how to re-architect pipeline images to break out utilities and use smaller images
- define different ways to proceed
- argue about it
- write document describing the path forward
- shared mounted filesystem
The idea is to use multiple containers, or parent/child containers, with a shared filesystem or artifact store between stages, so that every stage except the one that runs oscap can run in a non-root container. It may even be possible to break twistlock and anchore out of the oscap scanner stage, so that oscap is the only job that runs as root and everything else is unprivileged.
The list below records the technology each stage requires. It does not imply that all stages in a group can run in the same container, since a stage may depend on pre-loaded data.
Shell only:
- Post build
- Documentation
- Preprocess
- Scan-artifacts
Rootless podman:
- Build
Python only:
- Csv-output
- Generate-allowlists
- Harbor
- Import-artifacts
- Lint
- Pre-flight
- S3
- vat
Privileged pipeline runner + python + shell:
- Scanning
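To make the split concrete, here is an added sketch (not the project's actual pipeline) of how the grouping above could map onto a GitLab CI layout: one image per technology group, job artifacts acting as the shared store between stages, and only the scanning job pinned to a privileged runner. The registry paths, runner tag and script commands are placeholders chosen for illustration.

```yaml
# Added illustration, not the project's pipeline definition.
# Assumes GitLab CI; image names and runner tags are placeholders.
stages: [pre-flight, build, scan, post-build]

default:
  # Job artifacts are the shared store between stages: every job reads the
  # previous stage's output from artifacts/ and writes its own output there.
  artifacts:
    paths: [artifacts/]
    expire_in: 1 week

pre-flight:                      # "Python only" group, image runs as non-root USER
  stage: pre-flight
  image: registry.example.invalid/pipeline/python-minimal:latest
  script:
    - mkdir -p artifacts
    - python3 -m preflight --out artifacts/preflight.json   # placeholder module

build:                           # "Rootless podman" group
  stage: build
  image: registry.example.invalid/pipeline/podman-rootless:latest
  variables:
    STORAGE_DRIVER: vfs          # avoids overlay mounts, so no extra capabilities needed
  script:
    # chroot isolation keeps the build from needing user namespaces on the runner
    - podman build --isolation=chroot -t "$CI_PROJECT_NAME:$CI_COMMIT_SHA" .
    - podman save "$CI_PROJECT_NAME:$CI_COMMIT_SHA" -o artifacts/image.tar
  needs: [pre-flight]

scanning:                        # the only job that needs root
  stage: scan
  tags: [privileged-runner]      # placeholder tag for the privileged pipeline runner
  image: registry.example.invalid/pipeline/scanner:latest
  script:
    - podman load -i artifacts/image.tar
    - oscap-podman "$CI_PROJECT_NAME:$CI_COMMIT_SHA" xccdf eval
        --results artifacts/oscap-results.xml /usr/share/xml/scap/ssg/content/ssg-ubi8-ds.xml
  needs: [build]

post-build:                      # "Shell only" group, minimal image, non-root
  stage: post-build
  image: registry.example.invalid/pipeline/shell-minimal:latest
  script:
    - sh ./scripts/scan-artifacts.sh artifacts/   # placeholder script
  needs: [scanning]
```

Every job other than `scanning` can then run on ordinary unprivileged runners, and the artifact directory is the only thing they share.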