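#!/usr/bin/env bash
# Strip the image to a small minimal system.
#
# Runs as the last step of the rootfs build: purges packages and paths that are
# not needed at runtime, drops dpkg itself, and leaves a stub /usr/bin/apt-get
# behind.  Every path and package removed here comes from the fixed lists in
# this file, not from any input to the script.
#
# Requires root, a Debian-based rootfs, and the section_start/section_end
# helpers provided by the CI environment that runs this script.
#
# When changing this file, you need to bump the following
# .gitlab-ci/image-tags.yml tags:
# KERNEL_ROOTFS_TAG
set -ex

section_start strip-rootfs "Stripping rootfs"

export DEBIAN_FRONTEND=noninteractive

# First pass: packages that can still be removed cleanly through apt, so their
# reverse dependencies are taken into account.
UNNEEDED_PACKAGES=(
  libfdisk1 git
  python3-dev python3-pip python3-setuptools python3-wheel
)

# Removing unused packages.  A package that is already absent is not an error
# for this script: the failure is reported and the loop carries on.
for PACKAGE in "${UNNEEDED_PACKAGES[@]}"; do
  if ! apt-get remove --purge --yes "${PACKAGE}"; then
    echo "WARNING: ${PACKAGE} isn't installed" >&2
  fi
done

# Best effort: a failing autoremove must not abort the strip.
apt-get autoremove --yes || true

# Second pass: packages dpkg treats as essential or that other packages still
# depend on.  --force-remove-essential --force-depends deliberately leaves the
# dpkg database inconsistent; that is only acceptable because dpkg is dropped
# right after and nothing is meant to be installed into this image later.
UNNEEDED_PACKAGES=(
  apt libapt-pkg6.0
  ncurses-bin ncurses-base libncursesw6 libncurses6
  perl-base libperl5.36 perl-modules-5.36
  debconf libdebconfclient0
  e2fsprogs e2fslibs libfdisk1
  insserv
  udev
  init-system-helpers
  cpio
  passwd
  libsemanage1 libsemanage-common
  libsepol1
  gpgv
  hostname
  adduser
  debian-archive-keyring
  libgl1-mesa-dri mesa-vulkan-drivers mesa-va-drivers mesa-vdpau-drivers i965-va-driver
  intel-media-va-driver
  gnupg2
  software-properties-common
)

# Removing unneeded packages
for PACKAGE in "${UNNEEDED_PACKAGES[@]}"; do
  if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"; then
    echo "WARNING: ${PACKAGE} isn't installed" >&2
  fi
done

# Show what's left package-wise before dropping dpkg itself
COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n

# Drop dpkg
dpkg --purge --force-remove-essential --force-depends dpkg

# Paths to remove.  Globs are expanded when the array is assigned, so each
# element is a concrete path; a pattern that matches nothing stays literal and
# is ignored by rm -f without an error.

directories=(
  /var/log/* # logs
  /usr/share/doc/* # docs, i18n, etc.
  /usr/share/locale/*
  /usr/share/X11/locale/*
  /usr/share/man
  /usr/share/i18n/*
  /usr/share/info/*
  /usr/share/lintian/*
  /usr/share/common-licenses/*
  /usr/share/mime/*
  /usr/share/bug
  /lib/udev/hwdb.bin # udev hwdb not required on a stripped system
  /lib/udev/hwdb.d/*
  /usr/bin/iconv # gconv conversions && binaries
  /usr/sbin/iconvconfig
  /usr/lib/*/gconv/
  /usr/sbin/update-usbids # libusb db
  /usr/share/misc/usb.ids
  /var/lib/usbutils/usb.ids
  /root/.pip # pip cache
  /root/.cache
  /root/.cargo
  /etc/apt # configuration archives of apt and dpkg
  /etc/dpkg
  /var/* # drop non-ostree directories
  /srv
  /share
  /usr/share/ca-certificates # certificates are in /etc
  # NOTE(review): on Debian /etc/ssl/certs may contain symlinks into the tree
  # above next to the concatenated bundle file; confirm TLS trust still works
  # in the stripped image.
  /usr/share/bash-completion # completions
  /usr/share/zsh/vendor-completions
  /usr/share/gcc # gcc python helpers
  /etc/init.d # sysvinit leftovers (was misspelled "inid.d", which never matched)
  /etc/rc[0-6S].d
  /etc/init
  /usr/lib/lsb
  /usr/lib/xtables # xtables helpers
  /usr/lib/locale/* # should we keep C locale?
  /usr/sbin/*fdisk # partitioning
  /usr/bin/localedef # locale compiler
  /usr/sbin/ldconfig* # only needed when adding libs
  /usr/games
  /usr/lib/*/security/pam_userdb.so # Remove pam module to authenticate against a DB
  /usr/lib/*/libdb-5.3.so # libdb-5.3.so that is only used by this pam module ^
  /usr/lib/*/libnss_hesiod* # remove NSS support for nis, nisplus and hesiod
  /usr/lib/*/libnss_nis*
  /usr/lib/*/wine # don't need Wine's implementation, using Proton instead
  /usr/local/bin/mold
  /usr/local/bin/bindgen
  /usr/local/bin/cargo*
  /usr/local/bin/clippy*
  /usr/local/bin/rust*
  /usr/local/bin/rls
  /usr/lib/*/dri
)

# Every element is an absolute path from the list above, so "--" is only a
# guard against a future entry that starts with "-".
for directory in "${directories[@]}"; do
  rm -rf -- "$directory" || echo "Failed to remove $directory! Update scripts!" >&2
done

# find(1) -name patterns, quoted so the shell does not expand them here, for
# entries to remove anywhere under /usr and /etc.  '*fuse*' is broad enough to
# match any name containing "fuse" — presumably intended, verify when editing.
files=(
  '*systemd-resolve*' # systemd dns resolver
  '*networkd*' # systemd network configuration
  '*timesyncd*' # systemd ntp
  'systemd-hwdb*' # systemd hw database
  '*fuse*' # FUSE
)

# The loop variable must not be named "files": assigning to it inside the
# loop would overwrite files[0].
for pattern in "${files[@]}"; do
  # -prune keeps find from descending into a matched directory that rm -r
  # removes as a whole.
  find /usr /etc -name "$pattern" -prune -exec rm -r {} \;
done

# We purge apt and dpkg to save on space, which is great for runtime and
# bandwidth use etc, but less great for cbuild which wants to run apt-get clean
# when we're done. Install a stub which works for that and is apologetic for
# anyone else.
# The heredoc delimiter is quoted so the stub's own $-expansions are written
# literally instead of being expanded by this script.
cat >/usr/bin/apt-get <<'EOF'
#!/bin/bash

if [ "${1:-}" != "clean" ]; then
    echo "Couldn't run '$0 $*', because apt has been cleaned from this container."
    echo ""
    echo "After .gitlab-ci/container/strip-rootfs.sh has run, you cannot install"
    echo "new packages."
    echo ""
    echo "Sorry."
    exit 1
fi
EOF

chmod +x /usr/bin/apt-get
# apt was purged above, so /usr/bin/apt is expected to be gone.  If it is not,
# ln fails and set -e stops the script, which is the right outcome: it means
# the purge did not take effect.
ln -s /usr/bin/apt-get /usr/bin/apt

section_end strip-rootfs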