On Thu, Apr 1, 2021 at 2:23 PM Ben Cotton <bcot...@redhat.com> wrote:
>
> https://fedoraproject.org/wiki/Changes/SmallerContainerBase
>
> == Summary ==
> This change proposes to remove 3 packages (sssd-client, util-linux,
> shadow-utils) from the Container Base Image (including the minimal
> image). The Fedora Base Image is still quite large compared to other
> distributions and the tools offered by these packages are not
> essential in base image.
>
> == Owner ==
> * Name: [[User:cverna| Clément Verna]]
> * Email: <cverna-at-fedoraproject.org>
>
>
> == Detailed Description ==
> This is a proposal to make the Fedora Container Base image smaller by
> removing the following 3 packages:
> * sssd-client
> * util-linux
> * shadow-utils
>
> Current size of the base image and minimal base image:
> {| class="wikitable"
> |-
> ! REPOSITORY !! TAG !! IMAGE ID !! CREATED !! SIZE
> |-
> | registry.fedoraproject.org/fedora || 34 || eede0db319cc || 2 days ago || 187 MB
> |-
> | registry.fedoraproject.org/fedora-minimal || 34 || 4ff120184ee4 || 2 days ago || 122 MB
> |}
>
> The installed size of each package is:
>
> {| class="wikitable"
> |-
> ! Package !! Installed Size (bytes)
> |-
> | util-linux || 13018140
> |-
> | shadow-utils || 3876259
> |-
> | sssd-client || 317948
> |}
>
> Removing these packages would allow gaining around 17 MB in both images.
>
> Each of these packages provides useful tools but the main goal of the
> base image is for building layered images. Each of these packages can
> easily be added in a layered image if needed.
>
> More info and discussion happened for each package in the Container SIG
> tracker:
>
> sssd-client : https://pagure.io/ContainerSIG/container-sig/issue/44
>
> util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45
>
> shadow-utils : https://pagure.io/ContainerSIG/container-sig/issue/46
>
>
> == Benefit to Fedora ==
> Reducing the size of the base image makes it a more interesting choice
> for users to build layered images using Fedora. The base image is also
> heavily used by CI systems so reducing the size makes it faster to be
> pulled.
> Removing packages from the base image also reduces the number of CVEs
> our users have to care about.
>
>
> == Scope ==
> * Proposal owners:
> Explicitly remove the 3 packages from the base image kickstart :
> https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks
>
> * Release engineering:
> Approve and Merge the kickstart change.
>
> * Policies and guidelines: N/A (not needed for this Change)
>
> * Trademark approval: N/A (not needed for this Change)
>
> * Alignment with Objectives: N/A
>
> == Upgrade/compatibility impact ==
>
> Some layered images that relied on these packages being provided by
> the base image will fail to build. These images will now have to make
> sure to install the required package in their Container/Dockerfile.
>
> In most cases that will result in adding the following:
>
> RUN dnf -y install sssd-client shadow-utils util-linux && dnf clean all
>
>
> == How To Test ==
> Once implemented, one can test this change by pulling the rawhide
> image and verify that none of the above packages are present in the
> image.
>
> == User Experience ==
> See Upgrade/compatibility impact
>
> == Dependencies ==
>
> == Contingency Plan ==
> Kickstart changes can simply be reverted and packages added back in
> the base image.
>

The only one of these I have a major problem with removing is
shadow-utils. Without those tools, it's impossible to create and
modify users, and that's an extremely common pattern for containers. I
also don't think freeing 4MB on the unpacked rootfs is much of a gain
for the pain you're about to cause by dropping shadow-utils from the
base image. The overhead of having to install that makes it
considerably less attractive to use.

Unless OpenShift and RKE recently changed so that containers can run
as root by default (as of yesterday, they didn't), this is solidly a
bad idea, since it makes it much more unintuitive to set up secure
containers conforming with the guidelines for these Kubernetes
platforms.




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
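The following script is an added example for the "How To Test" and "Upgrade/compatibility impact" sections of the quoted proposal and for the non-root point raised in the reply; it is not code from the Change page, the Container SIG or the reply's author. The first part turns "pull the rawhide image and verify none of the packages are present" into a repeatable check that parses rpm -q output and fails only when a package is actually still there (a podman failure is reported separately rather than counted as a pass). The second part writes the layered-image Containerfile that an image needing useradd will have to carry once shadow-utils is gone: install it, create an unprivileged user whose primary group is 0, make the application directory group-writable, and drop privileges with USER, which is the pattern OpenShift's restricted SCC (arbitrary UID, member of group 0) expects. Assumptions: podman is on PATH for the live check (it is skipped otherwise), the image names are those listed in the proposal, the sample rpm output and its version strings are constructed for the offline test, and UID 1001 and the user name "app" are illustrative; on fedora-minimal replace dnf with microdnf.

```shell
#!/bin/sh
# Added example, not code from the Change page or the Container SIG.
# Part 1: check whether the three packages are still in an image.
# Part 2: write the layered-image Containerfile a non-root image now needs.
# Assumptions: podman on PATH for the live check; UID 1001 / user "app"
# are illustrative choices.

PACKAGES="sssd-client util-linux shadow-utils"

# rpm -q prints "<name>-<version>-<release>.<arch>" for an installed package
# and "package <name> is not installed" for a missing one (both on stdout).
# Read that output on stdin and print only the names that are installed.
installed_from_rpm_q() {
    grep -v '^package .* is not installed$' |
        sed -E 's/^(.*)-[^-]+-[^-]+$/\1/'
}

# Query the packages inside an image. Returns 0 when none is present (the
# state the Change wants), 1 when at least one still is, and 2 when the
# query could not be run at all (no podman, pull failure), so a broken
# environment is never mistaken for a clean image.
audit_image() {
    image=$1
    if ! command -v podman >/dev/null 2>&1; then
        echo "podman not found; cannot check $image" >&2
        return 2
    fi
    if ! out=$(podman run --rm "$image" rpm -q $PACKAGES 2>/dev/null); then
        # rpm -q exits non-zero whenever any package is missing, so only an
        # empty output means the container itself failed to run.
        [ -n "$out" ] || { echo "could not run $image" >&2; return 2; }
    fi
    found=$(printf '%s\n' "$out" | installed_from_rpm_q)
    if [ -n "$found" ]; then
        printf '%s still ships: %s\n' "$image" "$(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "$image: none of [$PACKAGES] present"
    return 0
}

# Layered-image pattern once shadow-utils is gone from the base: install it,
# create an unprivileged user, then drop to it with USER. The user gets
# primary group 0 and /app is group-writable (chmod g=u) so the image also
# works under OpenShift's restricted SCC, which runs the container as an
# arbitrary UID that belongs to group 0, not as root. On fedora-minimal
# replace dnf with microdnf.
write_layered_containerfile() {
    cat > "$1" <<'EOF'
FROM registry.fedoraproject.org/fedora:rawhide
RUN dnf -y install shadow-utils && \
    useradd -u 1001 -r -g 0 -d /app -s /sbin/nologin app && \
    mkdir -p /app && chown 1001:0 /app && chmod g=u /app && \
    dnf clean all
WORKDIR /app
USER 1001
EOF
}

# Constructed sample rpm -q output (version strings illustrative): the three
# packages as a current image would report them, and the post-Change state.
SAMPLE_BEFORE='sssd-client-2.4.2-2.fc34.x86_64
util-linux-2.36.2-1.fc34.x86_64
shadow-utils-4.8.1-7.fc34.x86_64'
SAMPLE_AFTER='package sssd-client is not installed
package util-linux is not installed
package shadow-utils is not installed'

# Exercise the parser offline, then try the live images if podman is there.
printf '%s\n' "$SAMPLE_BEFORE" | installed_from_rpm_q
printf '%s\n' "$SAMPLE_AFTER" | installed_from_rpm_q
for img in registry.fedoraproject.org/fedora:rawhide \
           registry.fedoraproject.org/fedora-minimal:rawhide; do
    audit_image "$img" || true
done
write_layered_containerfile "${TMPDIR:-/tmp}/Containerfile.layered"
```

Run it as-is to get a pass/fail per image plus the Containerfile under $TMPDIR; in a CI job, use the return code of audit_image directly (0 clean, 1 package still present, 2 could not check) so that a registry outage does not show up as a successful verification.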
