We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Tue Apr 29 19:51:25 UTC 2014

On Tue, Apr 29, 2014 at 03:31:45PM -0400, Daniel J Walsh wrote:
> 
> On 04/29/2014 03:17 PM, Chris Adams wrote:
> > Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
> >> wrong question - is /bin/sh used?
> >> if the answer is yes then the anser to your question is no
> >>
> >> the point is remove anything *unneeded* from production systems
> >> that are best practices for many years and for good reasons
> > No, the point is that "remove a bunch of stuff to 'secure' the system"
> > is not security, and should not be claimed that it is being done for
> > 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> > does), you don't need wget/curl to download stuff for example.
> >
> > Can you lock that down more?  Sure, you can remove network access,
> > remove local write access, etc.  However, that is separate from removing
> > arbitrary binaries from the system/image.  Removing non-privileged
> > binaries from the image does _nothing_ for security (as claimed
> > up-thread).
> >
> I am looking at this from a tools perspective.  If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image.  If it does not
> have the package, no reason to update.

  Welcome to the wonderful world of containers, ignoring 20 years of
shipping software in Linux distributions!

-- 
Tomasz Torcz                Only gods can safely risk perfection,
xmpp: zdzichubg at chrome.pl     it's a dangerous thing for a man.  -- Alia