Bug 1273938 - Add iptables to rhel7 base image
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel-server-container
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Eliska Slobodova
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-21 14:27 UTC by Michal Fojtik
Modified: 2016-04-12 13:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-12 13:50:32 UTC
Target Upstream Version:
Embargoed:



Description Michal Fojtik 2015-10-21 14:27:33 UTC
Description of problem:

We should include the "iptables" package in rhel7 base image.
It is included in centos7 image which makes it a little bit inconsistent.

OpenShift needs "iptables" to setup routes between services. We can install
it manually, but again, our centos7 image does not need that.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Scott Dodson 2015-10-21 14:32:29 UTC
Perhaps out of scope for this bug but there's considerable difference in packages between the rhel7 and centos:centos7 images.

Here's a complete diff of rpms between centos7 and rhel. I've removed entries where the only diff was package version.

--- rhel-rpms   2015-10-21 10:25:46.541349119 -0400
+++ centos-rpms 2015-10-21 10:25:56.297319064 -0400
@@ -1,27 +1,28 @@
+binutils-2.23.52.0.1-30.el7_1.2.x86_64
+centos-release-7-1.1503.el7.centos.2.8.x86_64
-dbus-glib-0.100-7.el7.x86_64
-dbus-python-1.1.1-9.el7.x86_64
-dmidecode-2.12-5.el7.x86_64
+elfutils-libs-0.160-1.el7.x86_64
+ethtool-3.15-2.el7.x86_64
+file-5.11-21.el7.x86_64
-gdb-gdbserver-7.6.1-64.el7.x86_64
+groff-base-1.22.2-8.el7.x86_64
+hardlink-1.0-19.el7.x86_64
+hostname-3.13-3.el7.x86_64
+iproute-3.10.0-21.el7.x86_64
+iptables-1.4.21-13.el7.x86_64
+iputils-20121221-6.el7_1.1.x86_64
+less-458-8.el7.x86_64
+libcroco-0.6.8-5.el7.x86_64
+libgomp-4.8.3-9.el7.x86_64
+libmnl-1.0.3-7.el7.x86_64
-libnl-1.1.4-3.el7.x86_64
+libnetfilter_conntrack-1.0.4-2.el7.x86_64
+libnfnetlink-1.0.1-4.el7.x86_64
+libunistring-0.9.3-9.el7.x86_64
-libxml2-python-2.9.1-5.el7_1.2.x86_64
-m2crypto-0.21.1-15.el7.x86_64
+lzo-2.06-6.el7_0.2.x86_64
-passwd-0.79-4.el7.x86_64
+procps-ng-3.3.10-3.el7.x86_64
-pygobject2-2.28.6-11.el7.x86_64
-python-chardet-2.2.1-1.el7_1.noarch
-python-dateutil-1.5-7.el7.noarch
-python-dmidecode-3.10.13-11.el7.x86_64
-python-ethtool-0.8-5.el7.x86_64
-python-kitchen-1.1.1-5.el7.noarch
-python-rhsm-1.13.10-1.el7.x86_64
-redhat-release-server-7.1-1.el7.x86_64
-subscription-manager-1.13.22-1.el7.x86_64
+snappy-1.1.0-3.el7.x86_64
+tar-1.26-29.el7.x86_64
-usermode-1.111-5.el7.x86_64
-virt-what-1.13-5.el7.x86_64
+which-2.20-7.el7.x86_64
+xz-5.1.2-9alpha.el7.x86_64
-yum-utils-1.1.31-29.el7.noarch
+yum-plugin-fastestmirror-1.1.31-29.el7.noarch
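
Review bot: the listing cannot be reproduced as posted: "rhel-rpms" and "centos-rpms" carry only timestamps, so name the image tags or IDs and the command that produced each list. The header "@@ -1,27 +1,28 @@" also no longer matches the 20 removed and 25 added lines shown, since version-only entries were edited out by hand; say so next to the hunk. For the request itself, "+iptables-1.4.21-13.el7.x86_64" appears together with "+libmnl", "+libnetfilter_conntrack" and "+libnfnetlink" entries, so the addition under discussion is more than one package if those come with it.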

Comment 5 Stephen Tweedie 2015-10-21 18:10:34 UTC
Is there any specific justification for iptables in the base image?

It really doesn't look like an appropriate package for a minimal image to me.  It makes sense for something like rhel-tools, but not for the base image --- most images are expected to be unprivileged and iptables really isn't core functionality for such unprivileged containers.

If it's just a matter of consistency, then I might argue that CentOS ought to be dropping iptables!  We really don't want to be adding anything more than the strict minimum to the base image.

Comment 6 Stephen Tweedie 2015-10-21 18:11:47 UTC
btw, the clean way to avoid issues like this is to add a
   Requires: iptables
to the spec file of packages that need iptables.  That way, the dependency can be resolved automatically without making assumptions about what's in the base image.

Comment 7 Scott Dodson 2015-10-21 18:20:51 UTC
(In reply to Stephen Tweedie from comment #6)
> btw, the clean way to avoid issues like this is to add a
>    Requires: iptables
> to the spec file of packages that need iptables.  That way, the dependency
> can be resolved automatically without making assumptions about what's in the
> base image.

Hmm, good point. That'll push the problem down the road to when we build OSE as the Origin build process doesn't make use of RPMs but I agree that's a good way to solve this.

Comment 8 Jim Perrin 2015-11-02 14:16:44 UTC
hmm. certainly some of these packages could be pruned from the CentOS base image. 

I'll make a case for keeping iputils, iproute, and less as useful debug utilities for a base container, as a fair bit of dev happens on hosts we can't control. I'll see what I can do for the next build of the CentOS base container.  

Packages I'm ignoring:
*-release
subscription-manager
yum-plugin-fastestmirror

Why is yum-utils in the rhel base container? 
Is that simply for yum-config-manager?

Comment 9 Eliska Slobodova 2015-11-02 14:42:22 UTC
Jim, many thanks for that.

I can't remember any other reason than being able to use yum-config-manager.

Comment 10 Jim Perrin 2015-12-16 22:18:59 UTC
The updated centos container for the 1511 release is now posted. This should be a bit closer to the expected package list based on the diff above.
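
The name-level comparison used in comment 1 (entries that differ only in version dropped) and the ignore list from comment 8 can be scripted so a base image's package set is re-checked on every build. This is an added example, not code from the bug or from either project; the sample listings are constructed, and the function names and ignore globs are assumptions.

```python
from fnmatch import fnmatch

# Constructed sample listings: entries reuse package strings from the diff in
# comment 1; the two bash lines are invented to show a version-only difference.
RHEL_RPMS = """\
bash-4.2.46-12.el7.x86_64
passwd-0.79-4.el7.x86_64
redhat-release-server-7.1-1.el7.x86_64
yum-utils-1.1.31-29.el7.noarch
"""
CENTOS_RPMS = """\
bash-4.2.46-19.el7.x86_64
centos-release-7-1.1503.el7.centos.2.8.x86_64
iproute-3.10.0-21.el7.x86_64
iptables-1.4.21-13.el7.x86_64
libnfnetlink-1.0.1-4.el7.x86_64
xz-5.1.2-9alpha.el7.x86_64
"""

def nvra_name(nvra):
    """Return the name part of a name-version-release.arch string."""
    stem, _, _arch = nvra.strip().rpartition(".")  # drop ".x86_64" / ".noarch"
    parts = stem.rsplit("-", 2)                    # name may itself contain "-"
    if len(parts) != 3 or not parts[0]:
        raise ValueError("not an NVRA string: %r" % nvra)
    return parts[0]

def package_names(listing, ignore=()):
    """Set of package names in a listing, minus names matching an ignore glob."""
    names = {nvra_name(line) for line in listing.splitlines() if line.strip()}
    return {n for n in names if not any(fnmatch(n, pat) for pat in ignore)}

def name_diff(left, right, ignore=()):
    """Return (only_in_left, only_in_right), ignoring version/release/arch."""
    a, b = package_names(left, ignore), package_names(right, ignore)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    # Ignore globs are an assumption modelled on the list in comment 8.
    only_rhel, only_centos = name_diff(
        RHEL_RPMS, CENTOS_RPMS, ignore=("*-release", "*-release-*"))
    for name in only_rhel:
        print("-" + name)
    for name in only_centos:
        print("+" + name)
```

On real images the two listings would come from `rpm -qa | sort` run inside each container.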

Comment 11 Jim Perrin 2015-12-17 02:44:33 UTC
Seems someone noticed the package removals. I've asked them for feedback/use-cases.

https://github.com/CentOS/sig-cloud-instance-images/issues/40

