Bug 1273938
| Summary: | Add iptables to rhel7 base image | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Fojtik <mfojtik> |
| Component: | rhel-server-container | Assignee: | Eliska Slobodova <eslobodo> |
| Status: | CLOSED WONTFIX | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Priority: | high |
| Version: | 7.3 | CC: | jperrin, pasteur, sdodson, walters |
| Target Milestone: | rc | Target Release: | --- |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Type: | Bug |
| Last Closed: | 2016-04-12 13:50:32 UTC | | |
Description
Michal Fojtik
2015-10-21 14:27:33 UTC
Perhaps out of scope for this bug but there's considerable difference in packages between the rhel7 and centos:centos7 images. Here's a complete diff of rpms between centos7 and rhel. I've removed entries where the only diff was package version. --- rhel-rpms 2015-10-21 10:25:46.541349119 -0400 +++ centos-rpms 2015-10-21 10:25:56.297319064 -0400 
@@ -1,27 +1,28 @@ +binutils-2.23.52.0.1-30.el7_1.2.x86_64 +centos-release-7-1.1503.el7.centos.2.8.x86_64 -dbus-glib-0.100-7.el7.x86_64 -dbus-python-1.1.1-9.el7.x86_64 -dmidecode-2.12-5.el7.x86_64 +elfutils-libs-0.160-1.el7.x86_64 +ethtool-3.15-2.el7.x86_64 +file-5.11-21.el7.x86_64 -gdb-gdbserver-7.6.1-64.el7.x86_64 +groff-base-1.22.2-8.el7.x86_64 +hardlink-1.0-19.el7.x86_64 +hostname-3.13-3.el7.x86_64 +iproute-3.10.0-21.el7.x86_64 +iptables-1.4.21-13.el7.x86_64 +iputils-20121221-6.el7_1.1.x86_64 +less-458-8.el7.x86_64 +libcroco-0.6.8-5.el7.x86_64 +libgomp-4.8.3-9.el7.x86_64 +libmnl-1.0.3-7.el7.x86_64 -libnl-1.1.4-3.el7.x86_64 +libnetfilter_conntrack-1.0.4-2.el7.x86_64 +libnfnetlink-1.0.1-4.el7.x86_64 +libunistring-0.9.3-9.el7.x86_64 -libxml2-python-2.9.1-5.el7_1.2.x86_64 -m2crypto-0.21.1-15.el7.x86_64 +lzo-2.06-6.el7_0.2.x86_64 -passwd-0.79-4.el7.x86_64 +procps-ng-3.3.10-3.el7.x86_64 -pygobject2-2.28.6-11.el7.x86_64 -python-chardet-2.2.1-1.el7_1.noarch -python-dateutil-1.5-7.el7.noarch -python-dmidecode-3.10.13-11.el7.x86_64 -python-ethtool-0.8-5.el7.x86_64 -python-kitchen-1.1.1-5.el7.noarch -python-rhsm-1.13.10-1.el7.x86_64 -redhat-release-server-7.1-1.el7.x86_64 -subscription-manager-1.13.22-1.el7.x86_64 +snappy-1.1.0-3.el7.x86_64 +tar-1.26-29.el7.x86_64 -usermode-1.111-5.el7.x86_64 -virt-what-1.13-5.el7.x86_64 +which-2.20-7.el7.x86_64 +xz-5.1.2-9alpha.el7.x86_64 -yum-utils-1.1.31-29.el7.noarch +yum-plugin-fastestmirror-1.1.31-29.el7.noarch Is there any specific justification for iptables in the base image? It really doesn't look like an appropriate package for a minimal image to me. It makes sense for something like rhel-tools, but not for the base image --- most images are expected to be unprivileged and iptables really isn't core functionality for such unprivileged containers. If it's just a matter of consistency, then I might argue that Centos ought to be dropping iptables! 
We really don't want to be adding anything more than the strict minimum to the base image.

btw, the clean way to avoid issues like this is to add a
    Requires: iptables
to the spec file of packages that need iptables. That way, the dependency can be resolved automatically without making assumptions about what's in the base image.

(In reply to Stephen Tweedie from comment #6)
> btw, the clean way to avoid issues like this is to add a
> Requires: iptables
> to the spec file of packages that need iptables. That way, the dependency
> can be resolved automatically without making assumptions about what's in the
> base image.

Hmm, good point. That'll push the problem down the road to when we build OSE as the Origin build process doesn't make use of RPMs but I agree that's a good way to solve this.

hmm. certainly some of these packages could be pruned from the CentOS base image. I'll make a case for keeping iputils, iproute, and less as useful debug utilities for a base container, as a fair bit of dev happens on hosts we can't control. I'll see what I can do for the next build of the CentOS base container.

Packages I'm ignoring:
*-release
subscription-manager
yum-plugin-fastestmirror

Why is yum-utils in the rhel base container? Is that simply for yum-config-manager?

Jim, many thanks for that. I can't remember any other reason than being able to use yum-config-manager.

The updated centos container for the 1511 release is now posted. This should be a bit closer to the expected package list based on the diff above.

Seems someone noticed the package removals. I've asked them for feedback/use-cases. https://github.com/CentOS/sig-cloud-instance-images/issues/40
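
The comparison described in the thread (a diff of `rpm -qa` listings with version-only differences set aside), as an added example that is not part of the original bug report or any project's code: it compares two image package listings by name. Function names are illustrative; the sample listings reuse a few entries from the diff above, and the two `bash` lines are constructed to show a version-only difference.

```python
"""Compare two `rpm -qa` listings by package name, ignoring version-only changes."""

def parse_nvra(entry):
    """Split name-version-release[.arch]; names may contain '-', so split from the right."""
    entry = entry.strip()
    nvr, dot, arch = entry.rpartition(".")
    if not dot or "-" in arch:  # no arch suffix, e.g. gpg-pubkey entries
        nvr, arch = entry, ""
    name, version, release = nvr.rsplit("-", 2)  # ValueError on malformed input
    return name, version, release, arch

def index_by_name(lines):
    """Map name -> set of (version, release, arch); one name can be installed twice."""
    pkgs = {}
    for line in lines:
        if line.strip():
            name, *rest = parse_nvra(line)
            pkgs.setdefault(name, set()).add(tuple(rest))
    return pkgs

def compare_images(left_lines, right_lines):
    """Return names present on one side only, plus names whose builds differ."""
    left, right = index_by_name(left_lines), index_by_name(right_lines)
    common = left.keys() & right.keys()
    return {
        "only_left": sorted(left.keys() - right.keys()),
        "only_right": sorted(right.keys() - left.keys()),
        "version_only": sorted(n for n in common if left[n] != right[n]),
    }

# Sample listings: entries from the diff above, plus constructed bash lines.
RHEL_SAMPLE = """\
bash-4.2.46-12.el7.x86_64
passwd-0.79-4.el7.x86_64
redhat-release-server-7.1-1.el7.x86_64
yum-utils-1.1.31-29.el7.noarch
"""
CENTOS_SAMPLE = """\
bash-4.2.46-19.el7.x86_64
centos-release-7-1.1503.el7.centos.2.8.x86_64
iptables-1.4.21-13.el7.x86_64
libnetfilter_conntrack-1.0.4-2.el7.x86_64
xz-5.1.2-9alpha.el7.x86_64
"""

if __name__ == "__main__":
    result = compare_images(RHEL_SAMPLE.splitlines(), CENTOS_SAMPLE.splitlines())
    for key in ("only_left", "only_right", "version_only"):
        print(key, result[key])
```

Packages that appear only on one side are the ones that change what is installed in the image; version-only differences are reported separately so they do not hide those additions.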