Skip to content
This repository has been archived by the owner on May 6, 2020. It is now read-only.

os: Add a default shell to mini-os #37

Closed
wants to merge 1 commit into from
Closed

os: Add a default shell to mini-os #37

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion scripts/osbuilder.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ build_rootfs()
fi
DNF="$DNF --config=$DNF_CONF -y --installroot=${ROOTFS_DIR} --noplugins"
$DNF install systemd hyperstart cc-oci-runtime-extras coreutils-bin \
systemd-bootchart iptables-bin clear-containers-agent ${EXTRA_PKGS}
systemd-bootchart iptables-bin clear-containers-agent bash-bin ${EXTRA_PKGS}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does the agent need bash ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @devimc, it does not. It a request to allow to debug the vm.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my vote that if this is only for debug the developer build their own image (with this tool) with bash included, and we do not need to ship with bash for security risks.

Documentation will fix that IMHO

Copy link

@mcastelino mcastelino Oct 6, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@devimc @gorozco1 @jodh-intel

How is the security risk different between us including as shell and the user of the container who normally already has access to a shell as part of the container workload. If there is a material difference between the two then it makes a difference. If not we are just sacrificing usability.

So the question is, how is this shell different from the shell available in the workload. Both are root.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mcastelino well, if we provide bash this is the vm rootfs, the shell that is provided with the workload is in another layer, limited within the container - imho - correct me if I am wrong.

[ -n "${ROOTFS_DIR}" ] && rm -r "${ROOTFS_DIR}/var/cache/dnf"
}

Expand Down