Bug 1378007 - [RFE] Provide a config property to override "default" docker repository to pull down image-inspector container image.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.6.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: GA
Target Release: 5.8.0
Assignee: Nimrod Shneor
QA Contact: Pavel Zagalsky
URL:
Whiteboard: container
Depends On:
Blocks: 1429654 1459189
Reported: 2016-09-21 09:47 UTC by Prasad Mukhedkar
Modified: 2020-08-13 08:36 UTC (History)

Fixed In Version: 5.8.0.2
Doc Type: Enhancement
Doc Text:
This enhancement makes registry and repository information configurable for the 'image-inspector' container image. However, the built-in OpenSCAP policy in CloudForms scans only images named `<file>/image-inspector`, and skips any modified image names and paths. To scan customised images, copy and modify the OpenSCAP policy, then assign the modified condition to the image.
Clone Of:
: 1429654 (view as bug list)
Environment:
Last Closed: 2017-06-12 17:04:53 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:



Description Prasad Mukhedkar 2016-09-21 09:47:58 UTC
Description of problem:

At the moment CloudForms' docker OpenSCAP scanning functionality relies on triggering OpenShift to launch the Image Inspector docker file to perform the scanning. CloudForms is instructing OpenShift to explicitly download the docker file from an internet location and then launch it.

If you are not connected to the internet then this functionality is broken. To fix this broken functionality it would be best if we can specify a "default" docker repository location property such that ANY CloudForms activity that involved downloading docker files from the internet could use this property (if present) rather than the hard-coded location on the internet.


config/initializers/override_containers_scanning_image.rb

module OverrideContainersScanningImage
  def inspector_image
    'registry.access.redhat.com/openshift3/image-inspector:2.0'
  end
end

ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job.prepend(OverrideContainersScanningImage)

Comment 4 Beni Paskin-Cherniavsky 2016-09-27 10:47:54 UTC
Note that configuring where to get 'image-inspector' docker image won't be enough to support OpenSCAP in clusters not connected to the internet.

image-inspector currently hardcodes downloading the CVE info from:
    CVEUrl          = "https://www.redhat.com/security/data/metrics/ds/"

https://github.com/openshift/image-inspector/issues/18 tracks that part.

Comment 6 CFME Bot 2017-02-22 16:36:19 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/63b46caf7dd170b752cd233daae824acd2e79fd5

commit 63b46caf7dd170b752cd233daae824acd2e79fd5
Author:     Daniel Trieu <dtrieu80>
AuthorDate: Mon Feb 20 18:39:19 2017 +0200
Commit:     Beni Cherniavsky-Paskin <cben>
CommitDate: Mon Feb 20 18:39:24 2017 +0200

    Make registry & repo configurable for 'image-inspector'
    
    Tag (:2.1) deliberately left non-configurable as we depend on a
    specific version's interface.
    (Minor 2.1.z versions will be activated simply by re-pointing the 2.1 tag.)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1378007

 .../providers/kubernetes/container_manager/scanning/job.rb         | 7 ++++---
 config/settings.yml                                                | 2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)
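
Added example (not ManageIQ's code and not part of the original bug comments): one way to build the inspector image reference from a configurable registry and repository while the tag stays pinned in code, as the commit message above describes. The setting keys, the validation patterns and the function shape are assumptions; the default registry and repository are the values quoted in the bug description.

```ruby
# Added example: setting keys and validation rules are assumptions, not the
# project's own. The tag is a constant so that configuration cannot change
# which image-inspector interface version gets pulled.
INSPECTOR_TAG = '2.1'.freeze

DEFAULTS = {
  'registry'   => 'registry.access.redhat.com',
  'repository' => 'openshift3/image-inspector'
}.freeze

# host[:port], lower-case DNS-style name, no scheme and no path
REGISTRY_RE = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?\z/
# one or more lower-case path components separated by "/"
REPOSITORY_RE = %r{\A[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*\z}

# Returns "registry/repository:tag". Blank or missing settings fall back to
# the defaults, so an empty override never yields a malformed reference.
def inspector_image(settings = {})
  overrides = settings.reject { |_, v| v.nil? || v.to_s.strip.empty? }
  cfg = DEFAULTS.merge(overrides)
  registry   = cfg['registry'].to_s.strip
  repository = cfg['repository'].to_s.strip

  unless registry.match?(REGISTRY_RE)
    raise ArgumentError, "invalid registry: #{registry.inspect}"
  end
  # ":" and "@" are rejected here, so a tag or digest cannot be slipped in
  # through the repository setting to bypass the pinned tag.
  unless repository.match?(REPOSITORY_RE)
    raise ArgumentError, "invalid repository: #{repository.inspect}"
  end

  "#{registry}/#{repository}:#{INSPECTOR_TAG}"
end

# Constructed sample: a disconnected cluster pointing at an internal mirror.
puts inspector_image('registry' => 'registry.internal.example:5000')
```

As Comment 4 notes, pointing the image at an internal registry does not by itself make scanning work offline, because image-inspector still fetches CVE data from its hardcoded URL.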

