[systemd-devel] Fwd: How to create minimal portable services environments?

Steve Dodd steved424 at gmail.com
Wed Aug 29 14:43:47 UTC 2018


On 29 August 2018 at 11:24, Wojtek Swiatek <w at swtk.info> wrote:
[..]
> How should I create a filesystem which has only the files required by the
> packages (= the ones it brings in, as well as all the dependencies)?

This is a good question and one which is on my list of things to look
at soon for various reasons. One thing that is worth knowing is that
in Debian derived distros, packages don't have to declare dependencies
on "Essential: yes" packages (grep-status -FEssential yes -sPackage).
On my system this gives me:

perl-base grep base-passwd debianutils bash hostname init gzip
bsdutils dash mount coreutils e2fsprogs tar base-files ncurses-base
libc-bin dpkg diffutils findutils login ncurses-bin util-linux sed

> I know that I can dbootstrap a new system and install there dnsmasq - and
> then hopefully use this as the tree to be attached via portablectl. This
> however means that I do not have a "dnsmasq" portable service but rather a
> "bionic install with dnsmasq installed on top".

Peering into the debootstrap innards, it seems like one of the scripts
in /usr/share/debootstrap could be customized to only install
"Essential: yes" packages, which would be an improvement, but I see
your point. You can also tell dpkg to install packages in a
subdirectory, not on the main system.

The absolute bare minimum I guess is the shared libraries the binary
is linked against; here's a horrible bit of bash to show deps for ls:

 # list the packages owning the shared libraries /bin/ls is linked against
 ( for i in `ldd /bin/ls | grep '=> /' | sed -re 's/^.*=> \/(.*) \(0x.*$/\1/'`; do
     dlocate -S /$i
   done ) | sed -e 's/:.*$//' | sort | uniq

(needs dlocate)

I'm kind of surprised a tool for this hasn't crossed my path already,
but I haven't seen one. Ultimately I suspect it will boil down to
"keep adding packages to the image/chroot until it works" - knocking
up a little test suite mightn't be a bad idea.

> The main reason for me to
> use portable service is to create small packages which encompass my service,
> to be mounted on a more or less base core OS install (say, minimal bionic).
> This would allow to get rid of several nspawn containers which do exactly
> this (base OS + a package installed on top).

I was also thinking about looking into Ubuntu's snap[py] stuff to see
how they do this. They ship a supposedly minimal OS image called
Ubuntu Core which might be useful. I also wonder if there might be any
Docker based tools that do this sort of inspection.

Steve
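
An added example, not part of the original post: the ldd-to-package lookup described above as reusable shell functions, which also keep the dynamic loader line (it has no `=>`) and report unresolved libraries separately. The function names and the sample ldd output are constructed for illustration, and `dpkg-query -S` is used in place of dlocate.

```shell
#!/bin/sh
# Constructed sample of `ldd /bin/ls` output (addresses are made up).
sample_ldd() {
cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f1c2a400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)
    libmissing.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a800000)
EOF
}

# Read ldd output on stdin, print each absolute path once.
# Handles "name => /path (addr)" and the bare "/path (addr)" loader line;
# skips the vdso (no file on disk) and "not found" entries.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Read ldd output on stdin, print library names that did not resolve.
# Anything listed here would also be missing inside the image.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Map paths on stdin to the Debian packages that own them.
# Tries the path as given, then its symlink-resolved form; paths that no
# package owns are reported on stderr instead of being dropped silently.
paths_to_packages() {
    while IFS= read -r path; do
        dpkg-query -S "$path" 2>/dev/null ||
        dpkg-query -S "$(readlink -f "$path")" 2>/dev/null ||
        echo "unowned: $path" >&2
    done | sed -e 's/: .*$//' | tr ',' '\n' | sed -e 's/^ *//' | LC_ALL=C sort -u
}

# On a Debian-derived system:
#   ldd /bin/ls | ldd_paths | paths_to_packages
#   ldd /bin/ls | ldd_missing
```

ldd can end up executing code from the binary it inspects, so run this only on binaries from packages you already trust.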

