[TripleO][Kolla] Reduce base layer of containers for security and size of images (maintenance) sakes: UPDATE

Bogdan Dobrelya bdobreli at redhat.com
Mon Feb 11 14:02:20 UTC 2019


Good news: the %systemd_ordering macro works well for building container 
images w/o systemd & deps pulled in, and the changes got accepted for 
RDO and some of the base packages for f29!

Bad news: [0] is a show stopper for removing systemd from the base 
RHEL/Fedora containers in Kolla. To mitigate that issue for the 
remaining dnf and puppet, as well as for iscsi-initiator-utils and 
kuryr-kubernetes-distgit (less important* to have fixed), we need to 
consider using microdnf instead of dnf for installing RPM packages in 
Kolla. Or alternatively, somehow achieve a trick with _tmpfiles being 
split off the main spec files into sub-packages [1]: if the tmpfiles and 
such were split out into a subpackage that'd be required if and only if 
the kernel was installed or being installed, that might work.

* it is only less important as those do not belong to the Kolla 
base/openstack-base images and impact only their individual container 
images.

[0] https://bugs.launchpad.net/tripleo/+bug/1804822/comments/17
[1] https://github.com/rpm-software-management/dnf/pull/1315#issuecomment-462326283

> Here is an update.
> The %{systemd_ordering} macro is proposed for lightening container 
> images and removing the systemd dependency for containers. Please see & 
> try patches in the topic [0] for RDO, and [1][2][3][4][5] for generic 
> Fedora 29 rpms. I'd very much appreciate it if anyone building Kolla 
> containers for f29/(rhel8 yet?) could try these out as well.
> 
> PS (somewhat internal facing but who cares): I wonder if we could see 
> those changes caught up automagically for rhel8 repos as well?
> 
>> I'm tracking systemd changes here [0],[1],[2], btw (if accepted, 
>> it should be working as of fedora28(or 29) I hope)
>> 
>> [0] https://review.rdoproject.org/r/#/q/topic:base-container-reduction
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1654659
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1654672
> 
> [0] https://review.rdoproject.org/r/#/q/topic:base-container-reduction
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1654659
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1654672
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1668688
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=1668687
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=1668678

-- 
Best regards,
Bogdan Dobrelya,
Irc #bogdando


