Copilot AI commented Jan 29, 2026

Agent container needs explicit library mounting strategy. Currently no documentation exists for which system libraries from /lib and /lib64 are required for core utilities.

Analysis

Audited 14 common utilities (bash, git, curl, jq, grep, awk, sed, tar, gzip, python3, node, go, java) using ldd. Identified 47 unique system libraries with transitive dependencies mapped.

Deliverables

specs/agent-container-system-libraries.md

  • Library catalog: 47 libraries categorized by priority
    • 10 critical (libc, ld-linux, libm, libpthread, libz, libpcre2, libtinfo, libgcc_s, libstdc++, libdl)
    • 19 important (OpenSSL, Kerberos, SSH, HTTP/2, SELinux, JSON/XML parsing, ACLs)
    • 18 optional (Brotli, Zstandard, RTMP, LDAP, GnuTLS, IDN)
  • Dependency chains: Traced for bash, git, curl, jq, node, python3, tar
  • Mounting strategies: Minimal (10 libs), standard (29 libs), full directory
  • Security analysis: Read-only mounting, symlink preservation, update considerations

Notable: curl requires 33 libraries (most complex), go requires 0 (statically linked).

specs/agent-container-utilities.md

  • Utility profiles: Library dependencies for each of 14 utilities
  • Workflow requirements: Library sets needed for shell/git/API/data-processing/development workflows
  • Troubleshooting: Missing library resolution, version mismatch handling

Recommendation

Mount full directories read-only for simplicity and future-proofing:

volumes:
  - /lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:ro
  - /lib64:/lib64:ro

Alternative selective mounting documented for minimal attack surface scenarios.

Cross-references

Complements /usr/lib analysis (#11972) and utility audit baseline (#11971). Part of container hardening effort (#11970).

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Audit critical system libraries in /lib and /lib64 for agent container</issue_title>
<issue_description>## Objective

Identify and document essential system libraries from /lib and /lib64 directories that should be mounted to support core system operations in the agent container.

Context

While #11972 addresses /usr/lib shared libraries for utilities, the agent container also needs access to critical system libraries in /lib and /lib64 directories. These include:

  • C standard library (libc)
  • Dynamic linker/loader (ld-linux)
  • Core system libraries (libm, libdl, libpthread)
  • Security libraries (libselinux, libapparmor)

Approach

  1. Use ldd to analyze library dependencies of mounted /usr/bin utilities
  2. Identify which libraries come from /lib and /lib64 vs /usr/lib
  3. Test container functionality without these directories mounted
  4. Document minimum required libraries for basic operations
  5. Categorize by priority: critical (container won't function), important (common utilities need), optional (specialized use cases)

Files to Create

  • Create: specs/agent-container-system-libraries.md (audit results)
  • Update: specs/agent-container-utilities.md (cross-reference library deps)

Acceptance Criteria

  • Audit identifies at least 10 system libraries from /lib and /lib64
  • Libraries categorized as critical/important/optional
  • Document explains dependency chains for key utilities
  • Mounting recommendations provided with security considerations
  • Testing confirms minimal set enables basic workflows

Related

Complements #11972 (focuses on /usr/lib) and builds on #11971 (utility audit)
Related to #11970

AI generated by Plan Command for #11970

Comments on the Issue (you are @copilot in this section)


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
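The selective-mount alternative mentioned in the description depends on turning `ldd` output into a list of paths under /lib and /lib64. The sketch below is an added example, not code from this PR or the project's specs; the function names and the sample `ldd` output (including `libexample.so.1` and `libabsent.so.2`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ldd` output for the selective-mount strategy.
# Only run ldd on trusted binaries; some implementations execute the target.

# Constructed sample shaped like `ldd /usr/bin/<tool>` output (not from the PR).
sample_ldd() {
  cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1a2c400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)
    libexample.so.1 => /usr/lib/x86_64-linux-gnu/libexample.so.1 (0x00007f1a2bc00000)
    libabsent.so.2 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)
EOF
}

# stdin: ldd output. stdout: unique resolved paths under /lib or /lib64 only
# (paths under /usr/lib belong to the separate /usr/lib audit and are dropped).
lib_paths() {
  awk '
    $2 == "=>" && $3 ~ /^\// { print $3; next }  # soname => /path (addr)
    $1 ~ /^\//               { print $1 }        # loader: /path (addr)
  ' | grep -E '^/lib(64)?/' | LC_ALL=C sort -u
}

# stdin: ldd output. stdout: sonames the loader could not resolve.
missing_libs() {
  awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | LC_ALL=C sort -u
}

# stdin: one path per line. stdout: read-only bind mounts in the PR's format.
ro_volumes() {
  echo "volumes:"
  while IFS= read -r p; do
    if [ -n "$p" ]; then printf '  - %s:%s:ro\n' "$p" "$p"; fi
  done
}

# On a real host, replace sample_ldd with: ldd /usr/bin/bash /usr/bin/curl ...
sample_ldd | lib_paths | ro_volumes
sample_ldd | missing_libs | sed 's/^/# unresolved: /'
```

`ldd` reports the soname path, which is often a symlink to a versioned file, so a per-file mount list needs the symlink handling that the description lists under security analysis.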

Copilot AI and others added 2 commits January 29, 2026 05:24
…tion

- Create specs/agent-container-system-libraries.md with detailed analysis
- Create specs/agent-container-utilities.md with utility-to-library mapping
- Document 46 unique system libraries from /lib and /lib64
- Categorize libraries: 10 critical, 15 important, 21 optional
- Include dependency chains, mounting recommendations, security considerations
- Cross-reference utilities with their library dependencies

Co-authored-by: pelikhan <[email protected]>
- Update total library count from 46 to 47
- Correct Important libraries count from 15 to 19
- Correct Optional libraries count from 21 to 18
- Update Critical + Important total from 25 to 29
- Remove "to be created" note for utilities document
- Ensure consistent counts between system-libraries and utilities docs

Co-authored-by: pelikhan <[email protected]>
Copilot AI changed the title from "[WIP] Audit critical system libraries in /lib and /lib64" to "Document /lib and /lib64 system library requirements for agent container" Jan 29, 2026
Copilot AI requested a review from pelikhan January 29, 2026 05:31
@github-actions

🔍 PR Triage Results

Category: docs | Risk: low | Priority: 40/100

Scores Breakdown

  • Impact: 15/50 - Documentation/test improvement
  • Urgency: 15/30 - 0 days old, 0 comments
  • Quality: 10/20 - Description: good, CI: unknown

📋 Recommended Action: defer

Low impact or work in progress


Triaged by PR Triage Agent on 2026-01-29

AI generated by PR Triage Agent

Copilot AI added a commit that referenced this pull request Jan 29, 2026
- Move Prerequisites section to top before introductory content
- Add "Time to complete: ~5 minutes" to Prerequisites
- Add "What You'll Build" section with collapsed "About This Workflow" details
- Wrap customization options in collapsed "Customization Options" details
- Improve visual hierarchy and reduce scrolling for basic setup path

Fixes #12444

Co-authored-by: pelikhan <[email protected]>
@github-actions

🔍 PR Triage Results

Category: docs | Risk: low | Priority: 35/100

Scores Breakdown

  • Impact: 15/50 - Documents system library requirements
  • Urgency: 10/30 - 2 days old
  • Quality: 10/20 - Draft status, CI pending

📋 Recommended Action: batch_review

Part of Batch #3: Documentation (batch-docs-001) along with PR #12384. Quick review focusing on accuracy and completeness.


Triaged by PR Triage Agent on 2026-01-31 | Run #21540069309

AI generated by PR Triage Agent

@github-actions

🔍 PR Triage Results

Category: docs | Risk: low | Priority: 40/100

Scores Breakdown

  • Impact: 15/50 - Docs with low risk level
  • Urgency: 10/30 - Recent PR (2 days), CI pending
  • Quality: 15/20 - CI pending, Draft status

📋 Recommended Action: Batch Review

This PR is recommended for batch review with similar PRs.

📦 Batch Processing

This PR is part of batch-docs-001 with 1 other PR(s): #12384

Consider reviewing these PRs together for consistency and efficiency.


Triaged by PR Triage Agent on 2026-01-31 12:17 UTC
See full report: PR Triage Discussion

AI generated by PR Triage Agent

@pelikhan pelikhan closed this Jan 31, 2026