Bug 1877463 - Remove oci-seccomp-bpf-hook package from default packages installed by container-tools-rhel8-8.3.0
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: container-tools-rhel8-module
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
Depends On:
Reported: 2020-09-09 16:52 UTC by Jindrich Novy
Modified: 2020-11-04 03:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-04 03:06:49 UTC
Type: Bug
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4694 0 None None None 2020-11-04 03:07:04 UTC

Description Jindrich Novy 2020-09-09 16:52:38 UTC
Description of problem:
oci-seccomp-bpf-hook pulls in kernel-devel package via its bcc dependency - this largely inflates the dependency footprint of the whole container-tools:

L      4.1M oci-seccomp-bpf-hook      1.2.0-1.fc32.x86_64
  o    78.2M ├─> bcc                       0.15.0-2.fc31.x86_64
  o     1.8M │   ├─>+bcc-tools                 0.15.0-2.fc31.x86_64
  o     7.2M │   │   ├─> bash                      5.0.17-1.fc31.x86_64
        935K │   │   ├─> elfutils-libelf           0.179-2.fc31.x86_64
  o    16.5M │   │   ├─> glibc                     2.30-13.fc31.x86_64
       50.7M │   │   ├─> kernel-devel              5.7.15-100.fc31.x86_64
  o      32K │   │   ├─> python3                   3.7.9-1.fc31.x86_64
  o     320K │   │   ├─>+python3-bcc               0.15.0-2.fc31.noarch
        8.3M │   │   ├─> python3-netaddr           0.7.19-17.fc31.noarch
        201K │   │   └─> zlib                      1.2.11-20.fc31.x86_64

The plan is to make this package optional in container-tools if the module subsystem allows it.

Comment 10 Joy Pu 2020-09-14 09:13:06 UTC
Checked the file list from the errata and checked the rpms after installing the packages. It seems that oci-seccomp-bpf-hook is not installed, as expected. So setting this to verified.

Comment 14 Alex Jia 2020-09-14 10:25:52 UTC
Close this as VERIFIED according to the following testing.

# yum module info container-tools:rhel8|grep oci-seccomp-bpf-hook
                 : oci-seccomp-bpf-hook-0:1.1.2-3.module+el8.3.0+8049+d0453aae.src
                 : oci-seccomp-bpf-hook-0:1.1.2-3.module+el8.3.0+8049+d0453aae.x86_64
                 : oci-seccomp-bpf-hook-debuginfo-0:1.1.2-3.module+el8.3.0+8049+d0453aae.x86_64
                 : oci-seccomp-bpf-hook-debugsource-0:1.1.2-3.module+el8.3.0+8049+d0453aae.x86_64

NOTE: the oci-seccomp-bpf-hook belongs to container-tools:rhel8

# yum module install container-tools:rhel8

NOTE: the oci-seccomp-bpf-hook is not a dependency of the container-tools:rhel8

# yum install oci-seccomp-bpf-hook

NOTE: can install oci-seccomp-bpf-hook rpm separately.

Comment 17 errata-xmlrpc 2020-11-04 03:06:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

