Red Hat base image - list packages installed in an image with "rpm", without running it

Time:11-15

Our org builds apps based on some Red Hat base images, and we find that rpm -qa can be used to check installed system packages and run security checks. Here "packages" means system libs, like libxml2 or expat. (For software dependencies we have Maven.) From the Dockerfiles, we know that they are not downloading sources and installing from them, so in theory all packages are detected by rpm.

Some of them always point to latest, so I have to check regularly to make sure which package is at which level. I need to automate this.

When it's impossible to run the image first (for example, when the entrypoint is defined as java -jar), I cannot easily run the container and run rpm -qa. I have to create a project, create a main class doing some long-running job, set all the things in the Maven jib plugin, build and run it, and docker exec xxx rpm -qa. It's inconvenient.

I have tried dive; I see things but I cannot view the content. I can docker save -o foo.tar and try to extract files from there, but it's inconvenient. Besides, I am not aware of any file containing a list of installed packages. Is there any?

Tried docker history, not very helpful.

I would like a feature from docker to list all packages and versions, for vulnerability checks, delegating the listing of packages to rpm or dpkg (for Ubuntu-based images, maybe in the future) depending on the availability of either one of them.

The Dockerfile can be inaccessible if the image comes from some remote registry. It needs to analyze the binary.

CodePudding user response:

If the default ENTRYPOINT of a given image is in your way for a particular operation, you can unilaterally decide to change it to whatever you want at run time, or even drop it entirely.

In your particular case, this should do the trick:

docker run -it --rm --entrypoint '' <your_image> rpm -qa

Change the final command to the one you need. You can even run bash and interactively enter your own set of commands to inspect.
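As an added example (not from the question or the answer above), a POSIX shell script that automates the --entrypoint '' trick, falls back to dpkg for Debian-based images, adds a variant that never starts a process from the image, and diffs two snapshots so version drift behind a "latest" tag stands out. It assumes the docker CLI on the host, a /bin/sh in the image, and, for the offline variant, a host rpm that can read the image's rpmdb format; the image name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page). Assumes: docker CLI on the host, /bin/sh in the
# image, and, for the offline variant, a host rpm that can read the image's rpmdb format.
set -eu

# Inventory an image by clearing its ENTRYPOINT (the trick from the answer above) and
# delegating to rpm or dpkg, whichever the image ships. Output: "name<TAB>version", sorted.
list_image_packages() {
  docker run --rm --entrypoint '' "$1" sh -c '
    if command -v rpm >/dev/null 2>&1; then
      rpm -qa --qf "%{NAME}\t%{VERSION}-%{RELEASE}.%{ARCH}\n"
    elif command -v dpkg-query >/dev/null 2>&1; then
      dpkg-query -W -f "\${Package}\t\${Version}\n"
    else
      echo "image has neither rpm nor dpkg" >&2; exit 2
    fi' | sort
}

# Variant that never starts the container: create it, copy the rpm database out,
# and query that copy with the host rpm (rpm -qa --dbpath). Nothing from the image executes.
list_image_packages_offline() {
  cid=$(docker create "$1")
  tmp=$(mktemp -d)
  docker cp -L "$cid:/var/lib/rpm" "$tmp/rpm"
  docker rm "$cid" >/dev/null
  rpm -qa --dbpath "$tmp/rpm" --qf "%{NAME}\t%{VERSION}-%{RELEASE}.%{ARCH}\n" | sort
  rm -rf "$tmp"
}

# Compare two snapshots ("name<TAB>version" per line) and report ADDED, REMOVED and
# CHANGED packages. Uses FILENAME == ARGV[1] instead of NR == FNR so that an empty
# first snapshot (the very first run) is handled correctly.
diff_packages() {
  awk -F '\t' '
    FILENAME == ARGV[1] { old[$1] = $2; next }
    {
      if (!($1 in old))       print "ADDED\t" $1 "\t" $2
      else if (old[$1] != $2) print "CHANGED\t" $1 "\t" old[$1] " -> " $2
      delete old[$1]
    }
    END { for (n in old) print "REMOVED\t" n "\t" old[n] }' "$1" "$2"
}

# Usage (placeholder image name; not run here):
#   list_image_packages registry.example/app-base:latest > today.tsv
#   diff_packages yesterday.tsv today.tsv
```

Run the snapshot on a schedule and keep the previous TSV; a non-empty diff is the signal that a base image behind a floating tag changed underneath you.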
