“Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.”
Antoine de Saint-Exupéry, the French novelist, penned this statement back in the early 1900s. His statement always makes me think of the early sculptors who would start with a big block of marble and chip away at the block until their vision emerged.
Manufacturing of metal parts and other machined items works in a very similar way: take a big block of metal and mill it down until you get your desired part. This method of “subtractive” manufacturing takes lots of time, generates waste and constrains the part design. Some parts must be split into multiple separate components due to “impossible” shapes that the cutting head cannot reach (typically “inside” the part).
Virtual machines are analogous to this big block of material. You install a monolithic operating system, then chip away at it trying to make it secure and performant. Like that milling process, removing some of the “big uglies” can be easy, but getting rid of all the “small extra” stuff is extremely difficult. The resulting image is big (GB+) and requires administration and patching, a real long-term commitment.
The adoption of three dimensional printing technologies ushered in “Additive” manufacturing, enabling the “printing” of “impossible” things ranging from bridges to rocket engines. What you “print” is limited only by the size of the printer and the material supported by the printhead.
Containers adopt this “additive” manufacturing approach. Just pick the libraries your code needs, nothing more. The image is small and immutable, and if we did this right you can’t even SSH into your container. The goal here is to never patch and never “manage” this container. When the container needs to be patched, you create a new one! This shift to the minimum necessary enabling libraries allows us to start “printing” software containers with the same functionality but smaller threat surfaces. The elimination of the full-fledged operating system reduces your threat surface considerably. By including only 10% of the operating system, you should only see about 10% of the vulnerabilities and zero-days!
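As an added example of the “additive” build described above (not code from the original post), this multi-stage Dockerfile compiles a program with a full toolchain and then ships only the resulting binary on an empty base image, with no shell, no package manager and no SSH daemon to log into. It assumes a Go program whose entry point lives at `./cmd/app` in the build context; that path and the listening port are placeholders.

```dockerfile
# Added example (not from the original post). Assumes a Go program at ./cmd/app
# in the build context; the path and port are placeholders.

# --- Stage 1: build with the full toolchain (this layer never ships) ---
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary so the runtime stage needs no libc, shell or loader.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# --- Stage 2: ship only the binary ---
# 'scratch' is an empty filesystem: nothing is present except what is copied in,
# so there is no sshd, no package manager and no shell for anyone to use.
# "Patching" means rebuilding stage 1 on a newer toolchain image and redeploying,
# never editing the running container.
FROM scratch
COPY --from=build /out/app /app
# Drop to an unprivileged uid/gid; there is no /etc/passwd here, so use numbers.
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Run it with the filesystem read-only and Linux capabilities dropped so the immutability holds at runtime too, for example `docker run --read-only --cap-drop=ALL -p 8080:8080 <image>`. If the program needs TLS root certificates or timezone data, `scratch` has none; copying `/etc/ssl/certs/ca-certificates.crt` from the build stage, or using a distroless static base image, adds just those files while keeping the rest of the operating system out.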