Banyan Collector: A framework to peek inside containers
Have you wondered what your container images really contain? Whether they ship packages that are susceptible to known attacks? Or whether they have the configuration you expect when they are run? Banyan Collector provides a powerful, extensible framework to answer all these questions and more.
Banyan Collector (on GitHub) is a lightweight, easy-to-use, modular system that lets you launch containers from a registry, run arbitrary scripts inside them, and gather useful information. This framework can be used to statically analyze images for several purposes, including:
- Collect specific information from all images (e.g., packages installed)
- Enforce policies (e.g., no unauthorized user accounts, etc.)
- Validate invariants (e.g., nginx.conf is present in the right directory, etc.)
- and so on...
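To make the "enforce policies" and "validate invariants" bullets concrete, here is an added example of the kind of user script the collector could run inside a launched container. It is not code from the Banyan Collector project: the script-to-collector interface (that the script runs with the image's filesystem as `/` and that the collector captures its stdout) and the `key=value` output format are assumptions, as is the constructed allowlist of accounts.

```shell
#!/bin/sh
# Added example, not Banyan Collector's own code. Assumed interface: the collector
# runs this script inside a container launched from the image and records stdout.

# Constructed allowlist: accounts an image may define besides these are reported.
ALLOWED_USERS="root daemon bin sys nobody www-data nginx"

# unauthorized_users [PASSWD_FILE]
# Prints one "unauthorized_user=<login>:<uid>" line per account in PASSWD_FILE
# that is not in ALLOWED_USERS. Returns 0 if the policy holds, 1 otherwise.
# The redirect keeps the loop in the current shell, so 'found' survives the loop.
unauthorized_users() {
    passwd_file="${1:-/etc/passwd}"
    found=0
    while IFS=: read -r login _pw uid _gid _gecos _home _shell; do
        case " $ALLOWED_USERS " in
            *" $login "*) ;;                      # allowed account
            *) echo "unauthorized_user=$login:$uid"; found=1 ;;
        esac
    done < "$passwd_file"
    return "$found"
}

# config_present PATH
# Invariant check: the file exists and is non-empty (the nginx.conf case above).
config_present() {
    [ -s "$1" ]
}

# policy_report [PASSWD_FILE] [CONFIG_PATH]
# Runs both checks and emits a summary line; returns 0 only if both pass.
policy_report() {
    passwd_file="${1:-/etc/passwd}"
    config_path="${2:-/etc/nginx/nginx.conf}"
    status=0
    unauthorized_users "$passwd_file" || status=1
    if config_present "$config_path"; then
        echo "config_present=$config_path"
    else
        echo "config_missing=$config_path"
        status=1
    fi
    echo "policy_ok=$([ "$status" -eq 0 ] && echo yes || echo no)"
    return "$status"
}

# Run the report when invoked directly with --report, e.g.
#   sh policy_check.sh --report /etc/passwd /etc/nginx/nginx.conf
if [ "${1:-}" = "--report" ]; then
    policy_report "${2:-}" "${3:-}"
fi
```

Because the checks are plain functions taking paths, the same script can be exercised outside a container against a sample `/etc/passwd`, which is also how you would test a new policy before pointing the collector at a whole registry.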
Pull the collector container from Docker Hub and run it:
$ sudo docker pull banyanops/collector
$ sudo docker run --rm \
    -v ~/.docker:/root/.docker \
    -v ~/.dockercfg:/root/.dockercfg \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/.banyan:/banyandir \
    -v <USER_SCRIPTS_DIR>:/banyancollector/data/userscripts \
    -e BANYAN_HOST_DIR=$HOME/.banyan \
    banyanops/collector <REGISTRY> <REPO>
where REGISTRY is either a private registry (e.g., http://reg.myorg.com) or Docker Hub (registry-1.docker.io), and REPO is the repository you'd like to collect data for. If you want to collect data from a private registry, make sure you are logged into it first (sudo docker login REGISTRY). Also, for a private registry with search enabled, if no REPO is specified, data is collected from all of its repositories.
More generally, the collector can be configured using several options (e.g., registry poll interval, image-removal threshold, secure registry settings, etc.):
$ sudo docker run --rm -v ... banyanops/collector [options] REGISTRY [REPO1 REPO2 ...]
For a list of all the options run:
$ sudo docker run --rm banyanops/collector -h
More details about Banyan Collector (source code, tests, operation/architecture, etc.) are available on GitHub.
For further details about how one might use this in an enterprise, please check out Banyan (http://www.banyanops.com). This SaaS service offers deeper analysis of your data and provides a dashboard showing which of your images are compliant with your policies (e.g., which of your images have security vulnerabilities), along with real-time updates and email notifications.
Banyan Collector is distributed under the Apache 2.0 License. See LICENSE for details.