Configuring scans on Docker containers
Available from 9.2.5. Discovery of software that is installed in Docker or Podman containers is enabled by default. In some environments, you might need to perform additional steps to specify a non-default installation path, or to exclude directories from scanning.
- Specifying a non-default installation path for the engine
  If Docker or Podman is installed in a non-default path, add this path as a setting of the BigFix client, so that the software can be successfully discovered.
  - Check the engine installation.
    - To check whether Docker is installed in the default installation path, run the following command.
      $ docker version
      If the result of the command is a Docker version, Docker is installed in the default installation path. Any other outcome indicates that Docker is installed in a non-default path.
    - To check whether Podman is installed in the default installation path and that the docker command is correctly redirected to the podman command, run the following command.
      $ docker version
      Note: The command intentionally refers to the docker command instead of directly to the podman command, to check that the redirection is configured correctly. If the result of the command is a Podman version, Podman is installed in the default installation path and the podman command is correctly redirected. Any other outcome indicates that Podman is installed in a non-default path or that the podman command is not correctly redirected.
  - Log in to the BigFix console, and click .
  - Right-click on the computer that has Docker or Podman installed, and click Edit Computer Settings.
  - Add a computer setting. Specify the name as DOCKER_EXEC, and provide an absolute path as the value, for example /usr/bin/docker or /usr/bin/podman.
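As an added example (not part of the BigFix Inventory documentation), the following POSIX shell script automates the "docker version" check from the procedure above and resolves the absolute engine path to enter as the DOCKER_EXEC value; the function names and the version-output patterns it matches are assumptions.

```shell
#!/bin/sh
# Added example, not BigFix Inventory code. Automates the "docker version"
# check above and resolves the path to use as the DOCKER_EXEC setting value.
# Assumption: modern Docker prints "Docker Engine" and a docker-to-podman
# redirection prints "Podman Engine" in the version output.

# classify_engine_output <text>: prints docker | podman | unknown
classify_engine_output() {
    case "$1" in
        *"Podman Engine"*) echo podman ;;   # docker is redirected to podman
        *"Docker Engine"*) echo docker ;;   # genuine Docker CLI
        *) echo unknown ;;                  # no engine, or an unexpected format
    esac
}

# resolve_engine_path <command>: absolute, symlink-resolved path of the
# command on PATH (the value to enter in DOCKER_EXEC); fails if not found.
resolve_engine_path() {
    p=$(command -v "$1" 2>/dev/null) && [ -n "$p" ] || return 1
    readlink -f "$p"
}

# check_engine: run the documented check and report whether a DOCKER_EXEC
# setting is needed. Only stdout is inspected: a podman-docker wrapper writes
# its "Emulate Docker CLI" notice to stderr, which must not affect the result.
check_engine() {
    out=$(docker version 2>/dev/null || true)
    kind=$(classify_engine_output "$out")
    path=$(resolve_engine_path docker || true)
    case "$kind" in
        docker) echo "Docker answered ($path): default path, no DOCKER_EXEC needed" ;;
        podman) echo "docker is redirected to Podman ($path): redirection is correct" ;;
        *)      echo "no Docker or Podman answered 'docker version';"
                echo "set DOCKER_EXEC to the engine's absolute path" ;;
    esac
}

# Constructed sample output, shaped like a podman-docker redirection prints it.
SAMPLE_PODMAN='Client:       Podman Engine
Version:      4.6.1
API Version:  4.6.1'

echo "sample output classifies as: $(classify_engine_output "$SAMPLE_PODMAN")"
check_engine
```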
- Specifying additional command options
  By default, the scan runs the docker command without any options. If you want to use additional options provided by Docker or Podman, for example -H (daemon socket to connect to), add these options as a new setting of the BigFix client. Enter all options in one setting.
  - Log in to the BigFix console, and click .
  - Right-click on the computer that has Docker or Podman installed, and click Edit Computer Settings.
  - Add a computer setting. Specify the name as DOCKER_OPTS, and provide the options as the value, for example -H unix:///var/run/docker.sock.
- Excluding directories from scans
  The default Docker file system directory /var/lib/docker and the default Podman file system directory /var/lib/containers are excluded from scanning. If you change the engine file system directory to a custom directory, you need to exclude it from scanning manually, because otherwise it might cause duplicated discoveries. For more information, see: Excluding directories.