IBM Security QRadar SOAR

  • 1.  Does App Hosts support public multi-user container registries?

    Posted Mon October 12, 2020 05:56 AM

    I'm concerned about the use of public multi-user container registries such as GitHub or IBM Cloud Container Registry as a private registry for App Hosts.

    Container image URLs possibly look like:

    public container registries (GitHub or IBM Cloud Container Registry):
        <registry-host>/<user>/<repository>:<tag> ---(1)

    Resilient:
        <registry-host>/ibmresilient/fn_<app>:<ver> ---(2) *1

    *1 <registry-host> can be configured by manageAppHost registry command WITHOUT any path information
    (2) is my observation to run App Hosts successfully.

    <repository>:<tag> can be mapped to /fn_<app>:<ver> but if <user> is not ibmresilient, (1) and (2) contradict each other.

    So I wonder whether public multi-user container registries such as GitHub or IBM Cloud Container Registry can be used as a private registry for App Hosts. Or are there any future considerations?


    ------------------------------
    Yohji Amano
    ------------------------------


  • 2.  RE: Does App Hosts support public multi-user container registries?

    Posted Thu October 15, 2020 12:38 PM

    Hi Yohji,

    It is possible, but the only way I found possible is a bit clunky and managing it isn't pretty.
    The "author" of the package has the option with resilient-sdk to set the repository-name (the user in your example).

    resilient-sdk package --help

    options:
      -h, --help            show this help message and exit
      -p, --package         (required) Path to the directory containing the setup.py file
      --keep-build-dir      Do not delete the dist/build directory
      --display-name        Display name to give the app
      --repository-name     Name of the repository which contains the app container


    When uploading the package to the AppHost, the AppHost reads from the package which repository to use, on the registry server it's configured to use. I.e. if you have a registry as "registry.hub.docker.com", and you specified "yohji" as repository when packing the app, it will go ahead and poll from that registry as:

    registry.hub.docker.com:443/yohji/<app>:<version>

    Where app and version are as specified in the package's app.json file.

    The real issue, as I see it, is that if you get an app somebody else packaged (i.e. IBM), you have to rebuild it to be able to upload it to your AppHost and its registry.

    I imagine (not tested myself) a "Quick" fix is to extract the zip file and edit the app.json to your repository, and re-zip the file, and then pull the image from the docker repo, and push it back into your registry.

    IBM have made a script to sync all their images, but it lacks the possibility to set the destination repository (to my knowledge), for it to be usable for this.

    https://github.com/ibmresilient/resilient-community-apps/blob/master/.scripts/mirror-containers/mirror-all-images.sh

    Example app.json file so you can see it.

    {
      ...
      "current_installation": {
        "executables": [
          {
            "config_string": "",
            "image": "ibmresilient/fn_task_utils:1.0.1",
            "name": "fn_task_utils",
            "permission_handles": [
              "read_data",
              "read_function",
              "read_all_incidents",
              "edit_incident_public_task_fields",
              "read_all_private_tasks",
              "edit_incident_private_task_member",
              "edit_all_private_task_notes",
              "edit_incident_public_task_member",
              "edit_all_public_task_notes",
              "edit_incident_private_task_fields",
              "read_incident_public_task"
            ],
            "uuid": "689d2791-715b-7192-3633-effc697ebff5"
          }
        ]
      },
      ...
    }



    ------------------------------
    Kevin Kragh
    ------------------------------
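
Added example (not part of the post above and not IBM code): a sketch of the "quick fix" described in post 2, rewriting the `image` entries in an app zip's app.json and listing the pull/tag/push commands that mirror each image. Assumptions: the file is named app.json and follows the layout shown above; `quay.io` as upstream and `ghcr.io` / `yohji` as targets are sample values taken from this thread; the sample zip and its README.txt member are constructed, and the result has not been tested against a real App Host.

```python
import io
import json
import zipfile


def retarget_image(image, new_repo):
    """'ibmresilient/fn_task_utils:1.0.1' -> '<new_repo>/fn_task_utils:1.0.1'."""
    return f"{new_repo}/{image.rsplit('/', 1)[-1]}"


def rewrite_app_zip(src_bytes, registry, new_repo, upstream="quay.io"):
    """Return (rewritten zip bytes, docker commands that mirror the images).

    Assumption: the file to edit is named app.json and uses the layout shown
    in the thread (current_installation.executables[].image).
    """
    commands, out_buf = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.rsplit("/", 1)[-1] == "app.json":
                app = json.loads(data)
                for exe in app["current_installation"]["executables"]:
                    old, new = exe["image"], retarget_image(exe["image"], new_repo)
                    exe["image"] = new
                    commands += [
                        f"docker pull {upstream}/{old}",
                        f"docker tag {upstream}/{old} {registry}/{new}",
                        f"docker push {registry}/{new}",
                    ]
                data = json.dumps(app, indent=2).encode("utf-8")
            out.writestr(info.filename, data)  # other members copied unchanged
    return out_buf.getvalue(), commands


def build_sample_zip():
    """Constructed sample: a minimal app zip holding the thread's image value."""
    app = {"current_installation": {"executables": [
        {"image": "ibmresilient/fn_task_utils:1.0.1", "name": "fn_task_utils"}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("app.json", json.dumps(app))
        z.writestr("README.txt", "constructed filler member")
    return buf.getvalue()


if __name__ == "__main__":
    new_zip, cmds = rewrite_app_zip(build_sample_zip(), "ghcr.io", "yohji")
    print("\n".join(cmds))
```

Review the printed commands before running them, and compare the rewritten app.json against the original so that only the `image` values differ.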



  • 3.  RE: Does App Hosts support public multi-user container registries?

    Posted Fri October 16, 2020 12:54 AM
    Hi Kevin.

    Thank you very much for your detailed explanation.
    Based on your descriptions I could use GitHub Container Registry (ghcr.io) as a private registry for an App Host and pull my custom application container image into the application pod.

    With regard to your concerns, I think we can use multiple application hosts for one organization (since 38.0). So if we have a set of container images and an application (zip) someone else creates, can we alternatively configure a new app host for them to use their custom repository name as it is?

    ------------------------------
    Yohji Amano
    ------------------------------



  • 4.  RE: Does App Hosts support public multi-user container registries?

    Posted Fri October 16, 2020 02:18 AM

    Hi Yohji,

    No problem at all - I was in the same situation as you some time ago, so glad if I can help.

    The solution you describe is the way I solved it in my dev environment, one having been set up to my private registry, and another set up as "default" to quay.io (ibmresilient). So when polling apps from the app exchange it goes to the "public" app host and for own development, it goes to the "private" app host.

    My only concern about doing this at large scale is that you suddenly get twice the amount of app hosts to manage in a distributed environment where you might have an app host residing at each site/country for instance, and that seems a bit clunky and overcomplicates things a lot for something that should be meant to make it easier.

    That said, hope that it answers everything you asked for.



    ------------------------------
    Kevin Kragh
    ------------------------------



  • 5.  RE: Does App Hosts support public multi-user container registries?

    Posted Sun October 18, 2020 10:11 PM
    Hi Kevin.

    Thank you for your complete answers. I've got your point.

    ------------------------------
    Yohji Amano
    ------------------------------