JustSomeNobody
Are we just going in circles now?

Why not just start with a tiny vm and call it a day?

~~~
yjftsjthsd-h
Tooling matters. Building and managing VMs has, historically, been more work.

~~~
eeZah7Ux
Debootstrap has been doing the work with pretty much one command for 10+
years.

------
ph0rque
Does this allow for a docker image to be run inside a browser tab?

~~~
pas
Naturally. With this and a bit of hacking:
[https://bellard.org/jslinux/](https://bellard.org/jslinux/)

~~~
ph0rque
Forgive my lack of technical depth, but is it actually running client-side, in
the memory allocated to my newly-opened browser tab, or on bellard.org's
server and syncing the input/output to my browser?

~~~
cbluth
Technical depth? Did you click the link?

> Run Linux or other Operating Systems in your browser!

It runs in your browser.

If you clicked the link you would also see demo links that run in your
browser.

~~~
pas
No need to be abrasive, many companies offer things "in your browser" yet they
merely send you the frontend and instruct your browser to connect to their
backend.

Such as gaming SaaS thingies.

------
robbomacrae
Thank you!! I always wanted to have a way of quickly ssh'ing into my docker
image with some sort of virtual box implementation so I could poke around. I
always felt the debug tools lacking. This is perfect. Can't wait to try it
out!

~~~
nine_k
Here comes!

Getting shell in a new copy of container:

`docker run -it --entrypoint=/bin/sh ${container}`

Running shell inside a running container:

`docker exec -it ${container} /bin/sh`

Running sshd inside a container to let you peek inside is bad taste, and bad
security, too.

------
smattiso
What would it take to get this running on iOS and Android?

~~~
seabrookmx
You'd never be able to run this on iOS. It's far too locked down.

You might be able to add QEMU support to this, and then run it on an Android
device if you have root. But it would perform terribly because mobile chips
generally don't have virtualization extensions and ARM as a virtualization
host is a pretty immature platform.

TL;DR - far too much to be practical.

------
IloveHN84
Why JavaScript instead of something more performant?

~~~
pjc50
Normally the language for doing this kind of system building would be ..
Bourne shell. Or Perl/Python.

~~~
GordonS
I was actually expecting Bash scripts before I looked at the GitHub repo.

TBH, I think the code would be a lot simpler if it was just Bash.

------
idlewords
Stuff used to boot off of a floppy disk!

~~~
shereadsthenews
Used to have self-replicating persistent malware hidden inside files that fit
on floppy disks.

~~~
yjftsjthsd-h
And now we have compromised NPM packages and Dockerhub accounts. What's your
point?

~~~
shereadsthenews
My point is people used to be able to program computers and now it's all
embedded browsers all the way down which is why the recommended way to install
ubuntu from macos involves downloading and running (as root!) a 330MB electron
app.

------
nerd7473
A neat idea

