slimtoolkit/slim

build --exec will keep /bin/sh even with --include-shell=false

Open

#551 opened on Jul 22, 2023

Labels: enhancement, help wanted, question

Description

Expected Behavior

When using the build command with --include-shell=false the shell script(s) should be removed from the image


Actual Behavior

It appears as if the shell used to run the --exec script will be included in the assets to keep (probably because it is actually running at the time of analysis)


Steps to Reproduce the Problem

  1. Minimize a standard Ubuntu image, do not run any script:

     >~/apps/dist_linux/slim build --http-probe=false --include-shell=false ubuntu:22.04

     Try to execute a shell inside the minimized image; as expected, docker will complain:

     >docker run --rm -ti ubuntu.slim /bin/sh
     docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory: unknown.

  2. Fake a script run:

     >~/apps/dist_linux/slim build --http-probe=false --include-shell=false --exec /bin/true ubuntu:22.04

     Run the /bin/sh shell inside the trimmed image (you get a shell prompt):

     >docker run --rm -ti ubuntu.slim /bin/sh
     #

This is probably not a bug but an unexpected side-effect of the build internal implementation. Maybe an additional option like --run, dedicated to running binary files bypassing the shell (like ENTRYPOINT does with its JSON array arguments), would clarify the intent and preserve the semantics of --include-shell?


Specifications

slim version linux|Transformer|1.40.3|155f1b79556b7d100726f5ef4633f81a6ed27a2b|2023-07-13_07:46:40AM

  • Platform: Distributor ID: Ubuntu; Description: Ubuntu 22.04.2 LTS; Release: 22.04; Codename: jammy
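A verification step for the behaviour reported above, added here as an example (it is not part of the original report or of slim itself): instead of relying on `docker run ... /bin/sh`, which only proves whether one path exists, scan the full filesystem of the minimized image (as produced by `docker export`) for any surviving shell binary or symlink. The function names, the shell name list and the sample tarball contents are constructed for the example.

```python
import io
import tarfile

# Basenames that indicate an interactive shell survived minimization.
# Matching on basename catches shells installed outside /bin as well.
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh", "ksh", "busybox"}


def find_shells(export_tar: bytes) -> list[str]:
    """Return paths inside a `docker export` tarball whose basename is a known shell.

    Symlinks are reported too: on Ubuntu /bin/sh is a link to dash, and a
    surviving link plus its target is exactly what hands out a shell prompt.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(export_tar), mode="r:*") as tar:
        for member in tar.getmembers():
            if not (member.isfile() or member.issym()):
                continue
            path = member.name.lstrip("./")
            if path.rsplit("/", 1)[-1] in SHELL_NAMES:
                suffix = f" -> {member.linkname}" if member.issym() else ""
                found.append(path + suffix)
    return sorted(found)


def build_fake_export(entries) -> bytes:
    """Constructed sample: build a tiny tar that mimics `docker export` output.

    `entries` is a list of (path, link_target_or_None) pairs.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, link in entries:
            info = tarfile.TarInfo(path)
            if link:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                data = b"\x7fELF"  # stand-in for a real binary
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Image minimized with --exec: /bin/sh (link to dash) was kept alive.
    leaked = build_fake_export([("bin/sh", "dash"), ("bin/dash", None), ("bin/true", None)])
    print("shells left in image:", find_shells(leaked))  # ['bin/dash', 'bin/sh -> dash']
```

On a real build, feed it the output of `docker export "$(docker create ubuntu.slim)"`; an empty list is the result `--include-shell=false` is expected to produce.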
