Smaller Container Base Image (remove sssd-client, util-linux)
Summary
This change proposes to remove 2 packages (sssd-client, util-linux) from the Container Base Image (including the minimal image). The Fedora Base Image is still quite large compared to other distributions and the tools offered by these packages are not essential in base image.
Owner
- Name: Clément Verna
- Email: <cverna-at-fedoraproject.org>
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-04-19
- FESCo issue: #2594
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
This is a proposal to make the Fedora Container Base image smaller by remove the following packages:
- sssd-client
- util-linux
Current size of the base image and minimal base image :
| REPOSITORY | TAG | IMAGE ID | CREATED | SIZE |
|---|---|---|---|---|
| registry.fedoraproject.org/fedora | 34 | eede0db319cc | 2 days ago | 187 MB |
| registry.fedoraproject.org/fedora-minimal | 34 | 4ff120184ee4 | 2 days ago | 122 MB |
The installed size of each package is :
| Package | Installed Size |
|---|---|
| util-linux | 13018140 |
| sssd-client | 317948 |
Removing these packages would allow to gain around 13MB in both images.
Each of these packages provides useful tools but the main goal of the base image is for building layered images. Each of these packages can easily be added in a layered image if needed.
More info and discussion happened for each package in the Container SIG tracker
sssd-client : https://pagure.io/ContainerSIG/container-sig/issue/44
util-linux : https://pagure.io/ContainerSIG/container-sig/issue/45
Feedback
Following feedback received on devel@fedoraproject.org the plan to remove shadow-utils is dropped. This package provides binaries that are used in common scenario in particular creating users to avoid running application as root in the container images.
Benefit to Fedora
Reducing the size of the base image makes it a more interesting choice for users to build layered images using Fedora. The base image is also heavily used by CI systems so reducing the size makes it faster to be pulled. Removing packages from the base image also reduces the number of CVEs our users have to care about.
Scope
- Proposal owners:
Explicitly remove the packages from the base image kickstart : https://pagure.io/fedora-kickstarts/blob/main/f/fedora-container-base.ks
- Release engineering:
Approve and Merge the kickstart change.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Upgrade/compatibility impact
Some layered images that relied on these packages being provided by the base image will fail to build. These images will now have to make sure to install the required package in their Container/Dockerfile.
In most cases that will results in adding the following :
RUN dnf -y install sssd-client util-linux && dnf clean all
How To Test
Once implemented, one can test this change by pulling the rawhide image and verify that none of the above packages are present in the image.
User Experience
See Upgrade/compatibility impact
Dependencies
Contingency Plan
Kickstart changes can simply be reverted and packages added back in the base image.