bosh-linux-stemcell-builder
Consider removing any packages from Noble that are not in Ubuntu's "Main" repository
Given that Ubuntu's policy is to provide only "best effort" updates to packages outside of the "Main" repository, we should consider removing as many of them as possible from the Noble stemcell so that we don't end up with unpatched CVEs late in the stemcell lifecycle [1]. See this article on Ubuntu's ESM for more context.
Currently on Jammy the packages not in the "Main" repository are:
clang
clang-14
dnsutils
grub2
ifupdown
libclang-common-14-dev
libclang-cpp14
libclang1-14
libobjc-11-dev:amd64
libobjc4:amd64
linux-modules-6.5.0-21-generic
linux-modules-extra-6.5.0-21-generic
llvm-14-linker-tools
module-assistant
resolvconf
rng-tools-debian
runit
scsitools
sysuser-helper
traceroute
[1] The traceroute package, in the "Universe" repository, has a reported CVE which is not patched even though Jammy is still within its LTS support window.
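To make the "which installed packages are outside Main" check repeatable on a stemcell image, here is an added example (not code from bosh-linux-stemcell-builder) that parses `apt-cache policy` output and reports the archive component of each installed package; the sample output below is constructed, and the regex assumes the standard `<suite>/<component>` source lines that apt prints for Ubuntu mirrors.

```python
import re

# Constructed sample of `apt-cache policy` output (not captured from a real stemcell).
# The " ***" row marks the installed version; the indented source rows beneath it
# carry the "<suite>/<component>" field that tells main apart from universe.
SAMPLE_POLICY = """\
traceroute:
  Installed: 1:2.1.0-2
  Candidate: 1:2.1.0-2
  Version table:
 *** 1:2.1.0-2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
bash:
  Installed: 5.1-6ubuntu1.1
  Candidate: 5.1-6ubuntu1.1
  Version table:
 *** 5.1-6ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     5.1-6ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
"""

SOURCE_RE = re.compile(r"^\s+\d+\s+\S+\s+\S+?/(main|restricted|universe|multiverse)\s")


def parse_policy(text):
    """Map each package to the component its installed version comes from.
    "local" = only known from /var/lib/dpkg/status; "not-installed" = Installed: (none)."""
    components, pkg, in_installed = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg, in_installed = line[:-1], False
            components[pkg] = "local"
        elif pkg and line.startswith("  Installed: (none)"):
            components[pkg] = "not-installed"
        elif line.startswith(" ***"):        # row for the installed version
            in_installed = True
        elif re.match(r"^ {5}\S", line):    # row for some other available version
            in_installed = False
        elif in_installed:
            m = SOURCE_RE.match(line)
            if m and components[pkg] == "local":
                components[pkg] = m.group(1)
    return components


def non_main(components):
    """Installed packages that Ubuntu only patches on a best-effort basis."""
    return sorted(p for p, c in components.items() if c not in ("main", "not-installed"))
```

On a live image, feed it the output of `apt-cache policy $(dpkg-query -W -f='${Package}\n')`; anything reported as "local" has no archive source at all and deserves a look of its own.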
I like the idea of cleaning up the stemcell a little bit. If we invest in such a feature, we should maybe also think about removing packages that we don't need for the bosh/cf-deployment universe... For example:
- eject (CD-ROM support)
- ubuntu-advantage-tools (we will not enable Ubuntu Pro in the community stemcells)
ifupdown is going to be the biggest change
eject is used by the agent: https://github.com/cloudfoundry/bosh-agent/blob/main/platform/cdrom/linux_cdrom.go (vSphere userdata gets injected via a CD-ROM...)
resolvconf is already replaced with systemd-resolved. runit (which is used to start the agent) can be migrated to use systemd. Don't know why grub2 is in this list... all the clang packages and libs are dependencies, so I don't think these can be removed.
As we move to iptables we could also remove this. But we can only remove it if the bosh-agent is also moving from its NATS iptables rules to nftables.
@ramonskie what do you mean by this? Did you forget to add the link?