Control and Automation against containers on target host


#1

Hi,

I’ve configured a control policy to execute custom automation when containers are discovered within the Container Provider (Openshift).

I would like to the automation to execute a script against the newly discovered container.

I can pull back the container parameters, such as:

$evm.root['container_image'].name
$evm.root['container_image'].image_ref
$evm.root['container_image'].environment_variables

I used object_walker to identify what I needed.

I can instantiate scripts using awesome_spawn, pass variables, and read back output.

The issue I have is trying to execute a script against a target host where the container is running. I'm assuming it's possible, as SmartState scanning is able to schedule a container on target hosts and inspect discovered containers.

I’m trying to perform compliance scanning of containers.

Any ideas/thoughts/guidance would be much appreciated.


#2

Hi,
If I understood it correctly, you are trying to run a custom (shell) script on the container node of the newly discovered container, through the same mechanism that SmartState analysis uses?

  1. I couldn't find any clue that SmartState can be extended beyond what the product can do out of the box (although I haven't searched very long)

  2. Apparently SmartState analysis in Openshift and on VMs are two completely separate things (Chapter 10 and 10.1.4 https://access.redhat.com/documentation/en-us/reference_architectures/2017/html/deploying_cloudforms_at_scale/smartstate_analysis)
    VM: Since SmartState is running on a mounted snapshot, there won't be any running containers or container daemon, and any changes made by the script will be removed with the snapshot
    Containers: It is probably easier to write your own service, than to hack your way into that

  3. Any script running with awesome_spawn will always run in your ManageIQ Appliance. And you would have to somehow get your script over the network to the container node yourself (e.g. over SSH) or do it completely through APIs you can call remotely (e.g. the oc-command)

I would try one of the following approaches:

  1. Have you considered using ansible for that? It sounds like a perfect match to me. If you have SSH keys already in place, it should be pretty straightforward to get your script running on the container node, and if you don't have Embedded Ansible configured in ManageIQ, you can just call it from the CLI through awesome_spawn.
  2. Run a small Application on Openshift, which does the scanning for you and just do a REST Call from Automate.
    I think it should be fairly doable, however I know Openshift mostly from Webinars, so don’t trust me on this

Disclaimer: We do not have Openshift in our environment, and I have never tried anything like that before. Therefore I am just guessing, with a little help from the documentation and google :slight_smile:

Regards
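Added example (not part of either post above): whichever route is taken, approach 1 in #2 ends with the Automate method handing container metadata from $evm.root (image name, image_ref, environment variables) to a command that runs on the node over SSH. That metadata is written by whoever pushed the image, so it has to be treated as untrusted input when the command line is built. The Ruby below shows the interpolated command string that gets hijacked by a crafted image name beside the argv/Shellwords form that does not. It uses Open3 from the standard library in place of awesome_spawn so it runs with a stock Ruby; the scanner script path, the scanner user, the node name and the hostile image name are all constructed for the example.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample input: an image name carrying a shell metacharacter,
# which anyone able to push to the registry could arrange.
HOSTILE_IMAGE = 'nginx:latest; echo INJECTED'
IMAGE_REF     = 'sha256:0123456789abcdef'          # constructed
SCAN_SCRIPT   = '/usr/local/bin/scan_container.sh' # hypothetical script on the node

# Run an argv array locally with no shell in between. AwesomeSpawn.run does
# the same underneath (its :params array maps onto argv); Open3 is used here
# so the example has no gem dependency.
def run_argv(argv)
  out, err, status = Open3.capture3(*argv)
  { stdout: out, stderr: err, exit_status: status.exitstatus }
end

# UNSAFE: container metadata interpolated into a command string. Once the
# string reaches a shell (sh -c here, the remote login shell via sshd on the
# node) the ';' in the image name terminates printf and runs what follows.
def unsafe_shell_command(image_name)
  ['sh', '-c', "printf '%s|' #{image_name}"]
end

# SAFE: every value stays a single argv element, and when a shell cannot be
# avoided each element is escaped with Shellwords before being joined.
def safe_shell_command(image_name)
  ['sh', '-c', Shellwords.join(['printf', '%s|', image_name])]
end

# The scan command for the node the container runs on. ssh passes the
# command to the remote user's shell, hence the Shellwords.join. User,
# script path and ssh options are assumptions for this example.
def scan_over_ssh_argv(node, image_name, image_ref, script: SCAN_SCRIPT, user: 'scanner')
  remote = Shellwords.join([script, '--image', image_name, '--ref', image_ref])
  ['ssh', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=yes',
   "#{user}@#{node}", '--', remote]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{run_argv(unsafe_shell_command(HOSTILE_IMAGE))[:stdout].inspect}"
  puts "safe:   #{run_argv(safe_shell_command(HOSTILE_IMAGE))[:stdout].inspect}"
  puts "ssh:    #{scan_over_ssh_argv('node01.example.internal', HOSTILE_IMAGE, IMAGE_REF).inspect}"
end
```

The unsafe form prints `nginx:latest|INJECTED`, i.e. the injected `echo` ran; the safe form prints the whole image name as one literal argument. In a real Automate method the local call would be `AwesomeSpawn.run('ssh', :params => [...])` with the same argv array, and the remote string should still be built with Shellwords, because quoting is lost at the second shell, not the first. The same applies to environment_variables: never splice them into a command line; write them to a file on the node or pass them on stdin.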