SUSE / BCI-dockerfile-generator


Use multistage build to remove zypper stack from final image #1387

Closed dirkmueller closed 1 week ago

dirkmueller commented 1 month ago

This can be used for other app containers as well. Unsure if it should be done globally for all application containers.

github-actions[bot] commented 1 month ago

Created a staging project on OBS for 5: home:defolos:BCI:Staging:SLE-15-SP5:5-1387 Changes pushed to branch 5-1387 as commit 3c7f62849ea9b87bced0f2b4c61f6ff6189007b4

github-actions[bot] commented 1 month ago

Created a staging project on OBS for 6: home:defolos:BCI:Staging:SLE-15-SP6:6-1387 Changes pushed to branch 6-1387 as commit e60f3fce4b1d0e615b3df494a5b132dc6ad64d6e

github-actions[bot] commented 1 month ago

Created a staging project on OBS for Tumbleweed: home:defolos:BCI:Staging:Tumbleweed:Tumbleweed-1387 Changes pushed to branch Tumbleweed-1387 as commit 5b97bd90b340283cd33339ac39605a9e07a70d7a

dirkmueller commented 1 month ago

"requests changes" means what needs to be changed? We can't change to a kiwi build easily because it changes repositories, so QA pipelines etc. need adjustment.

I don't think kiwi is a better approach. Enabling a multistage build is seamless and allows removing packages that frequently attract vulnerabilities.
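As an added illustration of the multistage approach this thread is about (example code, not the generator's own output and not from either commenter): the builder stage installs the application with `zypper --installroot` into a separate root, and only that root is copied into an empty final stage, so zypper and libzypp stay behind in the builder layer. The base-image tag, the package name `tomcat` and the `catalina.sh` launcher path are assumptions for illustration; the `--installroot` option, which shares the host's repositories while installing into another root, is standard zypper behaviour.

```dockerfile
# Added example, not the project's Dockerfile. Tag, package name and
# launcher path are assumptions; adjust them for the real build.
FROM registry.suse.com/bci/bci-base:15.6 AS builder

# --installroot installs into /target while reusing the builder's
# repository configuration. Only tomcat and its dependency closure
# land in /target; zypper itself is not part of that closure.
RUN zypper --installroot /target --gpg-auto-import-keys -n install --no-recommends tomcat

# Drop package caches and logs so they do not end up in the final layer.
RUN zypper --installroot /target -n clean -a && \
    rm -rf /target/var/cache/zypp/* /target/var/log/*

# Build-time assertion: rpm -q exits non-zero for packages that are not
# installed, so the negation makes "absent" the passing case. The build
# fails if any part of the zypper stack was pulled into the target root.
RUN rpm --root /target -q tomcat && \
    ! rpm --root /target -q zypper && \
    ! rpm --root /target -q libzypp

# Final stage: nothing but the prepared root, so no package manager ships.
FROM scratch
COPY --from=builder /target /
# Assumed launcher path of the SUSE tomcat package.
CMD ["/usr/share/tomcat/bin/catalina.sh", "run"]
```

The final image contains no zypper binary or rpm database entry for it, which is what the build-time `rpm -q` check confirms before the copy. As noted later in this thread, OBS derives the `.packages` and `.report` files from what the builder stage installed, so those still list the zypper stack; the SBOM reflects the shipped image and is the artifact to rely on for vulnerability reporting.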

dcermak commented 1 month ago

> "requests changes" means what needs to be changed? We can't change to a kiwi build easily because it changes repositories, so QA pipelines etc. need adjustment.

I wouldn't find the change that intrusive, given that this just touches tomcat, which hasn't been set up yet.

> I don't think kiwi is a better approach. Enabling a multistage build is seamless and allows removing packages that frequently attract vulnerabilities.

Kiwi allows us to do the same. One disadvantage of the multistage build is that the .packages file that OBS produces is no longer correct, e.g. suse-tomcat-10-15.6.10.x86_64-35.7.packages contains zypper and all its dependencies. The SBOMs appear to be correct though.

dcermak commented 1 month ago

> I don't think kiwi is a better approach. Enabling a multistage build is seamless and allows removing packages that frequently attract vulnerabilities.

> Kiwi allows us to do the same. One disadvantage of the multistage build is that the .packages file that OBS produces is no longer correct, e.g. suse-tomcat-10-15.6.10.x86_64-35.7.packages contains zypper and all its dependencies. The SBOMs appear to be correct though.

The report files suffer from the same flaw as the .packages files, e.g. suse-tomcat-10-15.6.10.x86_64-35.7.report contains the whole zypper stack too. This will mess up the reports that @msmeissn generates.

dirkmueller commented 2 weeks ago

> The report files suffer from the same flaw as the .packages files, e.g. suse-tomcat-10-15.6.10.x86_64-35.7.report contains the whole zypper stack too. This will mess up the reports that @msmeissn generates.

Marcus mentioned to me that it would not be an issue for him to switch to SBOMs for the reports, which I think would make the most sense.