fakesystemd package breaking builds
Lennart Poettering
mzerqung at 0pointer.de
Thu Aug 28 18:10:08 UTC 2014
On Thu, 28.08.14 07:24, Daniel J Walsh (dwalsh at redhat.com) wrote:
> >>> But regarding kmod/devicemapper, can we please get some stats about how
> >>> big this individually are, and how much is saved by this? kmod at least
> >>> is 150K or so only. Is there really any value in doing this weird stuff
> >>> for a fricking 150K?! Fedora has no bigger fishes to fry?
> >> I'll prepare stats for you tomorrow.
> >>> The systemd-container or fakesystemd stuff sounds awfully adhoc. Can we
> >>> please always discuss this first, and see if we can find a different
> >>> solution? We don't need three different "solutions", if one works
> >>> too...
> >> We've talked about this on Flock - it's not only about disk space
> >> but also about security reasons (CC'ing Dan Walsh). My goal was not
> > Dan, can you elaborate what the rationale for this is?
>
> It is not about Security escalation is is about the need to update a
> container image if a CVE happens on any of the packages installed.
> Basically we want to keep the turn on images as small as possible. If
> systemd, kmod, udev ... have a CVE and they are not used within an
> image, then we would still need to update the image because it
> containers "Vulnerable" code, or potentially vulnerable code.
Is kmod/systemd really that bad with CVEs? I mean, if there was a large
number of them, maybe that's something to think about, but I see 2 in
2012, and 5 in 2013, and 0 in 2014... and those are not really the
biggest issues in the world either, and certainly not in any way
relevant if you just leave the files lying around....
> Fakesystemd was developed for RHEL/Centos images to help minimize the
> CVE footprint. This was discussed on on this fpc request.
> https://fedorahosted.org/fpc/ticket/425. I actually did not want
> fakesystemd to go into Fedora for exactly the fear of it screwing up
> builds. I like the idea of systemd-container, or some other minimal
> systemd environment which understands and works well within container,
> and am trying to get pull requests into docker to allow systemd to
> work well.
>
> https://github.com/docker/docker/pull/7685
> https://github.com/docker/docker/pull/7685
>
> If we got a good version of systemd-container, (Or systemd) which did
> not suck in other requirements an stopped other random rpm sucking in
> stuff not needed in container, I would be all for dropping fakesystemd.
I don't think there's any value in having a second version of systemd
for containers. We repeatedly made clear that we care about containers
upstream, and want that systemd works fine in containers out of the
box. I want a unified OS that works in any way executed. But by
inventing thigns like "systemd-container" or "fakesystemd" you just
create two more crappy options that don't fully work.
Really, we should emphasize the value of our platform and its APIs, what
you are doing there is just splitting up things into a crude variety of
half-working, half-supported hacks.
Let's just see what changes we can make upstream and in the systemd rpm
in fedora, don't start doing things like fakesystemd/systemd-container
without first trying to do these things properly, upstream and in the
default RPM.
For example, let's split out the hwdb stuff in Fedora, and maybe some
other things, and then you can drop that from the container images, but
let's not wildly invent new hacks, without checking if there are better
ways...
Thank you very much,
Lennart
--
Lennart Poettering, Red Hat
More information about the devel
mailing list