We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Daniel J Walsh dwalsh at redhat.com
Fri May 2 15:39:44 UTC 2014


On 05/02/2014 06:32 AM, Lennart Poettering wrote:
> On Wed, 30.04.14 09:44, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
>> On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote:
>>> On 29-04-2014 18:27, Martin Langhoff wrote:
>>>> On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>>
>>>>     defense in depth means limit the attack surface as much as you can
>>>>
>>>>
>>>> As folks are trying to point out to you, these principles are well
>>>> understood in this group.
>>>>
>>>> However, _any minimally usable environment will have a scripting engine_
>>>> -- /bin/sh, python, and having _any_ of those general purpose tools
>>>> available is enough for the attacker.
>>>>
>>>> On your own machines, you might gain some (limited) advantage removing
>>>> some of them.
>>>>
>>>> Fedora and its derivatives, OTOH, are a large enough target that it's
>>>> worth it for attackers to tailor attacks to it. So removing some tools
>>>> won't do much, and removing _all_ tools will ruin everyone's day.
>>> Hm? Okay, the thread got long, but I don't recall anybody saying to remove
>>> scripting engines etc. The point always was being able to have
>>> docker images without systemd, just because it's not needed in
>>> there, and the thread drifted away to 'may or may not be a security
>>> liability'.
>>>
>>> It's part of getting Fedora somewhat optimized for containers.
>>>
>>> Anyway, sounds like we have even already agreed to remove the
>>> Requires, if I'm reading the thread correctly. So yeah, nothing much
>>> left to discuss in here ;)
>>>
>>> Cheers,
>>> Marcelo
>>>
>> I agree, where do I open a bugzilla to make this happen?  rpm?  Distro?
>> Systemd?
> file a fpc ticket first.
>
> https://fedorahosted.org/fpc/
>
> Lennart
>
I did.