We want to stop systemd from being added to docker images, because of rpm requiring systemctl.
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 29 19:31:45 UTC 2014
On 04/29/2014 03:17 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the anser to your question is no
>> the point is remove anything *unneeded* from production systems
>> that are best practices for many years and for good reasons
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'. If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
> Can you lock that down more? Sure, you can remove network access,
> remove local write access, etc. However, that is separate from removing
> arbitrary binaries from the system/image. Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
I am looking at this from a tools perspective. If I run an scap tool
that says container image XYZ has a vulnerable image of udev, even if
udev is not being used, I will have to update the image. If it does not
have the package, no reason to update.
More information about the devel