
DNF5 delayed

Posted Aug 19, 2023 15:02 UTC (Sat) by meyert (subscriber, #32097)
In reply to: DNF5 delayed by pbonzini
Parent article: DNF5 delayed

I think a containerized app should never include any tools like DNF or apt, only minimal libs to support packaged application, to reduce attack surface.
I think most real-world containers in a security sensitive environment will be based on distroless, alpine or use APKO.

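As an added example (mine, not code from any of the commenters or from the DNF or Fedora projects), here is a multi-stage Dockerfile that follows the advice above: the build stage uses a full toolchain image, and the runtime image is a distroless base containing only the static binary, so no dnf, apt, shell or package database is shipped. The service name example-service, its cmd/example-service source path and the listening port 8080 are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build with a full toolchain image. Anything installed here
# (compilers, package manager, caches) is discarded with this stage.
# "example-service" and its source layout are assumed for illustration.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary: no libc or dynamic loader needed at runtime.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/example-service ./cmd/example-service

# Stage 2: runtime image with no shell, no dnf/apt and no package database.
# The :nonroot tag runs the process as an unprivileged user by default.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/example-service /example-service
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/example-service"]
```

Build with `docker build -t example-service .` from the project root. A quick check that the runtime image really has no shell is `docker run --rm --entrypoint /bin/sh example-service`, which fails because the file does not exist. The "one little thing" objection raised further down the thread is usually debugging; with this layout that is done from outside the image (for example an ephemeral `kubectl debug` container on Kubernetes) rather than by baking tools into the production image.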

DNF5 delayed

Posted Aug 19, 2023 17:21 UTC (Sat) by smoogen (subscriber, #97) [Link] (5 responses)

In theory not having tools like apt, dnf, etc inside of the container is the right thing to do.

The reality is that nearly everyone using containers starts yelling and screaming that any container can't be worked on properly because they need to do all this work to make this one little thing(*) added to make it work.

(*) Narrator: It wasn't and never is one little thing. Eventually you find your 200 containers are all running their own sshd daemons, apt/dnf, and layers of additional software to make this one thing work the way you wanted it to. [And you ended up not being able to replicate that when rebuilding it... so you have kept this artisanal container for years past its life.]

DNF5 delayed

Posted Aug 19, 2023 17:43 UTC (Sat) by amacater (subscriber, #790) [Link] (1 responses)

One little thing - so much this. This is the reason why there are so many Docker images of varying quality, and why some folk choose to rebuild their own Docker images not by downloading some random image but by trying to rebuild from the Dockerfile.

It's another thing that's kept me away from using Docker extensively - you've no provenance. (I've no experience but would imagine the same problem will eventually hit Podman)

DNF5 delayed

Posted Aug 20, 2023 14:37 UTC (Sun) by intelfx (subscriber, #130118) [Link]

Docker and Podman reimplement the completely identical underlying idea, so I see no reason why the same problem that supposedly applies to Docker should _not_ hit Podman.

DNF5 delayed

Posted Aug 19, 2023 18:12 UTC (Sat) by jccleaver (guest, #127418) [Link] (2 responses)

That's great, but that's container-world's problem to deal with.

Admin-levels tools on real systems shouldn't be afflicted with reduced functionality and weird bugs and instability out of a need to accommodate the needs of the hyper-optimized container world.

Can size be reduced when there's low hanging fruit? Sure. But this is not that.

(See also: How systemd was pushed onto all of us)

DNF5 delayed

Posted Aug 22, 2023 6:52 UTC (Tue) by knotapun (guest, #166136) [Link] (1 responses)

What's so bad about systemd? It seems to be an appropriate tool, in the right place. There's some rough spots, but with most things it feels appropriate.

DNF5 delayed

Posted Aug 22, 2023 9:36 UTC (Tue) by zdzichu (subscriber, #17118) [Link]

Please don't reopen this topic, we all had our share of flamewars a decade ago.

DNF5 delayed

Posted Aug 24, 2023 19:09 UTC (Thu) by jond (subscriber, #37669) [Link]

> I think a containerized app should never include any tools like DNF or apt, only minimal libs to support packaged application, to reduce attack surface.

I completely agree, but the tooling to support this needs to catch up (as per smoogen's comment).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds