We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Marcelo Ricardo Leitner marcelo.leitner at gmail.com
Tue Apr 29 21:47:28 UTC 2014


On 29-04-2014 18:27, Martin Langhoff wrote:
> On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>     defense in depth means limit the attack surface as much as you can
>
>
> As folks are trying to point out to you, these principles are well
> understood in this group.
>
> However, _any minimally usable environment will have a scripting engine_
> -- /bin/sh, python, and having _any_ of those general purpose tools
> available is enough for the attacker.
>
> On your own machines, you might gain some (limited) advantage removing
> some of them.
>
> Fedora and its derivatives, OTOH, are a large enough target that it's
> worth for attackers to tailor attacks to it. So removing some tools
> won't do much, and removing _all_ tools will ruin everyone's day.

Hm? Okay, thread got long, but I don't recall anybody saying to remove 
scripting engines & etc. The point always was being able to have docker 
images without systemd, just because it's just not needed in there, and 
the thread drifted away onto 'may or may not be a security liability'.

It's part of getting Fedora somewhat optimized for containers.

Anyway, sounds like we have even already agreed to remove the Requires, 
if I'm reading the thread correctly. So yeah, nothing much left to 
discuss in here ;)

Cheers,
Marcelo


