On Thu, Apr 1, 2021 at 2:36 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Thu, Apr 1, 2021 at 2:23 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> >
> > https://fedoraproject.org/wiki/Changes/SmallerContainerBase
> >
> > == Summary ==
> > This change proposes to remove 3 packages (sssd-client, util-linux,
> > shadow-utils) from the Container Base Image (including the minimal
> > image). The Fedora Base Image is still quite large compared to other
> > distributions and the tools offered by these packages are not
> > essential in the base image.
> >
> > == Owner ==
> > * Name: [[User:cverna| Clément Verna]]
> > * Email: <cverna-at-fedoraproject.org>
> >
> >
> > == Detailed Description ==
> > This is a proposal to make the Fedora Container Base image smaller by
> > removing the following 3 packages:
> > * sssd-client
> > * util-linux
> > * shadow-utils
> >
> > Current size of the base image and minimal base image:
> > {| class="wikitable"
> > |-
> > ! REPOSITORY !! TAG !! IMAGE ID !! CREATED !! SIZE
> > |-
> > | registry.fedoraproject.org/fedora || 34 || eede0db319cc || 2 days ago || 187 MB
> > |-
> > | registry.fedoraproject.org/fedora-minimal || 34 || 4ff120184ee4 || 2 days ago || 122 MB
> > |}
> >
> > The installed size of each package is:
> >
> > {| class="wikitable"
> > |-
> > ! Package !! Installed Size (bytes)
> > |-
> > | util-linux || 13018140
> > |-
> > | shadow-utils || 3876259
> > |-
> > | sssd-client || 317948
> > |}
> >
> > Removing these packages would save around 17 MB in both images.
> >
> > Each of these packages provides useful tools, but the main goal of the
> > base image is for building layered images. Each of these packages can
> > easily be added to a layered image if needed.
> >
> > More information and discussion for each package is in the Container
> > SIG tracker:
> >
> > sssd-client : https://pagure.io/ContainerSIG/container-sig/issue/44
> >
> > util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45
> >
> > shadow-utils : https://pagure.io/ContainerSIG/container-sig/issue/46
> >
> >
> > == Benefit to Fedora ==
> > Reducing the size of the base image makes it a more interesting choice
> > for users to build layered images using Fedora. The base image is also
> > heavily used by CI systems, so reducing the size makes it faster to
> > pull.
> > Removing packages from the base image also reduces the number of CVEs
> > our users have to care about.
> >
> >
> > == Scope ==
> > * Proposal owners:
> > Explicitly remove the 3 packages from the base image kickstart:
> > https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks
> >
> > * Release engineering:
> > Approve and merge the kickstart change.
> >
> > * Policies and guidelines: N/A (not needed for this Change)
> >
> > * Trademark approval: N/A (not needed for this Change)
> >
> > * Alignment with Objectives: N/A
> >
> > == Upgrade/compatibility impact ==
> >
> > Some layered images that relied on these packages being provided by
> > the base image will fail to build. These images will now have to make
> > sure to install the required package in their Containerfile/Dockerfile.
> >
> > In most cases that will result in adding the following:
> >
> > RUN dnf -y install sssd-client shadow-utils util-linux && dnf clean all
> >
> >
> > == How To Test ==
> > Once implemented, one can test this change by pulling the rawhide
> > image and verifying that none of the above packages are present in the
> > image.
> >
> > == User Experience ==
> > See Upgrade/compatibility impact
> >
> > == Dependencies ==
> >
> > == Contingency Plan ==
> > Kickstart changes can simply be reverted and the packages added back
> > to the base image.
> >
>
> The only one of these I have a major problem with removing is
> shadow-utils. Without those tools, it's impossible to create and
> modify users, and that's an extremely common pattern for containers. I
> also don't think freeing 4MB on the unpacked rootfs is much of a gain
> for the pain you're about to cause by dropping shadow-utils from the
> base image. The overhead of having to install that makes it
> considerably less attractive to use.
>
> Unless OpenShift and RKE recently changed so that containers can run
> as root by default (as of yesterday, they didn't), this is solidly a
> bad idea, since it makes it much more unintuitive to set up secure
> containers conforming with the guidelines for these Kubernetes
> platforms.
>

Of course, I mean here container inner environments running with a root
user context. At least with OpenShift, containers that are not adapted
to run non-root tend to fail by default, in my experience and testing.

-- 
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
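The thread turns on two practical points: layered images that need `useradd` must now pull shadow-utils in themselves (the proposal's Upgrade/compatibility section), and images aimed at OpenShift must work when the platform runs them as a non-root, arbitrary UID (Neal's objection). The Containerfile below is an added example, not code from the Change proposal or from Fedora's kickstarts; it reinstalls shadow-utils on the slimmed base, creates an unprivileged account with `useradd`, and lays out the filesystem so the container still works when the orchestrator ignores the image's UID. The base tag (`rawhide`, as named in How To Test), the user name `app`, UID 1001, the `/app` path and the `entrypoint.sh` file are assumptions for the example.

```dockerfile
# Added example (not from the proposal or the thread): a layered image on
# the slimmed Fedora base that brings shadow-utils back for `useradd` and
# prepares the image for a non-root runtime.
FROM registry.fedoraproject.org/fedora:rawhide

# The base no longer ships shadow-utils (nor util-linux or sssd-client),
# so the build must install what it needs. `dnf clean all` keeps the
# layer from carrying the metadata cache.
RUN dnf -y install shadow-utils && dnf clean all

# Dedicated service account. Name, UID and the /app path are assumptions
# for this example. Primary group 0 (root group) matters below.
RUN useradd --uid 1001 --gid 0 --no-create-home --shell /sbin/nologin app

# OpenShift's restricted SCC starts the container as an arbitrary UID
# from the project's range, not as 1001, but that UID is a member of
# GID 0. Give writable paths to group 0 and align group permissions
# with the owner's (g=u) so either identity can use them.
RUN mkdir -p /app/data \
 && chown -R 1001:0 /app \
 && chmod -R g=u /app

# entrypoint.sh is assumed to exist in the build context.
COPY --chown=1001:0 entrypoint.sh /app/entrypoint.sh
RUN chmod 0755 /app/entrypoint.sh

# Drop privileges in the image itself so `podman run` without an
# orchestrator also lands in the unprivileged account.
USER 1001
WORKDIR /app
ENTRYPOINT ["/app/entrypoint.sh"]
```

Build with `podman build -t myapp .` and run with `podman run --rm --user 1000123456:0 myapp` to rehearse the arbitrary-UID case locally; anything the process tries to write outside group-writable paths will fail there just as it would under the restricted SCC. To confirm the base image itself matches the proposal once the kickstart change lands, `podman run --rm registry.fedoraproject.org/fedora:rawhide rpm -q sssd-client util-linux shadow-utils` should report all three as not installed.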