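#!/usr/bin/env bash
# Strip the image to a small minimal system.
#
# Everything below is destructive and not reversible: packages are purged
# with dependency checks disabled, the package manager itself (apt, then
# dpkg) is removed, and large parts of the filesystem are deleted.
#
# Consequence for maintenance: once apt, gpgv, debian-archive-keyring and
# dpkg are gone, the resulting image can no longer install or verify package
# updates in place. Security fixes have to come from rebuilding the image.
#
# When changing this file, you need to bump the following
# .gitlab-ci/image-tags.yml tags:
# KERNEL_ROOTFS_TAG
set -ex

export DEBIAN_FRONTEND=noninteractive

# Stage 1: packages removed through apt while apt is still installed.
UNNEEDED_PACKAGES=(
  libfdisk1 git
  python3-dev python3-pip python3-setuptools python3-wheel
)

# Removing unused packages
# Each package is removed on its own so that one failure does not abort the
# whole run under `set -e`; any non-zero exit is reported with this warning.
for PACKAGE in "${UNNEEDED_PACKAGES[@]}"
do
  if ! apt-get remove --purge --yes "${PACKAGE}"
  then
    echo "WARNING: ${PACKAGE} isn't installed"
  fi
done

# Best effort: a failing autoremove must not stop the stripping.
apt-get autoremove --yes || true

# Stage 2: packages purged directly with dpkg. The list contains apt itself
# and essential packages, so dependency and "essential" protections are
# overridden with --force-depends / --force-remove-essential below.
UNNEEDED_PACKAGES=(
  apt libapt-pkg6.0
  ncurses-bin ncurses-base libncursesw6 libncurses6
  perl-base
  debconf libdebconfclient0
  e2fsprogs e2fslibs libfdisk1   # libfdisk1 is also in the stage 1 list
  insserv
  udev
  init-system-helpers
  cpio
  passwd
  libsemanage1 libsemanage-common
  libsepol1
  gpgv
  hostname
  adduser
  debian-archive-keyring
  libegl1-mesa-dev # mesa group
  libegl-mesa0
  libgl1-mesa-dev
  libgl1-mesa-dri
  libglapi-mesa
  libgles2-mesa-dev
  libglx-mesa0
  mesa-common-dev
  gnupg2
  software-properties-common
)

# Removing unneeded packages
for PACKAGE in "${UNNEEDED_PACKAGES[@]}"
do
  if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"
  then
    echo "WARNING: ${PACKAGE} isn't installed"
  fi
done

# Show what's left package-wise before dropping dpkg itself
# (sorted by installed size; this is the last point where the package
# database can still be queried).
COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n

# Drop dpkg
dpkg --purge --force-remove-essential --force-depends dpkg

# directories for a removal
#
# The entries are unquoted, so the shell expands the glob patterns when the
# array is assigned, i.e. against the filesystem as it is at this point.
# A pattern that matches nothing stays literal and `rm -f` ignores a missing
# path without an error, so a misspelled entry is skipped silently.

directories=(
  /var/log/*               # logs
  /usr/share/doc/*         # docs, i18n, etc.
  /usr/share/locale/*
  /usr/share/X11/locale/*
  /usr/share/man
  /usr/share/i18n/*
  /usr/share/info/*
  /usr/share/lintian/*
  /usr/share/common-licenses/*
  /usr/share/mime/*
  /usr/share/bug
  /lib/udev/hwdb.bin       # udev hwdb not required on a stripped system
  /lib/udev/hwdb.d/*
  /usr/bin/iconv           # gconv conversions && binaries
  /usr/sbin/iconvconfig
  /usr/lib/*/gconv/
  /usr/sbin/update-usbids  # libusb db
  /usr/share/misc/usb.ids
  /var/lib/usbutils/usb.ids
  /root/.pip               # pip cache
  /root/.cache
  /etc/apt                 # configuration archives of apt and dpkg
  /etc/dpkg
  /var/*                   # drop non-ostree directories
  /srv
  /share
  # NOTE(review): on Debian the per-certificate entries in /etc/ssl/certs are
  # normally symlinks into /usr/share/ca-certificates; only the concatenated
  # bundle is a regular file. Confirm that TLS clients in the image read the
  # bundle, otherwise certificate verification fails on dangling links.
  /usr/share/ca-certificates # certificates are in /etc
  /usr/share/bash-completion # completions
  /usr/share/zsh/vendor-completions
  /usr/share/gcc           # gcc python helpers
  /etc/init.d              # sysvinit leftovers (was misspelled /etc/inid.d)
  /etc/rc[0-6S].d
  /etc/init
  /usr/lib/lsb
  /usr/lib/xtables         # xtables helpers
  /usr/lib/locale/*        # should we keep C locale?
  /usr/sbin/*fdisk         # partitioning
  /usr/bin/localedef       # locale compiler
  /usr/sbin/ldconfig*      # only needed when adding libs
  /usr/games
  /usr/lib/*/security/pam_userdb.so # Remove pam module to authenticate against a DB
  /usr/lib/*/libdb-5.3.so  # libdb-5.3.so that is only used by this pam module ^
  /usr/lib/*/libnss_hesiod* # remove NSS support for nis, nisplus and hesiod
  /usr/lib/*/libnss_nis*
)

# `--` keeps an entry from ever being read as an rm option. The message is
# only printed when rm itself fails, not when the path is already absent.
for directory in "${directories[@]}"; do
  rm -rf -- "$directory" || echo "Failed to remove $directory! Update scripts!"
done

# Name patterns removed wherever they occur under /usr and /etc.
# NOTE(review): '*fuse*' and '*networkd*' are substring matches, so any file
# or directory whose name merely contains the word is deleted as well.
files=(
  '*systemd-resolve*'      # systemd dns resolver
  '*networkd*'             # systemd network configuration
  '*timesyncd*'            # systemd ntp
  'systemd-hwdb*'          # systemd hw database
  '*fuse*'                 # FUSE
)

# The loop variable has its own name so it no longer overwrites files[0].
# -prune stops find from descending into a match that is about to be removed.
for pattern in "${files[@]}"; do
  find /usr /etc -name "$pattern" -prune -exec rm -r -- {} \;
done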