Bug 1994521
Summary: [RFE] consider using (lib)curl-minimal as a replacement for (lib)curl
Product: Red Hat Enterprise Linux 9
Reporter: Kamil Dudka <kdudka>
Component: ubi9-container
Assignee: Jindrich Novy <jnovy>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact: Gabriela Nečasová <gnecasov>
Priority: unspecified
Version: 9.0
CC: dornelas, fedoraproject, gfialova, gnecasov, jnovy, jpazdziora, jwboyer, kdudka, lmgray, smccarty, walters
Target Milestone: beta
Keywords: FutureFeature, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: Release Note
Doc Text: ubi9 container images now use a conservatively configured build of (lib)curl, named (lib)curl-minimal. If the support for dict, gopher, gophers, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp, brotli, IDN, NTLM_WB, PSL, or TLS-SRP is needed in (lib)curl, it can be installed using the following command: dnf install --allowerasing libcurl-full
Story Points: ---
Last Closed: 2023-03-08 20:57:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Description (Kamil Dudka, 2021-08-17 12:45:07 UTC)

Apart from minimizing the image size, the -minimal subpackages support a smaller number of features and protocols. Therefore, their use would also lower the number of CVEs applicable to the container images based on UBI 9, as the recent CVEs seem to primarily be related to older protocols. [citation needed]

I'm trying to do some scratch builds of ubi9 with curl-minimal and libcurl-minimal. We'll see how they go.

From my {rpm-,}ostree PoV, libcurl having protocols other than http{s}:// is basically an anti-feature. In ostree we already explicitly restrict it: https://github.com/ostreedev/ostree/blob/cac4f2133b4f4d14c59c0fe4a2e568d0d938eac4/src/libostree/ostree-fetcher-curl.c#L853

Briefly looking at this, it seems like this needs fixing:

```
$ rpm -e curl
error: Failed dependencies:
	curl is needed by (installed) rpm-4.16.1.3-1.fc34.x86_64
$
```

And curl -> libcurl (not libcurl-minimal).

The curl-minimal package provides curl, so the rpm dependency remains met when you do `dnf swap -y curl -- curl-minimal`.

At the moment, the savings for the regular ubi9 base image look relatively small. Here is the package difference when using curl-minimal and libcurl-minimal. Essentially, libbrotli, libpsl, libssh, libssh-config, and publicsuffix-list-dafsa are the only packages removed. That's approximately 1.3MB. I'm going to try this with ubi9-minimal as well.

```
[jwboyer@vader ubi9]$ diff -Nup ubi9.txt curl-minimal.txt
--- ubi9.txt	2021-08-18 12:42:39.360698620 -0400
+++ curl-minimal.txt	2021-08-18 12:39:45.451443737 -0400
@@ -11,7 +11,7 @@ cracklib-dicts
 crypto-policies
 crypto-policies-scripts
 cryptsetup-libs
-curl
+curl-minimal
 cyrus-sasl-lib
 dbus
 dbus-broker
@@ -61,12 +61,11 @@ libarchive
 libassuan
 libattr
 libblkid
-libbrotli
 libcap
 libcap-ng
 libcom_err
 libcomps
-libcurl
+libcurl-minimal
 libdb
 libdnf
 libdnf-plugin-subscription-manager
@@ -83,7 +82,6 @@ libmodulemd
 libmount
 libnghttp2
 libnl3
-libpsl
 libpwquality
 librepo
 libreport-filesystem
@@ -95,8 +93,6 @@ libsepol
 libsigsegv
 libsmartcols
 libsolv
-libssh
-libssh-config
 libstdc++
 libtasn1
 libunistring
@@ -127,7 +123,6 @@ pcre
 pcre2
 pcre2-syntax
 popt
-publicsuffix-list-dafsa
 python3
 python3-chardet
 python3-cloud-what
```

Identical results with ubi9-minimal:

```
[jwboyer@vader ubi9-minimal]$ diff -Nup ubi9-minimal.txt minimal-curl-minimal.txt
--- ubi9-minimal.txt	2021-08-18 13:00:45.968060585 -0400
+++ minimal-curl-minimal.txt	2021-08-18 13:01:14.530596383 -0400
@@ -6,7 +6,7 @@ bzip2-libs
 ca-certificates
 coreutils-single
 crypto-policies
-curl
+curl-minimal
 cyrus-sasl-lib
 dejavu-sans-fonts
 dnf-data
@@ -39,11 +39,10 @@ libarchive
 libassuan
 libattr
 libblkid
-libbrotli
 libcap
 libcap-ng
 libcom_err
-libcurl
+libcurl-minimal
 libdnf
 libffi
 libgcc
@@ -55,7 +54,6 @@ libmodulemd
 libmount
 libnghttp2
 libpeas
-libpsl
 librepo
 libreport-filesystem
 librhsm
@@ -64,8 +62,6 @@ libsepol
 libsigsegv
 libsmartcols
 libsolv
-libssh
-libssh-config
 libstdc++
 libtasn1
 libunistring
@@ -92,7 +88,6 @@ pcre
 pcre2
 pcre2-syntax
 popt
-publicsuffix-list-dafsa
 readline
 redhat-release
 rootfiles
```

Overall this isn't a bad change, but we're left largely with things we don't "want" because of depchains like this:

libdnf -> gpgme -> gnupg2 -> openldap -> cyrus-sasl-lib -> krb5-libs -> gawk -> mpfr

Not to pick on libdnf; passwd and usermode also wind up depending on openldap (via libuser), and libcurl-minimal depends on krb5-libs. So we're not getting rid of those packages at all as things stand.

I have no problems making this change, but it's barely over a 1% savings for ubi9-minimal and not even that for the regular ubi9 image.

(In reply to Colin Walters from comment #4)
> From my {rpm-,}ostree PoV, libcurl having protocols other than http{s}:// is basically an anti-feature.

Only libssh and openldap affect the set of supported protocols. libbrotli, libidn2, and libpsl are used for http(s).

> Briefly looking at this, it seems like this needs fixing:
>
> ```
> $ rpm -e curl
> error: Failed dependencies:
> 	curl is needed by (installed) rpm-4.16.1.3-1.fc34.x86_64
> $
> ```
>
> And curl -> libcurl (not libcurl-minimal).

As already explained by Jan, there is no need to fix anything like that.

(In reply to Josh Boyer from comment #8)
> Overall this isn't a bad change, but we're left largely with things we don't
> "want" because of depchains like this:
>
> libdnf -> gpgme -> gnupg2 -> openldap -> cyrus-sasl-lib -> krb5-libs -> gawk
> -> mpfr
>
> Not to pick on libdnf, passwd and usermode also wind up depending on
> openldap (via libuser), and libcurl-minimal depends on krb5-libs. So we're
> not getting rid of those packages at all as things stand.
>
> I have no problems making this change, but it's barely over a 1% savings for
> ubi9-minimal and not even that for the regular ubi9 image.

Thanks for the analysis! I guess we need to start cutting the chains somewhere. Otherwise gnupg2 folks will look at the dependency graph and think they would save nothing by making LDAP optional because libcurl uses openldap anyway.

LGTM. Has anybody tried this with UBI Micro? It might be more than a 1% size difference, and with as small as that's getting it could be REALLY good.

(In reply to Scott McCarty from comment #11)
> LGTM. Has anybody tried this with UBI Micro? It might be more than a 1% size
> difference, and with as small as that's getting it could be REALLY good.

None of these packages are in ubi-micro at all. 0% savings :)

Doh! Fair enough :-)

Hello Jindřich, are you OK with making the change for UBI 9, or is additional justification needed?

Hi Jan, this change sounds good to me. The ubi9 is built off a kickstart file as it is a base image; the change needs to be done in there. It is defined in https://code.engineering.redhat.com/gerrit/login/#/admin/projects/spin-kickstarts (I'm no longer authorized to even look into this repo). I filed https://issues.redhat.com/browse/RHELBLD-7352 to the EXD team to perform this change.

Any objections against me kicking the build to allow Kamil to test the new ubi9 image, Josh?

(In reply to Jindrich Novy from comment #16)
> Any objections against me kicking the build to allow Kamil to test the new
> ubi9 image Josh?

No objections, but the images are built as part of the nightly composes. There's at least 2 more that will run today, so you might be fine to just wait for those.

The change seems in:

```
$ podman images registry-proxy.engineering.redhat.com/rh-osbs/ubi9
REPOSITORY                                          TAG     IMAGE ID      CREATED       SIZE
registry-proxy.engineering.redhat.com/rh-osbs/ubi9  latest  ec33d0133f87  19 hours ago  229 MB
$ podman run --rm -ti registry-proxy.engineering.redhat.com/rh-osbs/ubi9 rpm -qa '*curl*'
libcurl-minimal-7.76.1-11.el9.x86_64
curl-minimal-7.76.1-11.el9.x86_64
```

Looks good. Thanks to all involved!

For the record, in bug 2005874 we propose to further limit the protocols carried by the -minimal version of the packages, primarily for vulnerability assessment reasons. Please chime in there if you feel that would be a good / bad idea.

Jan, personally I think that would be a fine idea!

Is there a significant difference between curl/libcurl and curl-minimal/libcurl-minimal? Should this have been a Release Note to let users know we were making this change?

Yes, please.

How does one install full curl now if more protocols are needed? Seems to be a chicken-and-egg problem now:

```
$ docker run -it registry.redhat.io/ubi9/ubi-minimal:latest bash
[root@5a243f19a43c /]# microdnf install curl

(microdnf:15): librhsm-WARNING **: 18:25:57.488: Found 0 entitlement certificates

(microdnf:15): librhsm-WARNING **: 18:25:57.492: Found 0 entitlement certificates
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: Could not depsolve transaction; 1 problem detected:
 Problem: problem with installed package curl-minimal-7.76.1-14.el9.x86_64
  - package curl-minimal-7.76.1-14.el9.x86_64 conflicts with curl provided by curl-7.76.1-14.el9.x86_64
  - conflicting requests
[root@5a243f19a43c /]# microdnf remove curl-minimal

(microdnf:72): librhsm-WARNING **: 18:27:17.154: Found 0 entitlement certificates

(microdnf:72): librhsm-WARNING **: 18:27:17.156: Found 0 entitlement certificates
error: Could not depsolve transaction; 1 problem detected:
 Problem: package rpm-4.16.1.3-12.el9_0.x86_64 requires curl, but none of the providers can be installed
  - conflicting requests
  - problem with installed package rpm-4.16.1.3-12.el9_0.x86_64
```

We have use-cases where other protocols are required, and it's not obvious (to me) how to replace curl-minimal with curl-full without installing dnf (microdnf doesn't have a `swap` command). I'm all for small images and keeping things "minimal", but it should be possible to switch to full versions if needed IMHO.

The following seems to do the swap:

```
microdnf install -y libssh libpsl libbrotli \
  && microdnf download curl libcurl \
  && rpm -Uvh --nodeps --replacefiles "*curl*$( uname -i ).rpm" \
  && microdnf remove -y libcurl-minimal curl-minimal
```

It's not beautiful, so others might offer a better solution.

Thanks -- I was a little less clever and installed and removed (full) dnf to use the swap command -- TIL! This might be worthy of a "how to install curl-full in ubi9" tech note...

This seems awkward, but I am not aware of any obvious better solution.

This change was included in RHEL 9 GA.
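The two questions the thread ends on (is the -minimal build what my image carries, and which recipe puts the full build back, given that ubi9 has dnf and ubi-minimal only microdnf) can be answered from the machine itself. The POSIX shell script below is an added example, not code from the bug report or from the curl or UBI projects. It parses `curl -V` and `rpm -qa` output to report which required protocols the installed build lacks, then prints the swap recipe for the package manager at hand. The `curl -V` and `rpm -qa` samples inside it are constructed to resemble the outputs quoted in the thread, the microdnf recipe is the one posted above, and the `curl-full` provide name in the dnf recipe is an assumption that mirrors the `libcurl-full` name from the release note.

```shell
#!/bin/sh
# Added example (not from the bug report, curl or UBI): check whether a UBI 9
# image carries the (lib)curl-minimal build, which required protocols it
# lacks, and which swap recipe applies. Samples below are constructed.

# Constructed: "curl -V" output of a libcurl-minimal build (http(s)/ftp(s)/file only).
CURL_V_MINIMAL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.1 zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL UnixSockets'

# Constructed: "curl -V" output of the full build (libssh, libpsl, brotli, IDN present).
CURL_V_FULL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.6/openssl/zlib nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets'

# Constructed: "rpm -qa '*curl*'" on the rebuilt ubi9 image, as quoted in the thread.
RPM_QA_MINIMAL='libcurl-minimal-7.76.1-11.el9.x86_64
curl-minimal-7.76.1-11.el9.x86_64'

# is_minimal_build RPM_QA_OUTPUT: exit 0 when libcurl-minimal is installed.
is_minimal_build() {
    printf '%s\n' "$1" | grep -q '^libcurl-minimal-'
}

# missing_protocols "sftp smtp" CURL_V_OUTPUT: print each required protocol
# absent from the "Protocols:" line, one per line; exit 1 if any is missing.
missing_protocols() {
    needed=$1
    protos=$(printf '%s\n' "$2" | sed -n 's/^Protocols: *//p')
    rc=0
    for p in $needed; do
        case " $protos " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# swap_command dnf|microdnf: print the command that replaces the -minimal
# packages with the full ones on that package manager.
swap_command() {
    case $1 in
        dnf)
            # libcurl-full is the provide named in the release note; assumption:
            # the full curl package carries a matching curl-full provide.
            echo 'dnf install -y --allowerasing libcurl-full curl-full' ;;
        microdnf)
            # microdnf has no swap; this is the recipe posted in the thread.
            echo 'microdnf install -y libssh libpsl libbrotli && microdnf download curl libcurl && rpm -Uvh --nodeps --replacefiles "*curl*$(uname -i).rpm" && microdnf remove -y libcurl-minimal curl-minimal' ;;
        *)
            echo "unknown package manager: $1" >&2; return 2 ;;
    esac
}

# Live mode (CURL_CHECK_LIVE=1): compare the running image's curl with the
# protocols the workload needs and print the matching swap recipe.
if [ "${CURL_CHECK_LIVE:-0}" = 1 ]; then
    needed=${REQUIRED_PROTOCOLS:-https sftp}
    if missing=$(missing_protocols "$needed" "$(curl -V 2>/dev/null)"); then
        echo "installed curl covers: $needed"
    else
        echo "missing protocols:" $missing
        if command -v dnf >/dev/null 2>&1; then swap_command dnf; else swap_command microdnf; fi
    fi
fi
```

Run it as `CURL_CHECK_LIVE=1 REQUIRED_PROTOCOLS="https sftp" sh curl-check.sh` inside the container; without `CURL_CHECK_LIVE` it only defines the functions, so it can be sourced from a build script. Checking the `Protocols:` line rather than the package name is deliberate: it is the protocol set, not the package name, that decides whether a workload breaks, and it keeps working if bug 2005874 trims the -minimal set further.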