Description
Demo from the distribution team. This week, it's on whether we can move our ubi images from the standard images to the ubi-minimal variants.
A
What the challenges are there? Well, the benefits are, and maybe look into a few of the, what's going on here, situations that we run into a few times.
A
So in the notes, I've put a couple of things. First things first is, you know, a discussion about using a distroless image dodr on. That is that we should be looking to try and use a much more minimalized image if possible, the full fat UBI image as well, but so reducing that is even better. The tricky part here is: what do we actually need in order to function, and what silent assumptions do pieces of our tools and their compilers make about the operating system as they have available?
A
However, when that assumption turns out to be wrong, which is often the case in highly minimalized distributions such as Alpine or VB, UBI minimal or even UBI micro, well, now we're talking about a whole different beast, and we get to learn the hard way what the assumptions are, because when you get a message that says empty string, no such file.
A
That's not exactly a usable error message, so you get to go looking into root causes of why is a file not present when it doesn't even know what the file it's looking for is. Okay, and then there's some other fun stuff, like every distribution has useradd, right?
A
Oh, the answer is no. They don't. It's not that the distribution does not have it. It's that it's not by default in the base OS, depending on how you've selected to do the base OS, and in a container, ideally you're chunking off everything you don't need, which means literally, you don't need to have useradd, don't have useradd, right. So, in the case of UBI minimal as an example, there is no shadow-utils, which, by the way, is the common package name, right.
A
So where do you install it? When do you install it? Can you remove it? When do you remove it? Optimization choices, and they matter. Because if you just go, well, the easy one is we just put it in the base image. Hint: yes, I've done that in my MRs. That's why it's in draft, because then you can just fix all the images at once. The problem is now all your images have useradd and all the rest of shadow-utils that you don't actually need for an operational program that doesn't manage users.
A
So, let's go digging into those, but I guess I'm going to rearrange what I have in the notes here before we go digging into those specific ones. Let's look at, like, why. Why does UBI minimal versus UBI make a difference? What's the value add going down in size, down in default packages and things like this?
A
Let's see, that's 200-ish megs right now. If I do the same thing in minimal, that seems like a whole order of magnitude less, doesn't it? And that's the unpacked size we're talking about, the difference between.
A
Dnf is an installable package on the full-size UBI. Its details are here and I can get the specifics of where it came from here. But the big difference is dnf is a full-fledged lightweight implementation, written in C, right. Now, it's not as complex, and it doesn't necessarily do everything, right, but one of the biggest things is you don't have any of the interpreter stack, which means there's no system Python. There's no system Perl, right. If I go over here, no Perl.
A
And for those of us that have been keeping up with what the scanners like to yell at us about, that's a significant portion of things that, if we don't have these packages that aren't needed, then we get a distinctly different package size and a different surface, and thus a different result from the scanners, as called out by one of our security team. The difference is 94 to 27.
C
Jason, quick question: is this more of a benefit for us internally in development, like the size, since we're pulling images so much, I guess?
A
So it's not about us versus others. Okay, there is an OpEx value for us when it comes to image sizes, and we've covered this in previous demos, but I'll summarize it here. The less we produce in artifacts, right, by size alone, our storage will go down, but because there's less storage being consumed, there's less data that has to be transferred. Less data means less time. Less time means more time for other things.
A
That's 20 savings on storage on every single image going forward, and that is a lot, right. It doesn't seem like it, but it adds up super fast, and that same 20 in storage is also saved in CDN costs, transit cost in and out of the cloud, transit costs between zones, like, it adds up repeatedly across all these things, and that also affects every customer too, because that means that the tarball that they have to produce and store and transit into an air-gapped environment is smaller, takes less time, it's more performant for them.
A
When you're then turning around and actually deploying these containers to boot, you also get the benefit of now getting their transits to you, which means that's a good thing. You can get the containers to start faster because they're not waiting on it, especially in certain platforms for Kubernetes that serialize container pull, right, serialized meaning they go into the queue and they come as they come, right.
A
Second, there's less storage on the node that's being consumed just by the layers themselves of the images, which means it's actually more performant for the customer, because we're not taking up as much space on disk, which means they can do more things with that node, and technically, ours have more space to work with when it comes to temporary storage.
A
All right, so I'm going to go ahead and look at the next question of what is up with this charlock_holmes, right. But here's an example: we're in Gitaly and charlock_holmes gets pulled and we get the weirdest error ever. Good night build, okay, cool, extconf failed. Okay, could not create Makefile due to some reason.
A
Some reason. Check the mkmf.log for more details. You may need to continue configuration options. Okay, that's fair!
A
It's literally telling you in empty string, no such file or directory.
A
An expectation for pkg-config, right. Now, the funny part is it doesn't say that, it's just an assumed, because it's in build-essential. When I talked about assumptions: it wants ICU specifically, and it wants these three pieces of it, and then it's going to CXXFLAGS. If it looks like the XX doesn't have the behaviors for the standard library set, then it says: I want C++11. All right, we'll see about that one. And then it says, oh, I'm looking specifically for ICU and unicode ucnv, right.
A
Well, they ran into a couple of interesting issues. I'm sorry, I'll be right back. My package has arrived.
C
Hey Mitch, I'm gonna slap you another issue for infor similar to the logrotate. I have a backup issue that they put as for scheduling, and they were asking when it's going to be done in 15-6, but we never actually made it a deliverable. So.
A
Interesting that someone actually ended up saying the real problem is they were missing a package, autoreconf. So let's close that one and have a look at this. This one was from local Geary, which, by the way, we make use of, maybe we'll keep an eye on for that one, and this one was hurt slightly more recently.
A
Which, that's weird.
A
Remember when I said assumptions? Guess what: dnf provides which. Well, that comes from the which package. So let's try installing that and try again.
A
Well, there is no build-essential here, if you looked. It was an apt, which means it's in Ubuntu, sometimes a Debian, and that's a good question. It's like, what's in that? If I were to go and do that here in this Debian-based image, I could go find that out. I pulled down the rails master, which is the Debian-based one, and basically went ldd on the final output to go figure out.
A
This time I'm going to take out the pkg-config just to see if it gets installed with everything else. Why? Don't manually maintain things you don't need to manually maintain. Okay, something already pulls it in, so other things we're doing don't need that, so I will take pkg-config out and leave in my comment that I need which and findutils for sanity.
A
Plastic UI failures by the human during a demo, right. Git commit snack m, bi, filler, add which and findutils.
A
Okay, so I'm gonna go ahead and go to this new tab. The whole pipeline that I had, closing, closing, closing. Okay, it's already failed, which means the changes that I push to try and unbreak a few things have fixed themselves. Let's see what container registry exploded with. Build rails failed, build mailroom failed, build Gitaly failed. How much you bet all three of those failed on charlock_holmes? The rails. I know mailroom did. I know Gitaly did. So let's go see if rails did.
A
TL;DR, by the way, is this is because GitLab container registry does not actually follow the exact same pattern as the rest of the images in terms of being based on GitLab base, inheriting set config patterns and a few of the other things that make the other ones common runtime patterns up, all right. So we look at GitLab rails, and previously, sure enough, it blew up on charlock_holmes as well. Surprise.
A
Base, we added shadow-utils because adduser is required, and the reasoning behind that is relatively simple. Dnf provides.
A
And it just removes all the cache data, but we don't have to go, you know, remove the package cache ourselves, which is not great to have to do that in the first place. If we were to take this microdnf clean all and actually put it down here at the bottom, what we could do is do the install and then at the bottom uninstall it and anything that went with it.
A
The problem is, what happens if you get polluted packages? Do you really need to keep SC manager around? I mean, SC manage might be one of those things that we do need, but, like, we just installed shadow-utils. Let's see what happens when we remove it. Move here now, only shadow-utils with it, so SC manage stuck around, right. This is a classic package manager issue. When you install a package, it installs things with it.
A
It's also entirely possible that we could basically earn add user instead of it being ad user. We could end up putting something into the build scripts or scripts itself that basically rise to run dnf install adduser and then turns around and rips it back out. Not great, but it's either that or we repeat ourselves all over the place.
A
Right, because we need to add it on every image and then we need to turn around and remove it on every image. So we end up with one line modification, new line modification, and then we just rearrange a couple of lines, right, but now that's basically three line change in every single final image.
A
I see neither one is actually fired because they both rely on Ruby, so we're really waiting for mailroom to fire. Once Ruby is done, which looks like it just got done, the mailroom says it's triggering now.
E
There's some chat, I'm thinking back to, like, operator certification, there's some checks to make sure there are images directly based on UBI or UBI minimal, right. We couldn't make a GitLab flavor of that image as our final runtime image that just has the GitLab user pre-baked in without adduser baked.
B
In effectively.
A
True, so there are creative ways, but the summary is that you need to have your final image to be, you have to be based on one of their images to be certified, because they certify their base. They can't certify yours if you're not based on them, stain enough.
A
We just saw stuff go weird, right, and I'm doing this right now as though everything would be based on UBI minimals, so that we have a flat group of assumptions. We don't, yeah. All the gem is built and everything's good, and then you go to run it, you're like, it doesn't have a which, right, and we have programs that shell out, so we have to care.
A
If you have cleared dependencies, you can basically just find all the executables, see if they're binary forms, if they're binary forms, ldd, pull all their dependencies and make sure those all end up in the final image. Okay, there's behaviors for that, and then you have, well, if it's a Ruby or it's a Python or it's a Perl, how do we do this? Where does it come from? All this fun stuff comes into play, right?
A
Where, what do you use to exercise the application in full to get a full strace, to make sure that you have identified every single file that gets opened, every single executable that is executed, every single directory that is looked at, right? You literally have to do a full end-to-end test that has a 100 code coverage, yeah, you heard me, to be dead certain everything is recorded.
A
So that kind of is a problem, because you know how you find out a silent dependency? When it fails. And if people aren't building the images and testing the images through all of their code and anybody else's code.
A
Right, so I'm basically looking for the larger "I'm going to explode" scenarios right now before I proceed any farther, and what we did look at was the container registry, we know will explode because it is based off UBI minimal and does not have adduser.
A
We earlier saw that we didn't have adduser and that's why a lot of things blew up. Most of that was fixed by actually just installing shadow-utils, and GitLab base adds to the shortcut. We'll have to individually add that specifically to the registry, because, well, it doesn't work the same, and the charlock_holmes was literally a false assumption, because which, which is which on which, is not accurate. Fun to say, but it's not accurate.
E
We will, the actual adduser call was a few lines up, right, so we want to move that down.
A
The nice thing about Docker RUN command is you can put comments in the middle of them on multi lines, because Docker will strip them out before it does the compilation with RUN command. So it messes with your eyes if you're reading shell script purely. One, don't do that. Two, textually speaking, comments inline don't end up in the RUN command, so you can do that, even as confusing as it may seem.
A
Okay, curl's already there in the base image. Which isn't, but curl is. I don't blame them, I'm glad they have Pearl. Okay. So next one up is the UBI entry point, which just does a couple of exports. This is UBI entry point, is actually here for the sake of OpenShift compatibility and flexibility with randomized user IDs that ensures, effectively, this ensures that everything works as expected, because environment variables have to line up no matter what the UID is.
A
Look, DB migrate calls directly into the registry database, so all of its scripts here to have all their needs met, so I believe we can safely say that the only thing we actually needed to add to the container was the necessary adduser patterns to get it to work. And, yes, technically I could have had the layer that did that, the tarballs, and then the layer that did that.
A
There's into that, so rails and toolbox. Rails blew up previously. You don't need to open that, it just finished. Dude, we knew registry was going to blow up. Gitaly's install is firing.
A
I mean, to be fair, we're in builder, so it's not in the final image. But it's just interesting that, like, tripping git is what ended up tripping the installation of shadow-utils.
A
Is just finished and it's waiting on the rails image for a reason I don't really know off the top of my head. I don't remember, runtime wise, why the Workhorse in UBI depends upon GitLab rails EE. I'd have to go look what it does. Toolbox is waiting on rails? Well, that one makes a lot of sense, because toolbox is literally the rails image with a different set of startup scripts and the additional tools for doing toolbox things, aka talking to the system, rake tasks, all of that.
A
Oh, and these warnings, by the way, Mitch, those are actually really super easy turn off.
A
It's a quick one-line sed that basically goes, if you're looking for the entitlements manager, shut up. It changes a config file with a single sed, and then you never see it again. So I've actually got a separate MR that actually does address that.
A
So like, if you were to be building the container on a host, it was Red Hat, that did have licenses, that did have other subscriptions, you could then use other repositories, but basically you can turn that off, because we're never going to care, because the images aren't supposed to have subscription-based packages, all right.
A
What, where do we call su, command not found in SG? Oh right, go, and then we go down to rails. This is part of the final image state where we do the bit snap, bootsnap cache, so we actually need to do a dnf, microdnf install to put in util-linux and then I uninstall, to take it back out because.
A
Nope, microdnf doesn't actually have a means to do a recursive remove, if I remember correctly. Remove.
A
What gzip and both crack live sets.
A
If we rewrite this section a little bit, we might be able to effectively, because of the chown and chmod. That's where we have to be careful. So the su is here because this whole block is operating as root.
E
It's just lived here: the TIR.
A
Things are gonna change, right, because UBI is not UBI minimal. As we've seen, certain assumptions are just not accurate, which means, if they're assuming that they've made the changes they need to make UBI work, well then, if they're not actually on the UBI anymore, then those assumptions are now false, so it could have a user impact.
A
We, let's not even get started on the fact that, because we ship to DSOP, DSOP, that needs to know that we're also switching all of our images to be based on that.
A
Right, so if anybody else has made it to this point in the video, thanks for watching and your patience, and I'm betting you ran it like double speed. It's okay. You have questions, find our agenda doc. We have multiple issues related to this. I've shown the MR on my screen for the better part of the entire video, so we can collaborate there if you have any further questions, and feel free to raise questions or concerns or other things. Now we get the engagement. Thanks for everybody for watching and we'll see you at the next one.