Bug 2028819

Summary: nss_wrapper pulls in cmake by default, enlarging the footprint too much
Product: Red Hat Enterprise Linux 9 Reporter: Honza Horak <hhorak>
Component: nss_wrapperAssignee: Andreas Schneider <asn>
Status: CLOSED ERRATA QA Contact: Denis Karpelevich <dkarpele>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: asn, extras-qa, jhrozek, madam
Target Milestone: rcKeywords: Patch, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss_wrapper-1.1.11-8.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2023435 Environment:
Last Closed: 2022-11-15 10:11:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2023435    
Bug Blocks:    

Description Honza Horak 2021-12-03 13:28:55 UTC 
This could help decrease RHEL-9 containers a bit.

+++ This bug was initially created as a clone of Bug #2023435 +++

Description of problem:

nss_wrapper is used in non-root containers to create missing user entries:
https://src.fedoraproject.org/container/postgresql/blob/rawhide/f/root/usr/share/container-scripts/postgresql/common.sh#_183

And in containers, every MB is counted. nss_wrapper by default pulls in cmake and many other packages, because it ships cmake config file. In total, it's around 100MB unpacked.

Version-Release number of selected component (if applicable):
nss_wrapper-1.1.11-6.fc35

How reproducible:
easily

Steps to Reproduce:
1. podman run -ti --rm fedora bash -c 'yum install -y nss_wrapper'

Actual results:
  <other dnf output snipped>
Install  78 Packages
  <other dnf output snipped>
Installed size: 109 M
  <other dnf output snipped>

Expected results:
Ideally only nss_wrapper library is installed.

Additional info:

I'd suggest to introduce a nss_wrapper-devel package that can ship the cmake config file and the necessary dependencies, and only users/components that need those would install that.

This change might need 3 other components to update the spec, as they might currently count with cmake config to be installed:

$> dnf repoquery --repoid=fedora-source --whatrequires nss_wrapper
cyrus-sasl-0:2.1.27-8.fc34.src
libssh-0:0.9.5-2.fc34.src
sssd-0:2.4.2-3.fc34.src

--- Additional comment from Honza Horak on 2021-11-15 17:35:50 UTC ---

I've had second thoughts and realized due to the backward compatibility and because there is also a perl tool that is not something to the devel package, introducing nss_wrapper-libs that would only provide the library itself is likely better way how to deal with this. A PR is prepared:

https://src.fedoraproject.org/rpms/nss_wrapper/pull-request/1
Comment 1 Honza Horak 2021-12-06 08:31:22 UTC 
Andreas, once the change got applied in Fedora, do you think it would be possible to use this in RHEL-9 as well? As said above, this will help us shipping smaller container images, which is something we're trying to fix. We can help with testing if needed.
Comment 2 Honza Horak 2022-01-07 11:51:55 UTC 
*** Bug 2023442 has been marked as a duplicate of this bug. ***
Comment 3 Honza Horak 2022-01-07 11:55:10 UTC 
Andreas, I'm wondering what your thoughts are about including the same change that was applied in Fedora already. If there are issues with resources, I think I can offer help with maintaining this package, as our team is one of the user of it (for container images purposes).
Comment 12 errata-xmlrpc 2022-11-15 10:11:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nss_wrapper bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8016