opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-20 16:47:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

container inspect: include image digest

Browse Source 
Include the digest of the image in `podman container inspect`. The image
digest is a key information for auditing as it defines the identify of
an image.  This way, it can be determined whether a container used an
image with a given CVE etc.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This commit is contained in:
Valentin Rothberg
2022-09-30 13:50:08 +02:00
parent d88acd83a1
commit 02b0f9fc39
3 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libpod/container_inspect.go
View File

@ -166,6 +166,15 @@ func (c *Container) getContainerInspectData(size bool, driverData *define.Driver
IsInfra: c.IsInfra(), IsInfra: c.IsInfra(),
IsService: c.IsService(), IsService: c.IsService(),
} }
if config.RootfsImageID != "" { // May not be set if the container was created with --rootfs
image, _, err := c.runtime.libimageRuntime.LookupImage(config.RootfsImageID, nil)
if err != nil {
return nil, err
}
data.ImageDigest = image.Digest().String()
}
if ctrSpec.Process.Capabilities != nil { if ctrSpec.Process.Capabilities != nil {
data.EffectiveCaps = ctrSpec.Process.Capabilities.Effective data.EffectiveCaps = ctrSpec.Process.Capabilities.Effective
data.BoundingCaps = ctrSpec.Process.Capabilities.Bounding data.BoundingCaps = ctrSpec.Process.Capabilities.Bounding

1
libpod/define/container_inspect.go
View File

@ -659,6 +659,7 @@ type InspectContainerData struct {
Args []string `json:"Args"` Args []string `json:"Args"`
State *InspectContainerState `json:"State"` State *InspectContainerState `json:"State"`
Image string `json:"Image"` Image string `json:"Image"`
ImageDigest string `json:"ImageDigest"`
ImageName string `json:"ImageName"` ImageName string `json:"ImageName"`
Rootfs string `json:"Rootfs"` Rootfs string `json:"Rootfs"`
Pod string `json:"Pod"` Pod string `json:"Pod"`

21
test/system/030-run.bats
View File

@ -548,11 +548,23 @@ json-file | f
# prior to #8623 `podman run` would error out on untagged images with: # prior to #8623 `podman run` would error out on untagged images with:
# Error: both RootfsImageName and RootfsImageID must be set if either is set: invalid argument # Error: both RootfsImageName and RootfsImageID must be set if either is set: invalid argument
run_podman untag $IMAGE run_podman untag $IMAGE
run_podman run --rm $imageID ls
run_podman run --rm $randomname $imageID true
run_podman tag $imageID $IMAGE run_podman tag $imageID $IMAGE
} }
@test "podman inspect includes image data" {
randomname=$(random_string 30)
run_podman inspect $IMAGE --format "{{.ID}} {{.Digest}}"
expected="$IMAGE $output"
run_podman run --name $randomname $IMAGE true
run_podman container inspect $randomname --format "{{.ImageName}} {{.Image}} {{.ImageDigest}}"
is "$output" "$expected"
run_podman rm -f -t0 $randomname
}
@test "Verify /run/.containerenv exist" { @test "Verify /run/.containerenv exist" {
# Nonprivileged container: file exists, but must be empty # Nonprivileged container: file exists, but must be empty
run_podman run --rm $IMAGE stat -c '%s' /run/.containerenv run_podman run --rm $IMAGE stat -c '%s' /run/.containerenv
@ -620,10 +632,15 @@ json-file | f
run_podman image mount $IMAGE run_podman image mount $IMAGE
romount="$output" romount="$output"
randomname=$(random_string 30)
# FIXME FIXME FIXME: Remove :O once (if) #14504 is fixed! # FIXME FIXME FIXME: Remove :O once (if) #14504 is fixed!
run_podman run --rm --rootfs $romount:O echo "Hello world" run_podman run --name=$randomname --rootfs $romount:O echo "Hello world"
is "$output" "Hello world" is "$output" "Hello world"
run_podman container inspect $randomname --format "{{.ImageDigest}}"
is "$output" "" "Empty image digest for --rootfs container"
run_podman rm -f -t0 $randomname
run_podman image unmount $IMAGE run_podman image unmount $IMAGE
fi fi
} }