I was just handed a new revised Amazon Machine Image to employ, a fully-compliant corporate beast intended to facilitate keeping servers secure.
I have extensive experience stripping builds for security purposes. The Solaris OS I worked with at Fidelity had all the graphical pieces, integral to Solaris at that time, stripped out, and we paid SUN Microsystems extra to be supported in that configuration. A large number of SUN’s support tools required the graphical interface to run, and without it SUN support engineers were forced to escalate to third-tier support and old-school command line. I ran firewalls on read-only partitions, making alteration impossible.
Yes, you do not put extra stuff on your servers.
This base image was missing basic Amazon tooling, things like the awscli and aws-cfn-bootstrap packages that are installed on every instance image by default because they are the pieces that make the images cloud-aware and cloud-responsive.
Fine. I already have a job that adds the pieces that are needed. But in resolving this I hit something that clearly separates sysadmins with experience from those without.
Real sysadmins work WITH the package management on the systems they are working with. For example, if removing the aws-cfn-bootstrap packages, do a yum erase. If removing the awscli installed with pip, do a pip uninstall. Do not ever delete files directly without respecting the package manager, unless unavoidable.
When I installed the packages that contain the missing files, I found that the package managers (pip and yum, respectively) insisted the package was already present. Which means someone went off a list of files to remove. Gaaaaahhhhh. Don’t. Just don’t.
First check what manages the file. Work with that management structure. Only THEN, if unavoidable, bypass it and delete directly.
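As an added illustration of that check (my own helper sketch, not anything from the corporate image or from Amazon), this asks the rpm/yum database and then pip's installed-distribution records which package owns a given file, and prints the matching removal command instead of reaching for rm. The function names and the "unmanaged" fallback are my own conventions.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): report which manager owns a file.
# Prints "rpm:<pkg>", "pip:<dist>" or "unmanaged"; exit status 1 when unmanaged.
owner_of() {
    f="$1"
    # 1. RPM/yum database (Amazon Linux). rpm -qf exits non-zero for unowned files.
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf --queryformat '%{NAME}\n' "$f" 2>/dev/null) && { echo "rpm:$pkg"; return 0; }
    fi
    # 2. pip: walk the RECORD file list of every installed distribution.
    if command -v python3 >/dev/null 2>&1; then
        dist=$(python3 - "$f" 2>/dev/null <<'EOF'
import os, sys
from importlib import metadata
target = os.path.realpath(sys.argv[1])
for d in metadata.distributions():
    for p in (d.files or []):
        try:
            if os.path.realpath(str(d.locate_file(p))) == target:
                print(d.metadata["Name"]); sys.exit(0)
        except OSError:
            pass
EOF
)
        [ -n "$dist" ] && { echo "pip:$dist"; return 0; }
    fi
    echo "unmanaged"
    return 1
}

# Print the removal command the owner expects; rm only for unmanaged files.
removal_command() {
    f="$1"
    owner=$(owner_of "$f") || true
    case "$owner" in
        rpm:*) echo "yum erase -y ${owner#rpm:}" ;;
        pip:*) echo "pip uninstall -y ${owner#pip:}" ;;
        *)     echo "rm -f $f   # unmanaged: direct delete is the last resort" ;;
    esac
}
```

Run it as `removal_command /usr/bin/cfn-init` (or any path on a removal list) before touching the file; the printed command is what to execute, not rm.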
— doug