Test build for #3166

Author: SUSE Update Bot

base-fips-image/Dockerfile

@@ -24,18 +24,25 @@ FROM registry.suse.com/bci/bci-base:15.6
 
 RUN set -euo pipefail; \
     zypper -n install --no-recommends sles-release coreutils crypto-policies-scripts
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+    rm -vrf /var/log/alternatives.log; \
+    rm -vrf /var/log/lastlog; \
+    rm -vrf /var/log/tallylog; \
+    rm -vrf /var/log/zypper.log; \
+    rm -vrf /var/log/zypp/history; \
+    rm -vrf /var/log/YaST2; \
+    rm -vrf /var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /var/cache/zypp/*; \
+    rm -vrf /run/*; \
+    rm -vrf /etc/shadow-; \
+    rm -vrf /etc/group-; \
+    rm -vrf /etc/passwd-; \
+    rm -vrf /etc/.pwd.lock; \
+    rm -vrf /usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /var/cache/ldconfig/aux-cache; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.bci.base-fips

busybox-image/config.sh

@@ -19,35 +19,5 @@ fi
 
 sed -i 's|/bin/bash|/bin/sh|' /etc/passwd
 
-# not making sense in a zypper-free image
-rm -vf /var/lib/zypp/AutoInstalled
-
-# includes device and inode numbers that change on deploy
-rm -vf /var/cache/ldconfig/aux-cache
-
-# Will be recreated by the next rpm(1) run as root user
-rm -vf /usr/lib/sysimage/rpm/Index.db
-
-# set the day of last password change to empty
-sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
-
-
-#=======================================
-# Clean up after zypper if it is present
-#---------------------------------------
-if command -v zypper > /dev/null; then
-    zypper -n clean -a
-fi
-
-#=============================================
-# Clean up logs and temporary files if present
-#---------------------------------------------
-rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
 
 exit 0

busybox-image/images.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: (c) 2022-2025 SUSE LLC
+
+set -euo pipefail
+
+#======================================
+# Image Cleanup
+#--------------------------------------
+if command -v zypper > /dev/null; then
+    zypper -n clean -a
+    # drop timestamp
+    tail -n +2 /var/lib/zypp/AutoInstalled > /var/lib/zypp/AutoInstalled.new && mv /var/lib/zypp/AutoInstalled.new /var/lib/zypp/AutoInstalled
+else
+    # it does not make sense in a zypper-free image
+    rm -vrf /var/lib/zypp/AutoInstalled
+    rm -vrf /usr/lib/sysimage/rpm/Index.db
+fi
+
+# set the day of last password change to empty
+# prefer sed if available
+if command -v sed > /dev/null; then
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+else
+    while IFS=: read -r username password last_change min_age max_age warn inactive expire reserved; do
+        echo "$username:$password::$min_age:$max_age:$warn:$inactive:$expire:$reserved" >> /etc/shadow.new
+    done < /etc/shadow
+    mv /etc/shadow.new /etc/shadow
+    chmod 640 /etc/shadow
+fi
+
+# remove logs and temporary files
+rm -vrf /var/log/alternatives.log
+rm -vrf /var/log/lastlog
+rm -vrf /var/log/tallylog
+rm -vrf /var/log/zypper.log
+rm -vrf /var/log/zypp/history
+rm -vrf /var/log/YaST2
+rm -vrf /var/lib/zypp/AnonymousUniqueId
+rm -vrf /var/cache/zypp/*
+rm -vrf /run/*
+rm -vrf /etc/shadow-
+rm -vrf /etc/group-
+rm -vrf /etc/passwd-
+rm -vrf /etc/.pwd.lock
+rm -vrf /usr/lib/sysimage/rpm/.rpm.lock
+rm -vrf /var/cache/ldconfig/aux-cache
+
+
+exit 0

init-image/Dockerfile

@@ -30,18 +30,25 @@ RUN set -euo pipefail; install -d -m 0755 /etc/systemd/system.conf.d/ \
 RUN set -euo pipefail; systemctl disable [email protected]
 RUN set -euo pipefail; useradd --no-create-home --uid 497 systemd-coredump
 
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+    rm -vrf /var/log/alternatives.log; \
+    rm -vrf /var/log/lastlog; \
+    rm -vrf /var/log/tallylog; \
+    rm -vrf /var/log/zypper.log; \
+    rm -vrf /var/log/zypp/history; \
+    rm -vrf /var/log/YaST2; \
+    rm -vrf /var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /var/cache/zypp/*; \
+    rm -vrf /run/*; \
+    rm -vrf /etc/shadow-; \
+    rm -vrf /etc/group-; \
+    rm -vrf /etc/passwd-; \
+    rm -vrf /etc/.pwd.lock; \
+    rm -vrf /usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /var/cache/ldconfig/aux-cache; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.bci.init

micro-fips-image/Dockerfile

@@ -29,18 +29,28 @@ RUN set -euo pipefail; \
 
 RUN set -euo pipefail; zypper -n install jdupes \
     && jdupes -1 -L -r /target/usr/
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n --installroot /target clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
+    rm -vrf /target/var/log/alternatives.log; \
+    rm -vrf /target/var/log/lastlog; \
+    rm -vrf /target/var/log/tallylog; \
+    rm -vrf /target/var/log/zypper.log; \
+    rm -vrf /target/var/log/zypp/history; \
+    rm -vrf /target/var/log/YaST2; \
+    rm -vrf /target/var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /target/var/cache/zypp/*; \
+    rm -vrf /target/run/*; \
+    rm -vrf /target/etc/shadow-; \
+    rm -vrf /target/etc/group-; \
+    rm -vrf /target/etc/passwd-; \
+    rm -vrf /target/etc/.pwd.lock; \
+    rm -vrf /target/usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /target/var/cache/ldconfig/aux-cache; \
+    rm -vrf /target/var/lib/zypp/AutoInstalled; \
+    rm -vrf /target/usr/lib/sysimage/rpm/Index.db; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 FROM scratch
 COPY --from=builder /target /
 # Define labels according to https://en.opensuse.org/Building_derived_containers

micro-image/Dockerfile

@@ -29,18 +29,28 @@ RUN set -euo pipefail; \
 RUN set -euo pipefail; rpm --root /target --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-67c856ee.asc
 RUN set -euo pipefail; zypper -n install jdupes \
     && jdupes -1 -L -r /target/usr/
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n --installroot /target clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
+    rm -vrf /target/var/log/alternatives.log; \
+    rm -vrf /target/var/log/lastlog; \
+    rm -vrf /target/var/log/tallylog; \
+    rm -vrf /target/var/log/zypper.log; \
+    rm -vrf /target/var/log/zypp/history; \
+    rm -vrf /target/var/log/YaST2; \
+    rm -vrf /target/var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /target/var/cache/zypp/*; \
+    rm -vrf /target/run/*; \
+    rm -vrf /target/etc/shadow-; \
+    rm -vrf /target/etc/group-; \
+    rm -vrf /target/etc/passwd-; \
+    rm -vrf /target/etc/.pwd.lock; \
+    rm -vrf /target/usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /target/var/cache/ldconfig/aux-cache; \
+    rm -vrf /target/var/lib/zypp/AutoInstalled; \
+    rm -vrf /target/usr/lib/sysimage/rpm/Index.db; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /target/etc/shadow
 FROM scratch
 COPY --from=builder /target /
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -65,8 +75,3 @@ LABEL com.suse.release-stage="released"
 LABEL io.artifacthub.package.readme-url="%SOURCEURL_WITH(README.md)%"
 LABEL io.artifacthub.package.logo-url="https://opensource.suse.com/bci/SLE_BCI_logomark_green.svg"
 CMD ["/bin/sh"]
-
-# not making sense in a zypper-free image
-RUN set -euo pipefail; rm -vf /var/lib/zypp/AutoInstalled
-# includes device and inode numbers that change on deploy
-RUN set -euo pipefail; rm -vf /var/cache/ldconfig/aux-cache

minimal-image/config.sh

@@ -28,36 +28,5 @@ fi
 jdupes -1 -L -r /usr/share/licenses
 rpm -e jdupes
 
-# set the day of last password change to empty
-sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
-rpm -e sed
-
-# not making sense in a zypper-free image
-rm -vf /var/lib/zypp/AutoInstalled
-
-# includes device and inode numbers that change on deploy
-rm -vf /var/cache/ldconfig/aux-cache
-
-# Will be recreated by the next rpm(1) run as root user
-rm -vf /usr/lib/sysimage/rpm/Index.db
-
-
-#=======================================
-# Clean up after zypper if it is present
-#---------------------------------------
-if command -v zypper > /dev/null; then
-    zypper -n clean -a
-fi
-
-#=============================================
-# Clean up logs and temporary files if present
-#---------------------------------------------
-rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
 
 exit 0

minimal-image/images.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: (c) 2022-2025 SUSE LLC
+
+set -euo pipefail
+
+#======================================
+# Image Cleanup
+#--------------------------------------
+if command -v zypper > /dev/null; then
+    zypper -n clean -a
+    # drop timestamp
+    tail -n +2 /var/lib/zypp/AutoInstalled > /var/lib/zypp/AutoInstalled.new && mv /var/lib/zypp/AutoInstalled.new /var/lib/zypp/AutoInstalled
+else
+    # it does not make sense in a zypper-free image
+    rm -vrf /var/lib/zypp/AutoInstalled
+    rm -vrf /usr/lib/sysimage/rpm/Index.db
+fi
+
+# set the day of last password change to empty
+# prefer sed if available
+if command -v sed > /dev/null; then
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+else
+    while IFS=: read -r username password last_change min_age max_age warn inactive expire reserved; do
+        echo "$username:$password::$min_age:$max_age:$warn:$inactive:$expire:$reserved" >> /etc/shadow.new
+    done < /etc/shadow
+    mv /etc/shadow.new /etc/shadow
+    chmod 640 /etc/shadow
+fi
+
+# remove logs and temporary files
+rm -vrf /var/log/alternatives.log
+rm -vrf /var/log/lastlog
+rm -vrf /var/log/tallylog
+rm -vrf /var/log/zypper.log
+rm -vrf /var/log/zypp/history
+rm -vrf /var/log/YaST2
+rm -vrf /var/lib/zypp/AnonymousUniqueId
+rm -vrf /var/cache/zypp/*
+rm -vrf /run/*
+rm -vrf /etc/shadow-
+rm -vrf /etc/group-
+rm -vrf /etc/passwd-
+rm -vrf /etc/.pwd.lock
+rm -vrf /usr/lib/sysimage/rpm/.rpm.lock
+rm -vrf /var/cache/ldconfig/aux-cache
+
+
+exit 0

minimal-image/minimal-image.kiwi

@@ -75,7 +75,6 @@ You can contact the BCI team via https://github.com/SUSE/bci/discussions
     <package name="skelcd-EULA-bci"/>
     <package name="sles-release"/>
     <package name="jdupes"/>
-    <package name="sed"/>
     <package name="rpm-ndb"/>
     <package name="perl-base"/>
   </packages>

nodejs-20-image/Dockerfile

@@ -27,18 +27,25 @@ FROM registry.suse.com/bci/bci-base:15.6
 
 RUN set -euo pipefail; \
     zypper -n install --no-recommends nodejs20 npm20 update-alternatives curl findutils gawk git-core procps
-
-# cleanup logs and temporary files
+# image cleanup
 RUN set -euo pipefail; zypper -n clean -a; \
-    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}; \
-    rm -rf {/target,}/run/*; \
-    rm -f {/target,}/etc/{shadow-,group-,passwd-,.pwd.lock}; \
-    rm -f {/target,}/usr/lib/sysimage/rpm/.rpm.lock; \
-    rm -f {/target,}/var/cache/ldconfig/aux-cache; \
-    command -v zypper >/dev/null 2>&1 || rm -f /var/lib/zypp/AutoInstalled
-
-# set the day of last password change to empty
-RUN set -euo pipefail; sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
+    rm -vrf /var/log/alternatives.log; \
+    rm -vrf /var/log/lastlog; \
+    rm -vrf /var/log/tallylog; \
+    rm -vrf /var/log/zypper.log; \
+    rm -vrf /var/log/zypp/history; \
+    rm -vrf /var/log/YaST2; \
+    rm -vrf /var/lib/zypp/AnonymousUniqueId; \
+    rm -vrf /var/cache/zypp/*; \
+    rm -vrf /run/*; \
+    rm -vrf /etc/shadow-; \
+    rm -vrf /etc/group-; \
+    rm -vrf /etc/passwd-; \
+    rm -vrf /etc/.pwd.lock; \
+    rm -vrf /usr/lib/sysimage/rpm/.rpm.lock; \
+    rm -vrf /var/cache/ldconfig/aux-cache; \
+    [ -f /var/lib/zypp/AutoInstalled ] && sed -i '1d' /var/lib/zypp/AutoInstalled; \
+    sed -i 's/^\([^:]*:[^:]*:\)[^:]*\(:.*\)$/\1\2/' /etc/shadow
 
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.bci.nodejs