Add pipeline getting all container image infos #1274
@cbosdo Is this ready? Can we merge this already?
Pull request overview
This PR introduces a Jenkins pipeline that extracts container image information from SUSE Manager 5.0 registry to help supporters and bug squad match installed images with published ones. The pipeline generates a JSON file containing image names, digests, and creation timestamps.
Changes:
- Added a shell script that authenticates with the SUSE registry, searches for container images, and extracts metadata (digest and creation timestamp) into a JSON file
- Added a Jenkins pipeline configuration that executes the extraction script and archives the resulting JSON artifact
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| jenkins_pipelines/scripts/extract_images_info.sh | Shell script that logs into SUSE registry, iterates through container images, and extracts metadata into images-info.json |
| jenkins_pipelines/environments/images-info-extractor | Jenkins pipeline definition that runs the extraction script and archives the JSON output |
| if test $? -ne 0; then | ||
| exit 1 | ||
| fi | ||
| echo $SCC_PASSWORD | skopeo login -u $SCC_USER --password-stdin registry.suse.com |
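Review bot: the `skopeo login` on the last line of this hunk stores a registry credential that outlives the job unless something removes it. If the script does not already do so, register a cleanup such as `trap 'skopeo logout registry.suse.com; podman logout registry.suse.com' EXIT` right after the logins, so the Jenkins agent is not left holding the SCC credential.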
Copilot
AI
Jan 13, 2026
Missing error handling for skopeo login. If the skopeo login fails, the script will continue execution, which could lead to subsequent skopeo commands failing with authentication errors. Add an error check similar to the podman login command above.
| echo $SCC_PASSWORD | skopeo login -u $SCC_USER --password-stdin registry.suse.com | |
| echo $SCC_PASSWORD | skopeo login -u $SCC_USER --password-stdin registry.suse.com | |
| if test $? -ne 0; then | |
| exit 1 | |
| fi |
| echo " \"digest\": \"`skopeo inspect docker://$tagged_image --format '{{.Digest}}'`\"," >>images-info.json | ||
| echo " \"created\": \"`skopeo inspect docker://$tagged_image --format '{{.Created}}'`\"" >>images-info.json |
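Review bot: the digest and the creation time on these two lines come from two separate registry lookups of a mutable tag, so if `$tagged_image` is re-pushed between the calls the entry pairs a digest with the timestamp of a different image. Read both fields from one `skopeo inspect` result, and quote the reference as `"docker://$tagged_image"`.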
Copilot
AI
Jan 13, 2026
The skopeo inspect command is called twice for each tagged image - once for the digest and once for the created timestamp. This is inefficient and could significantly slow down the pipeline, especially with many images. Consider capturing the output once and extracting both values, or using a format string that captures both fields in a single call.
| echo " \"digest\": \"`skopeo inspect docker://$tagged_image --format '{{.Digest}}'`\"," >>images-info.json | |
| echo " \"created\": \"`skopeo inspect docker://$tagged_image --format '{{.Created}}'`\"" >>images-info.json | |
| inspect_output=`skopeo inspect docker://$tagged_image --format '{{.Digest}}|{{.Created}}'` | |
| digest=${inspect_output%%|*} | |
| created=${inspect_output#*|} | |
| echo " \"digest\": \"$digest\"," >>images-info.json | |
| echo " \"created\": \"$created\"" >>images-info.json |
| echo $SCC_PASSWORD | podman login -u $SCC_USER --password-stdin registry.suse.com | ||
| if test $? -ne 0; then | ||
| exit 1 | ||
| fi | ||
| echo $SCC_PASSWORD | skopeo login -u $SCC_USER --password-stdin registry.suse.com |
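Review bot: `$SCC_PASSWORD` and `$SCC_USER` are expanded unquoted in both login lines, so a password containing whitespace or glob characters is word-split or expanded before `echo` receives it and the wrong secret is sent. Use `printf '%s\n' "$SCC_PASSWORD"` for the pipe and `-u "$SCC_USER"` for the user name.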
Copilot
AI
Jan 13, 2026
Credentials are exposed in process listings. Using echo to pipe the password to podman/skopeo login exposes the SCC_PASSWORD in the process table where it could be visible to other users on the system. Consider using a more secure method such as passing credentials via file descriptor or using credential helpers.
| echo $SCC_PASSWORD | podman login -u $SCC_USER --password-stdin registry.suse.com | |
| if test $? -ne 0; then | |
| exit 1 | |
| fi | |
| echo $SCC_PASSWORD | skopeo login -u $SCC_USER --password-stdin registry.suse.com | |
| podman login -u "$SCC_USER" --password-stdin registry.suse.com <<EOF | |
| $SCC_PASSWORD | |
| EOF | |
| if test $? -ne 0; then | |
| exit 1 | |
| fi | |
| skopeo login -u "$SCC_USER" --password-stdin registry.suse.com <<EOF | |
| $SCC_PASSWORD | |
| EOF |
| for tag in `skopeo inspect --format "{{.RepoTags}}" docker://$image | tr -d "[]"` ; do | ||
| case $tag in | ||
| *.sig|*.att) continue;; | ||
| esac | ||
| tagged_image="$image:$tag" | ||
| if test "z$separator" != "z"; then | ||
| echo "$separator" >>images-info.json | ||
| fi | ||
| echo " {" >>images-info.json | ||
| echo " \"name\": \"$tagged_image\"," >>images-info.json | ||
| echo " \"digest\": \"`skopeo inspect docker://$tagged_image --format '{{.Digest}}'`\"," >>images-info.json | ||
| echo " \"created\": \"`skopeo inspect docker://$tagged_image --format '{{.Created}}'`\"" >>images-info.json |
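Review bot: the `echo` lines in this loop paste `$tagged_image` and the raw inspect output into JSON strings without escaping, and the `for` line expands `$image` unquoted, so a single quote character or backslash in any value yields a file that no longer parses. Build each object with a JSON-aware tool, for example `jq -n --arg name "$tagged_image" '{name: $name}'`, and quote the reference as `"docker://$image"`.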
Copilot
AI
Jan 13, 2026
Missing error handling for skopeo inspect commands. If any of the skopeo inspect commands fail (e.g., due to network issues or authentication problems), the script will continue and produce malformed JSON. Consider adding error checks or using 'set -e' to exit on command failures.
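One way to handle the failure mode this comment describes, as an added example that is not part of the PR or of the review: each entry is produced by one checked `skopeo inspect` call, and the JSON file is only published when every entry succeeded. The names `json_escape`, `image_entry` and `write_images_info` are hypothetical; the combined `--format` string follows the suggestion made earlier in the thread.

```shell
# Added example: json_escape, image_entry and write_images_info are hypothetical names.

# Escape backslashes and double quotes so a value cannot end a JSON string early.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print one JSON object for a tagged image; print nothing and fail otherwise.
image_entry() {
    tagged_image=$1
    # One inspect call, so both fields describe the same manifest.
    info=$(skopeo inspect --format '{{.Digest}}|{{.Created}}' \
        "docker://$tagged_image") || return 1
    # Reject empty output or error text: require "sha256:...|<something>".
    case $info in
        sha256:*'|'?*) ;;
        *) return 1 ;;
    esac
    digest=${info%%|*}
    created=${info#*|}
    printf '  {\n    "name": "%s",\n    "digest": "%s",\n    "created": "%s"\n  }' \
        "$(json_escape "$tagged_image")" "$(json_escape "$digest")" \
        "$(json_escape "$created")"
}

# Build the array in a temporary file; publish it only if every entry succeeded.
write_images_info() {
    out=$1
    shift
    tmp="$out.tmp"
    separator=''
    printf '[\n' >"$tmp"
    for tagged_image in "$@"; do
        entry=$(image_entry "$tagged_image") || { rm -f "$tmp"; return 1; }
        printf '%s%s' "$separator" "$entry" >>"$tmp"
        separator=',
'
    done
    printf '\n]\n' >>"$tmp"
    mv "$tmp" "$out"
}
```

A failed inspect makes `write_images_info` return non-zero and leave no output file, so the Jenkins archive step cannot pick up a truncated `images-info.json`.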
| stage('Checkout pipeline') { | ||
| checkout scm | ||
| } | ||
| stage('pull all images') { |
Copilot
AI
Jan 13, 2026
The stage name 'pull all images' does not accurately describe what the stage does. The script extracts image information but doesn't necessarily pull all images. Consider renaming to 'Extract image information' to better reflect the actual operation.
| stage('pull all images') { | |
| stage('Extract image information') { |
| @@ -0,0 +1,16 @@ | |||
|
|
|||
Copilot
AI
Jan 13, 2026
The file starts with an empty line. Consider removing this leading blank line for consistency with typical Jenkins pipeline file formatting.
Extract container image information that would be useful for supporters and bug squad to match the installed images with the published ones.
The generated file is JSON so that it could be easy to embed in an HTML page.