Right now, I have little to no control over the rootfs short of rebuilding
a lot of the components from source (assuming you aren't using a vendor
version). I have a choice with buildpacks, if I don't want something in my
environment, as an operator I can remove it.
Rootfs bloat vs buildpack complexity is always going to be a tricky
balancing act. Buildpacks as we know them today are too simplistic in
nature. Perhaps some of the recent proposals for how buildpacks could
evolve offer some help in this space.
On 7 Jun 2016 6:10 p.m., "Mike Youngstrom" <youngm(a)gmail.com> wrote:
This is an interesting question/problem. Although I see the value in not
bloating the RootFS it can be nice from a security perspective to know that
when a CVE does come up upgrading the RootFS can fix it for all instead of
relying on application developers to update. Could a bloated RootFS where
security is managed outside the application make a better counter approach
to a Docker solution?
A more bloated RootFS could also help keep buildpack complexity down.
On Tue, Jun 7, 2016 at 4:56 AM, john mcteague <john.mcteague(a)gmail.com>
I would be inclined to suggest we should be heading in the opposite
direction, stripping libraries out of the rootfs and finding a way to allow
buildpacks to add in required dependencies, thereby reducing the size and
complexity of the rootfs and minimising the number of potential CVEs in
In addition, something I have spoken to a number of people about in the
past is the presence of compilers in the rootfs which some regulated
environments do not allow.
Whether it's the ability to properly customize rootfs ourselves (as CF
operators) or finding ways for buildpacks to add in missing dependencies,
we need to limit what we add to the rootfs.
On Mon, Jun 6, 2016 at 10:02 PM, Gabriel Ramirez <gramirez(a)pivotal.io>
We are looking for community feedback on adding GraphViz support for
rootfs. This is an issue that came up in a request last week. (
We appreciate your feedback on this request. Please send us your
comments on this email list or on this GitHub issue: