| Summary: | [RFE] Provide a config property to override "default" docker repository to pull down image-inspector container image. | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Prasad Mukhedkar <pmukhedk> | |
| Component: | Providers | Assignee: | Nimrod Shneor <nshneor> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Zagalsky <pzagalsk> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 5.6.0 | CC: | bazulay, cben, cpatters, cpelland, dron, fsimonce, jfrey, jhardy, lavenel, ncatling, obarenbo, paul.maddocks1, pmukhedk, simaishi | |
| Target Milestone: | GA | Keywords: | FutureFeature, TestOnly, ZStream | |
| Target Release: | 5.8.0 | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | container | |||
| Fixed In Version: | 5.8.0.2 | Doc Type: | Enhancement | |
| Doc Text: |
This enhancement makes registry and repository information configurable for the 'image-inspector' container image. However, the built-in OpenSCAP policy in CloudForms scans only images named `<file>/image-inspector`, and skips any modified image names and paths. To scan customised images, copy and modify the OpenSCAP policy, then assign the modified condition to the image.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1429654 (view as bug list) | Environment: | ||
| Last Closed: | 2017-06-12 17:04:53 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | Container Management | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1429654, 1459189 | |||
Note that configuring where to get 'image-inspector' docker image won't be enough to support OpenSCAP in clusters not connected to the internet.
image-inspector currently hardcodes downloading the CVE info from:
CVEUrl = "https://www.redhat.com/security/data/metrics/ds/"
https://github.com/openshift/image-inspector/issues/18 tracks that part.
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/63b46caf7dd170b752cd233daae824acd2e79fd5

```
commit 63b46caf7dd170b752cd233daae824acd2e79fd5
Author:     Daniel Trieu <dtrieu80>
AuthorDate: Mon Feb 20 18:39:19 2017 +0200
Commit:     Beni Cherniavsky-Paskin <cben>
CommitDate: Mon Feb 20 18:39:24 2017 +0200

    Make registry & repo configurable for 'image-inspector'

    Tag (:2.1) deliberately left non-configurable as we depend on a specific version's interface.
    (Minor 2.1.z versions will be activated simply by re-pointing the 2.1 tag.)

    https://bugzilla.redhat.com/show_bug.cgi?id=1378007

 .../providers/kubernetes/container_manager/scanning/job.rb | 7 ++++---
 config/settings.yml | 2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)
```
Description of problem:

At the moment CloudForms' docker OpenSCAP scanning functionality relies on triggering OpenShift to launch the Image Inspector docker file to perform the scanning. CloudForms is instructing OpenShift to explicitly download the docker file from an internet location and then launch it. If you are not connected to the internet then this functionality is broken.

To fix this broken functionality it would be best if we can specify a "default" docker repository location property such that ANY CloudForms activity that involved downloading docker files from the internet could use this property (if present) rather than the hard-coded location on the internet.

config/initializers/override_containers_scanning_image.rb

```ruby
module OverrideContainersScanningImage
  def inspector_image
    'registry.access.redhat.com/openshift3/image-inspector:2.0'
  end
end

ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job.prepend(OverrideContainersScanningImage)
```
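The design the commit message describes (registry and repository configurable, tag pinned) can be sketched as follows. This is an added example, not ManageIQ's code or the reporter's workaround. Assumptions: the helper, the setting keys `:registry` and `:repository`, and the validation rules are hypothetical, and the default registry and repository are taken from the image path in the workaround above.

```ruby
# Added example: hypothetical helper, not ManageIQ's implementation.
# Registry and repository are configurable; the tag stays pinned.
PINNED_TAG = '2.1'.freeze # version named in the commit message
DEFAULT_REGISTRY = 'registry.access.redhat.com'.freeze
DEFAULT_REPOSITORY = 'openshift3/image-inspector'.freeze

# host[:port] only: no scheme, no path, no credentials.
REGISTRY_RE = /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?\z/i
# Slash-separated lowercase path components; ':' and '@' are rejected
# so a tag or digest cannot be smuggled in through the repository value.
COMPONENT = '[a-z0-9]+(?:[._-][a-z0-9]+)*'.freeze
REPOSITORY_RE = %r{\A#{COMPONENT}(?:/#{COMPONENT})*\z}

# settings: hash with the assumed keys :registry and :repository.
def inspector_image(settings = {})
  registry = settings.fetch(:registry, DEFAULT_REGISTRY).to_s
  repository = settings.fetch(:repository, DEFAULT_REPOSITORY).to_s
  raise ArgumentError, "invalid registry: #{registry.inspect}" unless registry.match?(REGISTRY_RE)
  raise ArgumentError, "invalid repository: #{repository.inspect}" unless repository.match?(REPOSITORY_RE)

  "#{registry}/#{repository}:#{PINNED_TAG}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample settings, including a local mirror for a disconnected cluster.
  samples = [
    {},
    { registry: 'registry.internal.example:5000', repository: 'mirror/image-inspector' },
    { repository: 'openshift3/image-inspector:latest' },
    { registry: 'https://registry.internal.example' }
  ]
  samples.each do |s|
    begin
      puts "#{s.inspect} -> #{inspector_image(s)}"
    rescue ArgumentError => e
      puts "#{s.inspect} -> rejected (#{e.message})"
    end
  end
end
```

Rejecting `:` and `@` in the repository value keeps an override from replacing the pinned tag with another tag or a digest, which would break the dependency on the 2.1 interface that the commit message calls out.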