Test build for #3166

Author: SUSE Update Bot

base-fips-image/Dockerfile

@@ -23,18 +23,25 @@ FROM bci/bci-base:16.1
 
 RUN set -euo pipefail; \
     zypper -n install --no-recommends SLES-release coreutils crypto-policies-scripts patterns-base-fips
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+    rm -vrf /var/log/alternatives.log; \
+    rm -vrf /var/log/lastlog; \
+    rm -vrf /var/log/tallylog; \
+    rm -vrf /var/log/zypper.log; \
+    rm -vrf /var/log/zypp/history; \
+    rm -vrf /var/log/YaST2; \
+    rm -vrf /var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /var/cache/zypp/*; \
+    rm -vrf /run/*; \
+    rm -vrf /etc/shadow-; \
+    rm -vrf /etc/group-; \
+    rm -vrf /etc/passwd-; \
+    rm -vrf /etc/.pwd.lock; \
+    rm -vrf /usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /var/cache/ldconfig/aux-cache; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.bci.base-fips

base-image/config.sh

@@ -50,59 +50,9 @@ zypper -n ar --refresh --gpgcheck --priority 100 --enable 'https://public-dl.sus
 zypper -n ar --refresh --gpgcheck --priority 100 --disable 'https://public-dl.suse.com/SUSE/Products/SLE-BCI/$releasever_major.$releasever_minor/$basearch/product_debug/' SLE_BCI_debug
 zypper -n ar --refresh --gpgcheck --priority 100 --disable 'https://public-dl.suse.com/SUSE/Products/SLE-BCI/$releasever_major.$releasever_minor/$basearch/product_source/' SLE_BCI_source
 
-#======================================
-# Remove zypp uuid (bsc#1098535)
-#--------------------------------------
-rm -f /var/lib/zypp/AnonymousUniqueId
-
-# Remove the entire zypper cache content (not the dir itself, owned by libzypp)
-rm -rf /var/cache/zypp/*
-
-# drop timestamp
-tail -n +2 /var/lib/zypp/AutoInstalled > /var/lib/zypp/AutoInstalled.new && mv /var/lib/zypp/AutoInstalled.new /var/lib/zypp/AutoInstalled
-
-# drop useless device/inode specific cache file (see https://github.com/docker-library/official-images/issues/16044)
-rm -vf /var/cache/ldconfig/aux-cache
-
-# remove backup of /etc/{shadow,group,passwd} and lock file
-rm -vf /etc/{shadow-,group-,passwd-,.pwd.lock}
-
-# drop pid and lock files
-rm -vrf /run/*
-rm -vf /usr/lib/sysimage/rpm/.rpm.lock
-
-# set the day of last password change to empty
-sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
-
-#==========================================
-# Hack! The go container management tools can't handle sparse files:
-# https://github.com/golang/go/issues/13548
-# If lastlog doesn't exist, useradd doesn't attempt to reserve space,
-# also in derived containers.
-#------------------------------------------
-rm -f /var/log/lastlog
-
 #======================================
 # Remove locale files
 #--------------------------------------
 (shopt -s globstar; rm -f /usr/share/locale/**/*.mo)
 
-#=======================================
-# Clean up after zypper if it is present
-#---------------------------------------
-if command -v zypper > /dev/null; then
-    zypper -n clean -a
-fi
-
-#=============================================
-# Clean up logs and temporary files if present
-#---------------------------------------------
-rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-
 exit 0

base-image/images.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: (c) 2022-2025 SUSE LLC
+
+set -euo pipefail
+
+#======================================
+# Image Cleanup
+#--------------------------------------
+if command -v zypper > /dev/null; then
+    zypper -n clean -a
+    # drop timestamp
+    tail -n +2 /var/lib/zypp/AutoInstalled > /var/lib/zypp/AutoInstalled.new && mv /var/lib/zypp/AutoInstalled.new /var/lib/zypp/AutoInstalled
+else
+    # it does not make sense in a zypper-free image
+    rm -vrf /var/lib/zypp/AutoInstalled
+    rm -vrf /usr/lib/sysimage/rpm/Index.db
+fi
+
+# set the day of last password change to empty
+# prefer sed if available
+if command -v sed > /dev/null; then
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+else
+    while IFS=: read -r username password last_change min_age max_age warn inactive expire reserved; do
+        echo "$username:$password::$min_age:$max_age:$warn:$inactive:$expire:$reserved" >> /etc/shadow.new
+    done < /etc/shadow
+    mv /etc/shadow.new /etc/shadow
+    chmod 640 /etc/shadow
+fi
+
+# remove logs and temporary files
+rm -vrf /var/log/alternatives.log
+rm -vrf /var/log/lastlog
+rm -vrf /var/log/tallylog
+rm -vrf /var/log/zypper.log
+rm -vrf /var/log/zypp/history
+rm -vrf /var/log/YaST2
+rm -vrf /var/lib/zypp/AnonymousUniqueId
+rm -vrf /var/cache/zypp/*
+rm -vrf /run/*
+rm -vrf /etc/shadow-
+rm -vrf /etc/group-
+rm -vrf /etc/passwd-
+rm -vrf /etc/.pwd.lock
+rm -vrf /usr/lib/sysimage/rpm/.rpm.lock
+rm -vrf /var/cache/ldconfig/aux-cache
+
+
+exit 0

busybox-image/config.sh

@@ -19,35 +19,5 @@ fi
 
 sed -i 's|/bin/bash|/bin/sh|' /etc/passwd
 
-# not making sense in a zypper-free image
-rm -vf /var/lib/zypp/AutoInstalled
-
-# includes device and inode numbers that change on deploy
-rm -vf /var/cache/ldconfig/aux-cache
-
-# Will be recreated by the next rpm(1) run as root user
-rm -vf /usr/lib/sysimage/rpm/Index.db
-
-# set the day of last password change to empty
-sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
-
-
-#=======================================
-# Clean up after zypper if it is present
-#---------------------------------------
-if command -v zypper > /dev/null; then
-    zypper -n clean -a
-fi
-
-#=============================================
-# Clean up logs and temporary files if present
-#---------------------------------------------
-rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
 
 exit 0

busybox-image/images.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: (c) 2022-2025 SUSE LLC
+
+set -euo pipefail
+
+#======================================
+# Image Cleanup
+#--------------------------------------
+if command -v zypper > /dev/null; then
+    zypper -n clean -a
+    # drop timestamp
+    tail -n +2 /var/lib/zypp/AutoInstalled > /var/lib/zypp/AutoInstalled.new && mv /var/lib/zypp/AutoInstalled.new /var/lib/zypp/AutoInstalled
+else
+    # it does not make sense in a zypper-free image
+    rm -vrf /var/lib/zypp/AutoInstalled
+    rm -vrf /usr/lib/sysimage/rpm/Index.db
+fi
+
+# set the day of last password change to empty
+# prefer sed if available
+if command -v sed > /dev/null; then
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+else
+    while IFS=: read -r username password last_change min_age max_age warn inactive expire reserved; do
+        echo "$username:$password::$min_age:$max_age:$warn:$inactive:$expire:$reserved" >> /etc/shadow.new
+    done < /etc/shadow
+    mv /etc/shadow.new /etc/shadow
+    chmod 640 /etc/shadow
+fi
+
+# remove logs and temporary files
+rm -vrf /var/log/alternatives.log
+rm -vrf /var/log/lastlog
+rm -vrf /var/log/tallylog
+rm -vrf /var/log/zypper.log
+rm -vrf /var/log/zypp/history
+rm -vrf /var/log/YaST2
+rm -vrf /var/lib/zypp/AnonymousUniqueId
+rm -vrf /var/cache/zypp/*
+rm -vrf /run/*
+rm -vrf /etc/shadow-
+rm -vrf /etc/group-
+rm -vrf /etc/passwd-
+rm -vrf /etc/.pwd.lock
+rm -vrf /usr/lib/sysimage/rpm/.rpm.lock
+rm -vrf /var/cache/ldconfig/aux-cache
+
+
+exit 0

init-image/Dockerfile

@@ -30,18 +30,25 @@ RUN set -euo pipefail; install -d -m 0755 /etc/systemd/system.conf.d/ \
 RUN set -euo pipefail; systemctl disable [email protected]
 RUN set -euo pipefail; useradd --no-create-home --uid 497 systemd-coredump
 
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+    rm -vrf /var/log/alternatives.log; \
+    rm -vrf /var/log/lastlog; \
+    rm -vrf /var/log/tallylog; \
+    rm -vrf /var/log/zypper.log; \
+    rm -vrf /var/log/zypp/history; \
+    rm -vrf /var/log/YaST2; \
+    rm -vrf /var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /var/cache/zypp/*; \
+    rm -vrf /run/*; \
+    rm -vrf /etc/shadow-; \
+    rm -vrf /etc/group-; \
+    rm -vrf /etc/passwd-; \
+    rm -vrf /etc/.pwd.lock; \
+    rm -vrf /usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /var/cache/ldconfig/aux-cache; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.bci.init

micro-fips-image/Dockerfile

@@ -29,18 +29,28 @@ RUN set -euo pipefail; \
 
 RUN set -euo pipefail; zypper -n install jdupes \
     && jdupes -1 -L -r /target/usr/
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n --installroot /target clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
+    rm -vrf /target/var/log/alternatives.log; \
+    rm -vrf /target/var/log/lastlog; \
+    rm -vrf /target/var/log/tallylog; \
+    rm -vrf /target/var/log/zypper.log; \
+    rm -vrf /target/var/log/zypp/history; \
+    rm -vrf /target/var/log/YaST2; \
+    rm -vrf /target/var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /target/var/cache/zypp/*; \
+    rm -vrf /target/run/*; \
+    rm -vrf /target/etc/shadow-; \
+    rm -vrf /target/etc/group-; \
+    rm -vrf /target/etc/passwd-; \
+    rm -vrf /target/etc/.pwd.lock; \
+    rm -vrf /target/usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /target/var/cache/ldconfig/aux-cache; \
+    rm -vrf /target/var/lib/zypp/AutoInstalled; \
+    rm -vrf /target/usr/lib/sysimage/rpm/Index.db; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 FROM scratch
 COPY --from=builder /target /
 # Define labels according to https://en.opensuse.org/Building_derived_containers

micro-image/Dockerfile

@@ -29,18 +29,28 @@ RUN set -euo pipefail; \
 RUN set -euo pipefail; rpm --root /target --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-67c856ee.asc
 RUN set -euo pipefail; zypper -n install jdupes \
     && jdupes -1 -L -r /target/usr/
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n --installroot /target clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
+    rm -vrf /target/var/log/alternatives.log; \
+    rm -vrf /target/var/log/lastlog; \
+    rm -vrf /target/var/log/tallylog; \
+    rm -vrf /target/var/log/zypper.log; \
+    rm -vrf /target/var/log/zypp/history; \
+    rm -vrf /target/var/log/YaST2; \
+    rm -vrf /target/var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /target/var/cache/zypp/*; \
+    rm -vrf /target/run/*; \
+    rm -vrf /target/etc/shadow-; \
+    rm -vrf /target/etc/group-; \
+    rm -vrf /target/etc/passwd-; \
+    rm -vrf /target/etc/.pwd.lock; \
+    rm -vrf /target/usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /target/var/cache/ldconfig/aux-cache; \
+    rm -vrf /target/var/lib/zypp/AutoInstalled; \
+    rm -vrf /target/usr/lib/sysimage/rpm/Index.db; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 FROM scratch
 COPY --from=builder /target /
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -65,8 +75,3 @@ LABEL com.suse.release-stage="beta"
 LABEL io.artifacthub.package.readme-url="%SOURCEURL_WITH(README.md)%"
 LABEL io.artifacthub.package.logo-url="https://opensource.suse.com/bci/SLE_BCI_logomark_green.svg"
 CMD ["/bin/sh"]
-
-# not making sense in a zypper-free image
-RUN set -euo pipefail; rm -vf /var/lib/zypp/AutoInstalled
-# includes device and inode numbers that change on deploy
-RUN set -euo pipefail; rm -vf /var/cache/ldconfig/aux-cache

minimal-image/config.sh

@@ -28,36 +28,5 @@ fi
 jdupes -1 -L -r /usr/share/licenses
 rpm -e jdupes
 
-# set the day of last password change to empty
-sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
-rpm -e sed
-
-# not making sense in a zypper-free image
-rm -vf /var/lib/zypp/AutoInstalled
-
-# includes device and inode numbers that change on deploy
-rm -vf /var/cache/ldconfig/aux-cache
-
-# Will be recreated by the next rpm(1) run as root user
-rm -vf /usr/lib/sysimage/rpm/Index.db
-
-
-#=======================================
-# Clean up after zypper if it is present
-#---------------------------------------
-if command -v zypper > /dev/null; then
-    zypper -n clean -a
-fi
-
-#=============================================
-# Clean up logs and temporary files if present
-#---------------------------------------------
-rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
 
 exit 0