►
Description
Demo from the distribution team. This week, it's on whether we can move our ubi images from the standard images to the ubi-minimal variants.
A
A
So
in
the
notes.
I
I've
put
a
couple
of
things.
First,
things
first,
is
you
know
a
discussion
about
using
a
distro
list
image
dodr
on.
That
is
that
we
should
be
looking
to
try
and
use
a
much
more
minimalized
image
if
possible,
the
full
fat
Ubi
image
as
well,
but
so
reducing
that
is
even
better.
The
tricky
part
here
is
what
do
we
actually
need
in
order
to
function
and
what
silent
assumptions
do
pieces
of
our
tools
and
their
compilers
make
about
the
operating
system
as
they
have
available?
A
A
However,
when
that
assumption
turns
out
to
be
wrong,
which
is
often
the
case
in
highly
minimalized
distributions
such
as
Alpine
or
VB,
Ubi,
minimal
or
even
Ubi
micro.
Well,
now
we're
talking
about
a
whole
different
beast
and
we
get
to
learn
the
hard
way.
What
the
assumptions
are,
because
when
you
get
a
message
that
says
empty
string,
no
such
file.
B
A
A
Oh,
the
answer
is
no.
They
don't
it's
not
that
the
distribution
does
not
have
it.
It's
that
it's
not
by
default
in
the
base
OS,
depending
on
how
you've
selected
to
do
the
base
OS
and
in
a
container,
ideally
you're,
chunking
off
everything
you
don't
need,
which
means
literally,
you
don't
need
to
have
user
ad,
don't
have
user
hand
right.
So,
in
the
case
of
Ubi
minimal
as
an
example,
there
is
no
Shadow
utils
which,
by
the
way,
is
the
common
package
name
right.
A
So
where
do
you
install
it?
When
do
you
install
it?
Can
you
remove
it?
When
do
you
remove
it
optimization
choices
and
they
matter?
Because
if
you
just
go
well
the
easy
one
is
we
just
put
it
in
the
base
image
hint?
Yes,
I've
done
that
in
my
Mrs.
That's
why
it's
in
draft,
because
then
you
can
just
fix
all
the
images
at
once.
The
problem
is
now
all
your
images
have
user
ad
and
all
the
rest
of
shadow
utils
that
you
don't
actually
need
for
an
operational
program
that
doesn't
manage
users.
B
A
So,
let's
go
digging
into
those,
but
I
guess
I'm
going
to
rearrange
what
I
have
in
the
notes
here
before
we
go
digging
into
those
specific
ones.
Let's
look
at
like
why.
Why
does
Ubi
minimal
versus
Ubi
make
a
difference?
What's
the
the
value
add
going
down
in
size
down
in
default
packages
and
things
like
this?
A
A
A
A
A
B
A
A
Dnf
is
an
installable
package
on
the
full
size.
Ubi
it's
details
are
here
and
I
can
get
the
specifics
of
where
it
came
from
here.
But
the
big
difference
is
dnf
is
a
full-fledged
lightweight
implementation,
written
in
C
right
now,
it's
not
as
complex,
and
it
doesn't
necessarily
do
everything
right,
but
one
of
the
biggest
things
is
you
don't
have
any
of
The
Interpreter
stack,
which
means
there's
no
system
python.
There's
no
system
Perl
right.
If
I
go
over
here,
no
pearl.
A
A
A
A
A
A
A
And
for
those
of
us
that
have
been
keeping
up
with
what
the
scanners
like
to
yell
at
us
about
that's
a
significant
portion
of
things
that
if
we
don't
have
these
packages
that
aren't
needed,
then
we
get
a
distinctly
different
package
size
and
a
different
surface,
and
thus
a
different
result
from
the
scanners,
as
called
out
by
one
of
our
security
team.
The
difference
is
94
to
27.
A
C
A
So
it's
not
about
us
versus
others.
Okay,
it's
there
is
an
Opex
value
for
us
when
it
comes
to
image
sizes
and
we've
covered
this
in
previous
demos,
but
I'll
summarize
it
here,
the
less
we
produce
in
artifacts
right
by
size
alone,
our
storage
will
go
down,
but
because
there's
less
storage
being
consumed,
there's
less
data
that
has
to
be
transferred.
Less
data
means
less
time.
Less
time
needs
more
time
for
other
things.
A
That's
20
savings
on
storage
on
every
single
image
going
forward,
and
that
is
a
lot
right.
It
doesn't
seem
like
it,
but
it
adds
up
super
fast
and
that
same
20
in
storage
is
also
saved
in
CDN
costs,
transit
cost
in
and
out
of
the
cloud
Transit
costs
between
zones
like
it's.
It
adds
up
repeatedly
across
all
these
things,
and
that
also
affects
every
customer
too,
because
that
means
that
the
tarball
that
they
have
to
produce
and
store
and
Transit
into
an
air-gapped
environment
is
smaller,
takes
less
time,
it's
more
performant
for
them.
A
When
you're
then
turning
around
and
actually
deploying
these
containers
to
boot,
you
also
get
the
benefit
of
now
getting
their
transits
to
you,
which
means
that's
a
good
thing.
You
can
get
the
containers
to
start
faster
because
they're
not
waiting
on
it,
especially
in
certain
platforms
for
kubernetes
that
serialize
container
pool
right,
meaning
serialized,
meaning
you
only
get
they
go
into
the
queue
and
they
come
as
they
come
right.
A
Second,
there's:
less
storage
on
the
Node
that's
being
consumed
just
by
the
layers
themselves
of
the
images,
which
means
it's
actually
more
performant
or
the
customer,
because
we're
not
taking
up
as
much
space
on
disk,
which
means
they
can
do
more
things
with
that.
Node
and
technically,
ours
have
more
space
to
work
with
when
it
comes
to
temporary
storage.
A
All
right
so
I'm
going
to
go
ahead
and
look
at
the
next
question
of
what
is
up
with
this
Sherlock
Holmes
right,
but
here's
an
example
we're
in
Italy
and
Sherlock
Holmes
gets
pulled
and
we
get
the
weirdest
error
ever
good
night
build
okay,
cool
EXT,
conv
failed.
Okay
could
not
create
make
file
due
to
some
reason.
A
B
A
A
An
expectation
for
package
config
right
now,
it's
the
funny
part,
is
it
doesn't
say
that
it's
just
an
assumed
because
it's
in
build
Essentials
when
I
talked
about
assumptions
it
wants
ICU
specifically,
and
it
wants
these
three
pieces
of
it
and
then
it's
going
to
cxx
Flags.
If
it
looks
like
the
XX,
doesn't
have
the
behaviors
for
the
standard
Library
set,
then
it
says:
I
want
C,
plus
plus
11.,
all
right,
we'll
see
about
that
one,
and
then
it
says
oh
I'm,
looking
specifically
for
ICU
and
unicode
ucnv
right.
A
B
B
A
A
A
A
C
A
Interesting
that
someone
actually
ended
up
saying
the
real
problem
is
they
were
missing
a
package
Auto
reconf.
So
let's
close
that
one
and
have
a
look
at
this.
This
one
was
from
local
Geary
which,
by
the
way
we
make
use
of
maybe
we'll
keep
an
eye
on
for
that
one,
and
this
one
was
hurt
slightly
more
recently.
A
A
A
B
B
B
B
B
D
A
A
D
B
A
A
D
A
B
B
A
A
A
A
A
B
A
A
B
A
B
A
A
Well,
there
is
no
build
Essentials
here,
that's
a
if
you
looked.
It
was
an
apt
which
means
it's
in
Ubuntu,
sometimes
a
Debian
and
that's
a
good
question.
It's
like
what's
in
that,
if
I
go,
if
I
were
to
go
and
do
that
here
in
this
Debian
based
image,
I
could
go
find
that
out.
I
pulled
down
the
rails
Master,
which
is
the
Debian
based
one
and
basically
went
ldd
on
the
final
output
to
go
figure
out.
A
B
B
B
A
A
A
A
A
This
time
I'm
going
to
take
out
the
package
config
just
to
see
if
it
gets
installed
with
everything
else,
why
don't
manually
maintain
things
you
don't
need
to
manually
maintain
okay,
something
already
pulls
it
in
so
other
things.
We're
doing.
Don't
need
that
so
I
will
take
package
configure
out
and
leave
in
my
comment
that
I
need
which
and
find
utils
for
sanity.
A
B
A
Okay,
so
I'm
gonna
go
ahead
and
go
to
this
new
tab.
The
whole
pipeline
that
I
had
closing
closing
closing
okay,
it's
already
failed,
which
means
the
changes
that
I
push
to
try
and
Unbreak
a
few
things
have
fixed
themselves.
Let's
see
what
container
registry
exploded
with
build
rails
failed,
build
mail
room
failed,
build
giddly,
failed.
How
much
you
bet
all
three
of
those
failed
on
Sherlock
Holmes,
the
rails.
I
know
mailroom
did
I
know.
Italy
did
so.
Let's
go
see
if
rails
did.
B
A
Tldr
by
the
way
is
this
is
because
gitlab
container
registry
does
not
actually
follow
the
exact
same
pattern
as
the
rest
of
the
images
in
terms
of
being
based
on
gitlab
base,
inheriting
set
config
patterns
and
a
few
of
the
other
things
that
make
the
other
ones
common
runtime
patterns
up
all
right.
So
we
look
at
gitlab
rails
and
previously
sure
enough.
It
blew
up
on
Sherlock
Holmes
as
well.
Surprise.
A
A
B
A
D
D
A
A
A
A
And
it
just
removes
all
the
cache
data,
but
we
don't
have
to
go.
You
know,
remove
the
package
cache
ourselves,
which
is
not
great
to
have
to
do
that
in
the
first
place,
if
we
were
to
take
this
micro,
dnf
clean
all
and
actually
put
it
down
here
at
the
bottom,
what
we
could
do
is
do
the
install
and
then
at
the
bottom
uninstall
it
and
anything
that
went
with
it.
A
The
the
problem
is,
what
happens
if
you
get
polluted
packages?
Do
you
really
need
to
keep
SC
manager
around
I
mean
SC.
Manage
might
be
one
of
those
things
that
we
do
need,
but,
like
we
just
installed
battle
utils,
let's
see
what
happens
when
we
remove
it
move
here
now,
only
Shadow
utils
with
it,
so
SC
manage
stuck
around
right.
This
is
a
classic
package
manager
issue.
When
you
install
a
package,
it
installs
things
with
it.
A
A
It's
also
entirely
possible
that
we
could
basically
earn
add
user
instead
of
it
being
ad
user.
We
could
end
up
putting
something
into
the
build
scripts
or
scripts
itself
that
basically
rise
to
run,
enf,
install,
add
user
and
then
turns
around
and
rips
it
back
out,
not
great,
but
it's
either
that
or
we
repeat
ourselves
all
over
the
place.
A
A
A
B
A
E
There's
some
chat,
I'm
thinking
back
to
like
operator
certification,
there's
some
checks
to
make
sure
there
are
images
directly
based
on
Ubi
or
Ubi
minimal
right.
We
couldn't
make
a
gitlab
flavor
of
that
image
as
our
final
runtime
image
that
just
has
the
gitlab
user
pre-baked
in
without
add
user
baked.
A
A
A
A
A
We
just
saw
stuff
go
weird
right
and
I'm
doing
this
right
now,
as
though
everything
would
be
based
on
Ubi
minimals,
so
that
we
have
a
flat
group
of
assumptions.
We
don't
yeah.
All
the
gym
is
built
and
everything's
good,
and
then
you
go
to
run
it
you're
like
it
doesn't,
have
a
witch
right
and
we
have
programs
that
shell
out,
so
we
have
to
care.
A
If
you
have
cleared
dependencies,
you
can
basically
just
find
all
the
executables
see
if
they're
binary
forms
if
they're
binary
forms
ldd
pull
all
their
dependencies
and
make
sure
those
all
end
up
in
the
final
image.
Okay,
there's
behaviors
for
that,
and
then
you
have
well,
if
it's
a
ruby
or
it's
a
python
or
it's
a
pearl.
How
do
we
do
this?
Where
does
it
come
from
all
this
fun
stuff
comes
into
play
right?
A
Where
what
do
you
use
to
exercise
the
application
in
full
to
get
a
full
s
Trace,
to
make
sure
that
you
have
identified
every
single
file
that
gets
opened
every
single
executable
that
is
executed
every
single
directory
that
is
looked
at
right?
You,
you
literally,
have
to
do
a
full
end-to-end
test
that
has
a
100
code
coverage
yeah,
you
heard
me
to
be
dead.
Certain
everything
is
recorded.
A
We
earlier
saw
that
we
didn't
have
add
user
and
that's
why
a
lot
of
things
blew
up.
Most
of
that
was
fixed
by
actually
just
installing
Shadow,
utils
and
gitlab
base
adds
to
the
shortcut
we'll
have
to
individually.
Add
that
specifically
to
the
registry,
because
well
it
doesn't
work
the
same
and
the
Sherlock
Holmes
was
literally
a
false
assumption
because
which,
which
is
which
on
which
is
not
accurate,
fun
to
say,
but
it's
not
accurate.
A
B
B
A
The
nice
thing
about
Docker
run
command.
Is
you
can
put
comments
in
the
middle
of
them
on
Multi
lines
because
Docker
will
strip
them
out
before
it
does
the
compilation
with
run
command,
so
it
messes
with
your
eyes,
if
you're,
if
you're
reading
shell
script
purely
one,
don't
do
that
two
textually
speaking
comments
inline,
don't
end
up
in
the
Run
command,
so
you
can
do
that
even
as
confusing
as
it
may
seem.
A
A
Okay,
curls
already
there
in
the
base
image
which
isn't
but
curl
is
I,
don't
blame
them
I'm
glad
they
have
Pearl
okay.
So
next
one
up
is
the
Ubi
entry
point
which
just
does
a
couple
of
exports.
This
is
Ubi.
Entry
point
is
actually
here
for
the
sake
of
openshift
compatibility
and
flexibility
with
randomized
user
IDs
that
ensures
effectively.
This
ensures
that
everything
works
as
expected,
because
environment
variables
have
to
line
up
no
matter
what
the
uid
is.
A
B
B
D
A
E
A
D
A
E
A
D
D
A
A
A
A
A
B
D
D
A
Is
just
finished
and
it's
waiting
on
the
rails
image
for
a
reason:
I,
don't
really
know
off
the
top
of
my
head.
I,
don't
remember,
run
time
wise,
while
the
Workhorse
in
Ubi
depends
upon
gitlab
rails,
ee
I'd
have
to
go
look
what
it
does
who
box
is
waiting
on
Rails?
Well,
that
one
makes
a
lot
of
sense,
because
toolbox
is
literally
the
rails
image,
with
a
different
set
of
startup
Scripts
and
the
additional
tools
for
doing
new
box
things.
Aka
talking
to
the
system
break
tasks.
All
of
that.
A
A
So
like,
if
you
were,
if
you
were
to
be
building
the
container
on
a
host,
it
was
red
hat
that
did
have
licenses
that
did
have
other
subscriptions.
You
could
then
use
other
repositories,
but
basically
you
can
turn
that
off,
because
we're
never
going
to
care,
because
the
images
aren't
supposed
to
have
subscription-based
packages
all
right.
A
A
A
What,
where
do
we
call
Su
command,
not
found
in
SG?
Oh
right
go,
and
then
we
go
down
to
rails.
This
is
part
of
the
final
image
state
where
we
do
the
bit
snap
boot
snap
cash,
so
we
actually
need
to
do
a
dnf
micro,
dnf
install
to
put
in
you
tell
Linux
and
then
I
uninstall,
to
take
it
back
out
because.
D
B
B
B
A
B
B
A
A
B
A
D
A
A
A
A
A
A
B
D
D
D
D
E
B
A
A
Things
Are
Gonna
Change
right
because
Ubi
is
not
Ubi
minimal.
As
we've
seen,
certain
assumptions
are
just
not
accurate,
which
means,
if
they're,
assuming
that
they've
made
the
changes
they
need
to
make
Ubi
work.
Well
then,
if
they're
not
actually
on
the
Ubi
anymore,
then
those
assumptions
are
now
false,
so
it
could
have
a
user
impact.
A
A
B
B
A
Right,
so
if
anybody
else
has
made
it
to
this
point
in
the
video
thanks
for
watching
and
your
patience
and
I'm
betting,
you
ran
it
like
double
speed.
It's
okay,
you
have
questions,
find
our
agenda
doc.
We
have
multiple
issues
related
to
this.
I've
shown
the
Mr
on
my
screen
for
the
better
part
of
the
entire
video.
So
we
can
collaborate
there.
If
you
have
any
further
questions
and
feel
free
to
raise
questions
or
concerns
or
other
things.
Now
we
get
the
engagement
thanks
for
everybody
for
watching
and
we'll
see
you
at
the
next
one.