We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Lennart Poettering mzerqung at 0pointer.de
Tue Apr 29 15:27:27 UTC 2014

On Tue, 29.04.14 10:37, Daniel J Walsh (dwalsh at redhat.com) wrote:

> On 04/29/2014 06:33 AM, Lennart Poettering wrote:
> > On Mon, 28.04.14 17:01, Daniel J Walsh (dwalsh at redhat.com) wrote:
> >
> >> The problem  is lots of services require systemd because they ship a
> >> unit file and want systemctl reload to happen.  Systemd then triggers a
> >> require for udev and kmod, which docker containers do not need.
> > If you discount the docs/man pages of the RPMs, how much does kmod,
> > udev, systemd actually contribtue in bytes to your docker images?
> >
> > Lennart
> >
> Shrinking the the docker image is more then just size.  We want to
> eliminate packages that are not used (Within reason) to eliminate
> problems like CVE's.  If udev/systemd/kmod had a CVE we would need to
> update all Container images. 

Well, if you are this principled maybe. But do note that we dont really
ship suid binaries (except one binary with fscaps which is
systemd-detect-virt), and hence by leaving systemd in the image without
running it should result in no increased attack surface that wasn't
there anyway... Dead code in the image, that cannot be use to acquire
new caps isn't much of a security threat...


Lennart Poettering, Red Hat

More information about the devel mailing list