Azure / dalec

📦 Produce secure packages and containers with declarative configurations
https://azure.github.io/dalec/
MIT License
91 stars 18 forks

[BUG] minimal base is not used #298

Closed sozercan closed 2 months ago

sozercan commented 3 months ago

Expected Behavior

minimal base image with only the component we are building and/or supplied in runtime

Actual Behavior

I expected a minimal base image, but looking at the /usr/bin contents, there are a lot of files

https://oci.dag.dev/layers/sozercan/oras@sha256:0137bd96038e5a7edd4c3114e45997b27dcaed83b906230a3943b1c161b76d8b/usr/bin/

Steps To Reproduce

docker build -t oras:latest -f https://gist.githubusercontent.com/sozercan/1f856f629ba85b9a223dfff1f5cb5f2a/raw/794e8ebf0fb0c9d5581050a51e8a70156c901340/oras.yaml --load . --target mariner2/container --progress plain

Are you willing to submit PRs to contribute to this bug fix?

pmengelbert commented 3 months ago

This bug was introduced with PR #254. Specifically, it's this commit https://github.com/adamperlin/dalec/commit/c91c9bae5812aacf34c8e2aedbef118e047658c3, although I can't yet fathom why.

pmengelbert commented 3 months ago

What is happening is that the presence of %post, %preun, or %postun causes /bin/sh to be baked into the dependencies of the rpm. This makes sense because a shell is needed to execute the postinstall scripts, and would be needed to run pre- or post-uninstall scripts.

without %post:

$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1

with %post:

$ rpm -q --requires /tmp/out/RPMS/x86_64/oras-v1.2.0-1.cm2.x86_64.rpm
/bin/sh
/bin/sh
/bin/sh
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1

The bash package supplies /bin/sh, and all of its dependencies are installed into the container as well. So the distroless minimal image is used, but it has a bunch of extra stuff installed.
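As an added check, not part of dalec or of this thread, the script below inspects the `rpm -q --requires` listing of a built RPM and flags the /bin/sh requirement described above, so that a package meant for the distroless base is caught before bash and its dependency chain land in the image. The RPM path passed on the command line is a hypothetical input; the only real tool invoked is `rpm -qp --requires`.

```shell
#!/bin/sh
# Added example (not dalec's code): detect when an RPM's scriptlets
# (%post, %preun, %postun) have pulled a shell interpreter into Requires.

# Reads a `rpm --requires` listing on stdin; returns 0 if any line is a
# shell interpreter path, which is exactly what %post/%preun/%postun add.
requires_shell() {
    grep -qE '^(/bin/sh|/bin/bash|/usr/bin/sh|/usr/bin/bash)$'
}

# Reads a `rpm --requires` listing on stdin and prints the deduplicated
# package-level dependencies. Lines starting with "rpmlib(" are rpm
# feature capabilities, not packages, so a self-contained package like the
# "without %post" case above yields no output here.
package_requires() {
    grep -v '^rpmlib(' | sort -u
}

# Queries an RPM file on disk (hypothetical path from the caller) and
# returns 0 when it is shell-free, 1 when it would drag bash into the image.
check_rpm() {
    rpm_file="$1"
    if rpm -qp --requires "$rpm_file" | requires_shell; then
        echo "FAIL: $rpm_file requires a shell; check for %post/%preun/%postun in the spec"
        return 1
    fi
    echo "OK: $rpm_file has no shell dependency"
    return 0
}

# Usage: ./check_rpm_shell.sh /path/to/package.rpm
[ "$#" -eq 0 ] || check_rpm "$1"
```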

pmengelbert commented 3 months ago

The short-term solution is to not emit %post, %preun, or %postun when no postinstall scripts or systemd services are specified.

The longer-term solution involves

I am not sure if tdnf allows for the installation of a package without running postinstall scripts. If not, we should consider contributing that upstream while creating a workaround within dalec.

sozercan commented 2 months ago

@adamperlin is this issue fixed? Do we just need to add the tests? If so, I can close this issue and we'll have #303 tracking tests.

adamperlin commented 2 months ago

> @adamperlin is this issue fixed? Do we just need to add the tests? If so, I can close this issue and we'll have #303 tracking tests.

Yes this is fixed now due to #299! I think the fix in #299 is what we'll go with for the time being.

sozercan commented 2 months ago

Ok closing this one. We'll continue in #303