[TripleO][Edge][Kolla] Reduce base layer of containers for security and size of images (maintenance) sakes

Bogdan Dobrelya bdobreli at redhat.com
Wed Nov 28 13:56:55 UTC 2018

Added Kolla tag as we all together might want to do something to that 
systemd included in containers via *multiple* package dependencies, like 
[0]. Ideally, that might be properly packaging all/some (like those 
names listed in [1]) of the places having it as a dependency, to stop 
doing that as of now it's Containers Time?.. As a temporary security 
band-aiding I was thinking of removing systemd via footers [1] as an 
extra layer added on top, but not sure that buys something good long-term.

[0] https://pastebin.com/RSaRsYgZ

On 11/28/18 12:45 PM, Bogdan Dobrelya wrote:
> To follow up and explain the patches for code review:
> The "header" patch https://review.openstack.org/620310 -> (requires) 
> https://review.rdoproject.org/r/#/c/17534/, and also 
> https://review.openstack.org/620061 -> (which in turn requires)
> https://review.openstack.org/619744 -> (Kolla change, the 1st to go)
> https://review.openstack.org/619736
> Please also read the commit messages, I tried to explain all "Whys" very 
> carefully. Just to sum up it here as well:
> The current self-containing (config and runtime bits) architecture of 
> containers badly affects:
> * the size of the base layer and all containers images as an
>    additional 300MB (adds an extra 30% of size).
> * Edge cases, where we have containers images to be distributed, at
>    least once to hit local registries, over high-latency and limited
>    bandwith, highly unreliable WAN connections.
> * numbers of packages to update in CI for all containers for all
>    services (CI jobs do not rebuild containers so each container gets
>    updated for those 300MB of extra size).
> * security and the surface of attacks, by introducing systemd et al as
>    additional subjects for CVE fixes to maintain for all containers.
> * services uptime, by additional restarts of services related to
>    security maintanence of irrelevant to openstack components sitting
>    as a dead weight in containers images for ever.
> On 11/27/18 4:08 PM, Bogdan Dobrelya wrote:
>> Changing the topic to follow the subject.
>> [tl;dr] it's time to rearchitect container images to stop incluiding 
>> config-time only (puppet et al) bits, which are not needed runtime and 
>> pose security issues, like CVEs, to maintain daily.
>> Background: 1) For the Distributed Compute Node edge case, there is 
>> potentially tens of thousands of a single-compute-node remote edge 
>> sites connected over WAN to a single control plane, which is having 
>> high latency, like a 100ms or so, and limited bandwith.
>> 2) For a generic security case,
>> 3) TripleO CI updates all
>> Challenge:
>>> Here is a related bug [1] and implementation [1] for that. PTAL folks!
>>> [0] https://bugs.launchpad.net/tripleo/+bug/1804822
>>> [1] https://review.openstack.org/#/q/topic:base-container-reduction
>>>> Let's also think of removing puppet-tripleo from the base container.
>>>> It really brings the world-in (and yum updates in CI!) each job and 
>>>> each container!
>>>> So if we did so, we should then either install puppet-tripleo and co 
>>>> on the host and bind-mount it for the docker-puppet deployment task 
>>>> steps (bad idea IMO), OR use the magical --volumes-from 
>>>> <a-side-car-container> option to mount volumes from some 
>>>> "puppet-config" sidecar container inside each of the containers 
>>>> being launched by docker-puppet tooling.
>>> On Wed, Oct 31, 2018 at 11:16 AM Harald Jensås <hjensas at 
>>> redhat.com> wrote:
>>>> We add this to all images:
>>>> https://github.com/openstack/tripleo-common/blob/d35af75b0d8c4683a677660646e535cf972c98ef/container-images/tripleo_kolla_template_overrides.j2#L35 
>>>> /bin/sh -c yum -y install iproute iscsi-initiator-utils lvm2 python
>>>> socat sudo which openstack-tripleo-common-container-base rsync cronie
>>>> crudini openstack-selinux ansible python-shade puppet-tripleo python2-
>>>> kubernetes && yum clean all && rm -rf /var/cache/yum 276 MB
>>>> Is the additional 276 MB reasonable here?
>>>> openstack-selinux <- This package run relabling, does that kind of
>>>> touching the filesystem impact the size due to docker layers?
>>>> Also: python2-kubernetes is a fairly large package (18007990) do we use
>>>> that in every image? I don't see any tripleo related repos importing
>>>> from that when searching on Hound? The original commit message[1]
>>>> adding it states it is for future convenience.
>>>> On my undercloud we have 101 images, if we are downloading every 18 MB
>>>> per image thats almost 1.8 GB for a package we don't use? (I hope it's
>>>> not like this? With docker layers, we only download that 276 MB
>>>> transaction once? Or?)
>>>> [1] https://review.openstack.org/527927
>>> -- 
>>> Best regards,
>>> Bogdan Dobrelya,
>>> Irc #bogdando

Best regards,
Bogdan Dobrelya,
Irc #bogdando

More information about the openstack-discuss mailing list