On Mon, Feb 22, 2016 at 9:54 AM, Courtney Pacheco <cpacheco(a)redhat.com> wrote:
I've spent some time trying to minimize the footprint of the Fedora docker
base image. Overall, I managed to reduce its size by 39.9%.
Thanks for doing this. It is great to see someone working on minimization.
A summary of the work I did can be found here:
If you're interested, you can find a more detailed version of the above work
I essentially looked at which packages were being installed to the base
image and tried to determine which of those packages could be turned into
weak dependencies and which of those packages we could possibly break up.
If possible, I'd like some feedback on the work I did. Comments and
criticism are more than welcome! I realize there may be some controversy in
terms of what I chose to remove and what I chose to turn into weak
dependencies, but I would like to hear your thoughts either way.
On the "Kernel Packages" section, I tend to agree that kmod and
kmod-libs likely don't make sense in a docker container. However,
libseccomp should likely remain. The library is there to make use of
the in-kernel seccomp functionality, and systemd and other
applications use it to limit their syscall interface to the kernel.
This reduces the potential attack surface, and in essence at least
helps containers actually contain.
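The syscall limiting described above, as an added example that is not code from this thread or from libseccomp: a syscall allowlist built directly as a seccomp-BPF program (the in-kernel interface libseccomp wraps), a small interpreter for checking a filter's verdicts without loading it, and the two prctl calls that install it. The function names are my own, and the caller supplies the audit arch value and the syscall numbers to allow.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* BPF_STMT/BPF_JUMP expand to brace initialisers; cast them to assignable values. */
#define LOAD(f)    ((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f)))
#define RET(v)     ((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (v)))
#define JEQ(v, jt) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (jt), 0))

/* Emit into prog[] (room for n + 6 instructions) a filter that lets through only the
 * syscall numbers in allow[] for the given audit arch and kills the process otherwise. */
size_t build_allowlist(struct sock_filter *prog, uint32_t arch, const uint32_t *allow, size_t n)
{
    size_t i = 0;
    prog[i++] = LOAD(arch);               /* syscall numbers differ per ABI: check arch first */
    prog[i++] = JEQ(arch, 1);             /* matching arch skips the kill below */
    prog[i++] = RET(SECCOMP_RET_KILL_PROCESS);
    prog[i++] = LOAD(nr);
    for (size_t j = 0; j < n; j++)        /* any match jumps forward to the final ALLOW */
        prog[i++] = JEQ(allow[j], (uint8_t)(n - j));
    prog[i++] = RET(SECCOMP_RET_KILL_PROCESS);
    prog[i++] = RET(SECCOMP_RET_ALLOW);
    return i;                             /* == n + 6 */
}

/* Interpreter for just the opcodes used above: check a filter's verdict without loading it. */
uint32_t evaluate(const struct sock_filter *prog, size_t len, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets are relative to the next insn */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
    }
    return SECCOMP_RET_KILL_PROCESS;      /* ran off the end: deny */
}
/* Install the allowlist in the calling process; it is inherited across fork/exec. */
int install_allowlist(uint32_t arch, const uint32_t *allow, size_t n)
{
    struct sock_filter prog[n + 6];
    struct sock_fprog fprog = { .len = (unsigned short)build_allowlist(prog, arch, allow, n), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;   /* required for unprivileged callers */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Once installed, every later syscall of the process and its descendants that is not on the list ends the process, which is the containment effect a container runtime relies on.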