Currently the Fedora base image ships with the shadow-utils package (4MB) installed. Similarly to linux-utils, I think that most of the binaries provided by that package are not useful in most use cases.
I think we should remove it from the base image. Thoughts?
adduser/chgpasswd/chpasswd/groupadd/groupdel/groupmems/groupmod/grpck/grpconv/grpunconv/newusers/pwck/pwconv/pwunconv/useradd/userdel/usermod/vigr/vipw
Is it used during package installation for packages that create users? Or have we moved fully to systemd-sysusers?
newuidmap and newgidmap are used by rootless Podman; it could affect running Podman inside of a container.
If that's the case I think such packages should have shadow-utils as a dependency; for example, I tried that with httpd.
    [root@429838b1b34c /]# dnf remove shadow-utils
    Dependencies resolved.
    ==============================================================================================================================
     Package                  Architecture          Version                    Repository          Size
    ==============================================================================================================================
    Removing:
     shadow-utils             x86_64                2:4.8.1-4.fc33             @anaconda           3.7 M
    Removing unused dependencies:
     libsemanage              x86_64                3.1-2.fc33                 @anaconda           311 k

    Transaction Summary
    ==============================================================================================================================
    Remove  2 Packages

    Freed space: 4.0 M
    Is this ok [y/N]: y
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                             1/1
      Erasing          : shadow-utils-2:4.8.1-4.fc33.x86_64          1/2
      Erasing          : libsemanage-3.1-2.fc33.x86_64               2/2
      Running scriptlet: libsemanage-3.1-2.fc33.x86_64               2/2
      Verifying        : libsemanage-3.1-2.fc33.x86_64               1/2
      Verifying        : shadow-utils-2:4.8.1-4.fc33.x86_64          2/2

    Removed:
      libsemanage-3.1-2.fc33.x86_64    shadow-utils-2:4.8.1-4.fc33.x86_64

    Complete!
    [root@429838b1b34c /]# dnf install httpd
    Fedora 33 openh264 (From Cisco) - x86_64      2.9 kB/s | 2.5 kB     00:00
    Fedora Modular 33 - x86_64                    2.6 MB/s | 3.3 MB     00:01
    Fedora Modular 33 - x86_64 - Updates          116 kB/s | 783 kB     00:06
    Fedora 33 - x86_64 - Updates                  3.7 MB/s | 8.5 MB     00:02
    Fedora 33 - x86_64                            2.3 MB/s |  72 MB     00:30
    Dependencies resolved.
    ==============================================================================================================================
     Package                  Architecture          Version                    Repository          Size
    ==============================================================================================================================
    Installing:
     httpd                    x86_64                2.4.46-1.fc33              fedora              1.4 M
    Installing dependencies:
     acl                      x86_64                2.2.53-9.fc33              fedora               72 k
    ....
     shadow-utils             x86_64                2:4.8.1-4.fc33             fedora              1.2 M
    ...
    Installing weak dependencies:
    ...

    Transaction Summary
    ==============================================================================================================================
    Install  43 Packages
Similarly to httpd, shadow-utils is a dependency of podman so it would be installed when installing podman in the container.
So the remaining question is "how many Dockerfiles will break?"
Probably a few, but the fix is very trivial. WDYT?
IMO we would push these changes only in the rawhide container and make a bit of noise about it.
@cverna +1 generally to all of #44, #45, #46. I think that this will lead to/ensure that all the container/packages/users will have to correctly declare their dependencies (I think it will only show in a few cases in practice). We probably should clearly announce that, maybe via a change proposal for f34? (Should I start drafting one?)
But this also brings up the question of what the "contract" of the base image is. That we should probably define and document somewhere (I might have missed that, if it is up somewhere). What is it supposed to fulfill, what is its contract? Just shell, dnf (ability to install packages) + shell, just glibc, ...? This would probably also help to define testing cases for the base image that QA and users can check.
+1 to the change proposal
Great question, I have not really thought about it tbh. Maybe we move that discussion to a separate ticket or the mailing list.
@cverna sure, will look into the change proposal and open a separate issue for the base image definition.
Discussion on the base image #47.
I think dropping shadow-utils is going to cause problems, because I often see people using those tools to create users and groups in the container as part of container setup layered on top, and it would be weird for Fedora to be the only base container lacking the ability to set that up.
I agree that this is a relatively common use case, but IMO if you go to the trouble to set up users or groups in your Dockerfile, I think having to do first a dnf install shadow-utils is more than acceptable.
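Added example, not part of the ticket and not Fedora project code: one way to estimate "how many Dockerfiles will break" is to scan them for the binaries listed above being called in a build stage before shadow-utils is installed. It assumes every FROM image lacks shadow-utils, looks only at the first word of each shell command, and does not know about packages such as httpd that pull shadow-utils in as a dependency; the sample Dockerfile is constructed.

```python
import re

# Binaries named in the ticket as shipped by shadow-utils (plus the two Podman uses).
SHADOW_TOOLS = {
    "adduser", "chgpasswd", "chpasswd", "groupadd", "groupdel", "groupmems",
    "groupmod", "grpck", "grpconv", "grpunconv", "newusers", "pwck", "pwconv",
    "pwunconv", "useradd", "userdel", "usermod", "vigr", "vipw",
    "newuidmap", "newgidmap",
}
INSTALL_RE = re.compile(r"\bdnf\b[^;&|]*\binstall\b[^;&|]*\bshadow-utils\b")

# Constructed sample: stage 1 breaks, stage 2 installs the package first.
SAMPLE = """\
FROM registry.fedoraproject.org/fedora:rawhide
RUN groupadd -r app && \\
    useradd -r -g app app
FROM registry.fedoraproject.org/fedora:rawhide
RUN dnf -y install shadow-utils && \\
    useradd -r app
"""

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, instruction)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf = ""

def find_breakage(dockerfile_text):
    """Return [(line, tool)] for shadow-utils tools run before the package is installed."""
    findings, installed = [], False
    for no, instr in logical_lines(dockerfile_text):
        keyword, _, rest = instr.partition(" ")
        if keyword.upper() == "FROM":
            installed = False  # every build stage starts from a fresh image
        elif keyword.upper() == "RUN":
            for cmd in re.split(r"&&|\|\||;|\|", rest):  # shell commands, in order
                words = cmd.split()
                if INSTALL_RE.search(cmd):
                    installed = True
                elif words and not installed and words[0].rsplit("/", 1)[-1] in SHADOW_TOOLS:
                    findings.append((no, words[0].rsplit("/", 1)[-1]))
    return findings
```
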
As a note here: Fedora RPMs still use shadow-utils to create users and groups, although using a sysusers config file is now the recommended way to do so (although the sysusers binary is not yet used for the actual user/group creation): https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
Does anybody know what the plan is with regard to fully migrating to using the sysusers binary in RPMs?
There isn't one at the moment. Doing so would also require us to migrate the setup package to use sysusers files instead to construct base users and groups, like how openSUSE did.
Made the Change proposal for F35: https://fedoraproject.org/wiki/Changes/SmallerContainerBase