In "Clap for Tinkerbell!" we discussed how PXE booting (pulling a bootable image across the network at server startup) might provide unprecedented levels of responsiveness in systems deployment and redeployment, with significant concomitant benefits in business continuity and server security (through rapid patch propagation). One synergistic technique that can be used in conjunction with pixie booting is server image management - manipulation of operating systems images to improve security and shrink server-image footprints.

Image management currently usually means creating and maintaining a catalog of server disk image masters that can then be deployed to servers, by hand or with a provisioning system.

Unfortunately, most operating system installations - whether Solaris, Linux or (especially) Windows - include myriad drivers, libraries, and applications that a particular server instance will not need or ever use in the work for which it is deployed. In other words, each copy of each image carries a lot of excess baggage.

More complete and aggressive management of server images can unlock great benefits in terms of both space savings and improved security profiles. Systems administrators can strip out unused components and applications without losing any needed functions, in many cases dropping gigabytes of material. Trimming a multi-gigabyte image down to under 100 megabytes adds up to immense space savings quickly when applied to thousands of server image instances. Saving space means lowering power and cooling loads, too, or at least slowing their growth.

A smaller image means faster boot times, of course, with or without PXE, and that has good implications for dynamic reallocation of resources as well as for failover and availability.

In a rapidly virtualizing world, slimmer boot images also mean lower overhead for each virtual machine laid onto a host, allowing administrators to stack virtual machines more deeply.

A stripped-down image means better security, as well: a library or driver you don’t have is one you needn’t patch and through which you can’t be compromised.

Data center and server managers we have spoken to in our research have pursued this image-stripping strategy all the way to the point of deploying an embedded version of an operating system rather than a typical multi-purpose server version, so that they can concentrate on adding what they need rather than taking away what they don’t.