Checking a local container (instead of a container in a registry)
fhennig opened this issue · 3 comments
Is your feature request related to a problem? Please describe.
We would like to check container builds in a CI, before we push them. A container should only be published if the preflight check succeeds. Pushing a container that later turns out to be non-compliant is not good.
Describe the solution you'd like.
It seems like preflight always tries to pull containers. I'd like a way for it to check locally if the image is already present.
Describe alternatives you've considered.
Additional context.
- Relates: #593
@fhennig Thanks for creating this issue. preflight uses crane as the container tool, and that tool requires that the image be in a container registry. One option that could be added to your CI is to create a registry local (on the same machine) to where you are running preflight.
You could do this with podman something like the below:
```
sudo mkdir -p /var/lib/registry
sudo podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always registry:2
# Open registries.conf and set the location of the local registry:
sudo nano /etc/containers/registries.conf
#   location = "localhost:5000"
sudo systemctl restart podman
podman push localhost:5000/my-custom-container:v1.0.0 --tls-verify=false
# note: the insecure flag can't be used with submit
preflight check container localhost:5000/my-custom-container:v1.0.0 --insecure
```
I hope the above helps.
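The workaround above written as a CI gate, as an added example that is not part of the original comment or of the preflight project. The function names and the remote registry `registry.example.com` are assumptions; it disables TLS verification only for a loopback registry and publishes only after the preflight check succeeds.

```bash
#!/usr/bin/env bash
# Added example (not from the issue thread). Image names are constructed.

# Succeeds only if the registry host of an image reference is loopback,
# so --tls-verify=false / --insecure are never used against a remote registry.
is_loopback_ref() {
  local host="${1%%/*}"   # "registry[:port]" part before the first "/"
  case "$host" in
    localhost|localhost:*|127.0.0.1|127.0.0.1:*|\[::1\]|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# gate_publish IMAGE LOCAL_REF REMOTE_REF
# Returns 0 when published, 2 when LOCAL_REF is not a loopback registry,
# 3 when the preflight check fails, 1 on any other podman error.
gate_publish() {
  local image="$1" local_ref="$2" remote_ref="$3"

  if ! is_loopback_ref "$local_ref"; then
    echo "refusing insecure push to non-loopback registry: $local_ref" >&2
    return 2
  fi

  # Stage the build in the local registry so preflight can pull it.
  podman tag "$image" "$local_ref" || return 1
  podman push --tls-verify=false "$local_ref" || return 1

  if ! preflight check container "$local_ref" --insecure; then
    echo "preflight failed; not publishing $remote_ref" >&2
    return 3
  fi

  # Only a checked image reaches the real registry; TLS verification stays on.
  podman tag "$image" "$remote_ref" || return 1
  podman push "$remote_ref"
}
```

Starting the staging registry with `-p 127.0.0.1:5000:5000` instead of `-p 5000:5000` keeps it reachable only from the CI host itself.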
Thanks for your quick response!
I see in the ticket you linked that enabling this would require some fundamental changes, that's unfortunate. Thanks for the workaround. I'll see how we'll move forward! 👍