Description of problem:
We should include the "iptables" package in rhel7 base image.
It is included in centos7 image which makes it a little bit inconsistent.
OpenShift needs "iptables" to set up routes between services. We can install
it manually, but again, our centos7 image does not need that.
Perhaps out of scope for this bug but there's considerable difference in packages between the rhel7 and centos:centos7 images.
Here's a complete diff of rpms between centos7 and rhel. I've removed entries where the only diff was package version.
--- rhel-rpms 2015-10-21 10:25:46.541349119 -0400
+++ centos-rpms 2015-10-21 10:25:56.297319064 -0400
@@ -1,27 +1,28 @@
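The comparison described in the comment above (an rpm diff with version-only differences removed) can be reproduced by reducing each `rpm -qa` line to its package name before diffing. This is an added example, not part of the original thread; the sample listings and their version strings are constructed for illustration and are not the real image contents.

```python
"""Compare two `rpm -qa` listings by package name, ignoring version-only changes."""


def package_name(nvra):
    # `rpm -qa` prints name-version-release.arch. The name may contain '-',
    # but version and release never do, so split twice from the right.
    parts = nvra.strip().rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError("not a name-version-release string: %r" % nvra)
    return parts[0]


def name_set(listing):
    # One package per line; blank lines are skipped.
    return {package_name(line) for line in listing.splitlines() if line.strip()}


def compare(rhel_listing, centos_listing):
    rhel, centos = name_set(rhel_listing), name_set(centos_listing)
    return {
        "only_in_rhel": sorted(rhel - centos),
        "only_in_centos": sorted(centos - rhel),
    }


# Constructed sample input (illustrative versions, not taken from the images).
RHEL_SAMPLE = """\
bash-4.2.46-19.el7.x86_64
glibc-2.17-105.el7.x86_64
yum-utils-1.1.31-34.el7.noarch
"""

CENTOS_SAMPLE = """\
bash-4.2.46-12.el7.x86_64
glibc-2.17-78.el7.x86_64
iptables-1.4.21-13.el7.x86_64
iputils-20121221-6.el7.x86_64
iproute-3.10.0-21.el7.x86_64
less-458-8.el7.x86_64
"""

if __name__ == "__main__":
    for side, names in compare(RHEL_SAMPLE, CENTOS_SAMPLE).items():
        print(side + ":", ", ".join(names) or "(none)")
```

Packages that differ only in version (bash and glibc in the sample) drop out, leaving the name-level differences that determine what each base image actually ships.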
Is there any specific justification for iptables in the base image?
It really doesn't look like an appropriate package for a minimal image to me. It makes sense for something like rhel-tools, but not for the base image --- most images are expected to be unprivileged and iptables really isn't core functionality for such unprivileged containers.
If it's just a matter of consistency, then I might argue that CentOS ought to be dropping iptables! We really don't want to be adding anything more than the strict minimum to the base image.
btw, the clean way to avoid issues like this is to add a
Requires: iptables
to the spec file of packages that need iptables. That way, the dependency can be resolved automatically without making assumptions about what's in the base image.
(In reply to Stephen Tweedie from comment #6)
> btw, the clean way to avoid issues like this is to add a
> Requires: iptables
> to the spec file of packages that need iptables. That way, the dependency
> can be resolved automatically without making assumptions about what's in the
> base image.
Hmm, good point. That'll push the problem down the road to when we build OSE as the Origin build process doesn't make use of RPMs but I agree that's a good way to solve this.
Hmm. Certainly some of these packages could be pruned from the CentOS base image.
I'll make a case for keeping iputils, iproute, and less as useful debug utilities for a base container, as a fair bit of dev happens on hosts we can't control. I'll see what I can do for the next build of the CentOS base container.
Packages I'm ignoring:
Why is yum-utils in the rhel base container?
Is that simply for yum-config-manager?
Jim, many thanks for that.
I can't remember any other reason than being able to use yum-config-manager.
The updated centos container for the 1511 release is now posted. This should be a bit closer to the expected package list based on the diff above.
Seems someone noticed the package removals. I've asked them for feedback/use-cases.