Container Image scan feature - Support and Troubleshooting

Container Image scan feature Description Overview:

Discover image OS packages using trivy tool and map image OS packages to its containers. Identify suitable CI class for image based on image command details.

create application record per container and enrich application record using container environment variables.

Release:

This feature is available in the following release.

SR - ITOM - Discovery and Service Mapping - 202302

Prerequisites:

The family version should be Utah or later. Tokyo or the prior family versions won't support this feature Once discovery is completed to enable image scan set the system property to true " sn_itom_pattern.container_image_scan ". The default value is false. Trigger Docker and Kubernetes discovery. Download and import trivy uploaded file sa_uploaded_file_8d3db62c530301103e76ddeeff7b129c.xml

Description:

Existing docker and kubernetes patterns are enhanced to collect container environment variables.

The " Scan Container Images " scheduled job runs periodically and do the following

create a new record for each cmdb_ci_oslv_image CI in a table sn_itom_pattern_container_image_scan_status. Adding records in image scan status can be configured using the system property "sn_itom_pattern.container_image_batch_size" Will trigger a Scan Container Image pattern for scan_status is "none" records in sn_itom_pattern_container_image_scan_status and update scan_status from "none" to "in_progress". The number of images that can be scanned in each batch can be configured using the system property " sn_itom_pattern.container_image_batch_size " and the default value is 10 To trigger a Scan Container Image , The MID is selected based on a new capability called " Scan Container Images ". Note that Trivy runs only on Linux, so we should limit our MID selection to Linux Hosts which means "Host Os" equals "Linux". " Scan Container Image " pattern runs the Trivy tool and returns a payload containing installed packages and additional information on the image (architecture, os, os_family, os_version, command). Once the payload arrives at the instance, we update some fields on cmdb_ci_docker_image and update the scan status of the image from in_progress to scanned /error. And update an additional table that describes the OS packages associated with the image (sn_itom_pattern_container_image_os_packages). Note:

By default, the " Scan Container Images " scheduled job runs every 1 minute. If the " Scan Container Image" pattern fails with the error and message containing " TOOMANYREQUESTS: You have reached your pull rate limit " then do the following:

Modify Scan Container Images schedule Job frequency to longer intervals (maybe 6 hours or more) which optimally works for you. Modify scan_status from " error " to " none " in sn_itom_pattern_container_image_scan_status for which images scan failed with TOOMANYREQUESTS error. If scan_status is changed from error to none, the Schedule job picks this image and triggers the " Scan Container Image " pattern. This feature uses the following pre-post script along with Scan Container Image pattern flow:

Pre-sensor scripts:

Handle scanned container images: Collects information on software packages and script inserts to sn_itom_pattern_container_image_os_packages information about packages associated with the current image. If trivy command in the pattern returns an error then will update the error message as a message in the sn_itom_pattern_container_image_scan_status table. Post-sensor scripts:

UpdateImageCIClass: Will update the ci_class field in sn_itom_pattern_container_image_scan_status based on image command details. Uses the existing ADM logic to map a process command to an application class. Update Image OS Packages To Containers: Process all containers that use a given image. Per each container, add the installed packages and application CIs Prepare a map of software packages for this image based on sn_itom_pattern_container_image_os_packages Apply the packages to each of the containers If the application class is detected, we also create application Cis and relate it to the hosting container with runs::runs on the relation Update Container image Scan Status: Will update the image scan status to in_progress to scanned /error based on trivy command execution in the pattern. Note:

1. Currently, we support only those container images does not require authentication.

2. trivy command errors are populated in the message column in sn_itom_pattern_container_image_scan_status.

3. EnrichMSSQLcontainer - MSSQL records are enriched using container environment variables

The " Update installed packages and application CIs in containers " scheduled job runs periodically and do the following

Process a batch of newly created containers. Process all containers that use a given image. Per each container, add the installed packages and application CIs based on the results of container image scanning Prepare a map of software packages for this image based on sn_itom_pattern_container_image_os_packages Apply the packages to each of the containers

Model Diagram:

Tables:

cmdb_container_environment_variables Extends: cmdb_key_value Fields: Container : Reference [cmdb_ci_oslv_container], 32 Key: String, 255 Value: String, 255

sn_itom_pattern_container_enrich_scripts Extends: sys_metadata Fields: Active: Boolean, default is true Ci_type: string 255 Order: integer, default 0 Script: Script (Server side) – default is a comment explaining the expected input and output sn_itom_pattern_container_image_os_packages Fields:

Image : Reference, cmdb_ci_oslv_image ,255 Package Name : String, 255 Package Version : String, 255 Package Maintainer : String, 255

sn_itom_pattern_container_image_scan_status Fields:

last_scan : time field scan_status : Choice list None (empty value) In Progress Scanned Error Skipped Ci_class: string, 512 characters Image: Reference to cmdb_ci_oslv_image Message: String 1000 characters Discovery status: Reference, discovery_status

Know Issues:

Number

DEF0364182