Introducing the all-new TIBCO Community site!

For current users, please click "Sign In" to reset your password and access the enhanced features. If you're a first-time visitor, we extend a warm welcome—click "Sign Up" to become a part of the TIBCO Community!

If you're seeking alternative community sites, explore ibi, Jaspersoft, and Spotfire.

Jump to content
  • TIBCO Cloud API Management - Local Edition: Analyze Container Image Licenses


    Joe Padre

    Base container image

    This project uses a CentOS and Alpine official container image and as the common base image layer for building images.

    See the license information for details on licenses and software package types. 

    As with all container images, the base container image likely also contains other software (such as bash, glibc, zlib, etc. from the base distribution, along with any direct or indirect dependencies of the primary software included in the built image) which may be subject to other licenses.

    The following links provide auto-detected license information for the these official images:

    For example, you can find the information of the artifacts of the centos:7.9.2009 and alpine:3.15 official image.

    As with any image, it is the image user's responsibility to ensure that any use of the image complies with all relevant licenses for all software contained within.

    Additional software packages

    Building images often installs additional software packages (fetched from the official distro software repositories, from other user added repositories or from specific locations) in addition to the packages already provided by the base image. You can inspect the Dockerfiles to identify these additional packages.

    For example, inspecting the Local Edition Dockerfiles located at docker-build/tmgc in the installer, provides a list of packages that will be installed in the image as specified in the Dockerfile. Please note that each such specified package may, in turn, automatically install other software packages as dependencies.

    Manually retrieve installed packages information

    You can inspect a container image and retrieve its contents with standard container and package management tools.

    Note: There are different ways to extract the list of installed packages and other installed artifacts. Providing detailed instructions on software license analysis specialized tools is outside the scope of this document. Retrieving information on software artifacts other than software packages installed with the package manager tools is also outside the scope of this document.

    centos

    You can retrieve the full list of installed packages in a container image using the yum list installed command.

    For example, to retrieve the installed packages in the centos:7.9.2009 image:

    $ docker run --rm centos:7.9.2009 yum list installed

    Loaded plugins: fastestmirror, ovl

    Determining fastest mirrors

     * base: mirrors.nxtgen.com

     * extras: mirrors.nxtgen.com

     * updates: repo.extreme-ix.org

    base                                                     | 3.6 kB     00:00

    extras                                                   | 2.9 kB     00:00

    updates                                                  | 2.9 kB     00:00

    (1/4): extras/7/x86_64/primary_db                          | 247 kB   00:00

    (2/4): base/7/x86_64/group_gz                              | 153 kB   00:06

    (3/4): base/7/x86_64/primary_db                            | 6.1 MB   00:07

    (4/4): updates/7/x86_64/primary_db                         |  16 MB   00:11

    Installed Packages

    acl.x86_64                               2.2.51-15.el7                 @CentOS

    audit-libs.x86_64                        2.8.5-4.el7                   @CentOS

    basesystem.noarch                        10.0-7.el7.centos             @CentOS

    bash.x86_64                              4.2.46-34.el7                 @CentOS

    bc.x86_64                                1.06.95-13.el7                @CentOS

    bind-license.noarch                      32:9.11.4-26.P2.el7           @CentOS

    binutils.x86_64                          2.27-44.base.el7              @CentOS

    bzip2-libs.x86_64                        1.0.6-13.el7                  @CentOS

    ca-certificates.noarch                   2020.2.41-70.0.el7_8          @CentOS

    centos-release.x86_64                    7-9.2009.0.el7.centos         @CentOS

    chkconfig.x86_64                         1.7.6-1.el7                   @CentOS

    coreutils.x86_64                         8.22-24.el7                   @CentOS

    cpio.x86_64                              2.11-28.el7                   @CentOS

    cracklib.x86_64                          2.9.0-11.el7                  @CentOS

    cracklib-dicts.x86_64                    2.9.0-11.el7                  @CentOS

    cryptsetup-libs.x86_64                   2.0.3-6.el7                   @CentOS

    ...

    alpine

    You can retrieve the full list of installed packages in a container image using the apk list -I command.

    For example, to retrieve the installed packages in the alpine:3.15 image:

    $ docker run --rm alpine:3.15 apk list -I

    libretls-3.3.4-r3 x86_64 {libretls} (ISC AND (BSD-3-Clause OR MIT)) [installed]

    musl-1.2.2-r7 x86_64 {musl} (MIT) [installed]

    zlib-1.2.12-r1 x86_64 {zlib} (Zlib) [installed]

    apk-tools-2.12.7-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]

    musl-utils-1.2.2-r7 x86_64 {musl} (MIT BSD GPL2+) [installed]

    libssl1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [installed]

    alpine-baselayout-3.2.0-r18 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]

    alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]

    busybox-1.34.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]

    scanelf-1.3.3-r0 x86_64 {pax-utils} (GPL-2.0-only) [installed]

    ca-certificates-bundle-20211220-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]

    libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]

    ssl_client-1.34.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]

    libcrypto1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [installed]

    ...

    Manually retrieve installed packages licenses

    centos

    You can retrieve the license for any package using the rpm command.

    For example, to retrieve license information for the installed package curl:

    $ docker run --rm centos:7.9.2009 rpm -qa --qf "%{name}:%{version}t %{license}t %{URL}n" curl

     

    curl:7.29.0 MIT http://curl.haxx.se/

    alpine

    You can retrieve the license for any package using the apk info --license command.

    For example, to retrieve license information for the installed package musl:

    docker run ?rm alpine:3.15 apk info --license musl

    musl-1.2.2-r7 license:

    MIT

    Manually retrieve installed packages sources

    centos

    You can retrieve the source for any package using the rpm command.

    For example, to retrieve the apt source for the installed package curl:

    $ docker run --rm centos:7.9.2009 rpm -qa --qf '%{NAME}:%{VERSION}t%{SOURCERPM}t%{SIGPGP:pgpsig}t%{SIGGPG:pgpsig}n' curl

     

    curl:7.29.0 curl-7.29.0-59.el7.src.rpm RSA/SHA256, Wed Oct 14 18:47:41 2020, Key ID 24c6a8a7f4a80eb5 (none)

     

    alpine

    The APKBUILD files for all alpine packages is available in the aports repository.

    For example, the source packages for alpine:3.15 main can be found here.

    Manually retrieve installed files

    It is possible to extract the contents of a container for further inspection using the docker command.

    One way is creating a temporal container, called temp-container that will be based on the unknown-image:latest image.

    docker create --name temp-container unknown-image:latest

    Note: Creating a new container from an image allows to inspect it without running the container.

    Now it is possible to extract the container filesystem as a tar file:

    docker export temp-container > temp-container.tar

    If you prefer to directly extract the files list without creating a tar archive:

    docker export temp-container | tar t > temp-container-files.txt

    Another way to inspect the image contents is to use the docker image save command:

    docker image save unknown-image:latest > temp-image.tar

    For more information, see the Docker CLI documentation.

    The first method, creating and exporting the contents of a stopped container, is a direct way to extract the image?s final filesystem, the composite view of a container instance.

    The second method produces an archive that exposes the image format, not the containers created from it. The tar will include a manifest.json file, describing the image?s layers, and a set of separate directories containing the content of each of the individual layers. This is helpful when you?re evaluating each layer?s role in building the image.

    For details on the container image format, see the OCI image format specification.

    The diagram below illustrates the differences between the layered view and the composite view of a container image.

    dbTVyE253P4557ffFvf5KL_mvrrnhqlqEIhO7PKylBlKKZPQD4cISNGtulCYYnLX6Lfp6bu8PrsxNpnOX-HpHYj5io-4XMnZoMiJB3cIUhoSmUrdbNz2YJmyCUKamJE36HdkOoJBVZHArOTkvyW_KJgt8Dy0aaSut_OmR7Y-pW9b4L3bbXUtiBKxAd7A1Q

     


    User Feedback

    Recommended Comments

    There are no comments to display.


×
×
  • Create New...