The jQAssistant Docker plugin provides a scanner for Docker registries gathering information about:
-
Repositories
-
Tags
-
Manifests and their configurations
-
Layers (Blobs)
The scanner uses the Docker Registry HTTP API V2 as described here.
Incremental scans are supported, i.e. new or updated tags will be detected.
The plugin can be enabled in the configuration file .jqassistant.yml:
jqassistant:
plugins:
- group-id: org.jqassistant.plugins
artifact-id: jqassistant-docker-plugin
version: 2.0.0
scan:
include:
urls:
- docker:registry::http://my-docker-registry:5000
properties:
docker.repository.include: "*"
# docker.repository.exclude: "foo/*"
# docker.repository.updateExistingTags: trueAfterwards a scan can be triggered and the embedded server started:
mvn jqassistant:scan
mvn jqassistant:serverbin/jqassistant.sh scan
bin/jqassistant.sh serverProperty |
Description |
Default |
docker.repository.include |
Pattern of repositories and tags to include, e.g. |
|
docker.repository.exclude |
Pattern of repositories and tags to exclude, e.g. |
|
docker.repository.updateExistingTags |
If |
false |
If the Docker registry uses HTTPS with a self-signed certificate the latter must be imported into the keystore of the Java Runtime Environment:
$JAVA_HOME/bin/keytool -import -alias DOCKER -file docker.crt -keystore $JAVA_HOME/lib/security/cacerts
|
Tip
|
The certificate can be exported directly from a web browser (e.g. as DER encoded-binary X509), the default passwort of the JRE keystore is changeit.
|
After starting the embedded server the Neo4j browser is available under the URL http://localhost:7474 and allows executing queries:
MATCH
(registry:Docker:Registry)-[:CONTAINS_REPOSITORY]->(repository:Docker:Repository)
RETURN
registry.url, collect(repository.name) AS repositoriescentosMATCH
(repository:Docker:Repository{name:'centos'})-[:CONTAINS_TAG]->(tag:Docker:Tag)
RETURN
tag.namecentoslatestMATCH
(repository:Docker:Repository{name:'centos'})-[:CONTAINS_TAG]->(tag:Docker:Tag{name:'latest'}),
(tag)-[:HAS_MANIFEST]->(manifest:Docker:Manifest)-[:HAS_CONFIG]->(config:Docker:Config)
OPTIONAL MATCH
(config)-[:HAS_LABEL]->(label:Docker:Label)
OPTIONAL MATCH
(config)-[:FOR_IMAGE]->(image:Docker:Image)
RETURN
manifest, config, label, imagecentoslatestMATCH
(repository:Docker:Repository{name:'centos'})-[:CONTAINS_TAG]->(tag:Docker:Tag{name:'latest'}),
(tag)-[:HAS_MANIFEST]->(manifest:Docker:Manifest),
(manifest:Docker:Manifest)-[:DECLARES_LAYER]->(layer:Docker:Layer)-[:WITH_BLOB]->(blob:Docker:Blob)
RETURN
layer.index, blob.digest, blob.size
ORDER BY
layer.indexMATCH
(repository:Docker:Repository)-[:CONTAINS_TAG]->(tag:Docker:Tag),
(tag)-[:HAS_MANIFEST]->(:Docker:Manifest)-[:DECLARES_LAYER]->(layer:Docker:Layer)-[:WITH_BLOB]->(blob:Docker:Blob)
RETURN
repository.name AS repository, sum(blob.size)/(1024*1024) AS repositorySizeMB
ORDER BY
repositorySizeMB DESC-
upgraded to jQAssistant 2.0.0
-
changed Maven coordinates to
org.jqassistant.plugin:jqassistant-docker-plugin
-
upgraded to jQAssistant 1.11.0
-
added scanner property
docker.repository.updateExistingTagsto enable updates of existing tags -
added chain of manifests for updated tags
(:Tag)-[:HAS_MANIFEST]→(:Manifest)-[:HAS_PREVIOUS_MANIFEST*]→(:Manifest) -
fixed NPEs when scanning a tag without valid manifest or layer references
-
introduced
Layernodes, i.e.(:Manifest)-[:DECLARES_LAYER]→(:Layer)-[:WITH_BLOB]→(:Blob)replaces(:Manifest)-[:DECLARES_LAYER]→(:Blob)
-
manage blobs per registry instead of repository, i.e.
(:Registry)-[:CONTAINS_BLOB]→(:Blob)replaces(:Repository)-[:CONTAINS_BLOB]→(:Blob)