Bug 1378007

Summary: [RFE] Provide a config property to override "default" docker repository to pull down image-inspector container image.
Product: Red Hat CloudForms Management Engine Reporter: Prasad Mukhedkar <pmukhedk>
Component: Providers Assignee: Nimrod Shneor <nshneor>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Zagalsky <pzagalsk>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.6.0 CC: bazulay, cben, cpatters, cpelland, dron, fsimonce, jfrey, jhardy, lavenel, ncatling, obarenbo, paul.maddocks1, pmukhedk, simaishi
Target Milestone: GA Keywords: FutureFeature, TestOnly, ZStream
Target Release: 5.8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: container
Fixed In Version: 5.8.0.2 Doc Type: Enhancement
Doc Text:
This enhancement makes registry and repository information configurable for the 'image-inspector' container image. However, the built-in OpenSCAP policy in CloudForms scans only images named `<file>/image-inspector`, and skips any modified image names and paths. To scan customised images, copy and modify the OpenSCAP policy, then assign the modified condition to the image.
Story Points: ---
Clone Of:
: 1429654 Environment:
Last Closed: 2017-06-12 17:04:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1429654, 1459189    

Description Prasad Mukhedkar 2016-09-21 09:47:58 UTC
Description of problem:

At the moment CloudForms' docker OpenSCAP scanning functionality relies on triggering OpenShift to launch the Image Inspector docker file to perform the scanning.  CloudForms is instructing OpenShift to explicitly download the docker file from an internet location and then launch it.

If you are not connected to the internet then this functionality is broken.  To fix this broken functionality it would be best if we can specify a "default" docker repository location property such that ANY CloudForms activity that involves downloading docker files from the internet could use this property (if present) rather than the hard-coded location on the internet.


config/initializers/override_containers_scanning_image.rb

module OverrideContainersScanningImage
  def inspector_image
    'registry.access.redhat.com/openshift3/image-inspector:2.0'
  end
end

ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job.prepend(OverrideContainersScanningImage)

Comment 4 Beni Paskin-Cherniavsky 2016-09-27 10:47:54 UTC
Note that configuring where to get 'image-inspector' docker image won't be enough to support OpenSCAP in clusters not connected to the internet.

image-inspector currently hardcodes downloading the CVE info from:
    CVEUrl          = "https://www.redhat.com/security/data/metrics/ds/"

https://github.com/openshift/image-inspector/issues/18 tracks that part.

Comment 6 CFME Bot 2017-02-22 16:36:19 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/63b46caf7dd170b752cd233daae824acd2e79fd5

commit 63b46caf7dd170b752cd233daae824acd2e79fd5
Author:     Daniel Trieu <dtrieu80>
AuthorDate: Mon Feb 20 18:39:19 2017 +0200
Commit:     Beni Cherniavsky-Paskin <cben>
CommitDate: Mon Feb 20 18:39:24 2017 +0200

    Make registry & repo configurable for 'image-inspector'
    
    Tag (:2.1) deliberately left non-configurable as we depend on a
    specific version's interface.
    (Minor 2.1.z versions will be activated simply by re-pointing the 2.1 tag.)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1378007

 .../providers/kubernetes/container_manager/scanning/job.rb         | 7 ++++---
 config/settings.yml                                                | 2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)
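
The approach from the description and the commit message above, sketched as an added example (not ManageIQ's code): registry and repository come from configuration and are validated so that a setting cannot carry its own tag or digest, while the tag stays pinned in code. The `InspectorImage` helper, the `:registry`/`:repository` keys, the `ScanningJob` stand-in and the mirror values are assumptions made for illustration.

```ruby
# Added example: hypothetical helper, not ManageIQ's implementation.
module InspectorImage
  # Tag stays fixed in code, as the commit message says for ":2.1".
  PINNED_TAG = '2.1'.freeze
  # Defaults taken from the image reference in the bug description.
  DEFAULT_REGISTRY   = 'registry.access.redhat.com'.freeze
  DEFAULT_REPOSITORY = 'openshift3/image-inspector'.freeze

  # host[:port] only; no scheme, path, tag or digest characters.
  REGISTRY_RE   = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?\z/i
  # Lower-case path components joined by "/"; ":" and "@" never match.
  REPOSITORY_RE = %r{\A[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*\z}

  class InvalidSetting < ArgumentError; end

  # settings: Hash with optional :registry and :repository keys (assumed names).
  def self.build(settings = {})
    registry   = settings.fetch(:registry, DEFAULT_REGISTRY).to_s
    repository = settings.fetch(:repository, DEFAULT_REPOSITORY).to_s
    raise InvalidSetting, "bad registry: #{registry.inspect}" unless registry.match?(REGISTRY_RE)
    raise InvalidSetting, "bad repository: #{repository.inspect}" unless repository.match?(REPOSITORY_RE)

    "#{registry}/#{repository}:#{PINNED_TAG}"
  end
end

# Stand-in for the scanning job class; the real one lives in ManageIQ.
class ScanningJob
  def inspector_image
    InspectorImage.build
  end
end

# Same Module#prepend technique as the initializer in the description,
# but pointing at an internal mirror (constructed values).
module MirrorOverride
  MIRROR = { registry: 'registry.internal.example:5000',
             repository: 'mirror/image-inspector' }.freeze

  def inspector_image
    InspectorImage.build(MIRROR)
  end
end

ScanningJob.prepend(MirrorOverride)
```

Because the tag is appended after validation, a repository value such as `mirror/image-inspector:latest` is rejected instead of silently replacing the pinned version.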