Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] minimal base is not used #298

Closed
1 task
sozercan opened this issue Jun 24, 2024 · 8 comments
Closed
1 task

[BUG] minimal base is not used #298

sozercan opened this issue Jun 24, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@sozercan
Copy link
Member

Expected Behavior

minimal base image with only the component we are building and/or supplied in runtime

Actual Behavior

i expected a minimal base image but looking at the /usr/bin contents, there are a lot of files

https://oci.dag.dev/layers/sozercan/oras@sha256:0137bd96038e5a7edd4c3114e45997b27dcaed83b906230a3943b1c161b76d8b/usr/bin/

Steps To Reproduce

docker build -t oras:latest -f  
https://gist.githubusercontent.com/sozercan/1f856f629ba85b9a223dfff1f5cb5f2a/raw/794e8ebf0fb0c9d5581050a51e8a70156c901340/oras.yaml
--load . --target mariner2/container --progress plain

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
@sozercan sozercan added the bug Something isn't working label Jun 24, 2024
@pmengelbert
Copy link
Contributor

This bug was introduced with PR #254 . Specifically, it's this commit https://github.com/adamperlin/dalec/commit/c91c9bae5812aacf34c8e2aedbef118e047658c3, although I can't yet fathom why

@pmengelbert
Copy link
Contributor

pmengelbert commented Jun 26, 2024

What is happening is that the presence of the %post, %preun, or %postun causes /bin/sh to be baked into the dependencies of the rpm. This makes sense because a shell is needed to execute the postinstall scripts, and would be needed to run pre- or post- uninstall scripts.

without %post:

$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1

with %post:

$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
/bin/sh
/bin/sh
/bin/sh
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1

The bash package supplies /bin/sh, and all of its dependencies are installed into the container as well. So the distroless minimal image is used, but it has a bunch of extra stuff installed.

@pmengelbert
Copy link
Contributor

The short-term solution is to not emit %post, %preun, or %postun when no postinstall scripts or systemd services are specified.

The longer-term solution involves

  • installing the rpm without running postinstall scripts
  • documenting that systemd units and rpm scripts are noop when the output is a container
  • printing a warning in the logs when the output is a container and rpm scripts are present

I am not sure if tdnf allows for the installation of a package without running postinstall scripts. If not, we should consider contributing that upstream while creating a workaround within dalec.

pmengelbert added a commit to pmengelbert/dalec that referenced this issue Jun 26, 2024
This PR prevents the fields `%post`, `%preun`, and `%postun` from being
written to the rpm SPEC unless they are specified in the dalec spec.

This is a short-term solution to the problem specified in Azure#298. Please
see that issue for more details on the long-term solution. A short
summary of the problem follows:

What is happening is that the presence of the `%post`, `%preun`, or
`%postun` causes `/bin/sh` to be baked into the dependencies of the rpm.
This makes sense because a shell is needed to execute the postinstall
scripts, and would be needed to run pre- or post- uninstall scripts.

_without %post_:
```
$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
```

_with %post_:
```
$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
/bin/sh
/bin/sh
/bin/sh
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
```

The `bash` package supplies `/bin/sh`, and all of its dependencies are
installed into the container as well. So the distroless minimal image is
used, but it has a bunch of extra stuff installed.

Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
cpuguy83 pushed a commit that referenced this issue Jun 28, 2024
This PR prevents the fields `%post`, `%preun`, and `%postun` from being
written to the rpm SPEC unless they are specified in the dalec spec.

This is a short-term solution to the problem specified in #298. Please
see that issue for more details on the long-term solution. A short
summary of the problem follows:

What is happening is that the presence of the `%post`, `%preun`, or
`%postun` causes `/bin/sh` to be baked into the dependencies of the rpm.
This makes sense because a shell is needed to execute the postinstall
scripts, and would be needed to run pre- or post- uninstall scripts.

_without %post_:
```
$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
```

_with %post_:
```
$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
/bin/sh
/bin/sh
/bin/sh
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
```

The `bash` package supplies `/bin/sh`, and all of its dependencies are
installed into the container as well. So the distroless minimal image is
used, but it has a bunch of extra stuff installed.

Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
@sozercan
Copy link
Member Author

@adamperlin is this issue fixed? do we just need to add the tests? if so, i can close this issue and we'll have #303 tracking tests

@adamperlin
Copy link
Contributor

@adamperlin is this issue fixed? do we just need to add the tests? if so, i can close this issue and we'll have #303 tracking tests

Yes this is fixed now due to #299! I think the fix in #299 is what we'll go with for the time being.

@sozercan
Copy link
Member Author

Ok closing this one. We'll continue in #303

@sozercan sozercan reopened this Nov 2, 2024
@cpuguy83
Copy link
Member

cpuguy83 commented Nov 4, 2024

For posterity, we discussed this:
It looks like gatekeeper has a dependency on ca-certificates which brings in coreutils and bash.
azlinux/mariner have a package for just the root CA's prebuilt-ca-certificates which can be used instead.

Also opened a PR (#424) to include this by default in container images along with some other base things defined by the azlinux team.

@cpuguy83 cpuguy83 closed this as completed Nov 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants