You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Basic and enhanced scanning support for SIF container images.
Which service(s) is this request for?
ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
ECR should support scanning of SIF format container images stored in a repository.
Presently, ECR gives message Scan status: UNSUPPORTED_IMAGE.
The impact of not having this feature added is that environments with singularity containers will not be able to scan their containers stored in ECR for vulnerabilities.
Are you currently working around this issue?
No. It is not currently possible for singularity (apptainer) release to push to ECR using docker:// transport. It is possible for singularity (apptainer) to pull a container from registries using docker protocol, such as public registry.
It is currently possible to push images to ECR in SIF format using oras:// transport protocol. The singularity command line can then pull these containers stored in ECR. That much is working correctly in ECR with OCI artifacts that match singularity images; when the same runtime is used to both push and pull through ORAS/OCI.
It is currently possible to push images to ECR in docker format and enhanced scanning will work. It is possible to first convert a singularity image to a docker image, and then push it with any container tools which support docker images such as docker or podman container run-time cli.
The reason this feature request should be voted for is because apptainer (singularity) containers are now becoming more common on Linux HPC clusters and having to convert between image formats in order to push to ECR for enhanced scanning to work, is problematic for users.
Additional context
The singularity image format (SIF) uses ORAS to push containers to ECR and stores the file system layers as OCI artifacts of type: application/vnd.sylabs.sif.layer.v1.sif.
SIF layers typically use squashfs compressed file system. However, SIF layers may also include overlays and use extfs in older .simg container images. Ideally, those additional layers could be included during scan.
docker-compose.yml starts clair-scanner in order to scan SIF images using sclair command.
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
The text was updated successfully, but these errors were encountered:
Community Note
Tell us about your request
Basic and enhanced scanning support for SIF container images.
Which service(s) is this request for?
ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
ECR should support scanning of SIF format container images stored in a repository.
Presently, ECR gives message
Scan status: UNSUPPORTED_IMAGE
.The impact of not having this feature added is that environments with singularity containers will not be able to scan their containers stored in ECR for vulnerabilities.
Are you currently working around this issue?
No. It is not currently possible for singularity (apptainer) release to push to ECR using
docker://
transport. It is possible for singularity (apptainer) to pull a container from registries using docker protocol, such as public registry.It is currently possible to push images to ECR in SIF format using
oras://
transport protocol. The singularity command line can then pull these containers stored in ECR. That much is working correctly in ECR with OCI artifacts that match singularity images; when the same runtime is used to both push and pull through ORAS/OCI.It is currently possible to push images to ECR in docker format and enhanced scanning will work. It is possible to first convert a singularity image to a docker image, and then push it with any container tools which support docker images such as docker or podman container run-time cli.
The reason this feature request should be voted for is because apptainer (singularity) containers are now becoming more common on Linux HPC clusters and having to convert between image formats in order to push to ECR for enhanced scanning to work, is problematic for users.
Additional context
The singularity image format (SIF) uses ORAS to push containers to ECR and stores the file system layers as OCI artifacts of type:
application/vnd.sylabs.sif.layer.v1.sif
.SIF layers typically use squashfs compressed file system. However, SIF layers may also include overlays and use extfs in older
.simg
container images. Ideally, those additional layers could be included during scan.Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
The text was updated successfully, but these errors were encountered: