Definitely not to the docker socket. This would be a huge security issue and would hard code us to docker containers.
I would prefer to drop a JSON file into the directory with content describing the container. On 01/13/2017 09:53 AM, Brent Baude wrote: > Dharmit, > > I believe the intended image is mounted by its UUID. One idea would be > to share the docker socket with you scan container and then do a quick > translation of the UUID to image name using the docker-py API. > > One issue with this approach is you get yourself in a bind (in some > cases) with determining the image name. Meaning, is it the repotag > name(s), the LABEL name, or some other approach? I would say that is > one upside of your approach. > > There are other ways to resolve the name that are a little more > involved. If you want to know more, contact me off-list and we can > discuss them. > > Brent > > > > On Fri, 2017-01-13 at 15:24 +0530, Dharmit Shah wrote: >> Hi! >> >> I recently worked on developing a scanner [1] that reports pip, npm, >> gem >> updates for a container. But, to me, it looks like I'm missing >> something >> and doing it in an improper way from `atomic scan` side of things. >> >> The command I execute to check, let's say, pip related updates is: >> >> `IMAGE_NAME=<image_name> atomic scan --scanner misc-package- >> updates --scan_type pip-updates <image_name>` >> >> And the configuration file ensures that `IMAGE_NAME` variable I've >> set >> in above command is passed on to the scanner container as an >> envrionment >> variable [2]. It is then used to spin up a new container from the >> image >> to check for pip updates. >> >> It is my understanding, and I'd like to know if it's correct, that >> the >> rootfs of image name specified with `atomic scan` command is mounted >> onto the scanner container under `/scanin` directory and the scanner >> output is expected under `/scanout` directory; but the image's name >> is >> not passed to the scanner container. >> >> Is there a way to access the image's name inside a container without >> doing it the way I've done using a variable? >> >> [1] >> https://github.com/CentOS/container-pipeline-service/tree/master/atom >> ic_scanners/misc-package-updates >> >> [2] >> https://github.com/CentOS/container-pipeline-service/blob/master/atom >> ic_scanners/misc-package-updates/misc-package-updates#L5 >> >> Regards, >> Dharmit. >>
