Discovery and Inventory of Docker Containers in FlexNet Manager Suite 2020 R1

mrichardson
Flexera

What are Containers in FNMS 2020 R1?

Containers are a new type of application virtualisation that provides much greater flexibility and scalability than other technologies. The most popular of these is Docker, and in FNMS 2020 R1 the upgraded agent allows you to discover and inventory Docker containers, giving you complete visibility into Docker instances in your environment and the software running on them.

Some key points about this functionality:

  1. An agent upgrade IS required (Cloud and On-Premises)
  2. Server components also need to be updated (On-Premises customers only)
  3. Docker capability is only on our Linux agents in this release; Windows will be updated later.
  4. This release is focused on discovery and inventory; software running in containers will not be included in license reconcile or consumption calculations.
  5. The new agent monitors the Docker Engine service on the device to collect inventory, which means you can only discover containers on devices where the agent is installed. Cloud-based Kubernetes and other container orchestration services are therefore not currently included.

Getting started with Docker discovery and inventory

How to enable Docker Container inventory?

Enabling Docker inventory modifies installation counts, so it is disabled by default and must be switched on explicitly.

You can do this by:

  • Open Discovery & Inventory – Settings
  • Find “Container Scanning” section
  • Enable checkbox “Enable detection of Docker and running inventory agent inside Docker containers”
  • Click Save in bottom right of screen

Once enabled, the change updates the agent policy, which is deployed to beacons. Agents then need to update their policy, run inventory and upload it, after which a full inventory import and reconcile needs to complete.

This process usually takes 24-48 hours before it’s all processed.


Viewing list of Containers in your environment

To validate that inventory has succeeded, go back to the Discovery & Inventory menu. There is now a new Containers section with a view called “All Containers”, which shows all containers in your environment.


Licensing Managers

One of the use cases we were trying to address for SAM Managers was “How many of my applications are running in containers?” We know from discussions that you want to see what impact containerised applications are having, so we’ve added a new “Containers” column to the following views:

  • Application views e.g. Install Applications, All Applications etc
  • Unlicensed Installations


These Container columns show the subset of installations that come from containers. In the Unlicensed Installations example, you have 4 installations of Ubuntu, 3 of which come from containers. Because container applications aren’t included in license reconcile, 1 installation can be addressed by the reconcile and the 3 from containers need to be reviewed and manually allocated where necessary.

Hardware Asset Managers

If you are managing specific devices and want to see whether they are running containers there is a “Container” tab which lists the Container and Docker Images.


If you then want to see what applications these devices are running within containers you can go to the Applications tab and you will see a new sub-tab called Containers which will show you all the Containers associated with this device.


These are the main views we’ve implemented. I will be adding a Q&A section at a later date once I’ve finished collating all of the recent questions.

20 Comments
mfranz
Trusted advisor

Hi Matt,

A few questions:

  • Will the container data be part of the inventory (ndi) file?
  • How is the container data matched to applications? Is it file evidence?
  • Is this a snapshot only, or is the container data taken like usage data, over time?

Best regards,

Markward

mrichardson
Flexera

Hi @mfranz,

I'll ask one of the engineers to add further input if needed but in summary we've added an extra daemon service to the usage engine of the agent that monitors the docker engine service and once it identifies a docker image has been created it uses the zero footprint inventory (i.e. ndtrack.sh on Linux) to scan the contents of the image to produce ndi content.

As each docker image is immutable i.e. it cannot be changed, we know that any container deployed from that image will have the same contents, this allows for on-going updates instead of just a one-time snapshot.

So to track both the software in containers and the state of containers / images we use a combination of the inventory agent and the usage agent respectively; the latter will track when the containers were started, stopped and destroyed and these are used to populate the fields you see in the All Containers and properties views.

 

bruce_giles
Intrepid explorer

Hi Matt, I have just been asked if Flexera supports Kubernetes Clusters (in my situation they are talking about Redhats Openshift) ... only knowing a little bit about Containers and the different type of environments that house them , for example Docker and RedHats Openshift , I am a little bit confused after reading what Flexera has delivered in this particular Release.

Perhaps you could answer the question that has been asked of me .. I understand from reading the information that I could find doing searches - that the "updated" agent will be required for sure and that it will only identify the type of container (Docker only) but not the applications running within it .. or at least that is what I understood.

I apologize in advance for my lack of knowledge between containers, kubernetes etc. and if the information is located somewhere else but I too am prohibited in viewing YouTube videos so I could not see what was discussed in a previous webinar where the different phases was explained. Perhaps you could copy the key areas of discussion into a response.

Thanks Again

Bruce Giles

mrichardson
Flexera

Hi @bruce_giles,

The 2020 R1 version of container functionality will carry out discovery and inventory of Docker containers, so it will identify the Host, Container Image and Containers and will also run ndtrack to identify software running in the containers.

We don't currently support Kubernetes / OpenShift, however this is something I've been asked for a lot recently so it is going to either be 1st or 2nd on the container roadmap, which means that the current expectation is they will be delivered in the first half of next year. However, we're still finalising the roadmap for Q1 and Q2 so I can't give exact release details at this point.

 

Does this help?

bruce_giles
Intrepid explorer

Hi Matt, that is Perfect !!  ...  thanks again, really appreciate it !!

 

Bruce

Smitty987
Intrepid explorer

Hi,

Will the agent report correctly on Oracle deployments within containers?

Thanks

Mike_Marino
Flexera

Yes it will. We run the same agent code inside containers that we do outside.

mschwach
Active participant

Hi,

thanks for the article. Very interesting.

In my Env. I've checked docker on a RHEL8 system as well as on a SLES 15 System. I've set up a simple Apache-server in a docker on both and scanned the systems too, and I know for sure, that both OS have different kind of dockerization-technology implemented.

So for them (the OS-Vendors), it is not really necessary to have the "initial docker/container-binaries or installation packs" in place. They do it somehow different.

 

RHEL8 see this article:
https://access.redhat.com/solutions/3696691


SLES15:

https://documentation.suse.com/de-de/sles/15-GA/html/SLES-all/book-sles-docker.html


It seems like the OS-Vendors have established different approaches, to achieve the same goal, and it seems that they don't need the initial docker-installation as provided by docker itself "https://docs.docker.com/engine/install/"

My question is:
How does Flexera keep up with this little "own-revolution" regarding dockerization and different techniques, to deliver a correct recognition by the Agent for those different OSes, if the initial docker installation is "missing" or is "hidden" to the Agent?

regards,

Matthias

 

PS: used Agents and FNMS-Server for my checks are on 2020 R2 - on-prem

mrichardson
Flexera

Hi @mschwach,

Building additional inventory capabilities around containers is time consuming as there are several scenarios to consider for each one; the most common being that containers are created / destroyed in very short time periods and so monitoring needs to be continuously running.

As such, while we are aware that there are multiple different container technologies in the market, the plan is to focus on the most common / most in demand technologies.  The next one we'll be focusing on is Kubernetes.

After that, we will gauge demand for other technologies and consider each on a case by case basis, the best way to submit these is through the Ideas portal.

Hope this helps.

mschwach
Active participant

Hi @mrichardson,

thanks a lot for the answer. It is sufficient for me.

Will you also pick up sub-capacity calculations in regard to IBM Kubernetes?

 

https://www.ibm.com/software/passportadvantage/containerlicenses.html

 

https://www.ibm.com/software/passportadvantage/containerfaqov.html

 

stefange
Active participant

Hi,

Is there any update in the method of inventorying Kubernetes? Will the agent perform the API calls or will it be part of the beacon?

With the support of Kubernetes, will FNMS also support OpenShift?

Stefan

ChrisG
Community Manager

As a follow-up and extension to comments in this post in relation to Kubernetes, the following new features are included in the FlexNet Manager Suite Cloud (Flexera One ITAM) June 2021 update:

Ronny_OO7
Frequent contributor

Hi Matt,

You mentioned in Sep 20:

We don't currently support Kubernetes / OpenShift, however this is something I've been asked for a lot recently so it is going to either be 1st or 2nd on the container roadmap, which means that the current expectation is they will be delivered in the first half of next year. However, we're still finalising the roadmap for Q1 and Q2 so I can't give exact release details at this point.

What is the latest status? As my customer is using:

openshift version 4 : running on RedHat CoreOS.

 

Regards

Ronald



ChrisG
Community Manager

@Ronny_OO7 - see my previous comment (just above yours) for links which describe the current capabilities (as of June 2021) that have been recently added related to Kubernetes.

I have not heard of any further work around OpenShift being released at this point. You and your customer may want to vote for the following idea to help add weight to it: FNMS-I-51 (FNMS Agent OS support : OpenShift, OpenShift Enterprise & LINUX SERVER OPENSHIFT). This idea currently has an "under consideration" status.

Ronny_OO7
Frequent contributor

Hi Chris,

Thanks for your help. I have asked the customer to vote for this.

It feels a bit weird that there were only 5 votes for this while it looks like there is a higher demand from the market.

Regards

Ronald 

darren_haehnel
Occasional contributor

Does enabling detection of Docker containers and the container software inventory have any negative effect on systems running agents that do not have Docker?  ie: once enabled, is there a new daemon monitoring the Docker engine now running on ALL agents whether they have Docker or not?  

James_Day
Flexera beginner

@darren_haehnel We recently had an issue with Docker inventory being turned on and running on RHEL 4 OS that caused a spike in CPU utilisation. The recommendation from Flexera was to ensure only a supported version of the agent for the particular OS version is deployed, i.e. a version of the agent that doesn't have Docker inventory capability.

darren_haehnel
Occasional contributor
Thank you. This is a good part of my concern. Was there any noticeable impact to your servers that are not running docker after you turned on Docker discovery?
James_Day
Flexera beginner

We have suspended the use of the Docker inventory temporarily whilst we review our version sprawl of the agent and ensure that only supported agents are deployed against the relevant OS version.

Having said that this is more an abundance of caution on my part as the only server with CPU spikes were RHEL 4. Flexera were not able to recreate the issue during the incident in their test environment.

mschwach
Active participant

we have had several issues and Cases. e.g. one was:

On Unix the FNMS Docker Scan option causes a massively growing number of defunct processes, about 3000 new entries every day, leading to system crash / reboot. As a workaround we disabled Docker scan in the FNMS GUI.

 

and also:

We have enabled Container scanning in our Env. On a system where no Docker daemon is running, the setting is trying to establish a new service which will fail to start, because dockerd is not found. On some systems it even tries to start the service every minute and will not stop. The syslog is monitored and will generate an Auto-Ticket for OS-Admins as soon as an error or failure has occurred in syslog. Therefore our Admins have received almost 700 tickets in a short period of time. The only solution was to disable Container scanning via the UI and redistribute the policy again.

 

Both issues should be solved in Version 2021R1
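
Added example (not part of the thread and not Flexera code): a host-side check for the defunct-process growth reported above, which groups zombie processes by the parent that failed to reap them so you can see whether an inventory agent is the source. The sample `ps` output is constructed and `example-agentd` is a placeholder name, not the real agent daemon name.

```shell
#!/bin/sh
# Added example: attribute defunct (zombie) processes to their parent process.

# Constructed sample in the layout of `ps -eo pid,ppid,stat,comm`.
# "example-agentd" is a placeholder, not the actual FNMS daemon name.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   systemd
  812     1 Ssl  example-agentd
  901   812 Z    sh
  902   812 Z    sh
  903   812 Z+   sh
 1200     1 Ss   sshd
 1250  1200 Z    bash
 1300     1 S    cron'

# Reads ps output on stdin and prints "<zombie count> <ppid> <parent command>"
# for every parent holding zombies, highest count first.
zombies_by_parent() {
    awk '
        NR == 1 { next }              # skip the header line
        { name[$1] = $4 }             # remember the command of every pid
        $3 ~ /^Z/ { count[$2]++ }     # a STAT starting with Z means defunct
        END {
            for (p in count)
                printf "%d %s %s\n", count[p], p, ((p in name) ? name[p] : "?")
        }' | sort -k1,1nr -k2,2n
}

# Succeeds (exit 0) when any single parent holds at least $1 zombies.
# The default of 100 is an assumed threshold; tune it for your hosts.
zombie_alert() {
    threshold=${1:-100}
    zombies_by_parent |
        awk -v t="$threshold" '$1 >= t { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Demo on the constructed sample.
# On a live host use: ps -eo pid,ppid,stat,comm | zombies_by_parent
printf '%s\n' "$SAMPLE_PS" | zombies_by_parent
```

Running `zombie_alert` from cron before and after enabling Container scanning gives a baseline to compare against, so a leak shows up well before it reaches the thousands of entries described in the comment.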