A Docker container image is a package of all the scripts, software, runtime, system tools, libraries, and configuration required to run an application. A container image can be launched as a Docker container in a lightweight isolated environment using the Docker Engine. Like virtual machines, containers isolate resources. However, while virtual machines abstract hardware and run individual operating system kernels, containers make it possible to run multiple isolated applications on a single operating system kernel instance. Therefore, containers eliminate the weight of a hypervisor by executing directly on the Linux or Windows kernel.
The simplicity of deployment, portability to any system, repeatability, efficient execution, and isolation are making container technology extremely popular in the enterprise. The concept of containerization did not originate with Linux; AIX Workload Partitions (WPAR) and Solaris Zones came before it. However, Docker has provided a far more complete ecosystem.
Support for gathering inventory of Docker containers and of the container images running on Linux was introduced in the recent FlexNet Manager Suite 2020 R1 release. In this initial phase, our aim (as described in a previous blog post, "Discovery and Inventory of Docker Containers in FlexNet Manager Suite 2020 R1") is to provide visibility of running containers, the container images, and the recognized software within these images.
This new capability has introduced a new component to the Linux FlexNet inventory agent: Flexera’s Docker tracker. Docker tracker is responsible for monitoring the Docker Engine to discover containers as they start and stop. Further to this, it is responsible for gathering raw evidence from container images.
In the initial path chosen for inventorying Docker container images, Docker tracker waits for a container executing the image to be launched and performs a zero-footprint inventory on the executing container – in other words, there is no need for particular software to be pre-installed or specially configured inside the container. The inventory gathering process involves the following steps:
- Copy the lightweight inventory scanner, ndtrack.sh, into the container’s file system
- Use the Docker Engine to execute ndtrack.sh within the container to gather inventory for the container’s image
- Copy the resulting ndi inventory file out of the container into the inventory agent “upload” folder on the Docker host
- Upload the ndi inventory files generated for both the container images and the host to the FlexNet Manager servers.
This is illustrated in the following diagram:
By performing a zero-footprint inventory, the full capability of the FlexNet inventory agent is used to gather all types of raw installation evidence from each container image.
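The first three steps of the procedure above (copy in, execute, copy out), as an added sketch that is not Flexera's code: the scanner here is a constructed stand-in for ndtrack.sh, the `/tmp/.inv_scan.*` paths and the `.inv` output name are assumptions, and the upload step is left out.

```shell
#!/bin/sh
# Added example. The scanner below is a constructed stand-in, NOT ndtrack.sh.
# The caller needs access to the Docker Engine; the image must contain a shell.

# write_scanner PATH: create the stand-in scanner that lists package evidence.
write_scanner() {
    cat > "$1" <<'EOF'
#!/bin/sh
if command -v rpm >/dev/null 2>&1; then rpm -qa --qf '%{NAME} %{VERSION}\n'
elif command -v dpkg-query >/dev/null 2>&1; then dpkg-query -W -f '${Package} ${Version}\n'
elif command -v apk >/dev/null 2>&1; then apk info -v
else echo "no known package database" >&2; exit 1
fi
EOF
}

# inventory_container CONTAINER OUTDIR: copy in, execute, copy out, clean up.
inventory_container() {
    cid=$1; outdir=$2
    scanner=$(mktemp) || return 1
    write_scanner "$scanner"
    # Name the result after the image ID: the evidence describes the image.
    image=$(docker inspect --format '{{.Image}}' "$cid") || { rm -f "$scanner"; return 1; }
    out="$outdir/$(printf %s "$image" | tr -c 'A-Za-z0-9' '_').inv"
    docker cp "$scanner" "$cid:/tmp/.inv_scan.sh" &&                      # copy in
    docker exec "$cid" sh -c 'sh /tmp/.inv_scan.sh > /tmp/.inv_scan.out' &&  # run
    docker cp "$cid:/tmp/.inv_scan.out" "$out"                            # copy out
    rc=$?
    # Zero footprint: remove everything that was copied or created inside.
    docker exec "$cid" rm -f /tmp/.inv_scan.sh /tmp/.inv_scan.out || :
    rm -f "$scanner"
    return "$rc"
}

# Stand-alone use: sh this-file CONTAINER OUTDIR
if [ "$#" -eq 2 ]; then inventory_container "$1" "$2"; fi
```

The function returns non-zero and writes no result when the container has no shell or no recognised package database, so such images show up as inventory failures rather than as empty inventories.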
To present the information obtained by the agent, several new UI elements have been introduced into FlexNet Manager. The Discovery & Inventory > All Containers view displays information about all the container hosts, the Docker images on those hosts, and the containers created using those Docker images:
From here, a user can drill down into a container image’s properties:
These image properties include a list of all the applications identified by the Application Recognition Library (ARL) from software evidence gathered from the image:
Another tab highlights the evidence used to identify those applications. It is worth noting in this example that it includes not just the RPM evidence of the containerized Linux operating system, but also the custom Oracle Universal Installer (OUI) technology used to install many Oracle applications. This evidence, amongst others, is specifically identified and reported by the FlexNet inventory agent.
It is also possible to open an inventory device’s properties and see all the Docker containers running on that device.
This is an initial capability for working with containers. As always, there is still more work that can be done. Let us know in comments on this post about what additional capabilities you’d like to see – some potential capabilities under consideration include:
- Support for Windows Docker containers
- Gathering inventory from container management infrastructure such as Kubernetes
- Static analysis of container images without the need to run images
- Considering software running within containers when calculating license consumption
We hope you enjoy this early Docker container support and we look forward to your feedback!