Configuring scans on containers (BigFix scenario)

Discovery of software that is installed in Docker or Podman containers is enabled by default. In some environments, you might need to perform additional steps to specify a non-default installation path, or to exclude directories from scanning.

Requirements

For information about requirements and how software that is installed in containers is reported in License Metric Tool, see: Discovering software in containers.

Specifying installation path for engine

If the Docker or Podman engine is installed in a non-default path, or Podman is installed in the default path but the docker command is not redirected to the podman command, add the engine path as a setting of the BigFix® client so that the software can be discovered.
  1. Check the engine installation.
    • To check whether Docker is installed in the default installation path, run the following command.
      $ docker version
      If the command prints a Docker version, Docker is installed in the default installation path. Any other outcome indicates that Docker is installed in a non-default path.
    • To check whether Podman is installed in the default installation path and the docker command is correctly redirected to the podman command, run the following command.
      $ docker version
      Note: The command intentionally invokes the docker command rather than the podman command directly, so that it also verifies the redirection.
      If the command prints a Podman version, Podman is installed in the default installation path and the docker command is correctly redirected. Any other outcome indicates that Podman is installed in a non-default path or that the redirection is not configured correctly.
  2. Log in to the BigFix console, and click Computer Management > Computers.
  3. Right-click the computer on which Docker or Podman is installed, and click Edit Computer Settings.
  4. Add a computer setting. Specify the name as DOCKER_EXEC, and provide the absolute path of the engine binary as the value, for example /usr/bin/docker or /usr/bin/podman.

Specifying additional command options

By default, the scan runs the docker command without any options. If you want to pass additional options that Docker provides, for example -H (the daemon socket to connect to), add them as a new setting of the BigFix client. Enter all options in a single setting.
  1. Log in to the BigFix console, and click Computer Management > Computers.
  2. Right-click the computer on which Docker or Podman is installed, and click Edit Computer Settings.
  3. Add a computer setting. Specify the name as DOCKER_OPTS, and provide the options as the value, for example -H unix:///var/run/docker.sock.
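The following POSIX shell helpers are an added example and are not part of the License Metric Tool documentation or product. They carry out the check from step 1 of "Specifying installation path for engine" (classify what "docker version" prints and derive a DOCKER_EXEC value) and a sanity check of a DOCKER_OPTS value (extract the -H endpoint and confirm that a unix:// socket exists on the host). The sample outputs are constructed, the preference for docker over podman when both binaries are found is this example's own assumption, and the exact way the scan combines DOCKER_EXEC and DOCKER_OPTS is not specified on the page.

```shell
#!/bin/sh
# Added example, not the product's code: helpers for the engine-path and
# DOCKER_OPTS checks described in the procedures above.

# ---- Step 1 of "Specifying installation path for engine" ------------------

# Constructed sample of "docker version" output on a host running Docker.
DOCKER_SAMPLE='Client: Docker Engine - Community
 Version:           24.0.7
Server: Docker Engine - Community
 Engine:
  Version:          24.0.7'

# Constructed sample of "docker version" output when docker is redirected to podman.
PODMAN_SAMPLE='Client:       Podman Engine
Version:      4.6.1
API Version:  4.6.1'

# Constructed sample of the "any other outcome" case.
MISSING_SAMPLE='sh: docker: command not found'

# classify_engine_output OUTPUT
# Prints "docker" when the text reports a Docker version, "podman" when it
# reports a Podman version, and "unknown" for any other outcome.
classify_engine_output() {
    case "$1" in
        *Podman*) echo podman ;;
        *Docker*) echo docker ;;
        *)        echo unknown ;;
    esac
}

# suggest_docker_exec KIND DOCKER_PATH PODMAN_PATH
# Prints the value for the DOCKER_EXEC client setting: empty when the check
# succeeded (default path, redirection works), otherwise the absolute path of
# the engine binary that was located. Preferring docker over podman when both
# paths are given is an assumption of this example, not a product rule.
suggest_docker_exec() {
    kind=$1; docker_path=$2; podman_path=$3
    case "$kind" in
        docker|podman) echo "" ;;
        *)
            if [ -n "$docker_path" ]; then echo "$docker_path"
            elif [ -n "$podman_path" ]; then echo "$podman_path"
            else echo ""   # engine not on PATH: supply the path manually
            fi ;;
    esac
}

# check_engine: live version of step 1 for the current host. Runs "docker
# version" as the page does and prints the suggested DOCKER_EXEC value
# (nothing when no setting is needed).
check_engine() {
    out=$(docker version 2>&1) || true
    kind=$(classify_engine_output "$out")
    docker_path=$(command -v docker 2>/dev/null) || true
    podman_path=$(command -v podman 2>/dev/null) || true
    echo "engine check: $kind" >&2
    suggest_docker_exec "$kind" "$docker_path" "$podman_path"
}

# ---- "Specifying additional command options" --------------------------------

# daemon_socket_from_opts OPTS
# Extracts the endpoint given to -H / --host in a DOCKER_OPTS value, accepting
# the "-H x", "-Hx" and "--host=x" forms. Prints nothing when -H is absent.
daemon_socket_from_opts() {
    set -- $1            # split the setting value on whitespace
    while [ $# -gt 0 ]; do
        case "$1" in
            -H)       echo "$2"; return 0 ;;
            -H*)      echo "${1#-H}"; return 0 ;;
            --host=*) echo "${1#--host=}"; return 0 ;;
        esac
        shift
    done
    echo ""
}

# unix_socket_path ENDPOINT
# Prints the filesystem path of a unix:// endpoint and returns 0; returns 1
# for tcp:// and other endpoints, which name a daemon outside this host's
# filesystem and cannot be checked with a file test.
unix_socket_path() {
    case "$1" in
        unix://*) echo "${1#unix://}"; return 0 ;;
        *)        return 1 ;;
    esac
}

# check_docker_opts OPTS: live check that the socket named in DOCKER_OPTS
# exists as a socket file on this host, so a typo in the setting is caught
# before the scan runs with it.
check_docker_opts() {
    endpoint=$(daemon_socket_from_opts "$1")
    [ -n "$endpoint" ] || { echo "no -H option; scan uses the default socket"; return 0; }
    if path=$(unix_socket_path "$endpoint"); then
        if [ -S "$path" ]; then echo "ok: $path is a socket"; return 0; fi
        echo "missing: $path is not a socket on this host"; return 1
    fi
    echo "non-local endpoint: $endpoint (not checked here)"
}

# Usage on a real host (skipped when no docker command is on PATH):
if command -v docker >/dev/null 2>&1; then
    check_engine
    check_docker_opts "-H unix:///var/run/docker.sock"
fi
```

Run the file on the client machine as the user the BigFix client runs under; an empty line from check_engine means the default configuration already works and DOCKER_EXEC is not needed, otherwise the printed path is the value to enter in the setting.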

Excluding directories from scans

The default Docker file system directory /var/lib/docker and the default Podman file system directory /var/lib/containers are excluded from scanning. If you change the engine file system directory to a custom directory, you must exclude it from scanning manually; otherwise the scan might report the same software twice. For more information, see: Excluding directories.

Logs

To troubleshoot problems with discovery of software that is installed in containers, check the docker_scan.log file. The log is stored in the BigFix client installation directory. By default, the path is:
  • Linux: /var/opt/BesClient/LMT/CIT/docker_scan.log
  • Windows: C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\CIT\docker_scan.log