Chore: reduce attack surface and size for Docker image #965

Closed
wants to merge 1 commit into from

Conversation

bqcuong

@bqcuong bqcuong commented Apr 11, 2023

Hi,

This pull request includes a small improvement for the Dockerfile, which should help improve the security of the container and reduce the risk of potential attacks.

In detail:

  • I added --no-install-recommends to remove unnecessary apt packages that were not needed for the container's functionality. Not only can this change trim your image size, it can also reduce the attack surface.

I hope that you find them useful. Please let me know if you have any concerns.

Thank you.

@tianon
Member

tianon commented Apr 11, 2023

Do you have a list of which packages we currently have that this removes? In this case, we included Recommends of the MySQL packages intentionally because of how they're defined in https://www.debian.org/doc/debian-policy/ch-relationships.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends:

This declares a strong, but not absolute, dependency.

The Recommends field should list packages that would be found together with this one in all but unusual installations.

So, unless we know for certain that none of the Recommends: of the MySQL packages are actually required for proper functionality (and/or we have installed/depended on them ourselves explicitly), this does not seem like a prudent change for us to make.

(The way Debian maintainers usually phrase this is that when you choose not to install Recommends, you "get to keep the pieces")

@bqcuong
Author

bqcuong commented Apr 12, 2023

Hi @tianon,

I would like to report the differences between the builds before and after the improvement, as below:

  • With --no-install-recommends, these 3 packages are removed: mecab-ipadic, mecab-ipadic-utf8, mecab-utils. For more information, please see the logs below.
  • The image size is reduced from 595MB to 446MB (a 25% saving).
  • Both builds were successful, but I haven't tested the functionality of the containers after the builds.

If the mecab-* packages are intentionally installed, I suggest that their names should be listed in the apt-get install command and that --no-install-recommends should still be added to avoid unnecessary packages if they exist.

As quoted from CIS Docker Benchmark v1.5.0:

4.3 Ensure that unnecessary packages are not installed in the container
Description:
Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.
Rationale:
Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.

// before improvement
Step 12/19 : RUN { echo mysql-community-server mysql-community-server/data-dir select ''; echo mysql-community-server mysql-community-server/root-pass password ''; echo mysql-community-server mysql-community-server/re-root-pass password ''; echo mysql-community-server mysql-community-server/remove-test-db select false; } | debconf-set-selections && apt-get update && apt-get install -y mysql-community-client="${MYSQL_VERSION}" mysql-community-server-core="${MYSQL_VERSION}" && rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/mysql && mkdir -p /var/lib/mysql /var/run/mysqld && chown -R mysql:mysql /var/lib/mysql /var/run/mysqld && chmod 1777 /var/run/mysqld /var/lib/mysql
 ---> Running in 21bad631451b
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://repo.mysql.com/apt/debian bullseye InRelease [12.9 kB]
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:6 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [237 kB]
Get:7 http://repo.mysql.com/apt/debian bullseye/mysql-8.0 amd64 Packages [8544 B]
Get:8 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
Fetched 8664 kB in 2s (5565 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libaio1 libmecab2 libnuma1 mecab-ipadic mecab-ipadic-utf8 mecab-utils
  mysql-common mysql-community-client-core mysql-community-client-plugins
The following NEW packages will be installed:
  libaio1 libmecab2 libnuma1 mecab-ipadic mecab-ipadic-utf8 mecab-utils
  mysql-common mysql-community-client mysql-community-client-core
  mysql-community-client-plugins mysql-community-server-core
0 upgraded, 11 newly installed, 0 to remove and 1 not upgraded.
Need to get 42.0 MB of archives.
After this operation, 355 MB of additional disk space will be used.

// after the improvement
Step 12/19 : RUN { echo mysql-community-server mysql-community-server/data-dir select ''; echo mysql-community-server mysql-community-server/root-pass password ''; echo mysql-community-server mysql-community-server/re-root-pass password ''; echo mysql-community-server mysql-community-server/remove-test-db select false; } | debconf-set-selections && apt-get update && apt-get install -y --no-install-recommends mysql-community-client="${MYSQL_VERSION}" mysql-community-server-core="${MYSQL_VERSION}" && rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/mysql && mkdir -p /var/lib/mysql /var/run/mysqld && chown -R mysql:mysql /var/lib/mysql /var/run/mysqld && chmod 1777 /var/run/mysqld /var/lib/mysql
 ---> Running in 25b6ad7aea50
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://repo.mysql.com/apt/debian bullseye InRelease [12.9 kB]
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:6 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [237 kB]
Get:7 http://repo.mysql.com/apt/debian bullseye/mysql-8.0 amd64 Packages [8544 B]
Get:8 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
Fetched 8664 kB in 2s (5759 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libaio1 libmecab2 libnuma1 mysql-common mysql-community-client-core
  mysql-community-client-plugins
Recommended packages:
  mecab-ipadic-utf8
The following NEW packages will be installed:
  libaio1 libmecab2 libnuma1 mysql-common mysql-community-client
  mysql-community-client-core mysql-community-client-plugins
  mysql-community-server-core
0 upgraded, 8 newly installed, 0 to remove and 1 not upgraded.
Need to get 35.2 MB of archives.
After this operation, 300 MB of additional disk space will be used.
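
The list tianon asked for (exactly which packages the flag drops) can be produced mechanically instead of by eyeballing two build logs. The script below is an added example written for this page; it is not code from docker-library/mysql or from this pull request. It parses apt-get output and prints the packages present in the run with Recommends but absent from the run with --no-install-recommends. The two logs are embedded inline as constructed sample input copied from the build output quoted above, so the script runs offline; against a real image you would capture them with `apt-get install -s` (simulate: resolve dependencies, download nothing) with and without the flag.

```shell
#!/bin/sh
# Added example: which packages does --no-install-recommends drop?
# Diff the "NEW packages" lists of two apt-get runs. Against a real image,
# generate the two logs with a simulated install (no download, no changes):
#   apt-get install -s <pkgs...>                          > with.log
#   apt-get install -s --no-install-recommends <pkgs...>  > without.log
# Here both logs are constructed inline from the output quoted in this PR.
set -eu
export LC_ALL=C   # byte-wise collation so sort and comm agree on ordering

WITH_RECOMMENDS='Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libaio1 libmecab2 libnuma1 mecab-ipadic mecab-ipadic-utf8 mecab-utils
  mysql-common mysql-community-client-core mysql-community-client-plugins
The following NEW packages will be installed:
  libaio1 libmecab2 libnuma1 mecab-ipadic mecab-ipadic-utf8 mecab-utils
  mysql-common mysql-community-client mysql-community-client-core
  mysql-community-client-plugins mysql-community-server-core
0 upgraded, 11 newly installed, 0 to remove and 1 not upgraded.
Need to get 42.0 MB of archives.'

WITHOUT_RECOMMENDS='Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libaio1 libmecab2 libnuma1 mysql-common mysql-community-client-core
  mysql-community-client-plugins
Recommended packages:
  mecab-ipadic-utf8
The following NEW packages will be installed:
  libaio1 libmecab2 libnuma1 mysql-common mysql-community-client
  mysql-community-client-core mysql-community-client-plugins
  mysql-community-server-core
0 upgraded, 8 newly installed, 0 to remove and 1 not upgraded.
Need to get 35.2 MB of archives.'

# Print, one per line and sorted, the names apt lists under
# "The following NEW packages will be installed:". apt wraps that list onto
# indented continuation lines; the first unindented line ends it.
new_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        grab && /^[^ ]/                                   { grab = 0 }
        grab                                              { for (i = 1; i <= NF; i++) print $i }
    ' | sort -u
}

# Packages in the first apt log that are absent from the second.
# $1 = log of the run with Recommends, $2 = log of the --no-install-recommends run.
dropped_packages() {
    with=$(mktemp) && without=$(mktemp)
    printf '%s\n' "$1" | new_packages > "$with"
    printf '%s\n' "$2" | new_packages > "$without"
    comm -23 "$with" "$without"
    rm -f "$with" "$without"
}

# Number of packages a run would install, for a one-line summary.
count_new() {
    printf '%s\n' "$1" | new_packages | wc -l | tr -d ' '
}

echo "dropped by --no-install-recommends:"
dropped_packages "$WITH_RECOMMENDS" "$WITHOUT_RECOMMENDS" | sed 's/^/  /'
echo "$(count_new "$WITH_RECOMMENDS") -> $(count_new "$WITHOUT_RECOMMENDS") packages"
```

On the logs above this prints mecab-ipadic, mecab-ipadic-utf8 and mecab-utils and the 11 -> 8 count. To find which package's Recommends field pulls a dropped package in (and so decide whether it must be listed explicitly), `apt-cache depends <pkg>` on each package in the "NEW packages" list shows its Depends and Recommends entries; the explicit-list variant bqcuong suggests is then `apt-get install -y --no-install-recommends <the original packages> <each Recommends you decide to keep>`.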

@michaelk83

michaelk83 commented Jul 27, 2023

apt info for these 3 packages:

Package: mecab-ipadic
Installed-Size: 54.3 MB
Description: IPA dictionary compiled for Mecab

Package: mecab-ipadic-utf8
Installed-Size: 23.6 kB
Description: IPA dictionary encoded in UTF-8 compiled for Mecab

Package: mecab-utils
Installed-Size: 93.2 kB
Description: Support programs of Mecab

Package: mecab
Installed-Size: 948 kB
Description: Japanese morphological analysis system

IPA most likely stands for International Phonetic Alphabet.

These do not appear to be essential to the function of this image, and moreover may only be needed by Japanese users. Those users should add these packages themselves if they need them.

Adding --no-install-recommends is standard practice in Dockerfiles, AFAIK.

@ghost ghost closed this by deleting the head repository Dec 19, 2023
This pull request was closed.