Bug 25370 - container image/registry scanning
Summary: container image/registry scanning
Status: NEW
Alias: None
Product: elfutils
Classification: Unclassified
Component: debuginfod (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-11 00:36 UTC by Frank Ch. Eigler
Modified: 2020-01-11 00:36 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Ch. Eigler 2020-01-11 00:36:54 UTC
There may be a use case where debuginfo-carrying container images are available on registries or filesystems, and where extracting that content could serve container debugging tasks.

hypothetical algorithm:
- given a list of image names
  - periodically make contact with designated registry across https://docs.docker.com/registry/spec/api/
  - fetch authentication token if needed
  - download image manifest json, thence layer fs-delta files (tarballs)
  - scan resulting tarballs as ordinary libarchive inputs
  - use fs-delta blob hexid as archive path key - need only ever scan once!
  - https://gist.github.com/cirocosta/17ea17be7ac11594cb0f290b0a3ac0d1

or podman-intermediated:
- given a list of image names
  - perform periodic "podman pull"s
  - podman mount
  - scan contents in -F mode
  - "podman unmount" afterwards
  - ... or podman save; scan the resulting tarball's contents as sub tarballs
  - one problem is how to scan only new layers (and not waste time instantiating old at all)