How imgtrack Works
imgtrack is a Bash shell script invoked on the command line of any Linux computer meeting its requirements. It is a utility whose job is to arrange for the execution of the FlexNet Inventory Scanner in a context where it can access the file system content of a container image, without interfering with any container running in a production environment.
To do this, imgtrack derives an image (the derived image) from the source image that is the target for inventory collection. The derived image is created in the standard Docker way, by adding a layer to a copy of the source image, where the extra layer in this case contains the FlexNet Inventory Scanner and related files. The entry point for the derived image (that is, the process invoked when a container is instantiated from the image and run) is to run the FlexNet Inventory Scanner.
Both the derived image and any container run from it are short-lived – both are destroyed when the inventory process is completed. Of course, this does not affect the source image in any way.
imgtrack image [options]
The script then performs the following operations:

1. Optionally, pull the source image: If the --pull option was specified, the target image can be pulled from the registry. This requires that the credentials used to run imgtrack have read permissions from the registry, and that the operator has logged into the repository (if it requires authentication) before invoking imgtrack (since, to avoid setting authentication parameters on the command line, imgtrack does not support logging in to any registry).

2. Load image metadata: imgtrack uses the docker inspect command to collect metadata including both the image ID and the Repo Digest from Docker (for details, see Identifying Container Images). This also verifies that the source image exists in the local Docker image index – if this command fails, it is a fatal error for this run of imgtrack.

3. Locate ndtrack source: The --from-ndtrack option may be used to specify a custom installation of the FlexNet Inventory Scanner (ndtrack.sh) already existing on the local Linux device (or less commonly, perhaps, the --local-ndtrack option may point to use of the installation in the default location on this device). These options, and the related installations, are not mandatory, since the imgtrack script includes a tarball of ndtrack.sh with its platform-related versions of the ndtrack inventory component.

4. Determine ndtrack platform: The imgtrack script uses the uname utility on the host (the local Linux device where the script is running) to determine which platform-specific version of ndtrack must be run. Then imgtrack runs a container from the source image where it uses the ldd command to determine which implementation (if any) of the C standard library is available.

   Tip: No other software is run in this container, and it is removed immediately after the check for the C library. You may, instead, bypass this check on the C library implementation using the --libc-variant option to specify the implementation that is available.

5. Create working directory: imgtrack requires several temporary files during operation, and uses the mktemp utility to create a work directory (and subdirectories) to hold these. The work directory (and subdirectories, and contents) are by default deleted before imgtrack exits (even with an error), although you may prevent that clean-up with the --no-cleanup-files option.

6. Extract ndtrack into working directory: Using the appropriate tarball selected at step 3, imgtrack installs the platform-specific version of ndtrack ready to collect software inventory.

7. Search for InventorySettings.xml: The InventorySettings.xml, as updated from time to time with the downloads of the Application Recognition Library, extends the inventory-gathering functionality of ndtrack especially in areas like Oracle and Microsoft inventory. The script looks for this valuable file in the default installation folder (on this Linux device), or in the path specified with the --inventorysettings-path option.

8. Construct Dockerfile: This manifest instructs Docker on how to build an image. This takes the source image as a base, adding a layer for ndtrack and InventorySettings.xml, and configures the command line for ndtrack.

   Tip: Because ndtrack requires that it runs as the root user, imgtrack explicitly sets the user to root in the Dockerfile.

   To inspect the Dockerfile, run imgtrack with the --no-cleanup-files option. Although the file name (created with mktemp) is unpredictable, the file is contained within the work directory.

9. Build derived image: imgtrack now uses the docker build command to build the derived image. Several labels are applied to the image at build time (see Labels for the Derived Image for details). To review the derived image without instantiating a container, use the --build-only option, which causes imgtrack to exit at this point without deleting the derived image.

10. Run container from derived image: imgtrack now uses the docker run command to instantiate and run a container based on the new derived image. The container executes the ndtrack component, which collects software inventory from inside the container, saving the results in an .ndi file. Normal practice is to specify the --beacon option, so that the tracker can upload the .ndi file as soon as it is ready to the inventory beacon at that URL.

    Tip: This requires that the container must be attached to a network that can access the inventory beacon. Use the --network option to specify a suitable Docker network to which the container is attached.

    If the inventory beacon serves over HTTPS, the CA certificate bundle needed to verify the inventory beacon's certificate must be available in the container. If the source image provides the needed certificate bundle, no further action is needed. If the source image does not supply an appropriate certificate bundle, it can be injected into the derived image using the --ca-certificates option.

11. Copy inventory into host directory: If the --output-dir option was set to a directory on the host system, imgtrack copies the saved .ndi file into the final directory on the host given in the option's value. This option may be used in addition to the beacon upload option, but at least one of the two should be used.

12. Delete derived image: By default, imgtrack arranges for clean-up after the container terminates by using the --rm option to the docker run command. This removes both the derived image and the work directory (along with all the files in it, of course). To retain artifacts for inspection, troubleshooting, or evaluation, see the various --no-cleanup-* options – after which the preserved artifacts need to be deleted manually.
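
The C library check, the work directory and the Dockerfile construction described above, sketched as an added example that is not imgtrack's own code. The function names, the scanner/ directory, the /opt/example-scanner path and the sample image reference are assumptions, and the ndtrack command-line arguments are left out because this page does not list them.

```bash
#!/bin/sh
# Added sketch, not imgtrack's own code. Function names, the scanner/
# directory and /opt/example-scanner are assumptions for illustration.

# C library check: classify the text that `ldd --version` prints inside
# the source image.
classify_libc() {
    case "$1" in
        *musl*)                echo musl ;;
        *GLIBC*|*"GNU libc"*)  echo glibc ;;
        *)                     echo unknown ;;   # no ldd, or unrecognized
    esac
}

# Work directory: private to this run (mktemp -d creates it with mode 0700).
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/derived-image.XXXXXXXX"
}

# Dockerfile for the derived image.
# $1 = source image reference, $2 = work directory.
write_dockerfile() {
    # The reference is interpolated into the Dockerfile, so refuse anything
    # outside the characters an image reference needs (no spaces, newlines).
    case "$1" in
        ''|*[!A-Za-z0-9._:/@-]*) echo "bad image reference" >&2; return 1 ;;
    esac
    cat > "$2/Dockerfile" <<EOF
FROM $1
COPY scanner/ /opt/example-scanner/
USER root
ENTRYPOINT ["/opt/example-scanner/ndtrack.sh"]
EOF
}

# Demo on constructed input: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    workdir=$(make_workdir) || exit 1
    # Remove the work directory on every exit path, including errors.
    trap 'rm -rf "$workdir"' EXIT
    classify_libc 'musl libc (x86_64)'
    write_dockerfile 'registry.example/app:1.0' "$workdir" && cat "$workdir/Dockerfile"
fi
```

Passing the image ID or Repo Digest recorded by docker inspect as the reference, rather than a tag, ties the derived image to exactly the image that was inspected.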
IT Asset Management (Cloud)
Current