Problem

I would like to do the following:

  1. Create an image with Trivy and Docker installed
  2. Run the container on Kubernetes
  3. Schedule a CRON job to pull all images from a container registry and to scan them, and output the results to stdout

Question

Is there a smart way to do this? Can you even install docker within a docker container?

Esben Eickhardt
  • You should assume you can't install Docker or run `docker` commands in a container, especially if you're targeting Kubernetes (it is either incredibly complex or incredibly insecure, and Kubernetes doesn't necessarily allow the options that it would require). What have you tried so far? Is there a specific problem you're encountering, with a source-code fragment that demonstrates it? – David Maze May 16 '22 at 13:19
  • I have tried running docker-in-docker (dead-end because of security), I have tried running podman in a docker container (doesn't work), I have looked for ways to download images from a container registry without using docker (doesn't exist, all examples suggest docker save). There must be a way to pull docker images without the need for a docker daemon! – Esben Eickhardt May 16 '22 at 13:33
  • The [Registry HTTP API](https://docs.docker.com/registry/spec/api/) is documented. – David Maze May 16 '22 at 14:03

1 Answer

I ended up doing the following:

  1. Creating an image with Trivy and Skopeo installed
  2. Downloading the docker images with Skopeo
    • `skopeo copy --src-creds=user:password --dest-compress --src-tls-verify=false docker://myrepo.com/mynamespace/ubuntu:latest oci:ubuntu`
  3. Scanning the image
    • `trivy image --input ubuntu`

An alternative to Skopeo would be to use the Registry HTTP API to download images as suggested by David Maze.

Esben Eickhardt
  • Really nice solution, one additional piece of info for people like me looking around for this. Registry in this format for Docker Hub is registry.hub.docker.com. library is the namespace for those directly released by Docker Hub. – autarch princeps Feb 06 '23 at 14:09
  • Thanks :) One has to be pragmatic working in IT! – Esben Eickhardt Mar 21 '23 at 04:13
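The answer gives the two commands but not the scheduled loop the question asked for. The script below is an added example, not code from the answer's author: it wraps the same skopeo-copy-then-trivy steps into a small POSIX shell script that the container image of a Kubernetes CronJob can run on a schedule, writing everything to stdout so the pod log carries the results. Assumed, and not taken from the post: skopeo and trivy are present in the image; `REGISTRY`, `NAMESPACE`, `REG_USER` and `REG_PASS` are injected as environment variables (for example from a Secret); the `repo:tag` list to scan is passed as arguments. The answer's `--src-tls-verify=false` is deliberately not carried over, so registry TLS verification stays on.

```shell
#!/bin/sh
# Added example (not from the original answer): scan a list of images from a registry
# on a schedule using skopeo (pull to OCI layout) and trivy (scan the layout).
# Assumed environment: REGISTRY, NAMESPACE, REG_USER, REG_PASS; skopeo and trivy on PATH.
set -eu

REGISTRY="${REGISTRY:-myrepo.com}"        # assumed registry host (from the answer's example)
NAMESPACE="${NAMESPACE:-mynamespace}"     # assumed namespace
WORKDIR="${WORKDIR:-/tmp/scan}"           # scratch directory for the OCI layouts
SEVERITY="${SEVERITY:-HIGH,CRITICAL}"     # severities that make a scan count as failed

# Map "ubuntu:latest" (or "team/app@sha256:...") to a filesystem-safe layout directory name.
oci_dir_name() {
  printf '%s\n' "$1" | sed 's#[/:@]#_#g'
}

# Full transport reference for a repo:tag under the configured registry and namespace.
remote_ref() {
  printf 'docker://%s/%s/%s\n' "$REGISTRY" "$NAMESPACE" "$1"
}

# Pull one image into a local OCI layout with skopeo, then scan that layout with trivy.
# Credentials come from the environment rather than a literal on the command line, TLS
# verification is left on, and trivy exits 1 when findings at the selected severities exist.
scan_one() {
  dir="$WORKDIR/$(oci_dir_name "$1")"
  rm -rf "$dir"
  skopeo copy --src-creds="${REG_USER:?}:${REG_PASS:?}" --dest-compress \
    "$(remote_ref "$1")" "oci:$dir" &&
  trivy image --input "$dir" --severity "$SEVERITY" --exit-code 1 --no-progress
}

# Scan every image given on the command line, keep going after a failing one, and print a
# summary line. Returns the number of failed images (0 = all clean), capped at 255 so the
# value is usable as the job's exit status.
scan_all() {
  failed=0
  for img in "$@"; do
    echo "=== $img ==="
    scan_one "$img" || failed=$((failed + 1))
  done
  echo "images with findings or errors: $failed of $#"
  [ "$failed" -lt 255 ] || failed=255
  return "$failed"
}

# Run only when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
  mkdir -p "$WORKDIR"
  scan_all "$@"
fi
```

Invoked as `scan.sh ubuntu:latest app:1.4 app:1.5` from the CronJob's `command`, the script leaves one OCI layout per image under `WORKDIR` and exits non-zero when any image had HIGH or CRITICAL findings, which makes the failed Job visible in `kubectl get jobs`. The tag list can be produced ahead of time with `skopeo list-tags docker://host/ns/repo` or from the Registry HTTP API mentioned in the comments; the script itself stays agnostic about where it comes from.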