Docker Registry Sync Application

Hi,

I have a question about the Registry Sync Application. The documentation states

During the first run, the application will fingerprint all tagged images from a connected registry, no matter if it is associated with a running container or not.
Recurring scans run every hour by default, unless you set a different time. Only new fingerprints are sent to InsightVM.

Can someone clarify what that means?

My original impression was that this meant that the registry sync application would only pull and process an image if the image has not already been pulled and processed. However, the behavior I’m seeing is that the registry sync app will pull and process every single tag for a given repository, regardless of whether or not it’s already been scanned and assessed in InsightVM. Can someone please clarify what the actual behavior is supposed to be?

For us, it’s very inefficient for the scanner to “re-scan” every single tag in a repository. Ideally, it should check the InsightVM API first and only pull images when we don’t already have valid assessments for them.

Thanks

Also, I don’t believe that this statement is true at all

Only new fingerprints are sent to InsightVM.

I have tested locally and can demonstrate that the registry sync service uploads image metadata to InsightVM every time it scans an image, even if it’s already been assessed.

version: "3.7"
services:
  registry-sync-app:
    image: rapid7/container-registry-sync-app
    environment:
      - INSIGHTVM_KEY=foo
      - INSIGHTVM_REGION=us
      - REGISTRY_NAME=test
      - REGISTRY_URL=http://reg:5000
    ports:
      - 8080:8080
  reg:
    image: registry:2
    ports:
      - 5000:5000

Then

docker-compose up -d
docker pull alpine
docker tag alpine localhost:5000/alpine
docker push localhost:5000/alpine

# process the image
curl -XPOST localhost:8080/sync/repo/alpine
# process the image again
curl -XPOST localhost:8080/sync/repo/alpine

If you observe the “last sync” time in the InsightVM GUI for that image, you’ll see that the image is synced each time the registry sync app processes it. Additionally, the registry sync app does not reuse layers between syncs, as the documentation also states it does.

So the bugs I believe I’m seeing here are:

  • The registry sync app pulls and ships Docker image metadata to InsightVM, even if it’s already been synced
  • The registry sync app does not reuse layers between syncs
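As an added illustration of the behaviour the post asks for (this is example code, not part of the original post and not Rapid7's code), the script below wraps the sync app's POST /sync/repo/<repo> endpoint shown above so that a repository is only handed to the sync app when the registry holds a manifest digest that has not been synced before. It queries the registry with the standard Docker Registry HTTP API v2 calls (GET /v2/<name>/tags/list and HEAD /v2/<name>/manifests/<tag>, which returns the digest in the Docker-Content-Digest header) and keeps the "already synced" set in a local JSON file; that file stands in for the InsightVM-side check the post wants, since the InsightVM API is not shown on the page. The registry and sync app URLs are assumed to match the compose file above. Deduplicating on the digest rather than the tag matters because tags are mutable: a tag moved to a new image is re-synced, while several tags pointing at one already-synced image are skipped.

```python
"""Digest-keyed wrapper around the registry sync app (added example, not Rapid7 code)."""
import json
import urllib.request
from pathlib import Path
from typing import Dict, Iterable, List, Set

REGISTRY_URL = "http://localhost:5000"  # assumed: the "reg" service from the compose file
SYNC_APP_URL = "http://localhost:8080"  # assumed: the sync app from the compose file
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def list_tags(repo: str) -> List[str]:
    """Docker Registry HTTP API v2: GET /v2/<name>/tags/list."""
    with urllib.request.urlopen(f"{REGISTRY_URL}/v2/{repo}/tags/list") as resp:
        return json.load(resp).get("tags") or []


def tag_digest(repo: str, tag: str) -> str:
    """HEAD /v2/<name>/manifests/<tag>: the registry answers with the manifest
    digest in the Docker-Content-Digest header, so no manifest body is pulled."""
    req = urllib.request.Request(
        f"{REGISTRY_URL}/v2/{repo}/manifests/{tag}",
        method="HEAD",
        headers={"Accept": MANIFEST_V2},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Docker-Content-Digest"]


def new_digests(tags_to_digest: Dict[str, str], synced: Set[str]) -> Dict[str, List[str]]:
    """Group the tags whose manifest digest is not in `synced`, keyed by digest.

    Keying on the digest means a tag that was re-pointed at a new image is
    picked up again, while several tags on one already-synced image are free.
    """
    pending: Dict[str, List[str]] = {}
    for tag, digest in sorted(tags_to_digest.items()):
        if digest not in synced:
            pending.setdefault(digest, []).append(tag)
    return pending


def mark_synced(state: Dict[str, List[str]], repo: str, digests: Iterable[str]) -> Dict[str, List[str]]:
    """Return a copy of `state` with `digests` recorded as synced for `repo`."""
    updated = {k: list(v) for k, v in state.items()}
    updated[repo] = sorted(set(updated.get(repo, [])) | set(digests))
    return updated


def load_state(path: Path) -> Dict[str, List[str]]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(path: Path, state: Dict[str, List[str]]) -> None:
    path.write_text(json.dumps(state, indent=2, sort_keys=True))


def sync_repo(repo: str, state_path: Path = Path("synced-digests.json")) -> List[str]:
    """POST /sync/repo/<repo> only if the registry holds a digest not yet synced.

    Returns the digests newly recorded as synced (empty when nothing was sent).
    The sync app itself still processes every tag in the repo; this wrapper only
    avoids triggering it when nothing has changed since the last run.
    """
    state = load_state(state_path)
    synced = set(state.get(repo, []))
    tags_to_digest = {tag: tag_digest(repo, tag) for tag in list_tags(repo)}
    pending = new_digests(tags_to_digest, synced)
    if not pending:
        return []
    req = urllib.request.Request(f"{SYNC_APP_URL}/sync/repo/{repo}", method="POST")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        resp.read()
    save_state(state_path, mark_synced(state, repo, pending))
    return sorted(pending)


if __name__ == "__main__":
    # Constructed sample data, no registry is contacted: two tags share one
    # digest, one digest was synced earlier, and "edge" is a new image.
    constructed = {
        "3.17": "sha256:1111",
        "3.18": "sha256:2222",
        "latest": "sha256:2222",
        "edge": "sha256:3333",
    }
    previously_synced = {"sha256:1111"}
    for digest, tags in new_digests(constructed, previously_synced).items():
        print(f"would sync {digest} (tags: {', '.join(tags)})")
```

Run `sync_repo("alpine")` from cron in place of the hourly schedule and point the sync app's recurring scan off, or use it as a pre-check before the manual POST shown in the post; the state file should live somewhere the wrapper can write to but the sync app cannot, so a bug on the sync side cannot silently clear it.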

Hello @alex_baluha I’m currently looking into this, please give me some time to get more details.

Update
I discussed this with our development team and this is a valid complaint. I’ve created an issue and we’re working on getting this resolved. Thank you for bringing this to our attention.