Why is shadow-utils (providing useradd and groupadd) not included by default in core:2.0 images? #8964

Open
dagood opened this issue Apr 30, 2024 · 3 comments
Labels
question Further information is requested

Comments

@dagood
Member

dagood commented Apr 30, 2024

We've gotten two reports (one about useradd, one about groupadd) where Azure Pipelines expects them to be installed:

We produce Go images based on mcr.microsoft.com/cbl-mariner/base/core:2.0, so we're somewhat dependent on what Azure Linux 2.0 provides by default. We can add more packages in our Dockerfiles, but we're curious about this in particular because it seems to break the use of "ordinary" Azure Linux/Mariner 2.0 images in Azure Pipelines container jobs.

By contrast, current Debian and Fedora images do include useradd and groupadd by default. (We also build Debian-based Go images, but some of our users do need to use Azure Linux.)

I'm curious what the reason is for not including these tools by default, and if AzDO's (and/or Microsoft 1ES PT's?) dependency on these tools has been considered.

/cc @gdams

@dagood dagood added the question Further information is requested label Apr 30, 2024
@zcobol

zcobol commented Apr 30, 2024

IMO: keeps the core container at minimum size. shadow-utils is dependent on several other packages. When installed it adds about 16M to the image. If you deploy many core images and don't need to manage users, it adds a lot of wasteful storage.

@dagood
Member Author

dagood commented May 2, 2024

For what it's worth, I believe that (and in principle it makes sense), but I'm curious if the Azure Pipelines dependency is intentionally not being satisfied. Or maybe AzDO's requirements for using a container in a pipeline have crept upwards over time and this hasn't been considered? There could also be a bit-more-than-core image we should be using instead that I haven't noticed.

About Azure Pipeline dependencies: after adding shadow-utils to our image, Azure Pipelines now says it also needs su (provided by util-linux and not installed by default).

@dagood
Member Author

dagood commented May 6, 2024

Maybe a more straightforward question is: what image should I use in order to use Azure Linux, but with a set of dependencies similar to a buildpack-deps image?

It doesn't make sense to me for every team building dev/build images on top of Azure Linux to reinvent one.

Deployment vs. build is probably an important distinction. Size matters a lot less for build: the maintenance cost of putting together your own image can be extreme when you're in a constrained environment (large overhead to set up infra that can produce custom image builds).
