Security - Hardened Container OS - List of Minimal Packages

Hello,

I’m interested in building a minimal essential base image for a Docker container using LEAP 42.3.
What is the minimal list of essential (must-have) packages in order for the container to be able to launch a binary / shell script?

My current result for rpm -qa | wc -l (list of installed packages) is 155 packages installed, and it contains too many commands that are not needed by my Java programs.

For that matter, I do not want to have the curl, wget, ifconfig, netstat, ping, etc. commands. I would rather have just /bin/bash if I could.

Thanks!

boven:~ # rpm -qa | wc -l
2004
boven:~ #

So you have already removed (not installed) a lot, I assume.

I do not think anybody has a list of what you think is absolutely needed.
And as you do not show what those 155 are, I am not going to suggest that you remove a package because it may already have been removed by you. Complete waste of time for me.

BTW, I hope you are aware of the fact that the tools you mention are not packages, they are often parts of packages (e.g. netstat is part of nettools). Thus you also may need to break down those packages to achieve your goal.

Within YaST, Software, there’s a “View” named “Patterns” and, within the “Base Technologies” you’ll notice that a “Base System” section is defined.
Within that section, there’s a package which defines a YaST Software “Pattern” named ‘patterns-base-minimal_base’.


 > zypper info --requires patterns-base-minimal_base
Loading repository data...
Reading installed packages...


Information for package patterns-base-minimal_base:
---------------------------------------------------
Repository     : Hauptaktualisierungs-Repository
Name           : patterns-base-minimal_base
Version        : 20171206-lp150.15.9.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 58 B
Installed      : Yes (automatically)
Status         : up-to-date
Source package : patterns-base-20171206-lp150.15.9.1.src
Summary        : Base System
Description    :
    This is the minimal openSUSE runtime system. It is really a minimal system, you can login and a shell will be
    started, that's all. It is intended as base for Appliances.
Requires       : [20]
    coreutils
    systemd
    glibc
    dracut
    distribution-release
    rpm
    zypper
    filesystem
    pam
    e2fsprogs
    bash
    aaa_base
    sysconfig
    procps
    device-mapper
    kmod
    kbd
    system-group-hardware
    system-user-nobody
    openSUSE-build-key

 > 

You can either use the “Pattern” package as is or, take the “Requires” package list …
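To act on the suggestion above you need the two lists side by side: what is installed in the image and what the pattern's "Requires" list contains. The helper below is an added example and not code from the thread; it embeds the Requires list exactly as zypper printed it above, and the package listing it is fed here is a constructed sample, not a real system. Anything it prints is installed beyond the pattern's direct requirements and is a candidate to review (not automatically to remove: the required packages pull in their own dependencies, which do not appear in the pattern's Requires list).

```shell
#!/bin/sh
# Added example: compare an installed-package listing against the Requires
# list of patterns-base-minimal_base and print what lies outside it.
LC_ALL=C
export LC_ALL   # comm needs both inputs sorted in the same collation

# The Requires list of patterns-base-minimal_base, as printed by zypper above.
MINIMAL_BASE='coreutils
systemd
glibc
dracut
distribution-release
rpm
zypper
filesystem
pam
e2fsprogs
bash
aaa_base
sysconfig
procps
device-mapper
kmod
kbd
system-group-hardware
system-user-nobody
openSUSE-build-key'

# Constructed sample of what `rpm -qa --qf '%{NAME}\n'` might print in a
# container; not taken from any real image.
SAMPLE_RPM_QA='bash
coreutils
curl
glibc
iputils
net-tools
wget
zypper'

# extra_packages: read package names on stdin (one per line) and print,
# sorted, those that are not in MINIMAL_BASE.
extra_packages() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$MINIMAL_BASE" | sort -u > "$tmp"
    # comm -23: lines only in the first input (stdin), i.e. not in the base set
    sort -u | comm -23 - "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# extra_count: same as extra_packages, but just the number of packages.
extra_count() {
    extra_packages | wc -l | tr -d ' '
}

# Usage on a real system: sh this_script.sh --live
# (the guard keeps rpm from being called when the file is merely sourced)
if [ "${1:-}" = "--live" ]; then
    rpm -qa --qf '%{NAME}\n' | extra_packages
fi
```

On the constructed sample the output is curl, iputils, net-tools and wget, which are exactly the kinds of tools the original poster wants gone; on a real image the list will be longer because of the indirect dependencies mentioned above.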

Go backwards. Start with the docker hub leap image, it has 135 packages. Remove packages either via Dockerfile build or in a running container with zypper. Check that your java app is still working. Once zypper no longer allows you to remove packages due to dependencies, go for rpm -e. Again check that your app still runs on that container. Lastly, delete stuff with rm in your container. Commit the container, then flatten the filesystem layers with docker export. Import, tag, push to your registry.

On the other hand, I fail to see the point in stripping out network utilities. But go ahead, if it does not work, then you still have the exercise of building custom images. Oh, just make sure you really are working in a container and not your local filesystem :wink:
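The "go backwards" procedure above, written out as shell functions, as an added example that is not the poster's own code. The image tag, container name, registry tag, the packages removed and the app self-check are placeholders to be replaced; `--nodeps` on `rpm -e` is my choice, since without it rpm refuses the same dependency-breaking removals zypper refused. The export/import step is what actually makes the image smaller: a commit alone keeps the deleted files in the lower layers.

```shell
#!/bin/sh
# Added example: strip packages from a running container in three passes,
# re-checking the application after each pass, then flatten to one layer.
set -eu

BASE_IMAGE="${BASE_IMAGE:-opensuse/leap:42.3}"                    # assumed Docker Hub Leap tag
WORK_CTR="${WORK_CTR:-leap-strip}"                                # scratch container name
TARGET="${TARGET:-registry.example.invalid/java-base:minimal}"     # placeholder registry/tag
APP_CHECK="${APP_CHECK:-java -jar /opt/app/app.jar --selftest}"   # placeholder app check

# check_app CONTAINER: the app must still run after every removal step;
# with set -e a failing check aborts the whole procedure.
check_app() {
    docker exec "$1" sh -c "$APP_CHECK"
}

# strip_container IMAGE CONTAINER: zypper first, then rpm -e for what zypper
# refuses because of dependencies, then plain rm for leftover files.
strip_container() {
    docker run -d --name "$2" "$1" sleep infinity
    docker exec "$2" zypper --non-interactive remove curl wget
    check_app "$2"
    docker exec "$2" rpm -e --nodeps net-tools
    check_app "$2"
    docker exec "$2" rm -rf /usr/share/doc /usr/share/man
    check_app "$2"
}

# flatten_image CONTAINER TAG: commit for the record, then export/import so
# the result is a single layer. docker import drops CMD and ENV metadata,
# so the start command is set again with --change.
flatten_image() {
    docker commit "$1" "$1:stripped"
    docker export "$1" | docker import --change 'CMD ["java","-jar","/opt/app/app.jar"]' - "$2"
    docker push "$2"
}

# Usage: sh strip.sh --run
# (the guard keeps the docker calls from running when the file is sourced)
if [ "${1:-}" = "--run" ]; then
    strip_container "$BASE_IMAGE" "$WORK_CTR"
    flatten_image "$WORK_CTR" "$TARGET"
fi
```

Each removal pass is followed by the same check, so the first pass that breaks the application is the one you stop at; the flattened image is what gets pushed, not the layered commit.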

Save yourself the trouble described in prior posts,
Start with a JeOS image.

“Just enough OS” is built for what you are asking about… a stripped down image with the bare necessities, although, because openSUSE is a bit more enhanced than other distros, it is quite a bit bigger. With JeOS though, you’ll find that things like common tools, such as those used for troubleshooting networking, and documentation are excluded.

And, as always, it’s always better to start from what is minimally necessary and add rather than to manually remove what you can from a standard image… It’s unlikely you’ll be able to identify and remove all that you can and some minimal configurations require special configuration or components themselves which you won’t know how to resolve without some unnecessary (unless you just want to know about this stuff) research.

Lastly, it should be noted that JeOS is mainly useful for building special purpose applications, although people install things like Desktops on JeOS, I don’t recommend it… You may eventually run into a corner scenario. Instead, just start with an image with Desktop or some other standard “full” image.

HTH,
TSU

Building customized base images is a nice exercise and certainly fun. Usually, I add stuff to images but removing things is possible and valid if optimizing for size is the goal. Just remember to merge the image layers because otherwise the size will not shrink. If optimizing for security, there are other things to consider: avoid running as root in the container, avoid root switches like sudo too, use whatever security hardening scheme the host-containerd-combo provides like selinux or apparmor. There is no point in removing stuff from the image when any container user can simply install things at runtime. So, customizing an openSUSE image might well be worth it, if your docker host is openSUSE.

You usually pick a base image that has as many of the things you want already built in. Or, in other words, you want to offload maintenance of the base to someone else. If you use a well maintained upstream image as base, you can be fairly sure that it will be updated with security patches. Hence, no need to constantly update and rebuild your base image. Just pull the current upstream image and modify it with as few changes as possible. Ideally, you just copy your app in or, for dev purposes, volume-mount your app into an unmodified base. Saves a lot of work.

That said, if optimizing for size, I suggest using alpine based images. There is even jre-alpine for your java needs. They are well maintained and fairly standard. I only use those for quick proof-of-concept setups as I am forced to use vendor provided base images for real installations.
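The runtime points raised two posts up (no root inside the container, no privilege switches like sudo, and the host's AppArmor or SELinux profile) are a matter of how the container is started rather than what is in the image. The invocation below is an added example, not the poster's code; the image name and AppArmor profile name are placeholders, and `--read-only` and `--cap-drop ALL` are my additions, following the remark that a container user can otherwise just install things at runtime. Uid 65534 is `nobody` on openSUSE, which is why `system-user-nobody` sits in the minimal base pattern quoted earlier.

```shell
#!/bin/sh
# Added example: start a container with a non-root user, no privilege
# escalation, a host MAC profile, no capabilities and a read-only root.

# hardened_run_args IMAGE [APPARMOR_PROFILE]: print the docker run arguments
# one per line so they can be inspected before anything is started.
hardened_run_args() {
    image="$1"
    profile="${2:-docker-default}"   # Docker's stock AppArmor profile name
    # 65534:65534 is nobody; --security-opt no-new-privileges makes setuid
    # binaries and sudo unable to raise privileges; --read-only plus a tmpfs
    # for /tmp leaves nowhere to install software at runtime.
    printf '%s\n' \
        --rm \
        --user 65534:65534 \
        --security-opt no-new-privileges \
        --security-opt "apparmor=$profile" \
        --cap-drop ALL \
        --read-only \
        --tmpfs /tmp \
        "$image"
}

# run_hardened IMAGE [APPARMOR_PROFILE]: start the container with those
# arguments. The argument list is re-split on whitespace here, so image
# and profile names must not contain spaces (assumption of this helper).
run_hardened() {
    set -- $(hardened_run_args "$@")
    docker run "$@"
}

# Usage: run_hardened registry.example.invalid/java-base:minimal
```

Use `hardened_run_args` to review the flags in a build script or CI job, and `run_hardened` once the image has been tested with them; an application that needs to write outside /tmp will need an explicit `--tmpfs` or volume for that path rather than a writable root.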