Articles from Brent Baude

Introducing atomic diff

The original mission of the atomic application to install, manage, and run container images using container labels has slowly been growing. We have been concentrating on ease-of-use and value-add functions for containers and images, and to accomplish this have recently added the atomic diff command. This command allows you to differentiate between two container images, which is critically important...


Don't Run yum update Within a Running Container

Recently, I have been reviewing a massive collection of Dockerfiles and interacting with customers and ISVs alike. In this time, I have seen all sorts of actions being taken for container design and how those containers should be run. One such action I really struggle with is when users are either told or take the initiative themselves to update packages within a running container. For example, they execute something like:

docker run -it foobar yum -y update


Using the Atomic CLI to Scan Virtual Machines

Recently on the Red Hat Developers blog, I wrote about the re-architecture of the atomic vulnerability scan feature. The primary function of atomic scan is to detect vulnerabilities in your images and containers using a plug-in enabled architecture.

Building upon that concept, we added a feature to atomic scan: you can now pass it a chroot to scan. One immediate benefit of this change is that the same scanner we use for images and containers can now scan a virtual machine (VM) that has been mounted onto the host's filesystem.

In this blog, I will show you how to scan a live VM with atomic scan.


A remote API for Podman

Podman grows a remote API using Varlink

Podman up to now has been a simple CLI for managing pods and containers. But I wanted to allow other tools like Atomic CLI and Cockpit to interact with the pods/containers created by Podman and other tools. Execing a CLI tool to do this and screen scraping the output never quite works, so we wanted to add an API. But I did not want to add a daemon to implement a REST API. #nobigfatdaemons.


Podman and insecure registries


Over the last few weeks, we have had a number of bugs and questions about how to pull from an insecure registry. The obvious advice here is that you should always be using a registry which implements tls-verify. But if you are a container or image developer, or you are just plain breaking new ground, your registry may not use tls-verify. Podman can handle this, and I wanted to spend a minute or two explaining how it does so and the logic behind it.
