From 2f3f37ebd69041baf20475c82050a3ddfda10366 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 14:11:49 -0500 Subject: [PATCH 01/15] docker-min: add a new kickstart for creating a slimmer image We'll start with the same used for fedora docker base. --- fedora-docker-base-minimal.ks | 79 +++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 fedora-docker-base-minimal.ks diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks new file mode 100644 index 0000000..8c0a117 --- /dev/null +++ b/fedora-docker-base-minimal.ks 
@@ -0,0 +1,79 @@
+# This is a minimal Fedora install designed to serve as a Docker base image.
+#
+# To keep this image minimal it only installs English language. You need to change
+# yum configuration in order to enable other languages.
+#
+### Hacking on this image ###
+# This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),
+# but you can run imagefactory locally too.
+#
+# To do so, testing local changes, first you'll need a TDL file. I store one here:
+# https://git.fedorahosted.org/cgit/fedora-atomic.git/tree/fedora-atomic-rawhide.tdl
+#
+# Then, once you have imagefactory and imagefactory-plugins installed, run:
+#
+# imagefactory --debug target_image --template /path/to/fedora-atomic-rawhide.tdl --parameter offline_icicle true --file-parameter install_script $(pwd)/fedora-docker-base.ks docker
+#
+
+text # don't use cmdline -- https://github.com/rhinstaller/anaconda/issues/931
+bootloader --disabled
+timezone --isUtc --nontp Etc/UTC
+rootpw --lock --iscrypted locked
+
+keyboard us
+zerombr
+clearpart --all
+part / --fstype ext4 --grow
+network --bootproto=dhcp --device=link --activate --onboot=on
+reboot
+
+%packages --excludedocs --instLangs=en --nocore
+bash
+tar # https://bugzilla.redhat.com/show_bug.cgi?id=1409920
+fedora-release
+rootfiles
+vim-minimal
+dnf
+dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29
+sssd-client
+#fakesystemd #TODO: waiting for review https://bugzilla.redhat.com/show_bug.cgi?id=1118740
+-kernel
+
+
+%end
+
+%post --erroronfail --log=/root/anaconda-post.log
+set -eux
+
+# Set install langs macro so that new rpms that get installed will
+# only install langs that we limit it to.
+LANG="en_US" +echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf + +# https://bugzilla.redhat.com/show_bug.cgi?id=1400682 +echo "Import RPM GPG key" +releasever=$(rpm -q --qf '%{version}\n' fedora-release) +basearch=$(uname -i) +rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch + +echo "# fstab intentionally empty for containers" > /etc/fstab + +# remove some extraneous files +rm -rf /var/cache/dnf/* +rm -rf /tmp/* + +#Mask mount units and getty service so that we don't get login prompt +systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service + +# https://bugzilla.redhat.com/show_bug.cgi?id=1343138 +# Fix /run/lock breakage since it's not tmpfs in docker +# This unmounts /run (tmpfs) and then recreates the files +# in the /run directory on the root filesystem of the container +umount /run +systemd-tmpfiles --create --boot + +# Remove machine-id on pre generated images +rm -f /etc/machine-id +touch /etc/machine-id + +%end From 5cbb3babd079535403bbf1d804cbc8ac8ad1be14 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 21:32:36 -0500 Subject: [PATCH 02/15] docker-min: add in post processing from walters' scripts He has done some work on this in the past at [1]. [1] - https://github.com/cgwalters/dockerbase-minimal/blob/3f6c905fef080d49d8ef3433c7f3a035778ee68f/postprocess.sh --- fedora-docker-base-minimal.ks | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 8c0a117..4f2e6e2 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
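Review bot: The usage example in the header comment of the new file (PATCH 01/15) still passes `$(pwd)/fedora-docker-base.ks` as the install script, so anyone following it builds the regular base image instead of this one; it should read `$(pwd)/fedora-docker-base-minimal.ks`. In the `%post` script the key path is assembled unquoted from two command outputs; writing it as `rpm --import "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${releasever}-${basearch}"` keeps it a single argument whatever `rpm -q` and `uname -i` print. If either value is unexpected the import fails and `--erroronfail` stops the build, which looks like the intended fail-closed behaviour; a one-line comment saying so would stop someone later appending `|| true`.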
@@ -76,4 +76,38 @@ systemd-tmpfiles --create --boot rm -f /etc/machine-id touch /etc/machine-id +# Strip documentation +find usr/share/doc/ -type f | + (while read line; do + bn=$(basename ${line}); + if echo ${bn} | grep -Eiq '^(COPYING|LICENSE)'; then + continue + else + rm $line + fi; + done) + +rm usr/share/doc/{info,man} -rf +rm usr/share/gnupg/help*.txt -f + +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 +KEEPLANG=en_US +for dir in locale i18n; do + find usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rf {} + +done + +# Pruning random things +rm usr/lib/rpm/rpm.daily # seriously? +rm usr/lib64/nss/unsupported-tools/ -rf # unsupported + +# gcc should really split this off +rm usr/share/gcc*/python -rf + +# Statically linked crap +rm usr/sbin/{glibc_post_upgrade.x86_64,sln} +ln usr/bin/ln usr/sbin/sln + +# Final pruning +rm -rf etc/machine-id var/cache/* var/log/* run/* tmp/* + %end From 4109ebf261693500d2b08d8b8d6332cb7193308a Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:06:33 -0500 Subject: [PATCH 03/15] docker-min: trim down package list, exclude weak deps We only want basics and microdnf. --- fedora-docker-base-minimal.ks | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 4f2e6e2..d34af02 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
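Review bot: Every path added by the PATCH 02/15 hunk is relative (`usr/share/doc/`, `usr/lib/rpm/rpm.daily`, `rm -rf etc/machine-id var/cache/* var/log/* run/* tmp/*`), while the context lines just above use absolute paths (`/etc/machine-id`), so the deletions act on whatever the working directory happens to be when `%post` runs. The script these lines were taken from presumably ran from the top of an unpacked tree; nothing visible here sets the directory, so either add `cd /` before `# Strip documentation` or write the paths with a leading `/`. The relative paths that survive in PATCH 08/15 and PATCH 12/15 (`rm -rfv var/cache/* var/log/* tmp/*`) have the same dependency. The `%post` section starts outside this hunk.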
@@ -27,16 +27,10 @@ part / --fstype ext4 --grow network --bootproto=dhcp --device=link --activate --onboot=on reboot -%packages --excludedocs --instLangs=en --nocore +%packages --excludedocs --instLangs=en --nocore --excludeWeakdeps bash -tar # https://bugzilla.redhat.com/show_bug.cgi?id=1409920 fedora-release -rootfiles -vim-minimal -dnf -dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29 -sssd-client -#fakesystemd #TODO: waiting for review https://bugzilla.redhat.com/show_bug.cgi?id=1118740 +microdnf -kernel From 46c10b3c768d8be0e6828384b7f813711705a113 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:08:32 -0500 Subject: [PATCH 04/15] docker-min: remove cleanup of /usr/share/doc There are no files in those directories to clean up. --excludedocs is doing its job. --- fedora-docker-base-minimal.ks | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index d34af02..cf7db45 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -70,18 +70,6 @@ systemd-tmpfiles --create --boot rm -f /etc/machine-id touch /etc/machine-id -# Strip documentation -find usr/share/doc/ -type f | - (while read line; do - bn=$(basename ${line}); - if echo ${bn} | grep -Eiq '^(COPYING|LICENSE)'; then - continue - else - rm $line - fi; - done) - -rm usr/share/doc/{info,man} -rf rm usr/share/gnupg/help*.txt -f # See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 From 1efe347bcbd3b89f0592f887842210694f6fdd0a Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:10:12 -0500 Subject: [PATCH 05/15] docker-min: delete systemctl mask calls No systemd so no need to mask. --- fedora-docker-base-minimal.ks | 3 --- 1 file changed, 3 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index cf7db45..7ee16ba 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
@@ -56,9 +56,6 @@ echo "# fstab intentionally empty for containers" > /etc/fstab rm -rf /var/cache/dnf/* rm -rf /tmp/* -#Mask mount units and getty service so that we don't get login prompt -systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service - # https://bugzilla.redhat.com/show_bug.cgi?id=1343138 # Fix /run/lock breakage since it's not tmpfs in docker # This unmounts /run (tmpfs) and then recreates the files From ac2953ec386fc54c465b5bb0695a5c2c3278fada Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:24:41 -0500 Subject: [PATCH 06/15] docker-min: fix /run/lock without legacy.conf or systemd-tmpfiles --- fedora-docker-base-minimal.ks | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 7ee16ba..4572ddd 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -61,7 +61,11 @@ rm -rf /tmp/* # This unmounts /run (tmpfs) and then recreates the files # in the /run directory on the root filesystem of the container umount /run -systemd-tmpfiles --create --boot +# The file that specifies the /run/lock tmpfile is +# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd +# rpm that isn't included in this image. We'll create the /run/lock +# file here manually with the settings from legacy.conf +install -d /run/lock -m 0755 -o root -g root # Remove machine-id on pre generated images rm -f /etc/machine-id From 8ce607a7ef2676e82338bc1fb360a53a5b9586b7 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:27:11 -0500 Subject: [PATCH 07/15] docker-min: cleanup dead code usr/share/gcc* isn't in the image. --- fedora-docker-base-minimal.ks | 3 --- 1 file changed, 3 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 4572ddd..9f041f2 100644 --- a/fedora-docker-base-minimal.ks 
+++ b/fedora-docker-base-minimal.ks @@ -83,9 +83,6 @@ done rm usr/lib/rpm/rpm.daily # seriously? rm usr/lib64/nss/unsupported-tools/ -rf # unsupported -# gcc should really split this off -rm usr/share/gcc*/python -rf - # Statically linked crap rm usr/sbin/{glibc_post_upgrade.x86_64,sln} ln usr/bin/ln usr/sbin/sln From ee367f90b07051a466faa503c663a01c37e4905a Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:30:39 -0500 Subject: [PATCH 08/15] docker-min: merge pruning commands Merge pruning commands. Don't rm /etc/machine-id or /run/ because we just ran commands to touch /etc/machine-id and /run/lock --- fedora-docker-base-minimal.ks | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 9f041f2..e730914 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -52,10 +52,6 @@ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch echo "# fstab intentionally empty for containers" > /etc/fstab -# remove some extraneous files -rm -rf /var/cache/dnf/* -rm -rf /tmp/* - # https://bugzilla.redhat.com/show_bug.cgi?id=1343138 # Fix /run/lock breakage since it's not tmpfs in docker # This unmounts /run (tmpfs) and then recreates the files @@ -88,6 +84,6 @@ rm usr/sbin/{glibc_post_upgrade.x86_64,sln} ln usr/bin/ln usr/sbin/sln # Final pruning -rm -rf etc/machine-id var/cache/* var/log/* run/* tmp/* +rm -rf var/cache/* var/log/* tmp/* %end From 135de4a70bfe7b7218af70f92be49f993de508a4 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:32:12 -0500 Subject: [PATCH 09/15] docker-min: add a comment, remove a comment --- fedora-docker-base-minimal.ks | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index e730914..4431d0a 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
@@ -67,6 +67,7 @@ install -d /run/lock -m 0755 -o root -g root rm -f /etc/machine-id touch /etc/machine-id +# remove some random help txt files rm usr/share/gnupg/help*.txt -f # See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 @@ -76,7 +77,7 @@ for dir in locale i18n; do done # Pruning random things -rm usr/lib/rpm/rpm.daily # seriously? +rm usr/lib/rpm/rpm.daily rm usr/lib64/nss/unsupported-tools/ -rf # unsupported # Statically linked crap From af2754943727f9c6b8e5e22394dc08ad07fde527 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Thu, 19 Jan 2017 22:36:54 -0500 Subject: [PATCH 10/15] docker-min: move /usr/share/{locale,i18n} to %post nochroot find does not exist in the minimal image chroot so we'll have to run it from outside. --- fedora-docker-base-minimal.ks | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 4431d0a..e6c349b 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -70,11 +70,6 @@ touch /etc/machine-id # remove some random help txt files rm usr/share/gnupg/help*.txt -f -# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 -KEEPLANG=en_US -for dir in locale i18n; do - find usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rf {} + -done # Pruning random things rm usr/lib/rpm/rpm.daily @@ -88,3 +83,15 @@ ln usr/bin/ln usr/sbin/sln rm -rf var/cache/* var/log/* tmp/* %end + +%post --nochroot --erroronfail --log=/mnt/sysimage/root/anaconda-post-nochroot.log +set -eux + +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 +# NOTE: run this in nochroot because "find" does not exist in chroot +KEEPLANG=en_US +for dir in locale i18n; do + find /mnt/sysimage/usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rf {} + +done + +%end From 22bc79ed6ff0781b113c9ca699474c6b7d32d508 Mon Sep 17 00:00:00 2001 
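Review bot: In the loop moved to `%post --nochroot` (PATCH 10/15), the filter `-not \( -name "${KEEPLANG}" -o -name POSIX \)` is applied to `i18n` as well as `locale`, but the first-level directories under `usr/share/i18n` are normally `charmaps` and `locales`, so nothing matches and the whole tree is deleted. If that is intended, say so next to the loop, for example `# i18n has no per-language dirs at this level; everything under it is removed on purpose`, because locale data can then no longer be regenerated inside the image. The target path is also unquoted; `find "/mnt/sysimage/usr/share/${dir}"` costs nothing and keeps the `rm -rf` confined to one argument.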
From: Dusty Mabe Date: Thu, 19 Jan 2017 22:50:29 -0500 Subject: [PATCH 11/15] docker-min: move /run/lock to %post nochroot umount doesn't exist in the minimal image --- fedora-docker-base-minimal.ks | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index e6c349b..6d30e38 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -52,17 +52,6 @@ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch echo "# fstab intentionally empty for containers" > /etc/fstab -# https://bugzilla.redhat.com/show_bug.cgi?id=1343138 -# Fix /run/lock breakage since it's not tmpfs in docker -# This unmounts /run (tmpfs) and then recreates the files -# in the /run directory on the root filesystem of the container -umount /run -# The file that specifies the /run/lock tmpfile is -# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd -# rpm that isn't included in this image. We'll create the /run/lock -# file here manually with the settings from legacy.conf -install -d /run/lock -m 0755 -o root -g root - # Remove machine-id on pre generated images rm -f /etc/machine-id touch /etc/machine-id 
@@ -87,6 +76,20 @@ rm -rf var/cache/* var/log/* tmp/* %post --nochroot --erroronfail --log=/mnt/sysimage/root/anaconda-post-nochroot.log set -eux +# https://bugzilla.redhat.com/show_bug.cgi?id=1343138 +# Fix /run/lock breakage since it's not tmpfs in docker +# This unmounts /run (tmpfs) and then recreates the files +# in the /run directory on the root filesystem of the container +# NOTE: run this in nochroot because "umount" does not exist in chroot +umount /mnt/sysimage/run +# The file that specifies the /run/lock tmpfile is +# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd +# rpm that isn't included in this image. We'll create the /run/lock +# file here manually with the settings from legacy.conf +# NOTE: chroot to run "install" because it is not in anaconda env +chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root + + # See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816 # NOTE: run this in nochroot because "find" does not exist in chroot KEEPLANG=en_US From 6f0cdf042dc177ecc0248f4fcfedcdb3f6fe6fb2 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 20 Jan 2017 18:27:39 -0500 Subject: [PATCH 12/15] docker-min: make our rm commands verbose --- fedora-docker-base-minimal.ks | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 6d30e38..9f2ad2c 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
@@ -53,23 +53,22 @@ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch echo "# fstab intentionally empty for containers" > /etc/fstab # Remove machine-id on pre generated images -rm -f /etc/machine-id +rm -fv /etc/machine-id touch /etc/machine-id # remove some random help txt files -rm usr/share/gnupg/help*.txt -f - +rm -fv usr/share/gnupg/help*.txt # Pruning random things rm usr/lib/rpm/rpm.daily -rm usr/lib64/nss/unsupported-tools/ -rf # unsupported +rm -rfv usr/lib64/nss/unsupported-tools/ # unsupported # Statically linked crap -rm usr/sbin/{glibc_post_upgrade.x86_64,sln} +rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln} ln usr/bin/ln usr/sbin/sln # Final pruning -rm -rf var/cache/* var/log/* tmp/* +rm -rfv var/cache/* var/log/* tmp/* %end @@ -94,7 +93,7 @@ chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root # NOTE: run this in nochroot because "find" does not exist in chroot KEEPLANG=en_US for dir in locale i18n; do - find /mnt/sysimage/usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rf {} + + find /mnt/sysimage/usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rfv {} + done %end From 42b8714c65ff157362744434ad5d64b1b6db5e55 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 20 Jan 2017 18:28:39 -0500 Subject: [PATCH 13/15] docker-min: a few more things that can be removed --- fedora-docker-base-minimal.ks | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 9f2ad2c..7fb67b6 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
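Review bot: Changing `rm usr/sbin/{glibc_post_upgrade.x86_64,sln}` to `rm -fv` (PATCH 12/15) does more than add verbosity: with `-f` a missing file no longer fails the build under `set -eux`, so a run on an architecture where the helper has a different name passes silently and the binary stays in the image. `rm usr/lib/rpm/rpm.daily`, by contrast, is left with no flags and still aborts when the file is absent. Decide per file whether absence is an error: use `rm -v` where the file must exist and `rm -fv` where it may not, with a short comment on the `-f` cases.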
@@ -67,6 +67,23 @@ rm -rfv usr/lib64/nss/unsupported-tools/ # unsupported rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln} ln usr/bin/ln usr/sbin/sln +# Remove some dnf info +rm -rfv /var/lib/dnf + +# don't need icons +rm -rfv /usr/share/icons/* + +#some random not-that-useful binaries +rm -fv /usr/bin/pinky + +# we lose presets by removing /usr/lib/systemd but we do not care +rm -rfv /usr/lib/systemd + +# if you want to change the timezone, bind-mount it from the host or reinstall tzdata +rm -fv /etc/localtime +mv /usr/share/zoneinfo/UTC /etc/localtime +rm -rfv /usr/share/zoneinfo + # Final pruning rm -rfv var/cache/* var/log/* tmp/* From e99c9edc74fdfbcf6178fa41c5cac7c679c30e63 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 20 Jan 2017 18:29:29 -0500 Subject: [PATCH 14/15] docker-min: remove e2fsprogs,libss,fuse-libs --- fedora-docker-base-minimal.ks | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index 7fb67b6..c597a60 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks @@ -32,6 +32,9 @@ bash fedora-release microdnf -kernel +-e2fsprogs +-libss # used by e2fsprogs +-fuse-libs %end From 7ba27d5891d510b07ab6f3f2ff2391e8e0b3ec6c Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Mon, 23 Jan 2017 10:54:01 -0500 Subject: [PATCH 15/15] docker-min,docker-base: remove reference to yum in kickstart --- fedora-docker-base-minimal.ks | 2 +- fedora-docker-base.ks | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fedora-docker-base-minimal.ks b/fedora-docker-base-minimal.ks index c597a60..cf40cff 100644 --- a/fedora-docker-base-minimal.ks +++ b/fedora-docker-base-minimal.ks 
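Review bot: The removals added in PATCH 13/15 delete files that presumably belong to installed packages (`/usr/bin/pinky`, `/usr/share/zoneinfo`, the contents of `/usr/lib/systemd`), so the rpm database in the image keeps listing them and `rpm -V` will report them as missing. That makes a later integrity check of a running container noisy, and a package update can quietly bring the files back. Record this above the block, for example `# NOTE: files below stay registered in the rpmdb; rpm -V will flag them as missing`, and confirm that nothing microdnf needs lives under `/var/lib/dnf` before removing it. This block uses absolute paths while the lines around it (`ln usr/bin/ln usr/sbin/sln`, `rm -rfv var/cache/*`) are relative; one convention throughout would be easier to audit.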
@@ -1,7 +1,7 @@ # This is a minimal Fedora install designed to serve as a Docker base image. # # To keep this image minimal it only installs English language. You need to change -# yum configuration in order to enable other languages. +# dnf configuration in order to enable other languages. # ### Hacking on this image ### # This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically), diff --git a/fedora-docker-base.ks b/fedora-docker-base.ks index 8c0a117..9e04d5c 100644 --- a/fedora-docker-base.ks +++ b/fedora-docker-base.ks @@ -1,7 +1,7 @@ # This is a minimal Fedora install designed to serve as a Docker base image. # # To keep this image minimal it only installs English language. You need to change -# yum configuration in order to enable other languages. +# dnf configuration in order to enable other languages. # ### Hacking on this image ### # This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),