We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Alexander Larsson alexl at redhat.com
Tue Apr 29 14:58:15 UTC 2014


On tis, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
> On Mon, 28.04.14 17:01, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
> > The problem is lots of services require systemd because they ship a
> > unit file and want systemctl reload to happen.  Systemd then triggers a
> > require for udev and kmod, which docker containers do not need.
> 
> If you discount the docs/man pages of the RPMs, how much does kmod,
> udev, systemd actually contribute in bytes to your docker images?

It's around 15 megs or so, although on rhel7 it's 20 megs larger because
of a dependency that kmod has on /usr/bin/nm (binutils) that doesn't
seem to be there on fedora kmod. This seems like a bug in fedora though,
as kmod ships /usr/sbin/weak-modules which calls nm, so once fixed
fedora would be at 35 meg too.

But, even if the size is small that is not the full picture. There are a
bunch of dependencies like dbus (the daemon), device-mapper, kmod, and
iptables that are recursively pulled in by systemd that don't really
make sense in a container. Having such things there increases the risk
of security issues even if they are not in use (maybe something is
setuid?). Furthermore, things being in the base image by "accident"
means these packages get cemented into some kind of "ABI" that we
probably have to keep forever, as apps could rely on them.
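A small audit for the concern raised in this message, added here as an example and not part of the thread: it lists setuid/setgid files in an exported container root filesystem and, where `rpm` is present, attributes each to its owning package and shows which installed packages drag in systemd. The root path argument and the `rpm --root` usage are assumptions; on a host without rpm only the file scan runs.

```shell
#!/bin/sh
# Audit a container rootfs (e.g. the output of `docker export` untarred into
# a directory) for setuid/setgid binaries pulled in by base-image dependencies.
# Added example, not code from the mailing-list thread.

# list_setuid ROOT: every regular file under ROOT with the setuid or setgid bit set
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setuid ROOT: how many such files exist (prints a bare integer)
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# owning_package ROOT FILE: RPM that owns FILE inside ROOT, if rpm is available.
# The path is made relative to ROOT because rpm --root queries the chrooted database.
owning_package() {
    root="$1"; file="$2"
    if command -v rpm >/dev/null 2>&1; then
        rpm --root "$root" -qf "${file#"$root"}" 2>/dev/null || echo "unowned"
    else
        echo "unknown (rpm not available)"
    fi
}

# audit_rootfs ROOT: one line per setuid/setgid file, tab-separated with its owner
audit_rootfs() {
    root="$1"
    list_setuid "$root" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owning_package "$root" "$f")"
    done
}

# why_systemd ROOT: installed packages whose dependencies pull systemd into the image
why_systemd() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 1; }
    rpm --root "$1" -q --whatrequires systemd 2>/dev/null
}

# Usage: ./audit.sh /path/to/exported/rootfs
if [ -n "$1" ]; then
    echo "setuid/setgid files: $(count_setuid "$1")"
    audit_rootfs "$1"
    echo "packages requiring systemd:"
    why_systemd "$1"
fi
```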
