We've done this in the past, but according to the auditors, we can further slim down the image (and thus remove potential attacker gadgets). They found nc and wget but they mention these are probably not the only ones. Probably many other executables from busybox are in reality not needed.
While looking into seccomp policy generation (I can't find the specific reference) I came across an interesting approach: execute over a test set and find all the binaries called. Then remove everything else. Not sure how risky that is in this case, but it feels like something we can explore. But maybe that's overkill here.
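One way to run the test-set approach from the comment above, as an added example that is not part of the thread or the project's code: it parses `strace -f -e trace=execve` output from a test run and lists the installed executables that were never executed. The trace, the image inventory and the function names are constructed for illustration.

```python
import re

# Lines as printed by `strace -f -e trace=execve`; constructed sample, not a real trace.
SAMPLE_TRACE = '''\
execve("/usr/bin/python3", ["python3", "convert.py"], 0x7ffc1 /* 9 vars */) = 0
[pid 41] execve("/usr/local/bin/soffice", ["soffice", "--headless"], 0x55d1 /* 9 vars */) = -1 ENOENT (No such file or directory)
[pid 41] execve("/usr/bin/soffice", ["soffice", "--headless"], 0x55d1 /* 9 vars */) = 0
[pid 42] execve("/bin/sh", ["sh", "-c", "busybox gzip -d in.gz"], 0x55d2 /* 9 vars */) = 0
[pid 43] execve("/bin/busybox", ["busybox", "gzip", "-d", "in.gz"], 0x55d3 /* 9 vars */ <unfinished ...>
'''
# path -> symlink target (None = regular file); constructed image inventory.
SAMPLE_INSTALLED = {
    "/bin/busybox": None, "/bin/sh": "/bin/busybox", "/bin/gzip": "/bin/busybox",
    "/usr/bin/nc": "/bin/busybox", "/usr/bin/wget": "/bin/busybox",
    "/usr/bin/python3": None, "/usr/bin/soffice": None,
}
EXECVE_RE = re.compile(r'execve\("([^"]+)", \[([^\]]*)\]')

def used_binaries(trace):
    """Return (paths, busybox applets) exec'd during the test run."""
    paths, applets = set(), set()
    for line in trace.splitlines():
        m = EXECVE_RE.search(line)
        if not m or ") = -1 " in line:
            continue  # not an execve, or a failed PATH lookup
        # Unfinished calls count as used: wrongly keeping is safer than wrongly deleting.
        paths.add(m.group(1))
        argv = re.findall(r'"([^"]*)"', m.group(2))
        if m.group(1).endswith("/busybox") and len(argv) > 1:
            applets.add(argv[1])  # `busybox gzip` never touches /bin/gzip
    return paths, applets

def removal_candidates(installed, paths, applets):
    """Installed executables that no traced run needed."""
    keep = set()
    for path, target in installed.items():
        name = path.rsplit("/", 1)[-1]
        via_applet = bool(target) and target.endswith("/busybox") and name in applets
        if path in paths or via_applet:
            keep.add(path)
            if target:
                keep.add(target)  # a used symlink keeps its target alive
    return sorted(set(installed) - keep)

if __name__ == "__main__":
    print(removal_candidates(SAMPLE_INSTALLED, *used_binaries(SAMPLE_TRACE)))
```

For busybox applets, deleting the symlink alone leaves `busybox nc` working, so an unused applet only goes away with a busybox build that omits it or with busybox removed entirely. The result is only as complete as the test set, so code paths the tests never reach will look unused.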
We know that a lot of dependencies come from Alpine's LibreOffice package, which brings GTK and Wayland dependencies as well. Switching from Alpine Linux to Debian Linux (Bookworm?), and using --no-install-recommends should be the first step to slim down the image.
If we see that unwanted binaries are still installed, we can remove them on a case-by-case basis.