From Fedora Project Wiki
No edit summary
(Add trackers)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
= Smaller Container Base Image (remove sssd-client, util-linux) =


<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) =
<!-- The name of your change proposal -->


== Summary ==
== Summary ==
This change proposes to remove 3 packages (sssd-client, util-linux, shadow-utils) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions and the tools offered by these packages are not essential in base image.
This change proposes to remove 2 packages (sssd-client, util-linux) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions and the tools offered by these packages are not essential in base image.


== Owner ==
== Owner ==
Line 22: Line 18:


== Current status ==
== Current status ==
[[Category:ChangeReadyForWrangler]]
[[Category:ChangeAcceptedF35]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 40: Line 36:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2594 #2594]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1951111 #1951111]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/685 #685]


== Detailed Description ==
== Detailed Description ==
This is a proposal to make the Fedora Container Base image smaller by remove the following 3 packages:  
This is a proposal to make the Fedora Container Base image smaller by remove the following packages:  
* sssd-client
* sssd-client
* util-linux
* util-linux
* shadow-utils


Current size of the base image and minimal base image :
Current size of the base image and minimal base image :
Line 67: Line 62:
|-
|-
| util-linux || 13018140
| util-linux || 13018140
|-
| shadow-utils || 3876259
|-
|-
| sssd-client || 317948
| sssd-client || 317948
|}
|}


Removing these packages would allow to gain around 17MB in both images.
Removing these packages would allow to gain around 13MB in both images.


Each of these packages provides useful tools but the main goal of the base image is for building layered images. Each of these packages can easily be added in a layered image if needed.
Each of these packages provides useful tools but the main goal of the base image is for building layered images. Each of these packages can easily be added in a layered image if needed.
Line 82: Line 75:


util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45
util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45
shadow-utils : https://pagure.io/ContainerSIG/container-sig/issue/46
   
   


== Feedback ==
== Feedback ==
<!-- Summarize the feedback from the community and address why you chose not to accept proposed alternatives. This section is optional for all change proposals but is strongly suggested. Incorporating feedback here as it is raised gives FESCo a clearer view of your proposal and leaves a good record for the future. If you get no feedback, that is useful to note in this section as well. For innovative or possibly controversial ideas, consider collecting feedback before you file the change proposal. -->
<!-- Summarize the feedback from the community and address why you chose not to accept proposed alternatives. This section is optional for all change proposals but is strongly suggested. Incorporating feedback here as it is raised gives FESCo a clearer view of your proposal and leaves a good record for the future. If you get no feedback, that is useful to note in this section as well. For innovative or possibly controversial ideas, consider collecting feedback before you file the change proposal. -->
Following feedback received on devel@fedoraproject.org the plan to remove shadow-utils is dropped. This package provides binaries that are used in common scenario in particular creating users to avoid running application as root in the container images.


== Benefit to Fedora ==
== Benefit to Fedora ==
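Review bot: the Feedback paragraph added in this hunk cites feedback "received on devel@fedoraproject.org" without a link, while the util-linux entry just above it points to its Container SIG issue. Link the devel thread, or keep the pointer to container-sig issue 46 that this revision drops, so the reason shadow-utils stays in the image remains traceable.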
Line 96: Line 89:
== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
Explicitly remove the 3 packages from the base image kickstart : https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks
Explicitly remove the packages from the base image kickstart : https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks


* Release engineering:  
* Release engineering:  
Line 113: Line 106:
In most cases that will results in adding the following :  
In most cases that will results in adding the following :  


RUN dnf -y install sssd-client shadow-utils util-linux && dnf clean all  
RUN dnf -y install sssd-client util-linux && dnf clean all  
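Review bot: the suggested RUN line in the Upgrade/compatibility text installs both sssd-client and util-linux, so a layered image that copies it verbatim gets back everything this Change removes. State that an image should install only the package it actually uses, for example `RUN dnf -y install util-linux && dnf clean all`.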





Latest revision as of 16:29, 19 April 2021

Smaller Container Base Image (remove sssd-client, util-linux)

Summary

This change proposes to remove 2 packages (sssd-client, util-linux) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions, and the tools offered by these packages are not essential in a base image.

Owner

Current status

Detailed Description

This is a proposal to make the Fedora Container Base image smaller by removing the following packages:

  • sssd-client
  • util-linux

Current size of the base image and minimal base image:

REPOSITORY                                 TAG  IMAGE ID      CREATED     SIZE
registry.fedoraproject.org/fedora          34   eede0db319cc  2 days ago  187 MB
registry.fedoraproject.org/fedora-minimal  34   4ff120184ee4  2 days ago  122 MB

The installed size of each package is:

Package      Installed Size (bytes)
util-linux   13018140
sssd-client  317948

Removing these packages would save around 13 MB in both images.

Each of these packages provides useful tools but the main goal of the base image is for building layered images. Each of these packages can easily be added in a layered image if needed.

More information and discussion for each package can be found in the Container SIG tracker:

sssd-client : https://pagure.io/ContainerSIG/container-sig/issue/44

util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45


Feedback

Following feedback received on devel@fedoraproject.org, the plan to remove shadow-utils is dropped. This package provides binaries that are used in common scenarios, in particular creating users to avoid running applications as root in container images.

Benefit to Fedora

Reducing the size of the base image makes it a more interesting choice for users to build layered images using Fedora. The base image is also heavily used by CI systems so reducing the size makes it faster to be pulled. Removing packages from the base image also reduces the number of CVEs our users have to care about.


Scope

  • Proposal owners:

Explicitly remove the packages from the base image kickstart: https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks

  • Release engineering:

Approve and merge the kickstart change.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Some layered images that relied on these packages being provided by the base image will fail to build. These images will now have to install the required package in their Containerfile or Dockerfile.

In most cases that will result in adding the following:

RUN dnf -y install sssd-client util-linux && dnf clean all


How To Test

Once implemented, one can test this change by pulling the rawhide image and verifying that none of the above packages is present in the image.
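
The check described above, as an added example that is not part of the original proposal: a shell function that reads an rpm package listing and reports which of the removed packages are still installed and how many bytes they occupy. The function name, the sample listings (including the bash and util-linux-core entries) and the podman invocation in the final comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a package listing for the packages this Change removes.
REMOVED_PKGS="sssd-client util-linux"   # package names taken from the page

# leftover_packages: reads "NAME SIZE" lines on stdin, in the format printed by
#   rpm -qa --qf '%{NAME} %{SIZE}\n'
# Prints every removed package that is still installed, then a summary line
# "leftover=<count> bytes=<sum of installed sizes>".
# Returns 0 when none is present, 1 otherwise. Names are compared exactly, so
# a different package that shares the prefix is not counted.
leftover_packages() {
    awk -v pkgs="$REMOVED_PKGS" '
        BEGIN { n = split(pkgs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 in want) { print $1, $2; total += $2; found++ }
        END { printf "leftover=%d bytes=%d\n", found, total; exit (found > 0) }
    '
}

# Constructed sample listings (not real image contents). The sizes for
# util-linux, sssd-client and shadow-utils are the ones quoted on the page;
# the other entries are made up.
sample_before() {
    printf '%s\n' 'bash 7738778' 'util-linux 13018140' \
                  'util-linux-core 1000' 'sssd-client 317948'
}
sample_after() {
    printf '%s\n' 'bash 7738778' 'util-linux-core 1000' 'shadow-utils 3876259'
}

sample_before | leftover_packages || echo "FAIL: removed packages still installed"
sample_after  | leftover_packages && echo "OK: image is clean"

# Against a real image (needs podman and network access):
#   podman run --rm registry.fedoraproject.org/fedora:rawhide \
#       rpm -qa --qf '%{NAME} %{SIZE}\n' | leftover_packages
```

The non-zero return status makes the function usable as a CI gate on the base image build.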

User Experience

See Upgrade/compatibility impact

Dependencies

Contingency Plan

Kickstart changes can simply be reverted and packages added back in the base image.

Documentation

Release Notes