This repository has been archived by the owner on May 6, 2020. It is now read-only.

Adding a minimal shell to default rootfs #36

Open
mcastelino opened this issue Sep 30, 2017 · 9 comments

Comments

@mcastelino

@jcvenegas can we add a shell to the rootfs? That will allow us to provide a debug console.
The current minimal set of tools does not have a shell pre-installed.

See clearcontainers/agent#122

@jodh-intel
Contributor

bash is probably too big for a basic shell. I don't think CLR currently has busybox (GPL-licensed) or toybox (BSD-licensed), but they are both autospec-able (I've got examples somewhere if needed).

jcvenegas added a commit to jcvenegas/cc-osbuilder that referenced this issue Oct 2, 2017
Need to provide a shell for vm debugging.

Fixes: clearcontainers#36

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
@jcvenegas
Contributor

@jodh-intel, I will add bash for now; after that, I will work with the CL team to probably add busybox.

@devimc

devimc commented Oct 2, 2017

I prefer not to include bash or any other utility that will not be used by the agent:
fewer components -> fewer CVEs -> fewer vulnerabilities

@jcvenegas
Contributor

@devimc @mcastelino in case we don't want to add it, it could be documented in clearcontainers/agent#122 to use EXTRA_PKGS="bash-bin" just for debugging.

@devimc

devimc commented Oct 2, 2017

we can create a debuggable image by running the following commands:

$ make clean
$ EXTRA_PKGS="dbus-bin dbus-autostart util-linux-bin p11-kit-bin bash shadow ca-certs dist-pam-configs xz-bin tar-bin grep-bin sed-bin pigz-bin iproute2-bin procps-ng-bin psstop-bin htop-bin curl nano pciutils usbutils-bin" make rootfs
$ IMG_SIZE="450MB" make image

We can also include any other package needed.
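As an added example (not code from this thread or from osbuilder), a POSIX shell gate that could run after `make rootfs` to enforce the split between a minimal "production" rootfs and the debug variant built with the EXTRA_PKGS list above; the rootfs path, the list of debug-only binaries and the policy itself are assumptions:

```shell
#!/bin/sh
# Added example, not osbuilder's own code. Audits a built rootfs directory
# and enforces a simple policy: the production image carries no interactive
# shell or debug utility, while the debug image (built with EXTRA_PKGS) must
# actually carry bash. The binary list is an assumption chosen to match the
# EXTRA_PKGS set discussed in this thread.

# Paths (relative to the rootfs root) that belong only in a debug image.
DEBUG_ONLY_BINS="bin/bash bin/sh usr/bin/bash usr/bin/htop usr/bin/nano usr/bin/curl"

# rootfs_audit ROOTFS
# Prints each debug-only binary present under ROOTFS; returns 1 if any
# were found, 0 if the rootfs is clean.
rootfs_audit() {
    rootfs=$1
    found=0
    for rel in $DEBUG_ONLY_BINS; do
        if [ -e "$rootfs/$rel" ]; then
            echo "debug-only binary present: $rootfs/$rel"
            found=1
        fi
    done
    return "$found"
}

# check_image_policy MODE ROOTFS
# MODE is "production" or "debug". Returns 0 when ROOTFS satisfies the
# policy for that mode, 1 when it does not, 2 on an unknown mode.
check_image_policy() {
    mode=$1
    rootfs=$2
    case "$mode" in
        production)
            # Nothing beyond what the agent needs: no shell, no debug tools.
            rootfs_audit "$rootfs"
            ;;
        debug)
            # A debug console is only useful if a shell is really there.
            [ -x "$rootfs/bin/bash" ] || [ -x "$rootfs/usr/bin/bash" ]
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# Usage from the osbuilder tree after `make rootfs` (rootfs path assumed):
#   check_image_policy production ./rootfs || exit 1
```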

@mcastelino
Author

@devimc @jodh-intel I would rather have some minimal shell, vs asking the user to rebuild the image. If it comes to that, we should provide a debug image as part of our default package, so that we provide debuggability by default.

Also I do not buy that having bash will make our solution any worse from a security point of view. Our going-in assumption for clear containers is that obtaining root in the VM is a given. We prevent further compromise.

@devimc

devimc commented Oct 2, 2017

@jcvenegas by how many MB does the image size increase?

@gorozco1

gorozco1 commented Oct 2, 2017

my vote for toybox @jodh-intel

@devimc

devimc commented Oct 2, 2017

I wouldn't like to include bash in the "production" version of the CC image because I want to avoid any possible container escape (i.e. chroot /proc/1/cwd)

jodh-intel added a commit to jodh-intel/osbuilder that referenced this issue Aug 28, 2020
The `image_builder.sh` script must be run as `root`.

Fixes clearcontainers#36.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>

5 participants