We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Daniel J Walsh dwalsh at redhat.com
Tue Apr 29 19:31:45 UTC 2014

On 04/29/2014 03:17 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the anser to your question is no
>> the point is remove anything *unneeded* from production systems
>> that are best practices for many years and for good reasons
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
> Can you lock that down more?  Sure, you can remove network access,
> remove local write access, etc.  However, that is separate from removing
> arbitrary binaries from the system/image.  Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
> up-thread).
I am looking at this from a tools perspective.  If I run an scap tool
that says container image XYZ has a vulnerable image of udev, even if
udev is not being used, I will have to update the image.  If it does not
have the package, no reason to update.

More information about the devel mailing list