Skip to content

feat: reduce attack surface due to packages #2006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
samrose wants to merge 11 commits into
base: develop
Choose a base branch
from
Draft

feat: reduce attack surface due to packages #2006

samrose wants to merge 11 commits into from
+63 −47

Conversation

@samrose
Copy link
Collaborator

@samrose samrose commented Jan 19, 2026

Removing packages that are not needed, with priority on items that could be security attack vector

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 19, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@samrose samrose changed the title feat: reduce attack surface feat: reduce attack surface due to packages Jan 19, 2026
@samrose samrose force-pushed the image-strip branch 3 times, most recently from eb57ec0 to 390f1a1 Compare February 4, 2026 04:30
samrose added 11 commits February 11, 2026 14:38
@samrose
feat: reduce attack surface
b4cf255
@samrose
fix: gcc-14-base is just shared files used by runtime libs, not compi…
733a64f 
…ler, and is required
@samrose
fix: bypass need for add-apt-repository since it's gone by this point
f359396
@samrose
fix: do not remove ssh
1af23d0
@samrose
fix: rm all autoremove true
7ad787d
@samrose
fix: explicitly reinstall cloud-init and openssh-server before autore…
471933c 
…move

  cloud-init was being removed during Ansible package cleanup despite
  autoremove being disabled. Rather than debug further, explicitly
  reinstall both critical packages before apt-mark and autoremove.
@samrose
fix: align 90-cleanup.sh with 90-cleanup-qemu.sh for SSH stability
9d56a79 
Key changes:
- Set multi-user.target as default boot target to prevent graphical boot issues
- Move apt-get update/upgrade to after autoremove (matching qemu script order)
- Protect libevent-2.1-7t64 from autoremove (needed by PgBouncer)
- Add journalctl cleanup commands for proper log rotation
- Add fstrim at end to optimize disk

These changes align the AWS AMI cleanup script with the QEMU cleanup script
which has been working. The most critical fix is setting multi-user.target
as default, which ensures the system boots properly for SSH access.
@samrose
fix: reset to previous state do not try to run these here
f0e3b15
@samrose
fix: restoring meeded items
d740185
@samrose
fix: symlink
c48d2b6
@samrose
feat: use ubuntu minimal
a03f6c0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@samrose