I had a situation where I had to build an app from an SD card image (block device) and containerize it.
Since the image was over 7 GiB, I had to remove all unused files from it to keep it as slim as possible.
To do that, I decided to use auditd to monitor every file touched while the executable started and ran for some time. Once that is done, we just need to extract the file paths.
apt-get install auditd -y
systemctl start auditd
# Record all access to files
auditctl -w / -k touched-files
# Run app
/bin/some-app
# Remove logging
auditctl -W / -k touched-files
# Gather files & directories which were used
grep -F 'type=PATH' /var/log/audit/audit.log | grep -oE 'name="[^"]+"' | cut -d'"' -f2 | sort -u > /files-to-keep.txt
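The grep pipeline above only picks up quoted absolute names. auditd writes names containing spaces or other special characters as bare hex, records relative names exactly as the program passed them (the working directory is in the event's CWD record), and logs PATH records for every rule, not just this key. The following is an added example, not part of the original post, that handles those cases; the function names and the sample records are constructed for illustration.

```python
import posixpath
import re

# Constructed sample records in raw audit.log form (not from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:41): arch=c00000b7 syscall=56 success=yes exit=3 comm="some-app" exe="/bin/some-app" key="touched-files"
type=CWD msg=audit(1700000000.101:41): cwd="/opt/app"
type=PATH msg=audit(1700000000.101:41): item=0 name="conf/app.ini" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:42): arch=c00000b7 syscall=56 success=yes exit=4 comm="some-app" exe="/bin/some-app" key="touched-files"
type=CWD msg=audit(1700000000.202:42): cwd="/opt/app"
type=PATH msg=audit(1700000000.202:42): item=0 name=2F6F70742F6170702F6D7920646174612E6462 inode=132 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:43): arch=c00000b7 syscall=56 success=yes exit=3 comm="cron" exe="/usr/sbin/cron" key="other-rule"
type=CWD msg=audit(1700000000.303:43): cwd="/"
type=PATH msg=audit(1700000000.303:43): item=0 name="/etc/crontab" inode=77 nametype=NORMAL
type=PATH msg=audit(1700000000.404:44): item=0 name=(null) inode=9 nametype=NORMAL
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\(([^)]+)\):")
FIELD = re.compile(r'\b(name|cwd|key)=("[^"]*"|\S+)')  # does not match nametype=

def decode(raw):
    """Quoted values are literal; bare values are hex-encoded, or (null)."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "surrogateescape")
    except ValueError:
        return None

def touched_paths(log_text, key="touched-files"):
    """Absolute paths from PATH records whose event carries the given rule key."""
    events = {}  # event id -> key, cwd and names collected from its records
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, eid = m.groups()
        ev = events.setdefault(eid, {"key": None, "cwd": "/", "names": []})
        fields = {k: decode(v) for k, v in FIELD.findall(line)}
        if rtype == "SYSCALL":
            ev["key"] = fields.get("key")
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd") or "/"
        elif rtype == "PATH" and fields.get("name"):
            ev["names"].append(fields["name"])
    return sorted({posixpath.normpath(posixpath.join(ev["cwd"], n))
                   for ev in events.values() if ev["key"] == key
                   for n in ev["names"]})
```

Calling `touched_paths(open("/var/log/audit/audit.log").read())` and writing one path per line gives a drop-in replacement for /files-to-keep.txt.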
Once we have the files-to-keep.txt file ready, we need to copy it into the container (the commands below read it from /tmp/files-to-keep.txt) and run the following commands to remove everything else (and make the image slim).
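# Resolve symlinks so the link targets are kept too (-d '\n' keeps paths with spaces intact)
xargs -d '\n' realpath -q -- < /tmp/files-to-keep.txt > /tmp/files-to-keep-realpaths.txt
echo "/lib/ld-linux-aarch64.so.1" >> /tmp/files-to-keep-realpaths.txt
cat /tmp/files-to-keep-realpaths.txt /tmp/files-to-keep.txt | sort > files-to-keep
find / -mount -type f | sort > all-files
# Lines that appear only in all-files are the files nobody touched
comm -13 files-to-keep all-files > files-to-delete
# Keep the dynamic loader and the tools this procedure itself relies on
grep -vE 'ld-linux|find|xargs|grep|du' files-to-delete | xargs -d '\n' -n 500 rm -Rf --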
Once the container is prepared, we need to exit it, export its filesystem so that only the remaining files are kept, and then re-import it so the image consists of a single layer.
docker export d48d4cd2a9fe -o reduced-container.tar
docker import reduced-container.tar reduced-container
docker image list | grep reduced