Reducing container image size improves security, speeds up cold starts, and cuts network transfer costs. Yet in development workflows, it’s easy to inherit bloated base images or copy templates full of unused tools. To build minimal, production-ready OCI images, we need visibility into what a container actually uses at runtime

This talk presents a lightweight method for profiling file access inside containers using eBPF, Podman, and OCI lifecycle hooks. By leveraging the prestart hook, we can gain access to the container’s initial PID, allowing an eBPF program to trace all file opens. Tracepoint and LSM (Linux Security Module) eBPF programs are combined to capture the absolute path of each opened file.

In this presentation, we will show how this approach can allow us to distinguish required files from bloat, validate dependencies, and reduce container image size, resulting in smaller, faster, and more secure OCI images.