How imgtrack Works
FlexNet Manager Suite
imgtrack is a Bash shell script invoked on the command line of any Linux computer meeting its requirements. It is a utility whose job is to arrange for the execution of the FlexNet Inventory Scanner in a context where it can access the file system content of a container image, without interfering with any container running in a production environment.
To do this, imgtrack derives an image (the derived image) from the source image that is the target for inventory collection. The derived image is created in the standard Docker way, by adding a layer to a copy of the source image, where the extra layer in this case contains the FlexNet Inventory Scanner and related files. The entry point for the derived image (that is, the process invoked when a container is instantiated from the image and run) is to run the FlexNet Inventory Scanner.
Both the derived image and any container run from it are short-lived – both are destroyed when the inventory process is completed. Of course, this does not affect the source image in any way.
An operator (or perhaps a part of your CI/CD automation) invokes the script with a target image to inventory, and your preferred options (for which see Options for the imgtrack Script):
imgtrack *image* [*options*]
The script then performs the following operations:
1. Optionally, pull the source image: If the --pull option was specified, the target image can be pulled from the registry. This requires that the credentials used to run imgtrack have read permissions from the registry, and that the operator has logged into the repository (if it requires authentication) before invoking imgtrack (since, to avoid setting authentication parameters on the command line, imgtrack does not support logging in to any registry).

2. Load image metadata: imgtrack uses the docker inspect command to collect metadata including both the image ID and the Repo Digest from Docker (for details, see Identifying Container Images). This also verifies that the source image exists in the local Docker image index – if this command fails, it is a fatal error for this run of imgtrack.

3. Locate ndtrack source: The --from-ndtrack option may be used to specify a custom installation of the FlexNet Inventory Scanner (ndtrack.sh) already existing on the local Linux device (or less commonly, perhaps, the --local-ndtrack option may point to use of the installation in the default location on this device). These options, and the related installations, are not mandatory, since the imgtrack script includes a tarball of ndtrack.sh with its platform-related versions of the ndtrack inventory component.

4. Determine ndtrack platform: The imgtrack script uses the uname utility on the host (the local Linux device where the script is running) to determine which platform-specific version of ndtrack must be run. Then imgtrack runs a container from the source image where it uses the ldd command to determine which implementation (if any) of the C standard library is available.

   Tip: No other software is run in this container, and it is removed immediately after the check for the C library. You may, instead, bypass this check on the C library implementation using the --libc-variant option to specify the implementation that is available.

5. Create working directory: imgtrack requires several temporary files during operation, and uses the mktemp utility to create a work directory (and subdirectories) to hold these. The work directory (and subdirectories, and contents) are by default deleted before imgtrack exits (even with an error), although you may prevent that clean-up with the --no-cleanup-files option.

6. Extract ndtrack into working directory: Using the appropriate tarball selected at step 3, imgtrack installs the platform-specific version of ndtrack ready to collect software inventory.

7. Search for InventorySettings.xml: The InventorySettings.xml file, as updated from time to time with the downloads of the Application Recognition Library, extends the inventory-gathering functionality of ndtrack, especially in areas like Oracle and Microsoft inventory. The script looks for this valuable file in the default installation folder (on this Linux device), or in the path specified with the --inventorysettings-path option.

8. Construct Dockerfile: This manifest instructs Docker on how to build an image. This takes the source image as a base, adding a layer for ndtrack and InventorySettings.xml, and configures the command line for ndtrack.

   Tip: Because ndtrack requires that it runs as the root user, imgtrack explicitly sets the user to root in the Dockerfile.

   To inspect the Dockerfile, run imgtrack with the --no-cleanup-files option. Although the file name (created with mktemp) is unpredictable, the file is contained within the work directory.

9. Build derived image: imgtrack now uses the docker build command to build the derived image. Several labels are applied to the image at build time (see Labels for the Derived Image for details). To review the derived image without instantiating a container, use the --build-only option, which causes imgtrack to exit at this point without deleting the derived image.

10. Run container from derived image: imgtrack now uses the docker run command to instantiate and run a container based on the new derived image. The container executes the ndtrack component, which collects software inventory from inside the container, saving the results in an .ndi file. Normal practice is to specify the --beacon option, so that the tracker can upload the .ndi file as soon as it is ready to the inventory beacon at that URL.

    Tip: This requires that the container must be attached to a network that can access the inventory beacon. Use the --network option to specify a suitable Docker network to which the container is attached.

    If the inventory beacon serves over HTTPS, the CA certificate bundle needed to verify the inventory beacon's certificate must be available in the container. If the source image provides the needed certificate bundle, no further action is needed. If the source image does not supply an appropriate certificate bundle, it can be injected into the derived image using the --ca-certificates option.

11. Copy inventory into host directory: If the --output-dir option was set to a directory on the host system, imgtrack copies the saved .ndi file into the final directory on the host given in the option's value. This option may be used in addition to the beacon upload option, but at least one of the two should be used.

12. Delete derived image: By default, imgtrack arranges for clean-up after the container terminates by using the --rm option to the docker run command. This removes both the derived image and the work directory (along with all the files in it, of course). To retain artifacts for inspection, troubleshooting, or evaluation, see the various --no-cleanup-* options – after which the preserved artifacts need to be deleted manually.
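
The work-directory, Dockerfile, build, run and clean-up steps above can be pictured with the following sketch, which is an added illustration and not code from imgtrack itself. The function names, the /opt/scanner path, the example.derived-from label and the derived-inventory tag are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Illustrative sketch only. Paths, label and tag names are assumptions.

# Create a private work directory with an unpredictable name (mode 0700).
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/derive.XXXXXXXXXX"
}

# Write the Dockerfile for the derived image and print its path.
# $1 = work directory, $2 = source image reference
write_dockerfile() {
    local workdir="$1"
    local source_image="$2"
    local dockerfile
    # Refuse references with whitespace or control characters, so the value
    # cannot spill into additional Dockerfile instructions.
    case $source_image in
        ''|*[[:space:][:cntrl:]]*) echo "invalid image reference" >&2; return 1 ;;
    esac
    dockerfile=$(mktemp "$workdir/Dockerfile.XXXXXX") || return 1
    cat >"$dockerfile" <<EOF
FROM $source_image
LABEL example.derived-from="$source_image"
COPY scanner/ /opt/scanner/
USER root
ENTRYPOINT ["/opt/scanner/ndtrack.sh"]
EOF
    printf '%s\n' "$dockerfile"
}

# Build, run and remove a derived image. Runs in a subshell so the EXIT trap
# cleans up on every path. $1 = source image, $2 = directory with ndtrack.sh
inventory_image() (
    source_image="$1"
    tag="derived-inventory:$$"
    # Fatal if the source image is not in the local image index.
    docker image inspect --format '{{.Id}}' "$source_image" >/dev/null || exit 1
    workdir=$(make_workdir) || exit 1
    trap 'docker image rm "$tag" >/dev/null 2>&1; rm -rf -- "$workdir"' EXIT
    cp -R -- "$2" "$workdir/scanner" || exit 1
    dockerfile=$(write_dockerfile "$workdir" "$source_image") || exit 1
    docker build -f "$dockerfile" -t "$tag" "$workdir" || exit 1
    docker run --rm "$tag"    # --rm removes the container when it exits
)

# Usage: ./derive.sh IMAGE SCANNER_DIR
[ "$#" -lt 2 ] || inventory_image "$1" "$2"
```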