... snip ...

>
> The only one of these I have a major problem with removing is
> shadow-utils. Without those tools, it's impossible to create and
> modify users, and that's an extremely common pattern for containers. I
> also don't think freeing 4MB on the unpacked rootfs is much of a gain
> for the pain you're about to cause by dropping shadow-utils from the
> base image. The overhead of having to install that makes it
> considerably less attractive to use.
>

Yes, this one is a tough one. For me it is all about the balance between the
base image being useful and small. Binaries included in shadow-utils are
indeed useful and often used, but what makes me consider dropping the
package from the base image is that these binaries are almost always used at
build time and not run time.
IMO if you already have commands to create users in your Dockerfile, there
is not much overhead in making sure you include shadow-utils in the list of
packages you install in the layered image.


>
> Unless OpenShift and RKE recently changed so that containers can run
> as root by default (as of yesterday, they didn't), this is solidly a
> bad idea, since it makes it much more unintuitive to set up secure
> containers conforming with the guidelines for these Kubernetes
> platforms.
>

Yes, that's a fair point, and that makes me reconsider removing
shadow-utils :-). Waiting to see if I get more feedback on the change
before tho.

Thanks


> --
> 真実はいつも一つ!/ Always, there's only one truth!
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>