
Adding a minimal shell to default rootfs

Open mcastelino opened this issue 8 years ago • 9 comments

@jcvenegas can we add a shell to the rootfs. That will allow us to provide a debug console. The current minimal set of tools does not have a shell pre-installed.

See https://github.com/clearcontainers/agent/pull/122

mcastelino, Sep 30 '17 01:09

bash is probably too big for a basic shell. I don't think CLR currently has busybox (GPL-licensed) or toybox (BSD-licensed), but they are both autospec-able (I've got examples somewhere if needed).

jodh-intel, Oct 02 '17 08:10

@jodh-intel, I will add bash for now; afterwards, I will work with the CL team to probably add busybox.

jcvenegas, Oct 02 '17 15:10

I prefer not to include bash or any other utility that will not be used by the agent: fewer components -> fewer CVEs -> fewer vulnerabilities.

devimc, Oct 02 '17 15:10

@devimc @mcastelino in case we don't want to add it, it could be documented in https://github.com/clearcontainers/agent/pull/122 to use EXTRA_PKGS="bash-bin" just for debugging.

jcvenegas, Oct 02 '17 15:10

We can create a debuggable image by running the following commands:

$ make clean
$ EXTRA_PKGS="dbus-bin dbus-autostart util-linux-bin p11-kit-bin bash shadow ca-certs dist-pam-configs xz-bin tar-bin grep-bin sed-bin pigz-bin iproute2-bin procps-ng-bin psstop-bin htop-bin curl nano pciutils usbutils-bin" make rootfs
$ IMG_SIZE="450MB" make image

We can also include any other package needed.

devimc, Oct 02 '17 15:10
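The recipe above leaves a rootfs directory on disk before it is packed into an image. As an added example (not osbuilder's own code, and not part of the thread), here is a POSIX shell check one can run over that directory to see whether any shell ended up in it and how large the tree is, which is the question of "how many MB" a debug build adds. The list of candidate shell paths and the constructed sample tree are assumptions for illustration, not an osbuilder convention.

```shell
#!/bin/sh
# Added example: inspect a built rootfs directory and report which shells
# it contains and how big it is. Not osbuilder code; candidate paths are
# an assumption covering common shell locations.

# Candidate shell paths, relative to the rootfs root (assumed list).
SHELL_CANDIDATES="bin/sh bin/bash bin/dash bin/busybox bin/toybox usr/bin/sh usr/bin/bash usr/bin/busybox usr/bin/toybox"

# rootfs_shells DIR: print each candidate shell that is present.
# -f follows symlinks, so a dangling symlink is not counted as a shell.
rootfs_shells() {
    dir=$1
    for rel in $SHELL_CANDIDATES; do
        if [ -f "$dir/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# rootfs_has_shell DIR: exit 0 if at least one shell is present, 1 otherwise.
rootfs_has_shell() {
    [ -n "$(rootfs_shells "$1")" ]
}

# rootfs_size_kb DIR: total size of the tree in KiB (du -sk is POSIX).
rootfs_size_kb() {
    du -sk "$1" | cut -f1
}

# rootfs_size_delta_kb BASE DEBUG: how much bigger DEBUG is than BASE, in KiB.
rootfs_size_delta_kb() {
    echo $(( $(rootfs_size_kb "$2") - $(rootfs_size_kb "$1") ))
}

# make_sample_rootfs: build a constructed sample tree for demonstration,
# with a placeholder busybox, /bin/sh pointing at it, and a dangling
# /bin/bash link that must not be reported. Prints the directory path.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    dd if=/dev/zero of="$d/bin/busybox" bs=1024 count=1 2>/dev/null  # placeholder, not a real binary
    chmod +x "$d/bin/busybox"
    ln -s busybox "$d/bin/sh"
    ln -s /nonexistent/bash "$d/bin/bash"
    printf '%s' "$d"
}

# Usage against a real build: rootfs_shells ./rootfs; rootfs_size_kb ./rootfs
```

Run `rootfs_shells` on a minimal build and on an EXTRA_PKGS build and diff the two lists; `rootfs_size_delta_kb` between the same two directories gives the on-disk cost of the debug packages before choosing IMG_SIZE.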

@devimc @jodh-intel I would rather have some minimal shell, vs asking the user to rebuild the image. If it comes to that, we should provide a debug image as part of our default package, so that we provide debuggability by default.

Also I do not buy that having bash will make our solution any worse from a security point of view. Our going-in assumption for Clear Containers is that obtaining root in the VM is a given. We prevent further compromise.

mcastelino, Oct 02 '17 15:10

@jcvenegas by how many MB does the image size increase?

devimc, Oct 02 '17 15:10

My vote is for toybox, @jodh-intel.

gorozco1, Oct 02 '17 15:10

I wouldn't like to include bash in the "production" version of the CC image because I want to avoid any possible container escape (i.e. chroot /proc/1/cwd).

devimc, Oct 02 '17 16:10