Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On 5/20/21 15:58, Colin Walters wrote: On Thu, May 20, 2021, at 8:21 AM, Daniel P. Berrangé wrote: Lets say the Fedora base image is refreshed with updated RPMs on a weekly basis. Each application republishes their app containers on an arbitrarily different schedule, maybe fortnightly,

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, 2021-05-20 at 15:58 -0400, Colin Walters wrote: > > On Thu, May 20, 2021, at 8:21 AM, Daniel P. Berrangé wrote: > > > Lets say the Fedora base image is refreshed with updated RPMs on a weekly > > basis. Each application republishes their app containers on an arbitrarily > > different

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, May 20, 2021, at 8:21 AM, Daniel P. Berrangé wrote: > Lets say the Fedora base image is refreshed with updated RPMs on a weekly > basis. Each application republishes their app containers on an arbitrarily > different schedule, maybe fortnightly, monthly, whatever. Thus out of > 10

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On 5/20/21 08:21, Daniel P. Berrangé wrote: On Wed, May 19, 2021 at 04:37:55PM -0400, Daniel Walsh wrote: The sad thing with these types of slimming is that it is horrible in production use case. I often describe layered images in the form of a wedding cake, where you have a large base and

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Mon, May 17, 2021, at 6:05 AM, Karel Zak wrote: > On Thu, Apr 01, 2021 at 02:22:31PM -0400, Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > > > == Summary == > > This change proposes to remove 3 packages (sssd-client, util-linux, > > shadow-utils) from

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Wed, May 19, 2021 at 04:37:55PM -0400, Daniel Walsh wrote: > > The sad thing with these types of slimming is that it is horrible in > production use case. > > I often describe layered images in the form of a wedding cake, where you > have a large base > > and then smaller  mid section say

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, May 20, 2021 at 3:17 AM Miroslav Lichvar wrote: > > On Wed, May 19, 2021 at 09:34:16AM +0100, Daniel P. Berrangé wrote: > > FWIW, there's also debian:stable-slim at 72 MB > > > > > registry.opensuse.org/opensuse/leaplatest 1a798c6c690f 5 > > > days ago108 MB > > >

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Wed, May 19, 2021 at 09:34:16AM +0100, Daniel P. Berrangé wrote: > FWIW, there's also debian:stable-slim at 72 MB > > > registry.opensuse.org/opensuse/leaplatest 1a798c6c690f 5 > > days ago108 MB > > docker.io/library/ubuntu latest 7e0aa2d69a15 3 > >

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Wed, 19 May 2021 at 12:28, Peter Oliver wrote: > > IMHO even then we would need the default "fedora" image to be the > > minimal one, as that's what a casual user will compare, unless they > > happen to know "fedora-minimal" exists. > > I notice that fedora-minimal is absent from Docker Hub,

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On 5/19/21 04:34, Daniel P. Berrangé wrote: On Wed, May 19, 2021 at 09:04:08AM +0200, Clement Verna wrote: On Mon, 17 May 2021 at 16:40, Frank Ch. Eigler wrote: Daniel P. Berrangé writes: The container runtime in the host OS will have configured most mount points before the container

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

> IMHO even then we would need the default "fedora" image to be the > minimal one, as that's what a casual user will compare, unless they > happen to know "fedora-minimal" exists. I notice that fedora-minimal is absent from Docker Hub, and outdated on Quay.io, by the way.

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Wed, May 19, 2021 at 09:04:08AM +0200, Clement Verna wrote: > On Mon, 17 May 2021 at 16:40, Frank Ch. Eigler wrote: > > > Daniel P. Berrangé writes: > > > > > The container runtime in the host OS will have configured most mount > > > points before the container starts. It would be relatively

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Mon, 17 May 2021 at 16:40, Frank Ch. Eigler wrote: > Daniel P. Berrangé writes: > > > The container runtime in the host OS will have configured most mount > > points before the container starts. It would be relatively uncommon > > for processes inside the container image to need to mount

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Mon, 17 May 2021 at 12:06, Karel Zak wrote: > On Thu, Apr 01, 2021 at 02:22:31PM -0400, Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > > > == Summary == > > This change proposes to remove 3 packages (sssd-client, util-linux, > > shadow-utils) from the

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

Daniel P. Berrangé writes: > The container runtime in the host OS will have configured most mount > points before the container starts. It would be relatively uncommon > for processes inside the container image to need to mount additional > volumes later. That's fair, but util-linux contains

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Mon, May 17, 2021 at 12:05:25PM +0200, Karel Zak wrote: > On Thu, Apr 01, 2021 at 02:22:31PM -0400, Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > > > == Summary == > > This change proposes to remove 3 packages (sssd-client, util-linux, > > shadow-utils)

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, Apr 01, 2021 at 02:22:31PM -0400, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > == Summary == > This change proposes to remove 3 packages (sssd-client, util-linux, > shadow-utils) from the Container Base Image (including the minimal > image). The

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

.. snip ... > > Based on the feedback received, I will update the change proposal to > exclude shadow-utils from the packages proposed to be removed. That way we > should be able to move on and at least remove sssd-client and util-linux ;-) > I have updated

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Wed, Apr 7, 2021 at 8:12 AM Clement Verna wrote: > > > > On Tue, 6 Apr 2021 at 12:58, Peter Robinson wrote: >> >> On Tue, Apr 6, 2021 at 11:36 AM Neal Gompa wrote: >> > >> > On Tue, Apr 6, 2021 at 3:23 AM Clement Verna >> > wrote: >> > > >> > > >> > > >> > > On Mon, 5 Apr 2021 at 20:30,

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Tue, 6 Apr 2021 at 12:58, Peter Robinson wrote: > On Tue, Apr 6, 2021 at 11:36 AM Neal Gompa wrote: > > > > On Tue, Apr 6, 2021 at 3:23 AM Clement Verna > wrote: > > > > > > > > > > > > On Mon, 5 Apr 2021 at 20:30, Daniel Walsh wrote: > > >> > > >> On 4/3/21 02:34, Tomasz Torcz wrote: > >

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

* Neal Gompa: > It's basically required for building containers that will work at > runtime where OpenShift assigns an arbitrary UID. I put something together It avoids the need to edit /etc/passwd to support dynamic user IDs for PID 1. Security

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Tue, Apr 6, 2021 at 11:36 AM Neal Gompa wrote: > > On Tue, Apr 6, 2021 at 3:23 AM Clement Verna wrote: > > > > > > > > On Mon, 5 Apr 2021 at 20:30, Daniel Walsh wrote: > >> > >> On 4/3/21 02:34, Tomasz Torcz wrote: > >> > Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a): >

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Tue, Apr 6, 2021 at 3:23 AM Clement Verna wrote: > > > > On Mon, 5 Apr 2021 at 20:30, Daniel Walsh wrote: >> >> On 4/3/21 02:34, Tomasz Torcz wrote: >> > Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a): >> >> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel wrote: >> >>> On Thu,

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Mon, 5 Apr 2021 at 20:30, Daniel Walsh wrote: > On 4/3/21 02:34, Tomasz Torcz wrote: > > Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a): > >> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel wrote: > >>> On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: > Unless

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On 4/3/21 02:34, Tomasz Torcz wrote: Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a): On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel wrote: On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: Unless OpenShift and RKE recently changed so that containers can run as root

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a): > On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel wrote: > > > > On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: > > >Unless OpenShift and RKE recently changed so that containers can run > > >as root by default (as of

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel wrote: > > On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: > >Unless OpenShift and RKE recently changed so that containers can run > >as root by default (as of yesterday, they didn't), this is solidly a > >bad idea, since it makes it much

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: Unless OpenShift and RKE recently changed so that containers can run as root by default (as of yesterday, they didn't), this is solidly a bad idea, since it makes it much more unintuitive to set up secure containers conforming with the

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

... snip ... > > The only one of these I have a major problem with removing is > shadow-utils. Without those tools, it's impossible to create and > modify users, and that's an extremely common pattern for containers. I > also don't think freeing 4MB on the unpacked rootfs is much of a gain > for

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, Apr 1, 2021 at 2:36 PM Neal Gompa wrote: > > On Thu, Apr 1, 2021 at 2:23 PM Ben Cotton wrote: > > > > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > > > == Summary == > > This change proposes to remove 3 packages (sssd-client, util-linux, > > shadow-utils) from the

Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On Thu, Apr 1, 2021 at 2:23 PM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/SmallerContainerBase > > == Summary == > This change proposes to remove 3 packages (sssd-client, util-linux, > shadow-utils) from the Container Base Image (including the minimal > image). The Fedora Base

F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/SmallerContainerBase == Summary == This change proposes to remove 3 packages (sssd-client, util-linux, shadow-utils) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions and

F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/SmallerContainerBase == Summary == This change proposes to remove 3 packages (sssd-client, util-linux, shadow-utils) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions and