
Remove packages to make minimal system

Posted: 2009/04/02 15:59:54
by dgrant
Continuing on my quest to build a system with the sole purpose of being a LAMP server, I am trying to have the bare minimum number of packages installed.

I'm not just trying to disable as many daemons as possible, but actually remove any package that is not required. It might sound a bit extreme but each package that is installed that is not needed is using valuable space on the expensive (and small) 36GB 15krpm SAS disk. Also it is a damage control approach, in that assuming a cracker finds an exploit in Apache or PHP that allows them to run executables on the filesystem then taking away as many tools as possible will help in damage limitation. For example I don't want an SSH client installed on the system as it has no purpose for me but could be used by a cracker to access other systems on the network, if they compromise that system.

I have installed the absolute minimum from the 5.3 install by deselecting everything during install but that still leaves a great deal of unnecessary packages installed. Seeing as how the system is a 64bit installation and will have no 32bit apps running on it I have first uninstalled all the i386 versions of various libraries. I presume their only function is to provide compatibility for 32bit apps.

I have been looking for information about removing other packages but I don't seem to be able to find information on real dependencies. For example I believe I have no need for dmraid as it is for managing software RAID arrays that I have no intention of using, but if I attempt to remove it the dependencies include kernel and mkinitrd. What I can't figure out though is if these are hard dependencies in that those packages will fail to work or soft ones that simply mean without dmraid it will not be possible to configure the software raid module that is loaded into the kernel.

What packages would people recommend to remove? Anyone seen a good guide to reducing down CentOS/RHEL to the absolute minimum?

Here are a couple that I'm not sure about so far ...

python-elementtree-1.2.6 : Is this really required by YUM ?
m2crypto-0.16 x86_64 : Is this really used by YUM, I didn't think YUM connected via SSL ?

Would be grateful for any pointers.

Thanks

Remove packages to make minimal system

Posted: 2009/04/02 17:04:07
by Erasmus_Darwin
[quote]
dgrant wrote:
python-elementtree-1.2.6 : Is this really required by YUM ?
[/quote]

It looks like that's used to help with parsing XML-based repository information. I'm no expert, but I wouldn't risk uninstalling it.

[quote]
m2crypto-0.16 x86_64 : Is this really used by YUM, I didn't think YUM connected via SSL ?
[/quote]

It looks like it supports it if you provide an https URL for a repository. It looks like m2crypto is used indirectly via the code in the python-urlgrabber RPM. I don't know Python, but glancing at the code makes it look like it should be smart enough not to cause a fatal error if m2crypto isn't present. So I suspect you can get away with removing it.

Re: Remove packages to make minimal system

Posted: 2009/04/02 17:18:09
by dgrant
Thanks for the quick reply Erasmus, I'll give that a go, it is a test system anyway so if it breaks something it's not the end of the world.

How about tcl-8.4.13 : is it really necessary for setools, I guess it probably is ?

Thanks

Re: Remove packages to make minimal system

Posted: 2009/04/02 18:01:39
by Erasmus_Darwin
[quote]
dgrant wrote:
How about tcl-8.4.13 : is it really necessary for setools, I guess it probably is ?
[/quote]

I'm not entirely sure, but it looks like the tcl requirement is actually unnecessary for the base setools package. There are a number of graphical tools and tcl bindings included in the source package that setools is built from, but it looks like that stuff is packaged separately in setools-gui.