An inspection tool for finding the OSS compliance metadata of the packages installed in a container image.


Tern


Welcome to the Tern project

Tern is a software package inspection tool for containers. It is written in Python 3 with a small amount of shell scripting.


What is Tern?

Tern is an inspection tool to find the metadata of the packages installed in a container image. The overall operation looks like this:

  1. It uses overlayfs to mount the first filesystem layer (also known as the BaseOS) used to build the container image
  2. It then executes scripts from the "command library" in a chroot environment to collect information about packages installed in that layer
  3. With that information as a starting point, it continues to iterate over steps 1 and 2 for the rest of the layers in the container image
  4. Once done, it generates a report in different formats. The default report is a verbose explanation of which layers brought in which software components. If a Dockerfile is provided, it also reports which lines in the Dockerfile were used to create each layer.

Tern gives you a deeper understanding of your container's bill of materials so you can make better decisions about your container based infrastructure, integration and deployment strategies. It's also a good tool if you are curious about the contents of the container images you have built.
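The layer-to-Dockerfile mapping of step 4, as an added illustration that is not Tern's own code. It assumes that only RUN, COPY and ADD instructions produce a filesystem layer, that FROM accounts for the base image's layers, and that the sample Dockerfile and layer digests (all constructed here) belong to the same image.

```python
# Added illustration of Tern's step 4 (mapping image layers back to the
# Dockerfile lines that created them); not Tern's own code.  Assumption:
# only RUN, COPY and ADD produce a filesystem layer, FROM accounts for the
# base image's layers, and ENV/WORKDIR/CMD-style instructions add none.
LAYER_CREATING = {"RUN", "COPY", "ADD"}

DOCKERFILE = """\
FROM debian:buster
ENV LANG=C.UTF-8
RUN apt-get update && \\
    apt-get install -y curl
COPY app/ /opt/app/
WORKDIR /opt/app
CMD ["python3", "main.py"]
"""  # constructed sample Dockerfile, not from the Tern project

# Constructed layer digests in image order; the first is the BaseOS layer
LAYERS = ["sha256:aaa0", "sha256:bbb1", "sha256:ccc2"]

def parse_dockerfile(text):
    """Return [(first_line, last_line, INSTRUCTION, full_text)], joining
    backslash-continued lines and skipping blank and comment lines."""
    steps, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        full = " ".join(buf)
        steps.append((start, no, full.split(None, 1)[0].upper(), full))
        buf, start = [], None
    return steps

def map_layers(dockerfile, layers, base_layers):
    """Pair each layer digest with the Dockerfile lines that built it; a digest
    of None means the Dockerfile has more layer-creating steps than the image."""
    steps = parse_dockerfile(dockerfile)
    from_line = next(s[0] for s in steps if s[2] == "FROM")
    mapping = [(d, from_line, from_line, "FROM") for d in layers[:base_layers]]
    rest = iter(layers[base_layers:])
    for first, last, instr, _ in steps:
        if instr in LAYER_CREATING:
            mapping.append((next(rest, None), first, last, instr))
    return mapping
```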

Tern quick demo

Getting Started

Tern is not distributed on PyPI or as Docker images yet. This is coming soon. See the Project Status section for details.

Docker

Docker is the most widely used tool to build and run containers. If you already have Docker installed, you can run Tern by building a container with the Dockerfile provided and the ^{} script:

Clone this repository:

^{pr 1}$

Build the Docker image (called ^{} here):

^{pr 2}$

Run the script ^{}

^{pr 3}$

To produce a json report run

^{pr 4}$

What the ^{} script does is create the directory ^{} if not present in your current working directory and run the built container as privileged with ^{} bind mounted to it.

WARNING: privileged Docker containers are not secure. DO NOT run this container in production unless you have secured the node (VM or bare metal machine) that the docker daemon is running on.

Getting Started with Vagrant

Vagrant is a tool to set up an isolated virtual software development environment. If you are using Windows or Mac OS, this is the best way to get started, as Tern does not run natively in a Mac OS or Windows environment at this time.

Install

Follow the getting-started instructions on the VirtualBox website to download VirtualBox for your operating system.

Follow the instructions on the Vagrant website to install Vagrant for your operating system.

Create a Vagrant environment

In a terminal application, run the following commands.

Clone this repository:

$ git clone https://github.com/vmware/tern.git

Bring up the Vagrant box:

$ cd tern/vagrant
$ vagrant up

SSH into the VM that was created:

$ vagrant ssh

Run the program:

$ python3 -m tern -l report -i debian:buster -f output.txt

Getting Started on Linux

If you have a Linux OS, you will need a distro with a kernel version >= 4.0 (Ubuntu 16.04 or newer, or Fedora 25 or newer, are good choices) and you will need to install the following requirements:

For Docker containers

Make sure the Docker daemon is running.

NOTE: Tern currently supports containers built with Docker, but its architecture is designed to support other container image formats.

Create a Python 3 virtual environment:

$ python3 -m venv ternenv
$ cd ternenv

NOTE: Your operating system may distribute each Python version separately. For example, on Ubuntu LTS, Python 2.7 is linked as python2 and Python 3.6 is linked as python3. I develop with Python 3.7, which is installed separately with no symlink. In that case I use the binary directly. The binaries are usually installed under /usr/bin/python.

Clone this repository:

$ git clone https://github.com/vmware/tern.git

Activate the virtual environment:

$ source bin/activate

Install the requirements:

$ cd tern
$ pip install .

Run Tern:

$ tern -l report -f output.txt -i debian:buster

Using Tern

Tern creates a report containing the Bill of Materials (BoM) of a container image, including notes about how it collects this information and about files for which it has no information. Currently, Tern supports only containers built using Docker. This is the most ubiquitous type of container image that exists, so the project started with a focus on those. However, it is architected to support other images that closely follow the OCI image spec.

Ways to generate a BoM report for a Docker image:

YAML Format

SPDX is a format developed by the Linux Foundation to provide a standard way of reporting license information. Many compliance tools are compatible with SPDX. Tern follows the SPDX specifications, specifically the tag-value format, which is the format most compatible with the tool kits the organization provides. The tag-value format is the only SPDX format Tern supports. Conversion tools are available here (some are still in development). You can read an overview of the SPDX tag-value specification here, and how Tern maps its properties to the keys defined by the specification here.

$ tern -l report -m spdxtagvalue -i golang:1.12-alpine -f spdx.txt
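The shape of the tag-value document that command produces, as an added illustration that is not Tern's own code. It assumes SPDX 2.1, a subset of the specification's mandatory tags, and a constructed package list standing in for the BoM; the parser and the license check show how a compliance tool consumes such a report.

```python
# Added illustration of the SPDX tag-value documents Tern produces with
# `-m spdxtagvalue`; not Tern's own code.  Assumptions: SPDX 2.1, a subset of
# the spec's mandatory tags, and a constructed package list as the BoM.
PACKAGES = [  # (name, version, declared license; None = unknown)
    ("musl", "1.1.22-r3", "MIT"),
    ("busybox", "1.30.1-r2", "GPL-2.0-only"),
    ("go", "1.12", None),
]

def spdx_id(name):
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    return "SPDXRef-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in name)

def to_tag_value(image, packages):
    """Emit one tag-value document: a header, then one block per package."""
    lines = ["SPDXVersion: SPDX-2.1", "DataLicense: CC0-1.0",
             "SPDXID: SPDXRef-DOCUMENT", "DocumentName: " + image,
             "DocumentNamespace: https://example.invalid/spdx/" + image,  # placeholder
             "Creator: Tool: tern", ""]
    for name, version, lic in packages:
        lines += ["PackageName: " + name, "SPDXID: " + spdx_id(name),
                  "PackageVersion: " + version,
                  "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: false",
                  "PackageLicenseConcluded: NOASSERTION",
                  "PackageLicenseDeclared: " + (lic or "NOASSERTION"),
                  "PackageCopyrightText: NOASSERTION", ""]
    return "\n".join(lines)

def parse_tag_value(text):
    """Return {PackageName: {tag: value}}; each PackageName tag opens a package.
    Only the first ':' separates tag from value, so 'Creator: Tool: tern' parses."""
    packages, current = {}, None
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        tag, value = (s.strip() for s in line.split(":", 1))
        if tag == "PackageName":
            current = packages.setdefault(value, {})
        if current is not None:
            current[tag] = value
    return packages

def packages_without_license(text):
    """Compliance check on a report: packages with no declared license."""
    return sorted(n for n, f in parse_tag_value(text).items()
                  if f.get("PackageLicenseDeclared", "NOASSERTION") == "NOASSERTION")
```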

Running tests

WARNING: The ^{} tests are not up to date. We are working on it :). From the Tern repository root directory run:

^{pr 21}$

Project Status

Release 0.4.0 is here!

See the release notes for more information.

We try to keep the project roadmap up to date. We are currently working on release 0.5.0.

Releases

Documentation

Architecture, function blocks, code descriptions and the project roadmap are located in the docs folder. Contributions to the documentation are welcome! See the contributing guide to learn how to submit changes.

Get Involved

Do you have questions about Tern? Do you think it can do better? Would you like to make it better? You can get involved by giving your feedback and contributing to the code, documentation and conversation!

Please read our code of conduct.

Next, see the contributing guide to learn how to get started.
