Frequently asked questions about Container Registry and Vulnerability Advisor
Frequently asked questions (FAQs) about IBM Cloud® Container Registry and Vulnerability Advisor.
Frequently asked questions about Container Registry
Where is the reference documentation for Container Registry?
The reference documentation for IBM Cloud Container Registry is available in the IBM Cloud docs. For more information, see About Container Registry and IBM Cloud Container Registry CLI.
How do I set up the Container Registry CLI?
To set up the IBM Cloud Container Registry CLI, use the following steps:
- Ensure that the IBM Cloud CLI is installed.
- Install the container-registry CLI plug-in by running the command ibmcloud plugin install container-registry.
- Log in to IBM Cloud with the ibmcloud login command.
- Verify the installation by checking the current version of the container-registry CLI plug-in with the command ibmcloud plugin list.
Now you can use the IBM Cloud Container Registry CLI to manage your registry and its resources for your IBM Cloud account.
For more information, see Setting up the Container Registry CLI and namespace and Getting started with Container Registry.
How do I configure my firewall to allow connections to Container Registry?
You can use a Layer 7 firewall with the domains listed in Accessing Container Registry through a firewall or use a virtual private network (VPN).
How many namespaces can you have?
You can have 100 registry namespaces in each region.
Can I rename a namespace?
You can't rename a namespace (a collection of repositories that store images in a registry; a namespace is associated with an IBM Cloud account, which can include multiple namespaces). If you want to change the name of the namespace, you must create a namespace with the new name and transfer its data. To transfer its data, you can copy the contents of the existing namespace into the namespace that you created.
If you don't want to transfer data manually, you can create a script for this action by using the ibmcloud cr image-tag command. For example, you can use the following script, where <old_namespace> is the existing namespace and <new_namespace> is the namespace that you created:
# List every tagged image in the existing namespace as repository:tag
IMAGES=$(ibmcloud cr images --restrict <old_namespace> --format "{{ .Repository }}:{{ .Tag }}")
for i in $IMAGES ; do
  # Rewrite the first /<old_namespace>/ path segment to the new namespace
  new=$(echo "$i" | sed "s|/<old_namespace>/|/<new_namespace>/|1")
  # Add the new name as an additional reference to the same image
  ibmcloud cr image-tag "$i" "$new"
done
Why don't I have authorization to create a namespace?
You are not authorized to create a namespace in IBM Cloud Container Registry. The error message "You are not authorized to access the specified resource." indicates that you lack the necessary user permissions for working with namespaces.
To add, assign, and remove namespaces, you must have the Manager role in the Container Registry service at the account level. Having the Manager role on one or more resource groups is not sufficient; the Manager role must be at the account level.
For more information, see Why aren't I authorized to access a specified resource in Container Registry? and User permissions for working with namespaces.
How do I list image names?
To list all the images in your IBM Cloud account, you can run the ibmcloud cr images command, which displays all tagged images in your IBM Cloud account with a truncated digest. If you want to list all your images with the complete digest, including untagged images, run the ibmcloud cr image-digests command. The image name is in either the format repository@digest or repository:tag. The values for repository, digest, and tag are returned when you run the commands.
For more information, see ibmcloud cr image-list (ibmcloud cr images) and ibmcloud cr image-digests (ibmcloud cr digests).
How do you list public images?
To list public images, run the following ibmcloud commands to target the global registry and list the public images that are provided by IBM:
ibmcloud cr region-set global
ibmcloud cr images --include-ibm
What tools can I use to build and push images?
You can use Docker and non-Docker tools to build and push images to the registry. You can use non-Docker tools that support the OCI container image format and protocol (an OCI container image is a container image that is compliant with the OCI Image Format Specification). To log in by using other clients, see Accessing your namespaces interactively.
Do images in the trash count toward my quota?
Images that are in the trash don't count toward your quota.
How do I find the image digest?
You can find the long format of the image digest by running one of the following commands. The digest is displayed in the Digest column of the CLI.
When you're using the digest to identify an image, always use the long format.
- Run the ibmcloud cr image-digests command:
  ibmcloud cr image-digests
- Run the ibmcloud cr image-list command:
  ibmcloud cr image-list --no-trunc
  If you run the ibmcloud cr image-list command without the --no-trunc option, you see the truncated format of the digest.
How do I use digests to work with images?
The digest identifies an image by using the sha256 hash of the image manifest.
To find the digests for your images, run the ibmcloud cr image-digests command. You can refer to an image by using a combination of the content of the Repository column (repository) and the Digest column (digest) separated by an at (@) symbol to create the image name in the format repository@digest.
Why can't I push the image into Container Registry?
Pulling or pushing images to Container Registry can fail for various reasons, such as exceeding the image storage or pull traffic quota, or using invalid credentials. To resolve this issue, log in to IBM Cloud and the IBM Cloud Container Registry CLI, review quota limits and usage, and consider upgrading to a standard plan if you are on a free plan.
For more information, see Why can't I push or pull a Docker image when I use Container Registry? for assistance.
How do I list images that are more than a year old?
On Linux® and macOS, if you want to list all images, both tagged and untagged, that were created more than a year ago, you can run the following command:
# Epoch time one year ago (31556952 seconds is one average year)
year=$(($(date +%s) - 31556952))
ibmcloud cr digests --format '{{ if (lt .Created '$year')}}{{.Repository}}@{{.Digest}}{{end}}'
How do you use access control?
You can create IBM Cloud Identity and Access Management (IAM) policies to control access to your namespaces in IBM Cloud Container Registry. For more information, see Granting access to IBM Cloud Container Registry resources tutorial and Managing IAM access for Container Registry.
Do I have any untagged images?
To find out whether you have any untagged images, list your images by running the ibmcloud cr image-digests command. Untagged images have a hyphen (-) in the Tags column.
Do I need untagged images?
If you have active containers that are running untagged images, you must retain the untagged images. If you delete untagged images that are in use, you can cause problems with scaling or automated restarts. Deleting untagged images might cause a problem in the following circumstances:
- The image was deployed by using the digest as the reference. For example, IBM Cloud Code Engine resolves and uses an image digest when it is serving applications; see Deploying app workloads from images in a public registry.
- The image reference was mutated by a webhook service, such as Portieris.
What are eligible images?
If you're cleaning up images by using retention policies, only eligible images are cleaned up. The following images are always retained and are therefore not eligible: Cloud Native Buildpacks and Google distroless images that have the build date set to a specific constant rather than the real build time, or that have no build timestamp at all, and manifest lists.
The images that are not eligible are still displayed, but they do not count toward the total number of images that is set in the retention policy and are not removed.
Images created before 2013-01-19T00:13:39Z are excluded from retention policy evaluation.
For more information, see Planning retention.
What regions are available?
To find out more about the regions that are available for IBM Cloud Container Registry, see Regions.
How do I get the docker pull command to return the most recent version?
To find the most recent image, run the ibmcloud cr image-list command rather than the docker pull command. To make it easier to find the most recent image, define a different sequential tag for your images every time, and do not rely on the latest tag.
For more information, see Why can't I pull the newest image by using the latest tag in Container Registry? for assistance.
Why do my pods fail with an ImagePullBackOff error?
Your cluster uses an API key that is stored in an image pull secret to authorize the cluster to pull images from IBM Cloud Container Registry, or the image with the specific tag does not exist in the repository. To fix it, make sure that you're using the correct name and tag for the image, that you have enough pull traffic and storage quota, and that you have an image pull secret in your namespace.
For more information, see Why do images fail to pull from registry with ImagePullBackOff or authorization errors? for assistance.
Why am I getting an exceeded quota error?
You exceeded your image storage or pull traffic quota for the current month. This means that you used more quota than your account allows for the month. To resolve this issue, you can either review your quota limits and increase them as necessary or, if you're on the lite plan, upgrade to the standard plan.
For more information, see Why am I getting errors about my quota in Container Registry? and Staying within quota limits.
Frequently asked questions about Vulnerability Advisor
How do I manage vulnerabilities?
You can use Vulnerability Advisor to manage image security and vulnerabilities.
For more information, see Managing image security with Vulnerability Advisor.
How much does Vulnerability Advisor cost?
The cost of Vulnerability Advisor is built into the pricing for IBM Cloud Container Registry. For more information, see Billing for storage and pull traffic.
Can images from other registries be scanned by Vulnerability Advisor?
Vulnerability Advisor scans images from IBM Cloud Container Registry only.
How is a Vulnerability Advisor scan triggered?
For more information about how the scanning of an image is triggered, see Vulnerable packages.
Why doesn't my image scan in Vulnerability Advisor v4?
If your image isn't being scanned, check that it has a tag. In Vulnerability Advisor version 4, images are scanned only if they have a tag.
Why doesn't a new image scan in Vulnerability Advisor?
If you get the vulnerability report immediately after you add the image to the registry (a storage and distribution service that contains public or private images that are used to create containers), you might receive the following error:
BXNVA0009E: <imagename> has not been scanned. Try again later.
If this issue persists, contact support for help;
see https://cloud.ibm.com/docs/get-support?topic=get-support-getting-customer-support#getting-customer-support
You receive this message because the images are scanned asynchronously to the requests for results, and the scanning process takes a while to complete. During normal operation, the scan completes within the first few minutes after you add the image to the registry. The time that it takes to complete depends on variables like the proportions of the image and the amount of traffic that the registry is receiving.
If you get this message as part of a build pipeline and you see this error regularly, try adding some retry logic that contains a short pause.
If you still see unacceptable performance, contact support; see Getting help and support for Container Registry.
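The retry logic suggested above for build pipelines, as an added example that is not part of the IBM documentation: it re-requests the report while the output contains BXNVA0009E, pauses between attempts, and fails the step if the image is still unscanned so that a missing report is never treated as a clean one. The function name, the VA_CMD override, the default attempt count and pause, and exit status 75 are assumptions of this example; ibmcloud cr va is the CLI command that requests the report.

```shell
#!/usr/bin/env bash
# Added example: bounded retry around the Vulnerability Advisor report request.
# VA_CMD is an assumption of this example so the command can be stubbed in tests;
# by default it runs the real CLI command.
VA_CMD=${VA_CMD:-"ibmcloud cr va"}

# va_report_with_retry IMAGE [MAX_ATTEMPTS] [PAUSE_SECONDS]
# Prints the report and returns the CLI's own exit status once a report exists.
# Returns 75 (chosen by this example) if the image is still unscanned after
# MAX_ATTEMPTS, so the pipeline fails closed instead of passing without a report.
va_report_with_retry() {
  local image=$1 max=${2:-6} pause=${3:-20}
  local attempt=1 out rc
  while [ "$attempt" -le "$max" ]; do
    # Capture stdout and stderr; keep the exit status without tripping "set -e".
    out=$($VA_CMD "$image" 2>&1) && rc=0 || rc=$?
    case $out in
      *BXNVA0009E*)
        # The scan runs asynchronously: wait a short time and ask again.
        echo "attempt $attempt/$max: $image has not been scanned yet" >&2
        if [ "$attempt" -lt "$max" ]; then
          sleep "$pause"
        fi
        ;;
      *)
        # Any other answer (a report or a different error) is final.
        printf '%s\n' "$out"
        return "$rc"
        ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "giving up: no scan result for $image after $max attempts" >&2
  return 75
}
```

In a pipeline step, call it as va_report_with_retry "<registry>/<namespace>/<repository>:<tag>" and treat any nonzero status as a failed gate.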
How often are the security notices updated in Vulnerability Advisor?
Security notices for Vulnerability Advisor are loaded from the vendors' operating system sites approximately every 12 hours.
Which version of a package is installed in my image?
To determine the version of a package that is installed in your image, use the relevant package manager command for your operating system.
Alpine package manager commands
On Alpine, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.
- To list the metadata for a specific installed package, run the following command:
  apk info <package_name>
- To list all installed packages and their versions, run the following command:
  apk list --installed
Debian and Ubuntu package manager commands
On Debian and Ubuntu, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
  apt show <package_name>
  dpkg-query -l <package_name>
- To list all installed packages and their versions, run either of the following commands:
  apt list --installed
  dpkg-query -W
Red Hat and CentOS package manager commands
On Red Hat® OpenShift® and CentOS, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.
- To list the metadata for a specific installed package, run either of the following commands:
  rpm -qi <package_name>
  yum info <package_name>
- To list all installed packages and their versions, run either of the following commands:
  rpm -qa
  yum list installed
Does Vulnerability Advisor have versions?
Vulnerability Advisor version 4 is the only version available. For more information, see Managing image security with Vulnerability Advisor.
Vulnerability Advisor version 3 is discontinued from 13 November 2023. For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.