clearcontainers / osbuilder

Clear Containers guest OS building scripts

Adding a minimal shell to default rootfs #36

Open mcastelino opened 6 years ago

mcastelino commented 6 years ago

@jcvenegas, can we add a shell to the rootfs? That will allow us to provide a debug console. The current minimal set of tools does not have a shell pre-installed.

See https://github.com/clearcontainers/agent/pull/122

jodh-intel commented 6 years ago

bash is probably too big for a basic shell. I don't think CLR currently has busybox (GPL-licensed) or toybox (BSD-licensed), but they are both autospec-able (I've got examples somewhere if needed).

jcvenegas commented 6 years ago

@jodh-intel, I will add bash for now; afterwards, I will work with the CL team to add probably busybox.

devimc commented 6 years ago

I prefer not to include bash or any other utility that will not be used by the agent: fewer components -> fewer CVEs -> fewer vulnerabilities

jcvenegas commented 6 years ago

@devimc @mcastelino in case you don't want to add it, it could be documented in https://github.com/clearcontainers/agent/pull/122 to use EXTRA_PKGS="bash-bin" just for debugging

devimc commented 6 years ago

we can create a debuggable image by running the following commands:

$ make clean
$ EXTRA_PKGS="dbus-bin dbus-autostart util-linux-bin p11-kit-bin bash shadow ca-certs dist-pam-configs xz-bin tar-bin grep-bin sed-bin pigz-bin iproute2-bin procps-ng-bin psstop-bin htop-bin curl nano pciutils usbutils-bin" make rootfs
$ IMG_SIZE="450MB" make image

also we can include any other package needed

mcastelino commented 6 years ago

@devimc @jodh-intel I would rather have some minimal shell than ask the user to rebuild the image. If it comes to that, we should provide a debug image as part of our default package, so that we provide debuggability by default.

Also I do not buy that having bash will make our solution any worse from a security point of view. Our going-in assumption for Clear Containers is that obtaining root in the VM is a given. We prevent further compromise.

devimc commented 6 years ago

@jcvenegas by how many MB does the image size increase?

gorozco1 commented 6 years ago

my vote for toybox @jodh-intel

devimc commented 6 years ago

I wouldn't like to include bash in the "production" version of the CC image because I want to avoid any possible container escape (i.e. chroot /proc/1/cwd)
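To check which kind of image a build actually produced (a production rootfs with no shell versus a debug one built with EXTRA_PKGS), here is an added example, not osbuilder's own code, that audits an unpacked rootfs directory for shell binaries and reports its size; the bin directories searched and the list of shell names are assumptions.

```shell
#!/bin/sh
# Added example (not osbuilder code): audit an unpacked rootfs directory
# for shell binaries, so a "production" image can be verified to ship
# without one, while a debug image (EXTRA_PKGS="bash ...") is expected to.
# Usage: audit_rootfs_shells /path/to/rootfs -> prints findings, returns
# 0 when no shell is found, 1 when at least one shell is present.

# Shells named in the thread plus the common providers of /bin/sh (assumed list).
SHELL_NAMES="sh bash dash ash busybox toybox"

# Print every shell binary found under the usual bin directories of ROOTFS.
find_rootfs_shells() {
    rootfs=$1
    for dir in bin sbin usr/bin usr/sbin; do
        for name in $SHELL_NAMES; do
            path="$rootfs/$dir/$name"
            # -e follows symlinks (e.g. /bin/sh -> bash); -L also catches dangling links.
            if [ -e "$path" ] || [ -L "$path" ]; then
                printf '%s\n' "/$dir/$name"
            fi
        done
    done
}

# Number of shell binaries in ROOTFS, for use from other scripts.
count_rootfs_shells() {
    find_rootfs_shells "$1" | wc -l | tr -d ' '
}

# Size of the rootfs in MB (du -sm), to answer "how many MB does it add?".
rootfs_size_mb() {
    du -sm "$1" | cut -f1
}

# Audit: print findings and fail when the rootfs carries a shell.
audit_rootfs_shells() {
    rootfs=$1
    n=$(count_rootfs_shells "$rootfs")
    echo "rootfs: $rootfs ($(rootfs_size_mb "$rootfs") MB)"
    if [ "$n" -eq 0 ]; then
        echo "no shell binaries found"
        return 0
    fi
    echo "$n shell binaries found:"
    find_rootfs_shells "$rootfs"
    return 1
}
```

Run it against the directory osbuilder unpacks the rootfs into before `make image`, once for the production build and once for the debug build, to confirm that only the latter contains a shell.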