[openstack-dev] [TripleO][Edge] Reduce base layer of containers for security and size of images (maintenance) sakes

Jiří Stránský jistr at redhat.com
Wed Nov 28 17:02:47 UTC 2018


> Reiterating again on previous points:
> -I'd be fine removing systemd. But let's do it properly and not via 'rpm
> -ev --nodeps'.
> -Puppet and Ruby *are* required for configuration. We can certainly put
> them in a separate container outside of the runtime service containers
> but doing so would actually cost you much more space/bandwidth for each
> service container. As both of these have to get downloaded to each node
> anyway in order to generate config files with our current mechanisms
> I'm not sure this buys you anything.

+1. I was actually under the impression that we concluded yesterday on 
IRC that this is the only thing that makes sense to seriously consider. 
But even then it's not a win-win -- we'd gain some security by leaner 
production images, but pay for it with space+bandwidth by duplicating 
image content (IOW we can help achieve one of the goals we had in mind 
by worsening the situation w/r/t the other goal we had in mind.)

Personally I'm not sold yet but it's something that I'd consider if we 
got measurements of how much more space/bandwidth usage this would 
consume, and if we got some further details/examples about how serious 
the security concerns are if we leave config mgmt tools in runtime images.

IIRC the other options (that were brought forward so far) were already 
dismissed in yesterday's IRC discussion and on the reviews. Bin/lib bind 
mounting being too hacky and fragile, and nsenter not really solving the 
problem (because it allows us to switch to having different bins/libs 
available, but it does not allow merging the availability of bins/libs 
from two containers into a single context).

> We are going in circles here I think....

+1. I think too much of the discussion focuses on "why it's bad to have 
config tools in runtime images", but IMO we all sorta agree that it 
would be better not to have them there, if it came at no cost.

I think to move forward, it would be interesting to know: if we do this 
(I'll borrow Dan's drawing):

|base container| --> |service container| --> |service container w/ Puppet installed|

How much more space and bandwidth would this consume per node (e.g. 
separately per controller, per compute). This could help with decision 

> Dan
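One way to put numbers on the question above (how much more a node would pull under the base -> service -> service+Puppet layout), as an added example that is not from the thread: a small Python cost model with constructed layer sizes and node roles that counts each layer blob once per node and compares today's single image against the split layout. It assumes a Puppet layer built on top of different service layers is a distinct blob.

```python
# Constructed layer sizes in MB (illustrative, not measured TripleO images).
BASE_MB = 200
PUPPET_MB = 150  # Puppet + Ruby and their dependencies
SERVICE_MB = {"keystone": 60, "nova-api": 80, "neutron-server": 90, "nova-compute": 120}

# Constructed node roles: which service containers each role runs.
ROLES = {
    "controller": ["keystone", "nova-api", "neutron-server"],
    "compute": ["nova-compute"],
}


def images_for(service, split):
    """Images a node needs for one service, each a list of (layer_id, size_mb).

    split=False: today's layout, one runtime image   base -> puppet -> service
    split=True : Dan's drawing, a lean runtime image base -> service
                 plus a config-generation image      base -> service -> puppet
    A layer id includes its parent chain: the Puppet layer built on top of
    different service layers is a different blob, so it is not shared
    between services (assumption of this model).
    """
    base = ("base", BASE_MB)
    svc = SERVICE_MB[service]
    if not split:
        return [[base, ("base/puppet", PUPPET_MB), (f"base/puppet/{service}", svc)]]
    runtime = [base, (f"base/{service}", svc)]
    config = runtime + [(f"base/{service}/puppet", PUPPET_MB)]
    return [runtime, config]


def pull_cost_mb(role, split):
    """Total MB a node of `role` downloads; a blob shared by images is counted once."""
    seen = {}
    for service in ROLES[role]:
        for image in images_for(service, split):
            seen.update(image)
    return sum(seen.values())


def runtime_only_mb(role, split):
    """MB of content present in the images that actually run services on the node."""
    seen = {}
    for service in ROLES[role]:
        seen.update(images_for(service, split)[0])  # first image is the runtime one
    return sum(seen.values())


def extra_pull_mb(role):
    """How much more a node of `role` pulls with the split layout than today."""
    return pull_cost_mb(role, split=True) - pull_cost_mb(role, split=False)
```

With these constructed numbers the controller pays one extra Puppet layer per additional service while its running images shrink, and the single-service compute pulls the same total either way.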


