docker: Remove libarchive as a dependency

Also remove keylime user creation from non-fedora distributions and add
wget to wolfi-based dockerfile

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

Author: ansasaki

docker/fedora/keylime_rust.Dockerfile

@@ -35,7 +35,6 @@ glib2-static \
 gnulib \
 kmod \
 llvm llvm-devel \
-libarchive-devel \
 libselinux-python3 \
 libtool \
 libtpms \

docker/release/Dockerfile.distroless

@@ -20,24 +20,6 @@ RUN ./configure \
 RUN make
 RUN make install
 
-# Install libarchive (dependency for the compress-tools crate) - we need only a minimum feature set here
-WORKDIR /src
-RUN wget https://github.com/libarchive/libarchive/releases/download/v3.6.2/libarchive-3.6.2.tar.gz
-RUN tar xf libarchive-3.6.2.tar.gz
-WORKDIR /src/libarchive-3.6.2
-RUN ./configure \
-    --prefix=/usr \
-    --with-openssl \
-    --without-mbedtls \
-    --without-nettle \
-    --without-xml2 \
-    --without-expat \
-    --disable-static
-RUN make
-RUN make install
-# there is a bug in the libarchive.pc file which wrongly adds iconv
-RUN sed -i "s/iconv //" /usr/lib/pkgconfig/libarchive.pc
-
 # build rust-keylime
 COPY . /src/rust-keylime/
 WORKDIR /src/rust-keylime
@@ -65,11 +47,8 @@ LABEL org.opencontainers.image.vendor="The Keylime Authors"
 # NOTE: the cc base image comes with all C runtime dependencies (libc, libm, libgcc, etc.), so no need to copy those
 # TODO: Unfortunately the COPY directive is following links and not preserving the link file. This slightly bloats the image.
 
-# libarchive is a direct dependency for the compress-tools crate, so we must copy itself and all its dependencies
+# libz is a direct dependency for the zip crate
 COPY --from=builder \
-    /usr/lib/libarchive.so* \
-    /lib/x86_64-linux-gnu/liblzma.so* \
-    /lib/x86_64-linux-gnu/libbz2.so* \
     /lib/x86_64-linux-gnu/libz.so* \
     /usr/lib/x86_64-linux-gnu/
 # tpm2-tss libraries are a dependency (probably not all of them, but we just copy all)
@@ -95,8 +74,5 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
-# Create a system user 'keylime' to allow dropping privileges
-RUN useradd -s /sbin/nologin -r -G tss keylime
-
 # run as root by default
 USER 0:0

docker/release/Dockerfile.fedora

@@ -9,7 +9,6 @@ RUN microdnf install -y \
     clang-devel \
     dnf-plugins-core \
     git \
-    libarchive-devel \
     make \
     openssl-devel \
     rust \
@@ -43,7 +42,7 @@ LABEL vendor="The Keylime Authors"
 # Install all agent runtime dependencies from the builder image
 # NOTE: the fedora base image is "fat" and comes with basically all dependencies that we need out of the box with a few exceptions
 RUN microdnf makecache && \
-    microdnf -y install tpm2-tss libarchive openssl util-linux-core && \
+    microdnf -y install tpm2-tss openssl util-linux-core && \
     microdnf clean all && \
     rm -rf /var/cache/dnf/*
 

docker/release/Dockerfile.wolfi

@@ -10,15 +10,10 @@ RUN apk update
 # - install rust
 # - install gcc and others to compile tpm2-tss
 # - we are using the "generate-bindings" feature for the tss-esapi crate which requires clang/llvm
-# - Install libarchive (dependency for the compress-tools crate)
 RUN apk add --no-cache --update-cache \
     rust \
     make pkgconf gcc glibc glibc-dev openssl openssl-dev posix-libc-utils \
-    clang-15 llvm15 \
-    libarchive libarchive-dev
-
-# there is a bug in the libarchive.pc file which wrongly adds iconv
-RUN sed -i "s/iconv //" /usr/lib/pkgconfig/libarchive.pc
+    clang-15 llvm15 wget
 
 # Install tpm2-tss (dependency for the tss-esapi crate)
 WORKDIR /src
@@ -69,19 +64,10 @@ COPY --from=builder \
     /usr/lib/libssl.so* \
     /usr/lib/
 
-# libarchive is a direct dependency for the compress-tools crate, so we must copy itself and all its dependencies
+# libz is a direct dependency for the zip crate
 COPY --from=builder \
-    /lib/libacl.so* \
-    /lib/libattr.so* \
     /lib/libz.so* \
     /lib/
-COPY --from=builder \
-    /usr/lib/libarchive.so* \
-    /usr/lib/libexpat.so* \
-    /usr/lib/liblzma.so* \
-    /usr/lib/libzstd.so* \
-    /usr/lib/libbz2.so* \
-    /usr/lib/
 
 # tpm2-tss libraries are a dependency (probably not all of them, but we just copy all)
 # because we are using the tss-esapi crate which is essentially just a wrapper around those (unfortunately)
@@ -106,8 +92,5 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
-# Create a system user 'keylime' to allow dropping privileges
-RUN useradd -s /sbin/nologin -r -G tss keylime
-
 # run as root by default
 USER 0:0