Error trying to run (any) shell command

[AnthonyWC]

Looks like you cannot run any terminal/shell based command (and any application that relies on one)?

docker run --rm -it ansible/nocache.slim:latest ls

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"ls\": executable file not found in $PATH": unknown.

[tarellel]

I was getting issue,

docker pull ruby:2.6.1
docker-slim build -p -r ruby
# -p is the flag for http-probe
# -r is the command for remove-artifact files

I was able to load into IRB but not shell

docker run -it ruby.slim:latest                                                                                                                                                                                          
irb(main):001:0>

docker run -it ruby.slim:latest sh
# => docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown.

I began to look at a lot of the code and docs. (I could be wrong on this) But it appears that docker-slim not only strips away layers of the container to slim the images, but it also removes a lot the binary files and system links. Mind you this absolutely does slim the images down BIG TIME!!!

After looking at the docs, it appears you can has slim include certain folders in the new slimmed image.

docker-slim build -p -r --include-path="/bin" ruby:2.6.1
# When running this container you'll be able to start it with shell. But you won't be able to issue any shell commands such as - ls
docker run -it ruby.slim:latest sh 
# => ls: error while loading shared libraries: libselinux.so.1: cannot open shared object file: No such file or directory

You may have to take this a few steps farther and see exactly what fat you need to keep from trimming from the image

docker-slim build -p -r --include-path="/bin" --include-path="/sbin" --include-path="/lib" ruby:2.6.1

docker run -it ruby.slim:latest sh
$ ls
# => bin  dev  etc  lib  lib64  proc  sbin  sys  usr

Note: This is based on working with a Debian build.

[hazcod]

I am having issues getting a shell to work on red hat (comparable to centos). While I wish I wouldn't, I need a shell environment to execute two commands (one for generating config files, the other for the actual program) and substitute some environment variables.

Currently, I am still unable to initiate a shell sh (returning standard_init_linux.go:207: exec user process caused "no such file or directory").

My command: docker-slim build --http-probe --include-path="/bin" --include-path="/lib" --include-path="/sbin" <image>

My CMD:

CMD [ "/bin/sh", "-c", "/app/confd -onetime -backend env -confdir /app/conf/ -config-file /app/conf/conf.d/confd.toml && nginx -g 'error_log /dev/stderr;' -p /app -c /app/tmp/nginx.conf" ]

[kcq]

@HazCod This might or might not be shell related... It's great that your CMD instruction calls the shell binary. That's a good start. Have you tried wrapping your command to run confd into a shell script and then invoking the shell in the CMD instruction?

Either way, sounds like you'd benefit from a shortcut command to keep your shell :-) By the way, the latest release (1.24) includes a new flag to load the includes from a file (--include-path-file).

[kcq]

@tarellel Yes, it does remove a lot of binary files. It will remove everything your application doesn't need, so it works better if you already have an application :-) If you have a generic ruby image it won't know what it needs to keep. The --include-path and --include-path-file flags can help you keep extra resources in your images. It's usually recommended to use a sidecar container when you need to do something that's not included in your minified container. Here's an example: docker run --rm -it --pid=container:your_container_name_or_id --net=container:your_container_name_or_id --cap-add sys_admin alpine sh. This docker command will start a container attaching it to your minified container, so you can explore the target container and run shell commands from the sidecar.

Adding a shortcut to include the shell binaries is potential future option.

[kcq]

@AnthonyWC Can you tell me more about what you are trying to do with your container and your expectations. What is this ansible/nocache exactly? I cound't find it on DockerHub for some reason.

[kcq]

@HazCod version 1.25 adds a few new flags to make it easier to have a shell in the minified containers (--include-shell, --include-exe and --include-bin).

[hazcod]

Thank you @kcq ! What was the reason for having both --include-exe and --include-bin?

[kcq]

@HazCod with --include-exe you are including an executable app located in a directory included in the PATH env variable, so you can use the app name without providing its full path (e.g., --include-exe uname). With --include-bin you need to provide the entire path. The --include-bin also works for shared objects (it doesn't have to be an executable app).

[NoelToy]

Hi, am also facing similar kind off issue I have a JAVA-temurin base image which am trying to sliming it using docker-slim and it's reducing the size significantly but the issue is that it's removing many of the libraries, am not able to run ls command, vi command which was actually part of the base image, even it removed JAVA binaries also. Looking into the documentation I have use --include-path and --include-bin but of no use. Could you please help me with resolving this issue?

[kcq]

Hi, am also facing similar kind off issue I have a JAVA-temurin base image which am trying to sliming it using docker-slim and it's reducing the size significantly but the issue is that it's removing many of the libraries, am not able to run ls command, vi command which was actually part of the base image, even it removed JAVA binaries also. Looking into the documentation I have use --include-path and --include-bin but of no use. Could you please help me with resolving this issue?

Everything from the base image will be removed unless your application needs it or you explicitly ask to keep it. The --include-shell flag should allow you to keep a basic shell with a number of read-only commands. It won't keep vi though. The --include-bin flag requires full path to the binary file to keep. The --include-exe flag allows you to keep app by name. The --include-path is used to keep a specific directory or a specific file.

Is this the base image you are using? https://hub.docker.com/_/eclipse-temurin

Here are a few java examples (with spring, vertx and micronaut):

https://github.com/mintoolkit/examples/tree/master/3rdparty/spring-tomcat-war-maven https://github.com/mintoolkit/examples/tree/master/3rdparty/vertx-helloworld-maven https://github.com/mintoolkit/examples/tree/master/3rdparty/micronaut-java-maven

And a couple of older java examples (spring, dropwizard):

https://github.com/mintoolkit/examples/tree/master/java_standard https://github.com/mintoolkit/examples/tree/master/3rdparty/java-xdropwizard

Note that you might also need to specify custom http probes with the --http-probe-cmd flag (or the --http-probe-cmd-file flag that allows you to define more HTTP request parameters).

Here's an example from https://github.com/mintoolkit/examples/blob/master/3rdparty/spring-tomcat-war-maven/_mac/image_slim.command

mint slim --http-probe-cmd='/spring-boot-docker/' spring-tomcat-war-maven

Also make sure you are using the latest release

[NoelToy]

@kcq Thanks for quick reply. Am using https://hub.docker.com/_/eclipse-temurin only. I tried using "--include-exe=ls" also "--include--exe ls" along with docker-slim build command but still no luck, ls command is not working. Let me check on the example git repos that you have shared.