
Remove dependency on /bin/sh for moby-cli dependency graph #3811

Closed
mthalman opened this issue Sep 21, 2022 · 1 comment

Comments

mthalman (Member) commented:
I'd like to be able to install moby-cli in a distroless container environment without causing a shell to be included. The normal method in which I install packages for a distroless container is to install to a staging environment using the --installroot option of tdnf. That produces the file system I want for the distroless container.

The issue is that the installation of moby-cli causes a shell to be included, which thus ends up in my distroless container. Not what I want.

This can be demonstrated roughly with this Dockerfile:

FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS installer

# Install into a staging root instead of the builder's own filesystem;
# /staging becomes the root of the distroless image below.
RUN mkdir /staging \
    && tdnf install -y --releasever=2.0 --installroot /staging \
        moby-cli \
    && tdnf clean all --releasever=2.0 --installroot /staging


FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0

# Everything tdnf resolved for moby-cli, its whole dependency graph included, is copied in.
COPY --from=installer /staging/ /

> docker build -t distroless .

> docker run --rm -it distroless bash
root [ / ]#

You can see that we get a shell.

This is a similar request as #2345. I'm guessing the same kind of changes could be made to moby-cli's dependencies of tar and xz. But for moby-cli itself, I see it lists /bin/sh: https://github.com/microsoft/CBL-Mariner/blob/db6990c99abd56a02abe293fde87aefd72c6e2a1/SPECS/moby-cli/moby-cli.spec#L21

Is that necessary? Is there a way to remove the shell dependency for the moby-cli graph?
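The procedure above (install into a staging root with `tdnf --installroot`, then `COPY --from` it into the distroless image) copies in whatever the package graph resolved, so a build gate that inspects the staged root before the COPY step is the practical check. The script below is an added example, not code from the issue or from the CBL-Mariner project: it lists any shell interpreters found under a staged root, fails the build if one is present, and, assuming `rpm` is available in the installer stage, reports which installed package declares the `/bin/sh` dependency. The directory and interpreter name lists are assumptions about where packages install shells; the function names and the `check-staging.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue or the CBL-Mariner project: gate the
# installer stage on the staged root (whatever was passed to
# `tdnf --installroot`) containing no shell interpreter, so a dependency such
# as the /bin/sh Requires in moby-cli.spec cannot silently land in the
# distroless image.

# Print every shell interpreter found in the usual binary directories under
# ROOT, one path per line. -L follows symlinks so a usrmerge /bin -> usr/bin
# link and a /bin/sh -> bash link are both inspected. The directory and name
# lists are an assumption about where Mariner packages install shells.
find_shells() {
    root="$1"
    find -L "$root/bin" "$root/usr/bin" "$root/sbin" "$root/usr/sbin" \
        -maxdepth 1 \
        \( -name sh -o -name bash -o -name dash -o -name ash \
           -o -name ksh -o -name zsh -o -name busybox \) \
        2>/dev/null | sort -u
}

# Return 0 if ROOT holds no shell, 1 (with the offending paths on stderr)
# otherwise. Intended to run in the installer stage right after
# `tdnf install ... --installroot "$root"`, before the COPY --from step.
assert_no_shell() {
    shells=$(find_shells "$1")
    if [ -n "$shells" ]; then
        printf 'shell interpreters present under %s:\n%s\n' "$1" "$shells" >&2
        return 1
    fi
    return 0
}

# Show which installed package declares a /bin/sh dependency, i.e. which
# edge of the graph pulled the shell in. Assumes rpm is available in the
# installer stage; --root queries the staged rpmdb, not the builder's own.
who_requires_sh() {
    root="$1"
    for pkg in $(rpm --root "$root" -qa); do
        if rpm --root "$root" -qR "$pkg" | grep -qx '/bin/sh'; then
            echo "$pkg"
        fi
    done
}

# Usage (hypothetical file name): ./check-staging.sh /staging
[ "$#" -eq 0 ] || assert_no_shell "$1"
```

In the Dockerfile from the issue this would run as an extra `RUN` in the installer stage after `tdnf install`, so the build fails before a shell can be copied into the distroless image rather than being discovered with `docker run ... bash` afterwards.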

eric-desrochers (Contributor) commented:

We could evaluate for future Major Release, but we won't be able to do it during the Mariner 2.0 lifetime, as we don't want to introduce new behavior/breaking changes.

Thanks for your feedback!
