Less is more

Less is more. Famous saying, perhaps less well known author (Ludwig Mies van der Rohe). Another way to look at it is “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away” (Antoine de Saint-Exupéry). Of course he also said ‘Dessine-moi un mouton!’, which became a 1999 pop not-so-hit. Draw that sheep!

We all know that reducing the attack surface is a good thing. And recently the concept of ‘living off the land’ has become popular with attackers: using whatever tools are already available on the box. Left ‘nc’ and ‘curl’ and ‘awk’ in your image? You’ve left a lot. What about gcc?

OK, got it, memo to self: remove the stuff I’m not using. But what am I not using? Well, here’s an interesting technique using a combination of ‘apk add --virtual’ (which installs packages under a name so they can be deleted later as a group) and scanelf. Scanelf? Is that the Will Ferrell elf?

No, it’s scanelf(1), a tool you are probably not using. But if we look at how it is used here, all will become clear. It’s a way of scrubbing out things that are not needed, without having to know what they are:

# 1. build tools, tagged so they can be removed as a group later
apk add --virtual .build-deps gcc make musl-dev ...
make ... make install
# 2. libraries the installed binaries actually link against, minus the
#    ones the build itself placed under /usr/local/lib
runDeps=$(scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
 | tr ',' '\n' \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }')
# 3. pin those as their own virtual package (--virtual needs a name, or the
#    first so: entry would be taken as the name), then drop the build tools
apk add --virtual .run-deps $runDeps
apk del .build-deps

(I simplified it a bit).

What this does is:

  1. Install the build tools, tagged with .build-deps so we can remove them later
  2. Make the executable
  3. Make a list of all the libraries referenced by the executable, and figure out which package each one is in
  4. Add those packages (in case they were pulled in by the build-deps and would otherwise be removed)
  5. Remove the build-deps

Nowhere did I need to specify a list of which libraries the executable pulls from system packages. I end up with the original image + whatever system libs my package needs, plus my package. Nothing more. Less is more.
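Here is the classification step (step 3) on its own, as an added example that is not the post’s code, written so it runs without scanelf or apk. It assumes scanelf’s ‘%n#p’ output puts the comma-separated NEEDED list, a space, then the ELF path on each line; the prefix directory, binaries and library names below are constructed.

```sh
#!/bin/sh
# Added example: the "which shared libs must apk supply" step in plain sh.
# Assumed input format per line: NEEDED list (comma-separated), space, path.
set -eu

# Constructed scanelf-style output: two binaries plus one library that the
# build itself installs into the prefix (so it must NOT become an apk dep).
SAMPLE_SCANELF='libc.musl-x86_64.so.1,libssl.so.3,libcrypto.so.3 /usr/local/bin/myapp
libc.musl-x86_64.so.1,libmyhelper.so /usr/local/bin/mytool
libc.musl-x86_64.so.1 /usr/local/lib/libmyhelper.so'

# run_deps LIBDIR < scanelf-output
# Prints one "so:NAME" per distinct NEEDED library that is not already
# present in LIBDIR (the build's own prefix). Same logic as the post's
# tr | sort -u | awk pipeline.
run_deps() {
    libdir=$1
    tr ',' '\n' | awk '{ print $1 }' | LC_ALL=C sort -u \
    | while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ -e "$libdir/$lib" ]; then
            continue        # shipped by our own 'make install', not a package
        fi
        printf 'so:%s\n' "$lib"
    done
}

# Demo: build a throw-away prefix containing the helper library, run the
# classification over the constructed listing, return the deps space-joined.
demo_run_deps() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/libmyhelper.so"      # stand-in for a library our build installed
    result=$(printf '%s\n' "$SAMPLE_SCANELF" | run_deps "$tmp/lib" | tr '\n' ' ')
    rm -rf "$tmp"
    printf '%s' "${result% }"
}
```

Feed the real scanelf output into run_deps with /usr/local/lib as LIBDIR and the result is exactly the $runDeps list handed to apk; libmyhelper.so drops out because it lives in the prefix.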

And now, that two-decade-old ‘draw me a sheep’ song. Enjoy.
