[Bug debuginfod/25370] New: container image/registry scanning

fche at redhat dot com sourceware-bugzilla@sourceware.org
Sat Jan 11 00:36:00 GMT 2020


https://sourceware.org/bugzilla/show_bug.cgi?id=25370

            Bug ID: 25370
           Summary: container image/registry scanning
           Product: elfutils
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: debuginfod
          Assignee: unassigned at sourceware dot org
          Reporter: fche at redhat dot com
                CC: elfutils-devel at sourceware dot org, lberk at redhat dot com
  Target Milestone: ---

There may be a use case where debuginfo-carrying container images are available
on registries or filesystems, and where extracting that content could serve
container debugging tasks.

hypothetical algorithm:
- given a list of image names
  - periodically make contact with designated registry across https://docs.docker.com/registry/spec/api/
  - fetch authentication token if needed
  - download image manifest json, thence layer fs-delta files (tarballs)
  - scan resulting tarballs as ordinary libarchive inputs
  - use fs-delta blob hexid as archive path key - need only ever scan once!
  - https://gist.github.com/cirocosta/17ea17be7ac11594cb0f290b0a3ac0d1

or podman-intermediated:
- given a list of image names
  - perform periodic "podman pull"s
  - podman mount
  - scan contents in -F mode
  - "podman unmount" afterwards
  - ... or podman save; scan the resulting tarball's contents as sub tarballs
  - one problem is how to scan only new layers (and not waste time
instantiating old at all)
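
The registry-based approach above (manifest first, then layers keyed by blob digest), sketched as an added example that is not part of the original report or of elfutils. It assumes a schema-2 image manifest with sha256 layer digests; the sample blobs, the manifest and the `fetch` callable are constructed or hypothetical stand-ins, and the libarchive scan step is represented only by recording the key.

```python
import hashlib
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def digest_of(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()

# Constructed stand-ins for two layer tarballs and their manifest.
BLOBS = {digest_of(b): b for b in (b"constructed layer A", b"constructed layer B")}
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": len(b), "digest": d} for d, b in BLOBS.items()],
})

def layer_digests(manifest_json: str) -> list:
    """Layer digests in manifest order; reject anything unsafe as a path key."""
    digests = []
    for layer in json.loads(manifest_json).get("layers", []):
        digest = str(layer.get("digest", ""))
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed layer digest: {digest!r}")
        digests.append(digest)
    return digests

def scan_new_layers(manifest_json: str, fetch, scanned: set) -> list:
    """Fetch and 'scan' only layers whose digest is not in `scanned`.

    `fetch` is a hypothetical callable mapping digest -> blob bytes; the real
    scan step (libarchive over the tarball) is represented by recording the key.
    """
    done = []
    for digest in layer_digests(manifest_json):
        if digest in scanned:
            continue  # content-addressed: same digest means same bytes
        blob = fetch(digest)
        if digest_of(blob) != digest:
            raise ValueError(f"blob does not match {digest}")
        scanned.add(digest)  # digest doubles as the archive path key
        done.append(digest)
    return done

if __name__ == "__main__":
    seen = set()
    print(scan_new_layers(MANIFEST, BLOBS.__getitem__, seen))  # both layers
    print(scan_new_layers(MANIFEST, BLOBS.__getitem__, seen))  # []
```

Checking the digest format before using it as a path key, and re-hashing each blob before scanning it, keeps a misbehaving registry from steering the scanner to an arbitrary path or poisoning the once-only cache.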
