redhat-openshift-ecosystem/openshift-preflight

Checking a local container (instead of a container in a registry)

fhennig opened this issue · 3 comments

Is your feature request related to a problem? Please describe.

We would like to check container builds in a CI, before we push them. A container should only be published if the preflight check succeeds. Pushing a container that later turns out to be non-compliant is not good.

Describe the solution you'd like.

It seems like preflight always tries to pull containers; I'd like a way for it to check locally if the image is already present.

Describe alternatives you've considered.

Additional context.

@fhennig Thanks for creating this issue. preflight uses crane as the container tool, and that tool requires that the image be in a container registry. One option that could be added to your CI is to create a local registry (on the same machine where you are running preflight).

You could do this with podman something like the below:

```shell
# Create storage for the registry and start a registry:2 container on port 5000
sudo mkdir -p /var/lib/registry
sudo podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always registry:2

# Add an entry for the local registry to the podman registries configuration
sudo nano /etc/containers/registries.conf
```

Entry to add in `/etc/containers/registries.conf`:

```
location = "localhost:5000"
```

Then restart podman, push the image to the local registry, and point preflight at it:

```shell
sudo systemctl restart podman

# The local registry has no TLS, so skip verification on push
podman push localhost:5000/my-custom-container:v1.0.0 --tls-verify=false

# --insecure lets preflight talk to the plain-HTTP local registry
preflight check container localhost:5000/my-custom-container:v1.0.0 --insecure
```

(note the insecure flag can't be used with submit)

I hope the above helps.
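The workaround above, turned into a CI gate: build locally, push to a throwaway local registry, run `preflight check container` against it, and push to the real registry only if the check passes. This is an added example, not code from the preflight project; the registry names, image name and the `PODMAN`/`PREFLIGHT` command variables are assumptions so the tools can be swapped out.

```shell
#!/bin/sh
# Added example: gate publication of a locally built image on a preflight pass.
# Assumes podman and preflight are on PATH and the image was already built as
# "$IMAGE_NAME:$IMAGE_TAG". PUBLIC_REGISTRY is a placeholder, not a real target.
set -eu

LOCAL_REGISTRY="${LOCAL_REGISTRY:-localhost:5000}"
PUBLIC_REGISTRY="${PUBLIC_REGISTRY:-registry.example.invalid/my-org}"
IMAGE_NAME="${IMAGE_NAME:-my-custom-container}"
IMAGE_TAG="${IMAGE_TAG:-v1.0.0}"
PODMAN="${PODMAN:-podman}"          # command used for tag/push (swappable)
PREFLIGHT="${PREFLIGHT:-preflight}" # command used for the check (swappable)

# Start the local registry once; reuse it if the container already exists.
start_local_registry() {
  if ! "$PODMAN" container exists registry 2>/dev/null; then
    "$PODMAN" run -d --name registry -p 5000:5000 --restart=always registry:2 >/dev/null
  fi
}

# Retag the local build for the local registry and push it there.
# --tls-verify=false because the throwaway registry serves plain HTTP.
# Prints the pushed reference so the caller can hand it to preflight.
push_to_local() {
  local_ref="$LOCAL_REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
  "$PODMAN" tag "$IMAGE_NAME:$IMAGE_TAG" "$local_ref"
  "$PODMAN" push --tls-verify=false "$local_ref"
  echo "$local_ref"
}

# Run preflight against the local copy. --insecure is required for the
# plain-HTTP registry and cannot be combined with --submit, so no submission
# happens at this stage; the exit status is the gate.
run_preflight() {
  "$PREFLIGHT" check container "$1" --insecure
}

# Publish to the real registry only when preflight passed. Returns 0 when
# published and 1 when the image was blocked.
gate_and_publish() {
  if run_preflight "$1"; then
    public_ref="$PUBLIC_REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
    "$PODMAN" tag "$1" "$public_ref"
    "$PODMAN" push "$public_ref"
    echo "published $public_ref"
    return 0
  fi
  echo "preflight failed for $1; not publishing" >&2
  return 1
}

# Set RUN_PIPELINE=1 in the CI job to execute the whole gate.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  start_local_registry
  gate_and_publish "$(push_to_local)"
fi
```

Because `--insecure` rules out `--submit`, a submission to Red Hat (if wanted) has to be a separate step run against the published, TLS-served image.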

Thanks for your quick response!

I see in the ticket you linked that enabling this would require some fundamental changes; that's unfortunate. Thanks for the workaround, I'll see how we'll move forward! 👍