BigFix Inventory container scanning

cstoneba 2021-04-06 15:53:14 UTC #1

I see that this article https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/planinconf/c_docker_discovery.html discuss how BFI scans docker containers (with some requirements).

Does anyone have any experience in doing this?
Any gotchas other than what’s in the article?
Any support for Kubernetes too?

ssakunala 2021-04-06 16:38:56 UTC #2

Kubernetes support has been added with BFI 10.0.1.1 version
https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/overview/Release_notes.html?hl=kubernetes

cstoneba 2021-04-06 17:22:34 UTC #3

So it was, yet the v10 doc has zero results for Kubernetes. I think the v10 doc needs a section called “Discovering software in containers” with a sub for Docker and another for Kubernetes.

cstoneba 2021-04-07 16:22:17 UTC #4

My scans are successful against the host but the installed software in the container is not showing up in Software Installations. The host is RHEL 7.9.
Is the requirements saying that only software with a swid tag included will be detected? No package scans results/scanned files from the docker instance will show in BFI?

Requirements
BigFix Inventory discovers software that is installed in Docker containers on condition that:
Only one Docker engine is deployed on the host computer.
The Docker container is deployed on one of the following platforms:
Red Hat Enterprise Linux 7 for x86
Red Hat Enterprise Linux 7 for BigFix 64-bit)
SUSE Linux 12 for x86
The Docker container is running.
The BigFix client is installed on the host computer.
Scans and uploads of their results are enabled on the host computer.
Software that is installed in the Docker container delivers software ID tags.

cstoneba 2021-04-08 15:34:27 UTC #5

New enhancement request, please vote - https://bigfix-ideas.hcltechsw.com/ideas/BFINV-I-200

Docker scans only find SWID tags, nothing else.
Kubernetes is only finding the Kubernetes software on the host, no capabilities for scanning the containers.

ITSAM 2021-04-14 14:33:57 UTC #6

"To take advantage of container licensing, IBM License Service must be used to track license usage and determine your required entitlement. There are no exceptions to this rule."
https://www.ibm.com/software/passportadvantage/containerlicenses.html

I find it ironic that IBM requires a special discovery/reporting tool that does NOT interface with their asset management system (ICD) and does not work with their discovery tool ILMT. Containers and IBM Cloud Pak are new challenges.