Configuring scans on containers (BigFix scenario)
Discovery of software that is installed in Docker or Podman containers is enabled by default. In some environments, you might need to perform additional steps to specify a non-default installation path, or to exclude directories from scanning.
Requirements
For information about requirements and how software that is installed in containers is reported in License Metric Tool, see: Discovering software in containers.
Specifying installation path for engine
- Check the engine installation.
  - To check whether Docker is installed in the default installation path, run the following command.
    $ docker version
    If the result of the command is a Docker version, Docker is installed in the default installation path. Any other outcome indicates that Docker is installed in a non-default path.
  - To check whether Podman is installed in the default installation path and that the docker command is correctly redirected to the podman command, run the following command.
    $ docker version
    Note: The command intentionally refers to the docker command instead of directly to the podman command to check the correctness of the redirection configuration.
    If the result of the command is a Podman version, Podman is installed in the default installation path and the podman command is correctly redirected. Any other outcome indicates that Podman is installed in a non-default path or that the podman command is not correctly redirected.
- Log in to the BigFix console, and click .
- Right-click the computer that has Docker or Podman installed, and click Edit Computer Settings.
- Add a computer setting. Specify the name as DOCKER_EXEC, and provide an absolute path as the value, for example /usr/bin/docker or /usr/bin/podman.
Specifying additional command options
- Log in to the BigFix console, and click .
- Right-click the computer that has Docker or Podman installed, and click Edit Computer Settings.
- Add a computer setting. Specify the name as DOCKER_OPTS, and provide options as the value, for example -H unix:///var/run/docker.sock.
Excluding directories from scans
The default Docker file system directory /var/lib/docker and the default Podman file system directory /var/lib/containers are excluded from scanning. If you change the engine file system directory to a custom directory, you need to manually exclude it from scanning, because scanning it might cause duplicated discoveries. For more information, see: Excluding directories.
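The engine check and the exclusion rule above can be combined into one host-side check. The following script is an added example, not part of the product documentation. Its function names are hypothetical, and it assumes that the engine name appears capitalized in the `docker version` output, that `command -v docker` yields a usable DOCKER_EXEC candidate, and that `docker info` and `podman info` expose the storage root through the `--format` fields shown.

```shell
#!/bin/sh
# Added example: helper checks for the container scan settings described above.

# classify_engine TEXT: print docker, podman or unknown for `docker version` output.
# Assumption: the output names the engine ("Docker ..." / "Podman ...").
# Podman is tested first because the docker command may be redirected to podman.
classify_engine() {
    case "$1" in
        *Podman*) echo podman ;;
        *Docker*) echo docker ;;
        *)        echo unknown ;;
    esac
}

# needs_manual_exclusion DIR: succeed when DIR lies outside the two engine
# directories that are excluded from scanning by default.
needs_manual_exclusion() {
    dir=${1%/}                               # ignore one trailing slash
    for def in /var/lib/docker /var/lib/containers; do
        case "$dir" in
            "$def" | "$def"/*) return 1 ;;   # /var/lib/docker2 does not match
        esac
    done
    return 0
}

# report: live check on the local host (needs the engine CLI).
report() {
    exe=$(command -v docker) || { echo "docker: not found in PATH"; return 1; }
    engine=$(classify_engine "$("$exe" version 2>&1)")
    echo "engine=$engine  DOCKER_EXEC candidate=$exe"
    case "$engine" in
        docker) root=$("$exe" info --format '{{.DockerRootDir}}') ;;
        podman) root=$("$exe" info --format '{{.Store.GraphRoot}}') ;;
        *)      echo "unrecognized output: check path and redirection"; return 1 ;;
    esac
    [ -n "$root" ] || { echo "could not read the storage root"; return 1; }
    if needs_manual_exclusion "$root"; then
        echo "storage root $root is custom: exclude it from scanning"
    else
        echo "storage root $root is covered by the default exclusions"
    fi
}

# Run the live check only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--live" ]; then report; fi
```

Run the script with `--live` on the scanned computer. Podman's usual storage root, /var/lib/containers/storage, counts as covered because it lies under /var/lib/containers.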
Logs
- var/opt/BesClient/LMT/CIT/docker_scan.log
- C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\CIT\docker_scan.log