... snip ...

The only one of these I have a major problem with removing is
shadow-utils. Without those tools, it's impossible to create and
modify users, and that's an extremely common pattern for containers. I
also don't think freeing 4MB on the unpacked rootfs is much of a gain
for the pain you're about to cause by dropping shadow-utils from the
base image. The overhead of having to install that makes it
considerably less attractive to use.

Yes, this one is a tough one. For me it is all about the balance between the base image being useful and small. Binaries included in shadow-utils are indeed useful and often used, but what makes me consider dropping the package from the base image is that these binaries are almost always used at build time and not run time.
IMO, if you already have commands to create users in your Dockerfile, there is not much overhead in making sure you include shadow-utils in the list of packages you install in the layered image.
 

Unless OpenShift and RKE recently changed so that containers can run
as root by default (as of yesterday, they didn't), this is solidly a
bad idea, since it makes it much more unintuitive to set up secure
containers conforming with the guidelines for these Kubernetes
platforms.

Yes, that's a fair point, and that makes me reconsider removing shadow-utils :-). Waiting to see if I get more feedback on the change before tho.

Thanks
 




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org