Bug 1994521 - [RFE] consider using (lib)curl-minimal as a replacement for (lib)curl
Summary: [RFE] consider using (lib)curl-minimal as a replacement for (lib)curl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ubi9-container
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
Docs Contact: Gabriela Nečasová
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-17 12:45 UTC by Kamil Dudka
Modified: 2023-03-08 20:57 UTC (History)
CC: 11 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
ubi9 container images now use a conservatively configured build of (lib)curl, named (lib)curl-minimal. If support for dict, gopher, gophers, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp, brotli, IDN, NTLM_WB, PSL, or TLS-SRP is needed in (lib)curl, it can be installed with the following command: dnf install --allowerasing libcurl-full
Clone Of:
Environment:
Last Closed: 2023-03-08 20:57:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-93832 0 None None None 2021-08-17 12:49:01 UTC

Description Kamil Dudka 2021-08-17 12:45:07 UTC
libcurl-minimal does not require libbrotli, libidn2, libssh, libpsl, and openldap.  It could transitively help to save additional dependencies and, consequently, a lot of disk space.

curl-minimal installs a reduced amount of documentation.

The -minimal packages can still be "upgraded" to libcurl-full and curl-full in layered images if necessary. Both the variants provide compatible API/ABI.

Comment 2 Jan Pazdziora (Red Hat) 2021-08-18 09:52:49 UTC
Apart from minimizing the image size, the -minimal subpackages support a smaller number of features and protocols. Therefore, their use would also lower the number of CVEs applicable to the container images based on UBI 9, as the recent CVEs seem to primarily be related to older protocols. [citation needed]

Comment 3 Josh Boyer 2021-08-18 13:00:45 UTC
I'm trying to do some scratch builds of ubi9 with curl-minimal and libcurl-minimal.  We'll see how they go.

Comment 4 Colin Walters 2021-08-18 13:25:16 UTC
From my {rpm-,}ostree PoV, libcurl having protocols other than http{s}:// is basically an anti-feature.

In ostree we already explicitly restrict it https://github.com/ostreedev/ostree/blob/cac4f2133b4f4d14c59c0fe4a2e568d0d938eac4/src/libostree/ostree-fetcher-curl.c#L853

Briefly looking at this, it seems like this needs fixing:

```
$ rpm -e curl
error: Failed dependencies:
	curl is needed by (installed) rpm-4.16.1.3-1.fc34.x86_64
$
```

And curl -> libcurl (not libcurl-minimal).

Comment 5 Jan Pazdziora (Red Hat) 2021-08-18 13:39:13 UTC
The curl-minimal package provides curl, so the rpm dependency remains met when you do

   dnf swap -y curl -- curl-minimal

Comment 6 Josh Boyer 2021-08-18 16:49:39 UTC
At the moment, the savings for the regular ubi9 base image look relatively small.  Here is the package difference when using curl-minimal and libcurl-minimal.

Essentially, libbrotli, libpsl, libssh, libssh-config, and publicsuffix-list-dafsa are the only packages removed.  That's approximately 1.3MB.  I'm going to try this with ubi9-minimal as well.

[jwboyer@vader ubi9]$ diff -Nup ubi9.txt curl-minimal.txt 
--- ubi9.txt	2021-08-18 12:42:39.360698620 -0400
+++ curl-minimal.txt	2021-08-18 12:39:45.451443737 -0400
@@ -11,7 +11,7 @@ cracklib-dicts
 crypto-policies
 crypto-policies-scripts
 cryptsetup-libs
-curl
+curl-minimal
 cyrus-sasl-lib
 dbus
 dbus-broker
@@ -61,12 +61,11 @@ libarchive
 libassuan
 libattr
 libblkid
-libbrotli
 libcap
 libcap-ng
 libcom_err
 libcomps
-libcurl
+libcurl-minimal
 libdb
 libdnf
 libdnf-plugin-subscription-manager
@@ -83,7 +82,6 @@ libmodulemd
 libmount
 libnghttp2
 libnl3
-libpsl
 libpwquality
 librepo
 libreport-filesystem
@@ -95,8 +93,6 @@ libsepol
 libsigsegv
 libsmartcols
 libsolv
-libssh
-libssh-config
 libstdc++
 libtasn1
 libunistring
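Review bot: of the five packages this listing drops, only libssh and libssh-config in this hunk change the protocol set curl exposes (scp and sftp), which comment 9 confirms; the removals in the other hunks (libbrotli, libpsl, publicsuffix-list-dafsa) only affect HTTP(S) handling. The release note for this change should therefore name the dropped protocols and not only the size saving.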
@@ -127,7 +123,6 @@ pcre
 pcre2
 pcre2-syntax
 popt
-publicsuffix-list-dafsa
 python3
 python3-chardet
 python3-cloud-what
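Review bot: libidn2 and openldap do not appear among the removed lines even though the description says libcurl-minimal no longer requires them, so other packages in the image still pull them in (comment 8 traces openldap to gnupg2 and libuser, and notes that libcurl-minimal itself keeps krb5-libs); the approximately 1.3MB figure above therefore counts only the five packages listed here, and the remaining dependency chains would need cutting elsewhere before those libraries leave the image.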

Comment 7 Josh Boyer 2021-08-18 17:02:33 UTC
Identical results with ubi9-minimal

[jwboyer@vader ubi9-minimal]$ diff -Nup ubi9-minimal.txt minimal-curl-minimal.txt 
--- ubi9-minimal.txt	2021-08-18 13:00:45.968060585 -0400
+++ minimal-curl-minimal.txt	2021-08-18 13:01:14.530596383 -0400
@@ -6,7 +6,7 @@ bzip2-libs
 ca-certificates
 coreutils-single
 crypto-policies
-curl
+curl-minimal
 cyrus-sasl-lib
 dejavu-sans-fonts
 dnf-data
@@ -39,11 +39,10 @@ libarchive
 libassuan
 libattr
 libblkid
-libbrotli
 libcap
 libcap-ng
 libcom_err
-libcurl
+libcurl-minimal
 libdnf
 libffi
 libgcc
@@ -55,7 +54,6 @@ libmodulemd
 libmount
 libnghttp2
 libpeas
-libpsl
 librepo
 libreport-filesystem
 librhsm
@@ -64,8 +62,6 @@ libsepol
 libsigsegv
 libsmartcols
 libsolv
-libssh
-libssh-config
 libstdc++
 libtasn1
 libunistring
@@ -92,7 +88,6 @@ pcre
 pcre2
 pcre2-syntax
 popt
-publicsuffix-list-dafsa
 readline
 redhat-release
 rootfiles

Comment 8 Josh Boyer 2021-08-18 17:16:10 UTC
Overall this isn't a bad change, but we're left largely with things we don't "want" because of depchains like this:

libdnf -> gpgme -> gnupg2 -> openldap -> cyrus-sasl-lib -> krb5-libs -> gawk -> mpfr

Not to pick on libdnf, passwd and usermode also wind up depending on openldap (via libuser), and libcurl-minimal depends on krb5-libs.  So we're not getting rid of those packages at all as things stand.

I have no problems making this change, but it's barely over a 1% savings for ubi9-minimal and not even that for the regular ubi9 image.

Comment 9 Kamil Dudka 2021-08-19 09:48:06 UTC
(In reply to Colin Walters from comment #4)
> From my {rpm-,}ostree PoV, libcurl having protocols other than http{s}:// is basically an anti-feature.

Only libssh and openldap affect the set of supported protocols.  libbrotli, libidn2, and libpsl are used for http(s).

> Briefly looking at this, it seems like this needs fixing:
> 
> ```
> $ rpm -e curl
> error: Failed dependencies:
> 	curl is needed by (installed) rpm-4.16.1.3-1.fc34.x86_64
> $
> ```
> 
> And curl -> libcurl (not libcurl-minimal).

As already explained by Jan, there is no need to fix anything like that.

Comment 10 Kamil Dudka 2021-08-19 09:51:09 UTC
(In reply to Josh Boyer from comment #8)
> Overall this isn't a bad change, but we're left largely with things we don't
> "want" because of depchains like this:
> 
> libdnf -> gpgme -> gnupg2 -> openldap -> cyrus-sasl-lib -> krb5-libs -> gawk
> -> mpfr
> 
> Not to pick on libdnf, passwd and usermode also wind up depending on
> openldap (via libuser), and libcurl-minimal depends on krb5-libs.  So we're
> not getting rid of those packages at all as things stand.
> 
> I have no problems making this change, but it's barely over a 1% savings for
> ubi9-minimal and not even that for the regular ubi9 image.

Thanks for the analysis!

I guess we need to start cutting the chains somewhere.  Otherwise gnupg2 folks will look at the dependency graph and think they would save nothing by making LDAP optional because libcurl uses openldap anyway.

Comment 11 Scott McCarty 2021-08-20 15:23:08 UTC
LGTM. Has anybody tried this with UBI Micro? It might be more than a 1% size difference, and with as small as that's getting it could be REALLY good.

Comment 12 Josh Boyer 2021-08-20 15:31:49 UTC
(In reply to Scott McCarty from comment #11)
> LGTM. Has anybody tried this with UBI Micro? It might be more than a 1% size
> difference, and with as small as that's getting it could be REALLY good.

None of these packages are in ubi-micro at all.  0% savings :)

Comment 13 Scott McCarty 2021-08-20 15:59:02 UTC
Doh! Fair enough :-)

Comment 14 Jan Pazdziora (Red Hat) 2021-09-06 10:33:15 UTC
Hello Jindřich, are you OK for making the change for UBI 9 or is additional justification needed?

Comment 15 Jindrich Novy 2021-09-06 11:13:40 UTC
Hi Jan, this change sounds good to me. The ubi9 is built off a kickstart file as it is a base image - the change needs to be done in there. It is defined in https://code.engineering.redhat.com/gerrit/login/#/admin/projects/spin-kickstarts (I'm no longer authorized to even look into this repo).

I filed https://issues.redhat.com/browse/RHELBLD-7352 to EXD team to perform this change.

Comment 16 Jindrich Novy 2021-09-07 12:18:05 UTC
Any objections against me kicking the build to allow Kamil to test the new ubi9 image, Josh?

Comment 17 Josh Boyer 2021-09-07 12:37:54 UTC
(In reply to Jindrich Novy from comment #16)
> Any objections against me kicking the build to allow Kamil to test the new
> ubi9 image Josh?

No objections, but the images are built as part of the nightly composes.  There's at least 2 more that will run today, so you might be fine to just wait for those.

Comment 18 Jan Pazdziora (Red Hat) 2021-09-08 08:46:32 UTC
The change seems in:

$ podman images registry-proxy.engineering.redhat.com/rh-osbs/ubi9
REPOSITORY                                          TAG     IMAGE ID      CREATED       SIZE
registry-proxy.engineering.redhat.com/rh-osbs/ubi9  latest  ec33d0133f87  19 hours ago  229 MB
$ podman run --rm -ti registry-proxy.engineering.redhat.com/rh-osbs/ubi9 rpm -qa '*curl*'
libcurl-minimal-7.76.1-11.el9.x86_64
curl-minimal-7.76.1-11.el9.x86_64

Comment 19 Kamil Dudka 2021-09-08 10:13:50 UTC
Looks good.  Thanks to all involved!

Comment 20 Jan Pazdziora (Red Hat) 2021-09-20 11:59:54 UTC
For the record, in bug 2005874 we propose to further limit the protocols carried by the -minimal version of the packages, primarily for vulnerability assessment reasons. Please chime in there if you feel that would be a good / bad idea.

Comment 21 Scott McCarty 2022-01-19 15:26:46 UTC
Jan, personally I think that would be a fine idea!

Comment 22 Derrick Ornelas 2022-05-09 22:51:58 UTC
Is there a significant difference between curl/libcurl and curl-minimal/libcurl-minimal?  Should this have been a Release Note to let users know we were making this change?

Comment 23 Kamil Dudka 2022-05-10 06:33:08 UTC
Yes, please.

Comment 25 Michael Gray 2022-05-31 18:35:19 UTC
How does one install full curl now if more protocols are needed?  Seems to be a chicken-egg problem now:

```
$ docker run -it registry.redhat.io/ubi9/ubi-minimal:latest bash
[root@5a243f19a43c /]# microdnf install curl

(microdnf:15): librhsm-WARNING **: 18:25:57.488: Found 0 entitlement certificates

(microdnf:15): librhsm-WARNING **: 18:25:57.492: Found 0 entitlement certificates
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: Could not depsolve transaction; 1 problem detected:
 Problem: problem with installed package curl-minimal-7.76.1-14.el9.x86_64
  - package curl-minimal-7.76.1-14.el9.x86_64 conflicts with curl provided by curl-7.76.1-14.el9.x86_64
  - conflicting requests


[root@5a243f19a43c /]# microdnf remove curl-minimal

(microdnf:72): librhsm-WARNING **: 18:27:17.154: Found 0 entitlement certificates

(microdnf:72): librhsm-WARNING **: 18:27:17.156: Found 0 entitlement certificates
error: Could not depsolve transaction; 1 problem detected:
 Problem: package rpm-4.16.1.3-12.el9_0.x86_64 requires curl, but none of the providers can be installed
  - conflicting requests
  - problem with installed package rpm-4.16.1.3-12.el9_0.x86_64
```

We have use-cases where other protocols are required and it's not obvious (to me) how to replace curl-minimal with curl-full without installing dnf (microdnf doesn't have `swap` command).
I'm all for small images and keeping things "minimal", but it should be possible to switch to full versions if needed IMHO.

Comment 26 Jan Pazdziora (Red Hat) 2022-05-31 19:24:57 UTC
The following seems to do the swap:

  microdnf install -y libssh libpsl libbrotli \
    && microdnf download curl libcurl \
    && rpm -Uvh --nodeps --replacefiles "*curl*$( uname -i ).rpm" \
    && microdnf remove -y libcurl-minimal curl-minimal

It's not beautiful, so others might offer a better solution.
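The check a practitioner would want around the swap above, as an added example that is not part of the bug report or of Red Hat's packaging: it parses the Protocols line of `curl --version` output, reports which required protocols are missing, and only then runs the swap, using the dnf command from the Doc Text on ubi9 and the microdnf sequence from comment 26 on ubi-minimal. The helper names, the CURL_REQUIRED_PROTOCOLS variable and the sample version outputs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report. It checks whether the installed
# curl supports the protocols a workload needs and swaps to the full build only
# when it does not. The swap commands are the ones given in the Doc Text
# (dnf install --allowerasing) and in comment 26 (microdnf sequence); the
# protocol-check helpers, the CURL_REQUIRED_PROTOCOLS variable and the sample
# version outputs are assumptions of this example.

# Constructed sample `curl --version` outputs (not captured from a real image).
SAMPLE_MINIMAL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.1
Release-Date: 2021-04-14
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL'
SAMPLE_FULL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.1
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz PSL SSL TLS-SRP'

# Print the space-separated protocol list from the `curl --version` output in $1.
curl_protocols() {
    printf '%s\n' "$1" | sed -n 's/^Protocols: //p'
}

# Succeed only if every protocol named after $1 appears in the output in $1.
curl_has_protocols() {
    protos=" $(curl_protocols "$1") "
    shift
    for want in "$@"; do
        case "$protos" in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the requested protocols that are missing from the output in $1.
curl_missing_protocols() {
    protos=" $(curl_protocols "$1") "
    shift
    missing=""
    for want in "$@"; do
        case "$protos" in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Replace the -minimal packages with the full build. dnf (ubi9) can erase the
# -minimal packages in one transaction; microdnf (ubi-minimal) has no swap
# command, so the sequence from comment 26 is used there.
swap_to_full_curl() {
    if command -v dnf >/dev/null 2>&1; then
        dnf install -y --allowerasing curl-full libcurl-full
    else
        microdnf install -y libssh libpsl libbrotli \
            && microdnf download curl libcurl \
            && rpm -Uvh --nodeps --replacefiles "*curl*$( uname -i ).rpm" \
            && microdnf remove -y libcurl-minimal curl-minimal
    fi
}

# Entry point: CURL_REQUIRED_PROTOCOLS="sftp scp" sh curl-protocols.sh
# Word-splitting of the variable is intended: one protocol per word.
if [ -n "${CURL_REQUIRED_PROTOCOLS:-}" ]; then
    current=$(curl --version)
    if curl_has_protocols "$current" $CURL_REQUIRED_PROTOCOLS; then
        echo "installed curl already supports: $CURL_REQUIRED_PROTOCOLS"
    else
        echo "missing protocols: $(curl_missing_protocols "$current" $CURL_REQUIRED_PROTOCOLS)"
        swap_to_full_curl
        if curl_has_protocols "$(curl --version)" $CURL_REQUIRED_PROTOCOLS; then
            echo "swap done; required protocols now available"
        else
            echo "swap did not provide the required protocols" >&2
            exit 1
        fi
    fi
fi
```

Run it inside the container as `CURL_REQUIRED_PROTOCOLS="sftp scp" sh curl-protocols.sh`; with the variable unset it only defines the helpers, so a build script can source it. Checking the Protocols line rather than the package name is the part that matters for vulnerability assessment: it records the protocol surface of the curl that actually ends up in the image, whichever package delivered it.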

Comment 27 Michael Gray 2022-05-31 19:42:44 UTC
Thanks -- I was a little less clever and installed and removed (full) dnf to use the swap command -- TIL!
This might be worthy of a "how to install curl-full in ubi9" tech note...

Comment 28 Kamil Dudka 2022-06-01 06:18:39 UTC
This seems awkward but I am not aware of any obvious better solution.

Comment 30 Derrick Ornelas 2023-03-08 20:57:32 UTC
This change was included in RHEL 9 GA.

