When a vendor provides a tar file that saves a Linux container image to a customer, for example, if the base image is Ubuntu, GPL is applied, so the problem is that GPL is applied as a whole. Until now, it seems that the industry has been closing the eyes, but since the middle of 2020, serious discussions have begun. If it is based on RHEL UBI, it may be possible to kill it with Red Hat's special theory and friend pressure.
This may be a bit important when considering how CI/CD and Toolchain work, that is, it is likely that GPL will be applied to even build the container image within the vendor and provide the docker save file to the customer. , If you build the Docker image in the customer environment and pull it each time to use it ** only **, the GPL application requirement (obligation to disclose the source code to the requester) will be unnecessary. Of course, the development code itself is based on the assumption that there is no copy/paste from the GPL source. After that, if the customer hands over the development image registered in the public registry such as Docker hub in the form of pulling, there is no obligation to disclose the source code here either (the base image part to which GPL is applied is individual as a separate layer / binary) Since it is downloaded to, the vendor does not provide the base image part). That is my perception.
As soon as I knew that there was a tool called tern. tern is a tool that identifies usage licenses at all layers including the base image that exists in the container image, and what is the Linux Foundation's heart? (?) https://www.linuxfoundation.org/blog/tern-1-0-0-is-generally-available/
If there is such a tool, you will want to wash out all the licenses of the container image in the private registry and see it.
The environment is Ubuntu 18.04. OK with Lightsail's $ 3.5 machine.
$ sudo -i
# apt-get update
# apt-get install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io
# docker run -d -p 5000:5000 --restart always --name registry registry:2
# docker pull ubuntu
# docker tag ubuntu localhost:5000/ubuntu
# docker push localhost:5000/ubuntu
# docker rmi ubuntu localhost:5000/ubuntu
# docker pull centos
# docker tag centos localhost:5000/centos
# docker push localhost:5000/centos
# docker rmi centos localhost:5000/centos
# docker pull busybox:1.23.2
# docker tag busybox:1.23.2 localhost:5000/busybox:1.23.2
# docker push localhost:5000/busybox:1.23.2
# docker rmi busybox:1.23.2 localhost:5000/busybox:1.23.2
# docker login registry.redhat.io
→ Enter your Red Hat account
# docker pull registry.redhat.io/ubi8/ubi
# docker tag registry.redhat.io/ubi8/ubi localhost:5000/ubi
# docker push localhost:5000/ubi
# docker rmi registry.redhat.io/ubi8/ubi localhost:5000/ubi
(Verification)
ubuntu@ip-172-26-2-169:~$ curl localhost:5000/v2/_catalog
{"repositories":["busybox","centos","ubuntu"]}
ubuntu@ip-172-26-2-169:~$ curl -s http://localhost:5000/v2/busybox/tags/list
{"name":"busybox","tags":["1.23.2"]}
# sudo apt-get install attr
# sudo apt-get install python3-pip
# pip3 install tern
# mkdir reports
# cd reports
make-reports.py
import urllib.request
import json
import os
protocol = "http"
registry = "localhost:5000"
req = urllib.request.Request(protocol + "://" + registry + "/v2/_catalog")
with urllib.request.urlopen(req) as res:
repos = json.loads(res.read())
for repo in repos["repositories"]:
req2 = urllib.request.Request(protocol + "://" + registry + "/v2/" + repo + "/tags/list")
with urllib.request.urlopen(req2) as res2:
tags = json.loads(res2.read())
for tag in tags["tags"]:
os.system("tern report -i " + registry + "/" + repo + ":" + tag + " -o " + repo + ":" + tag + ".txt")
os.system("docker rmi " + registry + "/" + repo + ":" + tag)
# python3 make-reports.py
(Check file)
root@ip-172-26-2-169:~/reports# ls -l
total 28
-rw-r--r-- 1 root root 5798 Jan 2 19:45 centos:latest.txt
-rw-r--r-- 1 root root 666 Jan 2 19:33 make-reports.py
-rw-r--r-- 1 root root 7095 Jan 2 19:47 tern.log
-rw-r--r-- 1 root root 7129 Jan 2 19:47 ubuntu:latest.txt
By the way, what is the content of the essential file? ..
centos:latest.txt
This report was generated by the Tern Project
Version: 2.3.0
Docker image: localhost:5000/centos:latest:
Layer 1:
File licenses found in Layer: None
Packages found in Layer: crypto-policies-20200713, python3-pip-wheel-9.0.3, ncurses-base-6.1, dnf-data-4.2.23, dbus-common-1.12.8, centos-linux-release-8.3, setup-2.12.2, basesystem-11, libselinux-2.9, glibc-minimal-langpack-2.28, glibc-2.28, libsepol-2.9, xz-libs-5.2.4, libcap-2.26, info-6.5, libcom_err-1.45.6, libxml2-2.9.7, expat-2.2.5, libuuid-2.32.1, chkconfig-1.13, gmp-6.1.2, libattr-2.4.48, coreutils-single-8.30, sed-4.5, libcap-ng-0.7.9, libffi-3.1, libzstd-1.4.4, lz4-libs-1.8.3, libgcrypt-1.8.5, gzip-1.9, libunistring-0.9.9, libassuan-2.5.1, keyutils-libs-1.5.10, p11-kit-trust-0.23.14, pcre-8.42, systemd-libs-239, dbus-tools-1.12.8, libusbx-1.0.23, ca-certificates-2020.2.41, libdb-5.3.28, ima-evm-utils-1.1, libdb-utils-5.3.28, xz-5.2.4, gdbm-1.18, shadow-utils-4.6, libutempter-1.1.6, acl-2.2.53, nettle-3.4.1, glib2-2.56.4, libcomps-0.1.11, findutils-4.6.0, cpio-2.12, ipcalc-0.2.4, iproute-5.3.0, libpcap-1.9.1, libseccomp-2.4.3, gawk-4.2.1, krb5-libs-1.18.2, libnsl2-1.2.0, platform-python-3.6.8, libpwquality-1.4.0, util-linux-2.32.1, curl-7.61.1, rpm-libs-4.14.3, device-mapper-1.02.171, cryptsetup-libs-2.3.3, elfutils-libs-0.180, systemd-239, iputils-20180629, libkcapi-hmaccalc-1.2.0, dracut-049, python3-libcomps-0.1.11, dhcp-client-4.3.6, cyrus-sasl-lib-2.1.27, libyaml-0.1.7, npth-1.5, gpgme-1.13.1, libdnf-0.48.0, python3-hawkey-0.48.0, rpm-build-libs-4.14.3, python3-dnf-4.2.23, yum-4.2.23, binutils-2.30, vim-minimal-8.0.1763, less-530, rootfiles-8.1, libgcc-8.3.1, python3-setuptools-wheel-39.2.0, tzdata-2020d, libreport-filesystem-2.9.5, dhcp-common-4.3.6, centos-gpg-keys-8, centos-linux-repos-8, filesystem-3.8, pcre2-10.32, ncurses-libs-6.1, glibc-common-2.28, bash-4.4.19, zlib-1.2.11, bzip2-libs-1.0.6, libgpg-error-1.31, elfutils-libelf-0.180, libxcrypt-4.1.1, sqlite-libs-3.26.0, libstdc++-8.3.1, popt-1.16, readline-7.0, json-c-0.13.1, libacl-2.2.53, libblkid-2.32.1, libmount-2.32.1, audit-libs-3.0, libsmartcols-2.32.1, lua-libs-5.3.4, p11-kit-0.23.14, file-libs-5.33, cracklib-2.9.6, libidn2-2.2.0, gdbm-libs-1.18, libtasn1-4.13, lzo-2.08, grep-3.1, dbus-libs-1.12.8, dhcp-libs-4.3.6, procps-ng-3.3.15, openssl-libs-1.1.1g, kmod-libs-25, kmod-25, libarchive-3.3.2, squashfs-tools-4.3, libsemanage-2.9, dbus-daemon-1.12.8, libfdisk-2.32.1, mpfr-3.1.6, gnutls-3.6.14, snappy-1.1.8, libmetalink-0.1.3, libksba-1.3.5, ethtool-5.0, libmnl-1.0.4, libnghttp2-1.33.0, iptables-libs-1.8.4, libsigsegv-2.11, libverto-0.3.0, libtirpc-1.1.4, platform-python-setuptools-39.2.0, python3-libs-3.6.8, pam-1.3.1, libcurl-minimal-7.61.1, rpm-4.14.3, libsolv-0.7.11, device-mapper-libs-1.02.171, elfutils-default-yama-scope-0.180, systemd-pam-239, dbus-1.12.8, libkcapi-1.2.0, systemd-udev-239, dracut-squash-049, bind-export-libs-9.11.20, dracut-network-049, openldap-2.4.46, libmodulemd-2.9.4, gnupg2-2.2.20, librepo-1.12.0, python3-libdnf-0.48.0, python3-gpg-1.13.1, python3-rpm-4.14.3, dnf-4.2.23, kexec-tools-2.0.20, tar-1.30, hostname-3.20, langpacks-en-1.0
Licenses found in Layer: LGPLv2+, MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD), MIT, GPLv2+ and GPLv2 and GPL, (GPLv2+ or AFL) and GPLv2+, GPLv2, Public Domain, LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL, GPLv3+, BSD, LGPLv3+ or GPLv2+, BSD and GPLv2, GPLv2+ and BSD, GPLv3+ and GFDL, GPLv2+ or LGPLv3+, LGPLv2+ and GPLv3+, GPLv2+ and LGPLv2+, LGPLv2+ and MIT, BSD and LGPLv2 and Sleepycat, GPLv2+ and Public Domain, BSD and GPLv2+, GPLv2+, BSD with advertising, LGPLv2, GPLv3+ and GPLv2+ and LGPLv2+ and BSD, BSD and LGPLv2+, Python, BSD or GPLv2+, GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain, GPLv2+ and LGPLv2+ with exceptions, LGPLv2+ and MIT and GPLv2+, BSD or GPLv2, ISC, Vim and MIT, GPLv3+ or BSD, GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD, zlib and Boost, LGPLv2+ and BSD and Public Domain, (GPLv2+ or LGPLv3+) and GPLv3+, GPLv3+ and LGPLv2+, GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+, OpenSSL and ASL 2.0, LGPLv3+ and GPLv3+ and GFDL, (LGPLv3+ or GPLv2+) and GPLv3+, GPLv2 and Artistic 2.0 and ISC, SISSL and BSD, MPLv2.0, OpenLDAP
------------------------------------------------
###########################################
# Summary of licenses found in Container: #
###########################################
GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+, LGPLv3+ or GPLv2+, OpenLDAP, GPLv2+ and BSD, Python, MIT, (LGPLv3+ or GPLv2+) and GPLv3+, GPLv2, MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD), GPLv2+ and Public Domain, LGPLv2+ and BSD and Public Domain, GPLv3+ and GFDL, GPLv3+ and LGPLv2+, GPLv3+, BSD, BSD with advertising, GPLv2 and Artistic 2.0 and ISC, zlib and Boost, ISC, LGPLv2+ and GPLv3+, GPLv2+, BSD and GPLv2, GPLv2+ and LGPLv2+, LGPLv2+ and MIT, GPLv3+ and GPLv2+ and LGPLv2+ and BSD, GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD, LGPLv2+, LGPLv2+ and MIT and GPLv2+, LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL, LGPLv3+ and GPLv3+ and GFDL, SISSL and BSD, LGPLv2, GPLv2+ and GPLv2 and GPL, BSD or GPLv2, BSD and LGPLv2+, GPLv2+ or LGPLv3+, Vim and MIT, GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain, OpenSSL and ASL 2.0, (GPLv2+ or AFL) and GPLv2+, BSD and GPLv2+, BSD and LGPLv2 and Sleepycat, BSD or GPLv2+, GPLv2+ and LGPLv2+ with exceptions, (GPLv2+ or LGPLv3+) and GPLv3+, MPLv2.0, Public Domain, GPLv3+ or BSD
ubuntu:latest.txt
This report was generated by the Tern Project
Version: 2.3.0
Docker image: localhost:5000/ubuntu:latest:
Layer 1:
File licenses found in Layer: None
Packages found in Layer: adduser-3.118ubuntu2, apt-2.0.2ubuntu0.1, base-files-11ubuntu5.2, base-passwd-3.5.47, bash-5.0-6ubuntu1.1, bsdutils-1:2.34-0.1ubuntu9.1, bzip2-1.0.8-2, coreutils-8.30-3ubuntu2, dash-0.5.10.2-6, debconf-1.5.73, debianutils-4.9.1, diffutils-1:3.7-3, dpkg-1.19.7ubuntu3, e2fsprogs-1.45.5-2ubuntu1, fdisk-2.34-0.1ubuntu9.1, findutils-4.7.0-1ubuntu1, gcc-10-base-10.2.0-5ubuntu1~20.04, gpgv-2.2.19-3ubuntu2, grep-3.4-1, gzip-1.10-0ubuntu4, hostname-3.23, init-system-helpers-1.57, libacl1-2.2.53-6, libapt-pkg6.0-2.0.2ubuntu0.1, libattr1-1:2.4.48-5, libaudit-common-1:2.8.5-2ubuntu6, libaudit1-1:2.8.5-2ubuntu6, libblkid1-2.34-0.1ubuntu9.1, libbz2-1.0-1.0.8-2, libc-bin-2.31-0ubuntu9.1, libc6-2.31-0ubuntu9.1, libcap-ng0-0.7.9-2.1build1, libcom-err2-1.45.5-2ubuntu1, libcrypt1-1:4.4.10-10ubuntu4, libdb5.3-5.3.28+dfsg1-0.6ubuntu2, libdebconfclient0-0.251ubuntu1, libext2fs2-1.45.5-2ubuntu1, libfdisk1-2.34-0.1ubuntu9.1, libffi7-3.3-4, libgcc-s1-10.2.0-5ubuntu1~20.04, libgcrypt20-1.8.5-5ubuntu1, libgmp10-2:6.2.0+dfsg-4, libgnutls30-3.6.13-2ubuntu1.3, libgpg-error0-1.37-1, libhogweed5-3.5.1+really3.5.1-2, libidn2-0-2.2.0-2, liblz4-1-1.9.2-2, liblzma5-5.2.4-1ubuntu1, libmount1-2.34-0.1ubuntu9.1, libncurses6-6.2-0ubuntu2, libncursesw6-6.2-0ubuntu2, libnettle7-3.5.1+really3.5.1-2, libp11-kit0-0.23.20-1build1, libpam-modules-1.3.1-5ubuntu4.1, libpam-modules-bin-1.3.1-5ubuntu4.1, libpam-runtime-1.3.1-5ubuntu4.1, libpam0g-1.3.1-5ubuntu4.1, libpcre2-8-0-10.34-7, libpcre3-2:8.39-12build1, libprocps8-2:3.3.16-1ubuntu2, libseccomp2-2.4.3-1ubuntu3.20.04.3, libselinux1-3.0-1build2, libsemanage-common-3.0-1build2, libsemanage1-3.0-1build2, libsepol1-3.0-1, libsmartcols1-2.34-0.1ubuntu9.1, libss2-1.45.5-2ubuntu1, libstdc++6-10.2.0-5ubuntu1~20.04, libsystemd0-245.4-4ubuntu3.3, libtasn1-6-4.16.0-2, libtinfo6-6.2-0ubuntu2, libudev1-245.4-4ubuntu3.3, libunistring2-0.9.10-2, libuuid1-2.34-0.1ubuntu9.1, libzstd1-1.4.4+dfsg-3, login-1:4.8.1-1ubuntu5.20.04, logsave-1.45.5-2ubuntu1, lsb-base-11.1.0ubuntu2, mawk-1.3.4.20200120-2, mount-2.34-0.1ubuntu9.1, ncurses-base-6.2-0ubuntu2, ncurses-bin-6.2-0ubuntu2, passwd-1:4.8.1-1ubuntu5.20.04, perl-base-5.30.0-9ubuntu0.2, procps-2:3.3.16-1ubuntu2, sed-4.7-1, sensible-utils-0.0.12+nmu1, sysvinit-utils-2.96-2.1ubuntu1, tar-1.30+dfsg-7, ubuntu-keyring-2020.02.11.2, util-linux-2.34-0.1ubuntu9.1, zlib1g-1:1.2.11.dfsg-2ubuntu1.2
Licenses found in Layer: GPLv2+, PD, GPL-2, public-domain, LGPL-2.1+, BSD-2-clause, GPL-2+, LGPL, LGPL-2+, LGPL-3+, GPL-3+, BSD-4-clause, BSD-3-clause, MIT, BSD-variant, public-domain-s-s-d, public-domain-md5, GPL-3+ or BSD-3-clause, CC0-1.0, Expat, permissive, TinySCHEME, RFC-Reference, LGPL-2.1, LGPLv3+_or_GPLv2+, GPLv3+, Public domain., LGPLv2.1+, Apache-2.0, LGPL-2.1+ or BSD-3-clause, g10-permissive, GPL-2+ with Autoconf exception, GAP, other, LGPL-3+ or GPL-2+, Unicode, permissive-nowarranty, config-h, probably-PD, Autoconf, PD-debian, noderivs, none, permissive-fsf, permissive-like-automake-output, ISC, BSD-3-Clause, same-as-rest-of-p11kit, GPL-2.0+, LGPL-2.0+, GPL-2 with Linux-syscall-note exception, GPL-3+ or GFDL-1.2+, GPL-2+ with distribution exception, GFDL-1.2+, FreeSoftware, BSD-3-clause and GPL-2, zlib, REGCOMP, and GPL-1+ or Artistic, BSD-4-clause-POWERDOG, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, GPL-1+, Artistic or GPL-1+ or Artistic-dist, DONT-CHANGE-THE-GPL, GPL-1+ or Artistic, and Unicode, REGCOMP, GPL-3+-WITH-BISON-EXCEPTION, BSD-3-clause-GENERIC, HSIEH-DERIVATIVE, GPL-2+ or Artistic, GPL-1+ or Artistic, TEXT-TABS, GPL-1+ or Artistic or Artistic-dist, BSD-3-clause-with-weird-numbering, Expat or GPL-1+ or Artistic, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, ZLIB, SDBM-PUBLIC-DOMAIN, RRA-KEEP-THIS-NOTICE, BZIP, Artistic-2, Artistic, HSIEH-BSD, GPL-1+ or Artistic, and Expat, Artistic-dist, installsh, All-permissive, configure, Zlib
------------------------------------------------
Layer 2:
warning:
Unrecognized Commands:set -xe
echo #!/bin/sh > /usr/sbin/policy-rc.d
echo exit 101 >> /usr/sbin/policy-rc.d
chmod +x /usr/sbin/policy-rc.d
dpkg-divert --local --rename --add /sbin/initctl
cp -a /usr/sbin/policy-rc.d /sbin/initctl
sed -i s/^exit.*/exit 0/ /sbin/initctl
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
echo DPkg::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
> /etc/apt/apt.conf.d/docker-clean
echo APT::Update::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
>> /etc/apt/apt.conf.d/docker-clean
echo Dir::Cache::pkgcache
Dir::Cache::srcpkgcache
>> /etc/apt/apt.conf.d/docker-clean
echo Acquire::Languages none
> /etc/apt/apt.conf.d/docker-no-languages
echo Acquire::GzipIndexes true
Acquire::CompressionTypes::Order:: gz
> /etc/apt/apt.conf.d/docker-gzip-indexes
echo Apt::AutoRemove::SuggestsImportant false
> /etc/apt/apt.conf.d/docker-autoremove-suggests
File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
------------------------------------------------
Layer 3:
warning:
Unrecognized Commands:mkdir -p /run/systemd
echo docker > /run/systemd/container
File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
------------------------------------------------
###########################################
# Summary of licenses found in Container: #
###########################################
LGPL, GPL-3+ or GFDL-1.2+, none, LGPL-2+, RFC-Reference, GPL-1+ or Artistic, GPL-1+ or Artistic or Artistic-dist, permissive-nowarranty, permissive-like-automake-output, TinySCHEME, noderivs, Expat or GPL-1+ or Artistic, ZLIB, ISC, BZIP, Public domain., GPL-1+ or Artistic, and Expat, MIT, public-domain, BSD-3-clause and GPL-2, GPL-1+, LGPL-2.0+, GPL-2+ or Artistic, TEXT-TABS, Apache-2.0, LGPL-3+ or GPL-2+, LGPL-2.1+, CC0-1.0, g10-permissive, probably-PD, Artistic-2, LGPL-3+, BSD-4-clause-POWERDOG, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, PD, BSD-variant, GPL-2.0+, zlib, Artistic or GPL-1+ or Artistic-dist, BSD-3-clause-GENERIC, BSD-2-clause, LGPL-2.1+ or BSD-3-clause, same-as-rest-of-p11kit, config-h, permissive-fsf, configure, GPL-2+ with Autoconf exception, BSD-3-clause-with-weird-numbering, public-domain-s-s-d, GPL-2 with Linux-syscall-note exception, GPL-3+ or BSD-3-clause, GAP, SDBM-PUBLIC-DOMAIN, RRA-KEEP-THIS-NOTICE, Artistic, GPLv2+, REGCOMP, and GPL-1+ or Artistic, BSD-3-Clause, LGPLv3+_or_GPLv2+, GPL-2, All-permissive, DONT-CHANGE-THE-GPL, GPL-3+, BSD-4-clause, LGPL-2.1, GPL-1+ or Artistic, and Unicode, REGCOMP, GPL-3+-WITH-BISON-EXCEPTION, HSIEH-DERIVATIVE, GPL-2+, Autoconf, PD-debian, Expat, Unicode, public-domain-md5, BSD-3-clause, FreeSoftware, GPLv3+, other, GFDL-1.2+, Zlib, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, installsh, permissive, GPL-2+ with distribution exception, HSIEH-BSD, Artistic-dist, LGPLv2.1+
seriously. Is there such a variety of licenses? this is. .. The lawyer of the company doesn't like it either. ..
(Addition) Check for image vulnerabilities using a similar mechanism. https://qiita.com/rk05231977/items/062410b319f4cc28c89b