Using the Analysis Archive
As mentioned in concepts, there are two locations for image analysis to be stored:
- The working set: the standard state after analysis completes. In this location, the image is fully loaded and available for policy evaluation, content, and vulnerability queries.
- The archive set: a location for image analysis data that cannot be used for policy evaluation or queries, but that can use cheaper storage and less database space and can be reloaded into the working set as needed.
Working with the Analysis Archive
List archived images:
root@37a8b1e75d0a:~# anchore-cli analysis-archive images list
Digest Tags Analyzed At Archived At Status Archive Size Bytes
sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907 docker.io/alpine:latest 2019-04-16T22:56:14Z 2019-04-19T18:17:05Z archived 84785
To add an image to the archive, use the digest. All analysis, policy evaluations, and tags will be added to the archive. NOTE: this does not remove it from the working set. To fully move it, you must first archive it and then delete the image from the working set using the CLI/API.
Archiving Images
Archiving an image analysis creates a snapshot of the image's analysis data, policy evaluation history, and tags, and stores it in a different storage location and a different record location than working set images.
root@37a8b1e75d0a:~# anchore-cli image list
Full Tag Image Digest Analysis Status
docker.io/alpine:3.4 sha256:0325f4ff0aa8c89a27d1dbe10b29a71a8d4c1a42719a4170e0552a312e22fe88 analyzed
docker.io/alpine:3.5 sha256:f7d2b5725685826823bc6b154c0de02832e5e6daf7dc25a00ab00f1158fabfc8 analyzed
docker.io/alpine:3.7 sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b analyzed
docker.io/alpine:3.8 sha256:899a03e9816e5283edba63d71ea528cd83576b28a7586cf617ce78af5526f209 analyzed
docker.io/alpine:latest sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907 analyzed
root@37a8b1e75d0a:~# anchore-cli analysis-archive images add sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
Image Digest Archive Status Details
sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b archived Completed successfully
Then, optionally, delete it from the working set:
NOTE: You may need to use --force if the image is the newest of its tags and has active subscriptions.
root@37a8b1e75d0a:~# anchore-cli image del sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
At this point the image is in the archive only.
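The archive-then-delete sequence above, as an added example (not part of the original page or of anchore-cli) that deletes from the working set only after the archive listing confirms the entry, so analysis data and policy evaluation history are never removed without an archived copy. The ANCHORE_CLI variable and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: move an image analysis to the archive, then delete it from
# the working set only once the archive entry is confirmed.
# ANCHORE_CLI is an assumed override variable, not an anchore-cli feature.
ANCHORE_CLI="${ANCHORE_CLI:-anchore-cli}"

# Accept only a full sha256 digest so a tag or a typo never reaches "image del".
is_digest() {
    case "$1" in
        sha256:*) hex=${1#sha256:} ;;
        *) return 1 ;;
    esac
    [ "${#hex}" -eq 64 ] || return 1
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# True when the digest has a row in the archive listing whose status field
# is exactly "archived" (any other status does not count).
in_archive() {
    "$ANCHORE_CLI" analysis-archive images list |
        awk -v d="$1" '$1 == d { for (i = 2; i <= NF; i++) if ($i == "archived") ok = 1 }
                       END { exit !ok }'
}

# Return codes: 2 bad digest, 3 archive add failed, 4 archive entry not
# confirmed, 5 delete failed (for example when --force would be required).
move_to_archive() {
    digest=$1
    is_digest "$digest" || { echo "not a sha256 digest: $digest" >&2; return 2; }
    "$ANCHORE_CLI" analysis-archive images add "$digest" >/dev/null || return 3
    in_archive "$digest" || {
        echo "archive entry not confirmed; working set left untouched" >&2
        return 4
    }
    # --force is deliberately not passed: removing an image that still has
    # active subscriptions should be an explicit operator decision.
    "$ANCHORE_CLI" image del "$digest" || return 5
}

# Usage: move_to_archive sha256:<64 hex characters>
```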
Restoring images from the archive into the working set
Restoring does not delete the archive entry; it only adds the image back to the working set. Restore an image to the working set from the archive:
root@37a8b1e75d0a:~# anchore-cli analysis-archive images restore sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
Image Digest: sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
Parent Digest: sha256:fea30b82fd63049b797ab37f13bf9772b59c15a36b1eec6b031b6e483fd7f252
Analysis Status: analyzed
Image Type: docker
Image ID: 6d1ef012b5674ad8a127ecfa9b5e6f5178d171b90ee462846974177fd9bdd39f
Dockerfile Mode: Guessed
Distro: alpine
Distro Version: 3.7.3
Size: 4464640
Architecture: amd64
Layer Count: 1
Full Tag: docker.io/alpine:3.7
To view the restored image:
root@37a8b1e75d0a:~# anchore-cli image get sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
Image Digest: sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b
Parent Digest: sha256:fea30b82fd63049b797ab37f13bf9772b59c15a36b1eec6b031b6e483fd7f252
Analysis Status: analyzed
Image Type: docker
Image ID: 6d1ef012b5674ad8a127ecfa9b5e6f5178d171b90ee462846974177fd9bdd39f
Dockerfile Mode: Guessed
Distro: alpine
Distro Version: 3.7.3
Size: 4464640
Architecture: amd64
Layer Count: 1
Full Tag: docker.io/alpine:3.7
Working with Archive rules
As with all CLI commands, the --help option will show the arguments, options and descriptions of valid values.
List existing rules:
anchore-cli analysis-archive rules list
Rule Id Global Analysis Age (Days) Tag Versions Newer Registry Repository Tag Last Updated
134d7f8b36e44c1893d98bc9ee50d9c6 False 1 0 * * * 2019-04-30T22:40:30Z
Add a rule:
root@37a8b1e75d0a:~# anchore-cli analysis-archive rules add 90 1 archive --registry-selector docker.io --repository-selector "library/*" --tag-selector latest
Rule Id Global Analysis Age (Days) Tag Versions Newer Registry Repository Tag Last Updated
4ce89022ceea48f697410cb651c090bd False 90 1 docker.io library/* latest 2019-04-30T23:35:57Z
The required parameters are: minimum age of analysis in days, number of tag versions newer, and the transition to use.
There is also an optional --is-global flag available for admin account users that makes the rule apply to all accounts in the system.
As a non-admin user you can see global rules, but you cannot update or delete them (you will get a 404):
:~# anchore-cli --u test1 --p password analysis-archive rules list
Rule Id Global Analysis Age (Days) Tag Versions Newer Registry Repository Tag Last Updated
01a97699ed4b40cdb256e58a03d9cef2 True 90 1 docker.io library/* latest 2019-04-30T23:39:33Z
root@37a8b1e75d0a:~# anchore-cli --u test1 --p password analysis-archive rules del 01a97699ed4b40cdb256e58a03d9cef2
Error: Rule not found
HTTP Code: 404
Detail: {'error_codes': []}
root@37a8b1e75d0a:~# anchore-cli --u test1 --p password analysis-archive rules get 01a97699ed4b40cdb256e58a03d9cef2
Rule Id Global Analysis Age (Days) Tag Versions Newer Registry Repository Tag Last Updated
01a97699ed4b40cdb256e58a03d9cef2 True 90 1 docker.io library/* latest 2019-04-30T23:39:33Z
Delete a rule:
root@37a8b1e75d0a:~# anchore-cli analysis-archive rules del 134d7f8b36e44c1893d98bc9ee50d9c6
Success