Bug 1273938

Summary: Add iptables to rhel7 base image
Product: Red Hat Enterprise Linux 7
Reporter: Michal Fojtik <mfojtik>
Component: rhel-server-container
Assignee: Eliska Slobodova <eslobodo>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Docs Contact:
Version: 7.3
CC: jperrin, pasteur, sdodson, walters
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-12 13:50:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Fojtik 2015-10-21 14:27:33 UTC
Description of problem:

We should include the "iptables" package in the rhel7 base image.
It is included in the centos7 image, which makes it a little bit inconsistent.

OpenShift needs "iptables" to set up routes between services. We can install
it manually, but again, our centos7 image does not need that.


Comment 1 Scott Dodson 2015-10-21 14:32:29 UTC
Perhaps out of scope for this bug but there's considerable difference in packages between the rhel7 and centos:centos7 images.

Here's a complete diff of rpms between centos7 and rhel. I've removed entries where the only diff was package version.

--- rhel-rpms   2015-10-21 10:25:46.541349119 -0400
+++ centos-rpms 2015-10-21 10:25:56.297319064 -0400
@@ -1,27 +1,28 @@
+binutils-2.23.52.0.1-30.el7_1.2.x86_64
+centos-release-7-1.1503.el7.centos.2.8.x86_64
-dbus-glib-0.100-7.el7.x86_64
-dbus-python-1.1.1-9.el7.x86_64
-dmidecode-2.12-5.el7.x86_64
+elfutils-libs-0.160-1.el7.x86_64
+ethtool-3.15-2.el7.x86_64
+file-5.11-21.el7.x86_64
-gdb-gdbserver-7.6.1-64.el7.x86_64
+groff-base-1.22.2-8.el7.x86_64
+hardlink-1.0-19.el7.x86_64
+hostname-3.13-3.el7.x86_64
+iproute-3.10.0-21.el7.x86_64
+iptables-1.4.21-13.el7.x86_64
+iputils-20121221-6.el7_1.1.x86_64
+less-458-8.el7.x86_64
+libcroco-0.6.8-5.el7.x86_64
+libgomp-4.8.3-9.el7.x86_64
+libmnl-1.0.3-7.el7.x86_64
-libnl-1.1.4-3.el7.x86_64
+libnetfilter_conntrack-1.0.4-2.el7.x86_64
+libnfnetlink-1.0.1-4.el7.x86_64
+libunistring-0.9.3-9.el7.x86_64
-libxml2-python-2.9.1-5.el7_1.2.x86_64
-m2crypto-0.21.1-15.el7.x86_64
+lzo-2.06-6.el7_0.2.x86_64
-passwd-0.79-4.el7.x86_64
+procps-ng-3.3.10-3.el7.x86_64
-pygobject2-2.28.6-11.el7.x86_64
-python-chardet-2.2.1-1.el7_1.noarch
-python-dateutil-1.5-7.el7.noarch
-python-dmidecode-3.10.13-11.el7.x86_64
-python-ethtool-0.8-5.el7.x86_64
-python-kitchen-1.1.1-5.el7.noarch
-python-rhsm-1.13.10-1.el7.x86_64
-redhat-release-server-7.1-1.el7.x86_64
-subscription-manager-1.13.22-1.el7.x86_64
+snappy-1.1.0-3.el7.x86_64
+tar-1.26-29.el7.x86_64
-usermode-1.111-5.el7.x86_64
-virt-what-1.13-5.el7.x86_64
+which-2.20-7.el7.x86_64
+xz-5.1.2-9alpha.el7.x86_64
-yum-utils-1.1.31-29.el7.noarch
+yum-plugin-fastestmirror-1.1.31-29.el7.noarch
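Review bot: the hunk header `@@ -1,27 +1,28 @@` no longer matches the hunk body: after the hand removal of version-only entries it shows 20 `-` and 25 `+` lines and no context, so it reads fine but will not apply with `patch` and cannot be regenerated as is. Producing the two lists as names only (`rpm -qa --qf '%{NAME}\n' | sort`) before diffing gives a hunk that is both accurate and reproducible, and also makes it visible which same-name entries were dropped. On substance, the `+` side is not only `+iptables-1.4.21-13.el7.x86_64`: it brings the netfilter userland libraries `libmnl`, `libnfnetlink` and `libnetfilter_conntrack`, and separately `binutils` and `elfutils-libs`, toolchain pieces that a minimal base image should not carry; the `-` side shows the rhel image's own extra weight is `subscription-manager`, `python-rhsm` and the python libraries listed with them.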

Comment 5 Stephen Tweedie 2015-10-21 18:10:34 UTC
Is there any specific justification for iptables in the base image?

It really doesn't look like an appropriate package for a minimal image to me.  It makes sense for something like rhel-tools, but not for the base image --- most images are expected to be unprivileged and iptables really isn't core functionality for such unprivileged containers.

If it's just a matter of consistency, then I might argue that Centos ought to be dropping iptables!  We really don't want to be adding anything more than the strict minimum to the base image.

Comment 6 Stephen Tweedie 2015-10-21 18:11:47 UTC
btw, the clean way to avoid issues like this is to add a
   Requires: iptables
to the spec file of packages that need iptables.  That way, the dependency can be resolved automatically without making assumptions about what's in the base image.

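The package comparison in comment 1 and the `Requires: iptables` point in comment 6 are two checks a build pipeline can run rather than do by hand: diff two images' RPM sets by package name so that entries differing only in version-release drop out, and verify that the packages a workload needs are actually present in the base image instead of assuming them. The shell script below is an added example, not part of this bug and not Red Hat, CentOS or OpenShift tooling. Its package lists are constructed from entries in the diff above plus one made-up glibc pair that differs only in release; the `docker run ... rpm -qa` lines in its comments show how the lists would be produced for the real `rhel7` and `centos:centos7` images.

```shell
#!/bin/sh
# Added example, not from the bug or from Red Hat/CentOS/OpenShift tooling.
# Two checks for container base images:
#   1. diff two images' RPM sets by package NAME, so entries that differ only in
#      version-release (glibc here) drop out, as comment 1 did by hand;
#   2. check that the packages a workload needs (what a "Requires:" line in a
#      spec would express) are really present instead of assuming the base
#      image has them.
#
# Sample inputs are constructed: entries taken from the diff in comment 1 plus
# one made-up glibc pair that differs only in release. For real images produce
# the lists with
#   docker run --rm rhel7          rpm -qa > rhel-rpms
#   docker run --rm centos:centos7 rpm -qa > centos-rpms
# (or rpm -qa --qf '%{NAME}\n' to get names directly and skip pkg_names).

RHEL_RPMS='dbus-glib-0.100-7.el7.x86_64
glibc-2.17-78.el7.x86_64
python-rhsm-1.13.10-1.el7.x86_64
redhat-release-server-7.1-1.el7.x86_64
subscription-manager-1.13.22-1.el7.x86_64
yum-utils-1.1.31-29.el7.noarch'

CENTOS_RPMS='centos-release-7-1.1503.el7.centos.2.8.x86_64
glibc-2.17-79.el7.x86_64
iproute-3.10.0-21.el7.x86_64
iptables-1.4.21-13.el7.x86_64
libmnl-1.0.3-7.el7.x86_64
libnetfilter_conntrack-1.0.4-2.el7.x86_64
libnfnetlink-1.0.1-4.el7.x86_64
yum-plugin-fastestmirror-1.1.31-29.el7.noarch'

# rpm -qa lines are NAME-VERSION-RELEASE.ARCH; names may themselves contain
# hyphens (python-rhsm, centos-release), so strip only the last two
# hyphen-separated fields. C locale so the order is what comm expects below.
pkg_names() {
    sed -E 's/-[^-]+-[^-]+$//' | LC_ALL=C sort -u
}

# Package names present in the first rpm -qa list but not in the second.
names_only_in() {
    a=$(mktemp) b=$(mktemp)
    printf '%s\n' "$1" | pkg_names > "$a"
    printf '%s\n' "$2" | pkg_names > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# missing_requires "<rpm -qa list>" pkg...: print the required package names
# that are absent from the list (space-separated, in argument order) and
# return 1 if any is missing, 0 otherwise, so it can gate an image build.
missing_requires() {
    names=$(printf '%s\n' "$1" | pkg_names); shift
    missing=""
    for p in "$@"; do
        if ! printf '%s\n' "$names" | grep -Fqx -- "$p"; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

echo "Only in centos7 (by name):"; names_only_in "$CENTOS_RPMS" "$RHEL_RPMS"
echo "Only in rhel7 (by name):";   names_only_in "$RHEL_RPMS" "$CENTOS_RPMS"
echo "Needed by OpenShift but missing from rhel7:"
missing_requires "$RHEL_RPMS" iptables iproute \
    || echo "-> install them in the image or add Requires: to the package"
```

The name-only diff is the one to keep in a pipeline: a raw `diff -u` of `rpm -qa` output flags every rebuilt package as a difference, which hides the real deltas (here the netfilter libraries that come with iptables). The `missing_requires` exit status is what a Dockerfile build step or CI job should fail on when a base image silently loses a package the workload depends on.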
Comment 7 Scott Dodson 2015-10-21 18:20:51 UTC
(In reply to Stephen Tweedie from comment #6)
> btw, the clean way to avoid issues like this is to add a
>    Requires: iptables
> to the spec file of packages that need iptables.  That way, the dependency
> can be resolved automatically without making assumptions about what's in the
> base image.

Hmm, good point. That'll push the problem down the road to when we build OSE, as the Origin build process doesn't make use of RPMs, but I agree that's a good way to solve this.

Comment 8 Jim Perrin 2015-11-02 14:16:44 UTC
Hmm. Certainly some of these packages could be pruned from the CentOS base image.

I'll make a case for keeping iputils, iproute, and less as useful debug utilities for a base container, as a fair bit of dev happens on hosts we can't control. I'll see what I can do for the next build of the CentOS base container.  

Packages I'm ignoring:
*-release
subscription-manager
yum-plugin-fastestmirror

Why is yum-utils in the rhel base container? 
Is that simply for yum-config-manager?

Comment 9 Eliska Slobodova 2015-11-02 14:42:22 UTC
Jim, many thanks for that.

I can't remember any other reason than being able to use yum-config-manager.

Comment 10 Jim Perrin 2015-12-16 22:18:59 UTC
The updated centos container for the 1511 release is now posted. This should be a bit closer to the expected package list based on the diff above.

Comment 11 Jim Perrin 2015-12-17 02:44:33 UTC
Seems someone noticed the package removals. I've asked them for feedback/use-cases.

https://github.com/CentOS/sig-cloud-instance-images/issues/40