Hide Forgot
+++ This bug was initially created as a clone of Bug #1966519 +++ Description of problem: We would like to ship the Security Profiles Operator in OpenShift. One of the things it does is record syscalls that the workload is doing with the seccomp-bpf hook. So we'd like to include the seccomp-bpf hook in RHCOS, but because RHCOS tries to have a minimal footprint, we need to trim the dependencies down a bit. The most critical parts are really the python libraries (python is not allowed on RHCOS), but the fewer packages, the better in general. It seems that the simplest way would be to not require bcc-tools but instead Recommend them. That way, we'd retain backwards compatibility, while environments where the tools are not required could choose not to install them. Version-Release number of selected component (if applicable): bcc-0.20.0-1.el8.1.x86_64 How reproducible: Steps to Reproduce: 1. yum install bcc 2. 3. Actual results: bcc installs bcc-tools which brings in python3-bcc, python3-netaddr, kernel-devel etc Expected results: no python, no kernel-devel Additional info: The openshift enhancement proposal can be find at https://github.com/openshift/enhancements/pull/745 and our team's tracker to include the seccomp hook can be found at https://issues.redhat.com/browse/CMP-927 --- Additional comment from Jerome Marchand on 2021-06-01 13:10:31 UTC --- (In reply to Jakub Hrozek from comment #0) > Description of problem: > We would like to ship the Security Profiles Operator in OpenShift. One of > the things it does is record syscalls that the workload is doing with the > seccomp-bpf hook. So we'd like to include the seccomp-bpf hook in RHCOS, but > because RHCOS tries to have a minimal footprint, we need to trim the > dependencies down a bit. The most critical parts are really the python > libraries (python is not allowed on RHCOS), but the fewer packages, the > better in general. > > It seems that the simplest way would be to not require bcc-tools but > instead Recommend them. That way, we'd retain backwards compatibility, while > environments where the tools are not required could choose not to install > them. I'm not quite sure why bcc depends on bcc-tools: that seems unnecessary. I'll try to find if the were a valid reason for it, but my guess would be there never really was one. > > Version-Release number of selected component (if applicable): > bcc-0.20.0-1.el8.1.x86_64 > > How reproducible: > > > Steps to Reproduce: > 1. yum install bcc > 2. > 3. > > Actual results: > bcc installs bcc-tools which brings in python3-bcc, python3-netaddr, > kernel-devel etc > > Expected results: > no python, no kernel-devel > > Additional info: > The openshift enhancement proposal can be find at > https://github.com/openshift/enhancements/pull/745 and our team's tracker to > include the seccomp hook can be found at > https://issues.redhat.com/browse/CMP-927 --- Additional comment from Jakub Hrozek on 2021-06-02 08:01:06 UTC --- (In reply to Jerome Marchand from comment #1) > (In reply to Jakub Hrozek from comment #0) > > Description of problem: > > We would like to ship the Security Profiles Operator in OpenShift. One of > > the things it does is record syscalls that the workload is doing with the > > seccomp-bpf hook. So we'd like to include the seccomp-bpf hook in RHCOS, but > > because RHCOS tries to have a minimal footprint, we need to trim the > > dependencies down a bit. The most critical parts are really the python > > libraries (python is not allowed on RHCOS), but the fewer packages, the > > better in general. > > > > It seems that the simplest way would be to not require bcc-tools but > > instead Recommend them. That way, we'd retain backwards compatibility, while > > environments where the tools are not required could choose not to install > > them. > > I'm not quite sure why bcc depends on bcc-tools: that seems unnecessary. > I'll try to find if the were a valid reason for it, but my guess would be > there never really was one. Great, thank you very much for looking into this. I wonder if you already plan on updating bcc in the near future so I could take time timing into account? Is there maybe already a z-stream update that this could be attached to or were you thinking 8.5?
Just cloning this bug against Fedora, so that we can get the trimmed deps into FCOS first
FEDORA-2021-3875b6e442 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3875b6e442
FEDORA-2021-3875b6e442 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3875b6e442` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3875b6e442 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-1ea2bfd57e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1ea2bfd57e
FEDORA-2021-1ea2bfd57e has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1ea2bfd57e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1ea2bfd57e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-1ea2bfd57e has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.