Exercise 1.5 - Atomic Scanner

Return to Workshop

atomic scan

The atomic command-line tool provides a way to interact and manage Atomic Host systems and containers. It provides a high level, coherent entrypoint to the system and makes it easier to interact with special kinds of containers, such as super-privileged containers, and debugging tools.

The atomic command uses tools such as docker, ostree and skopeo to manage containers and container host systems. There are also a lot of features built into the atomic command that are not available in the docker command. These features allow you to use special commands for image signing, image verification, the ability to install a container - mounting file systems and opening privileges.

Before containers are run, it makes good sense to be able to scan container images for known vulnerabilities and configuration problems. A number of container scanning tools are beginning to appear including RHEL’s atomic scan command.

Atomic Scan

This lab will get you familiar with the atomic scan command and also how to extend atomic scan with a custom scanner.

Step 1:

Pull some images

Pull a RHEL 7.1 & 7.3 image
sudo docker pull registry.access.redhat.com/rhel7.1

sudo docker pull registry.access.redhat.com/rhel7.3

Let’s see what types of scanners are available

List scanners
sudo atomic scan --list

First lets take a look at RHEL7.1

Atomic default scan OpenSCAP
sudo atomic scan registry.access.redhat.com/rhel7.1
Atomic Compliance scan
sudo atomic scan --scan_type standards_compliance

Now let’s take a look at RHEL7.3 (latest)

Atomic default scan OpenSCAP
sudo atomic scan registry.access.redhat.com/rhel7.3
Atomic Compliance scan
sudo atomic scan --scan_type standards_compliance

You will notice that over time vulnerabilities are found in OS and applications. So you can see that security is more of a race against time to find and patch vulnerabilities before an attacker can exploit them. This is where containers can really help to enhance security by being able to make a security fix to a base image and have OpenShift deploy that image to all containers that are running outdated versions.

Step 2:

Writing a Custom Scanner

The atomic scanner was designed with a pluggable architecture to allow developers to write custom scanners using any programming language supported by RHEL. Adding a scanner plugin involves the following:

  • Make atomic aware of your plug­in.

  • Ensure the plugin obtains the proper input from the / scanin directory.

  • Ensure the plugin writes the results to the /scanout directory.

cd into /home/ec2-user/workshopfiles
cd /home/ec2-user/workshopfiles
build the Dockerfile
sudo docker build --rm=true --force-rm=true --tag=example_plugin .
Notice . it means in the current directory.
see the newly built container
sudo docker images


REPOSITORY          TAG          IMAGE ID         CREATED             SIZE
example_plugin      latest       008f60125ce5     16 seconds ago      192.5 MB
install the new plugin
sudo atomic install --name example_plugin example_plugin
view the new scanner as a operation
sudo atomic scan --list

Now lets try the get rpms scan

sudo atomic scan --scanner example_plugin --scan_type=rpm-list

Additional Fun

Have a look at the files in the /home/ec2-user/workshopfiles directory. They contain the files that make up your new example_scanner. The meat of the scanner is the list_rpms.py Python file. This is a similar architecture to writing Ansible Module, by that as long as you adhere to the api you can write the plugin in any language you like. Basically returning proper json that is defined in example_plugin. Let see that now;

type: scanner
scanner_name: example_plugin
image_name: example_plugin
default_scan: rpm-list
custom_args: ['-v', '/tmp/foobar:/foobar']
scans: [
 { name: rpm-list,
   args: ['python', 'list_rpms.py', 'list-rpms'],
   description: "List all RPMS",
 { name: get-os,
   args: ['python', 'list_rpms.py', 'get-os'],
   description: "Get the OS of the object",

So you can see that as long as you package up the scanner code in the container and adhere to the api it should be easy to add your own custom scanner.

Return to Workshop