Add minimal package list for marketplace image #15714
base: tomls/base/main
Pull request overview
This PR simplifies the marketplace image package list by removing dependency packages that are automatically installed by the package manager. The package list is reduced from a format that included 340+ entries (mixing explicit and dependency packages) to a minimal list of 114 explicitly required packages. The PR author has validated that the same total number of packages are installed using both the full and minimal lists.
Changes:
- Removed all dependency packages from the package list (e.g., bash, coreutils, systemd, glibc, openssh, etc.)
- Retained all originally numbered explicit packages
- Added select packages that should be explicit despite being dependencies (shim, cronie)
- Reformatted with clean sequential numbering from 1-114
| libgpg-error | ||
| libselinux | ||
| openssh | ||
| openssh-clients |
Copilot
AI
Feb 4, 2026
The package list includes openssh-clients but does not explicitly include openssh-server, which was present in the previous version. While the PR description states validation was performed, SSH server functionality is critical for Azure marketplace VMs. Please verify that openssh-server is indeed automatically installed as a dependency of another package in this list. If not, it should be explicitly included. Reference: vm-base.kiwi explicitly lists both openssh-clients and openssh-server (lines 73-74).
| openssh-clients | |
| openssh-clients | |
| openssh-server |
I agree -- we probably need openssh-server
For openssh-server, it is automatically installed as a dependency of WALinuxAgent.
The current list only has head packages. Nothing gets added here if it is a dependency. For example, systemd and bash are not included in the list as they are both dependencies of some other packages.
But we eventually want it to be a list of packages that are intentionally needed, explicitly including intentional packages no matter if they're dependencies of others.
@tobiasb-ms May I have your review of all of them and suggest the ones that we need to explicitly include in the marketplace image? I'll collect the feedback and integrate the next version of the list. Thanks!
| grub2-efi-x64 | ||
| shim | ||
| system-release | ||
| auoms |
We need this. It has to come from azurelinux-official-ms-non-oss repo. Can we add a comment to that effect to enable it when appropriate?
| cronie | ||
| cronie-anacron | ||
| tini | ||
| postgresql-libs |
I am not sure Fedora provides this. It is the client and libraries for postgres provided by the postgresql and libpq5 packages. In azl3, rsyslog needs it. I am not sure the same holds true for Fedora.
Will double check in Fedora.
| kernel-modules | ||
| kmod | ||
| grub2 | ||
| dnf |
I would make it explicit that this is dnf5 which provides dnf.
binujp
left a comment
I will follow up separately.
| openssh-clients | ||
| openssh-server | ||
| openssl | ||
| openssl-libs |
Do we really not need openssl-libs?
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static subpackages, etc.) have had their Release tag incremented.
./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
This PR trims the marketplace image package list from 340 to 114 by removing the dependency packages.
Validated in an azl4 Azure VM that the total installed packages are the same using both the full list and the minimal list.
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology
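As an added example (not code from this PR or from the Azure Linux project), the sketch below compares two images by package name rather than by total, and labels the packages raised in the review thread (openssh-server, shim, auoms) as explicit, dependency-only or missing. The package listings, `EXPLICIT_LIST` and `REQUIRED` are constructed sample data, and the function names are hypothetical.

```python
# Added example; all data below is constructed for illustration, not from the PR.
# Each listing mimics `rpm -qa --qf '%{NAME}\n'` run on one image.
FULL_IMAGE = """\
WALinuxAgent
bash
cronie
cronie-anacron
openssh
openssh-clients
openssh-server
shim
"""
MINIMAL_IMAGE = """\
WALinuxAgent
bash
cronie
openssh
openssh-clients
openssh-server
postgresql-libs
shim
"""
# Hypothetical excerpt of the explicit (head) package list.
EXPLICIT_LIST = {"WALinuxAgent", "openssh-clients", "shim", "cronie"}
# Packages the image must contain (assumed set, picked from the review thread).
REQUIRED = {"openssh-server", "shim", "auoms"}

def package_names(listing: str) -> set[str]:
    """Parse one-name-per-line output into a set, ignoring blank lines."""
    return {line.strip() for line in listing.splitlines() if line.strip()}

def diff_images(full: str, minimal: str) -> dict:
    """Report whether totals match and which names differ between images."""
    a, b = package_names(full), package_names(minimal)
    return {"same_count": len(a) == len(b),
            "only_in_full": sorted(a - b),
            "only_in_minimal": sorted(b - a)}

def classify_required(required, explicit, installed) -> dict:
    """Label each required package: explicit, dependency-only, or missing."""
    status = {}
    for pkg in sorted(required):
        if pkg not in installed:
            status[pkg] = "missing"
        else:
            status[pkg] = "explicit" if pkg in explicit else "dependency-only"
    return status
```

In the constructed data the totals match while the name sets differ, and a `dependency-only` result means the package stays on the image only as long as some other package keeps requiring it.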