envoyproxy / envoy-build-tools

Common build tools shared by the Envoy/UDPA ecosystem
Apache License 2.0

Unusual Dependencies for Build Containers #206

Open thekief opened 1 year ago

thekief commented 1 year ago

I had a look at the build instructions for the Ubuntu container and stumbled upon some rather unusual dependencies for a build container. The most outstanding ones for me are:

sudo was added with #52 without an explanation here on GitHub, if I am not mistaken. In addition, I was wondering why a build container would need tools for network sniffing.

Could these dependencies be removed without breaking the build container or the build to create a smaller build image?

phlax commented 1 year ago

> sudo was added with https://github.com/envoyproxy/envoy-build-tools/pull/52 without an explanation here on GitHub

until recently the default setup for the container also ran privileged with access to the docker pipe and various caps enabled for the user

most of which made the sudo point moot anyway

i'm wondering now whether we can remove sudo from the image

> Could these dependencies be removed without breaking the build container or the build to create a smaller build image?

these were added to run tests that actually did network sniffing

afaiaa these tests have been disabled and/or removed so i believe we can just remove these - i would agree that these things are generally pretty undesirable in a container

cc @htuch who may have a better idea about whether these tools are still used/needed anywhere

thekief commented 1 year ago

Thank you for the background. So based on this information, quite a few dependencies could be removed then I suppose. I will try to minimise the dependencies and report back what I found out.

thekief commented 1 year ago

I just realised that I tried to use the build environment for a project that may be built upon Envoy but does not use its build setup.

Sorry to bug you there and feel free to close the ticket. I will keep it open in case it might still be a bit useful if you want to use it to track the unused dependencies.

htuch commented 1 year ago

I think some of them were added for tap2pcap tests https://github.com/envoyproxy/envoy/blob/b0e15260326d0d6175bc2271fb712f2f1efb029e/api/tools/tap2pcap_test.py. I don't think tshark / tcpdump are unusual for a test environment for a network proxy.