We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Tomasz Torcz tomek at pipebreaker.pl
Tue Apr 29 19:51:25 UTC 2014

On Tue, Apr 29, 2014 at 03:31:45PM -0400, Daniel J Walsh wrote:
> On 04/29/2014 03:17 PM, Chris Adams wrote:
> > Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
> >> wrong question - is /bin/sh used?
> >> if the answer is yes then the answer to your question is no
> >>
> >> the point is remove anything *unneeded* from production systems
> >> that has been best practice for many years and for good reasons
> > No, the point is that "remove a bunch of stuff to 'secure' the system"
> > is not security, and should not be claimed that it is being done for
> > 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> > does), you don't need wget/curl to download stuff for example.
> >
> > Can you lock that down more?  Sure, you can remove network access,
> > remove local write access, etc.  However, that is separate from removing
> > arbitrary binaries from the system/image.  Removing non-privileged
> > binaries from the image does _nothing_ for security (as claimed
> > up-thread).
> >
> I am looking at this from a tools perspective.  If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image.  If it does not
> have the package, no reason to update.

  Welcome to the wonderful world of containers, ignoring 20 years of
shipping software in Linux distributions!

Tomasz Torcz                Only gods can safely risk perfection,
xmpp: zdzichubg at chrome.pl     it's a dangerous thing for a man.  -- Alia

