Options for the imgtrack Script
FlexNet Manager Suite
Invocation
`imgtrack` is a shell script run from the command line of a Linux-based computer that has a local instance of Docker running, and, if necessary, is authenticated with the remote registries that store the container images used by your enterprise. The basic syntax identifies the container image under investigation (either by name or by ID), followed by zero or more option arguments.
imgtrack *image* [*options*]
If the image name is used, it follows the Docker convention of the repository/image name (shown in this page as example), a colon as a separator, and a current tag for this image within that repository (shown in this page as latest).
imgtrack *example*:*latest* --beacon https://mybeacn.example.com:443/leaveK8s
An alternative mode is to provide the `--help` option to list details about the command line:
imgtrack --help
Option values
Options follow the standard UNIX conventions.
- Short-form options have a single dash followed by a single letter, and sometimes a space and a value.
- Long-form options have two dashes, the option name, and sometimes a space and a value.
- Some options are Boolean, and take effect (become true) solely from their inclusion (they do not need a value).
Placeholders for values to supply are shown *thus*.
Available options (listed in alphabetical order) include:
| Option | Description |
| --- | --- |
| `--beacon` *URL*, `-b` *URL* | *Type:* Valid URL. *Default:* Unset. The URL of an inventory beacon to which collected inventories are uploaded immediately after collection. Must include the protocol (either `http://` or `https://`), the host name, an optional port number (if used, separated from the host name by a colon), and any necessary path elements to reliably reach the inventory beacon. The value may include any or none of the `/ManageSoftRL/Inventory` path components used within the inventory beacon; these will be automatically appended by `imgtrack` if omitted from the flag (as in the example below). **Tip:** Uptime on the inventory beacon, and network reliability on the path from the Linux device to the inventory beacon, are critical to inventory gathering. Because the derived image container is removed after the inventory gathering exercise is completed, there is no nightly catch-up of inventory uploads to recover from temporary network outages. The inventory beacon specified with this flag is the *only* one used by FlexNet Inventory Scanner when invoked by `imgtrack`. Also note that if you are using the `https` protocol, `imgtrack` supports only standard TLS to authenticate those communications. If you do not wish to upload inventory to any inventory beacon, or if you want to provide a local file backup to recover from possible network interruptions, see `--output-dir`. *Example:* `--beacon https://mybeacn.example.com:443/cntnrs` |
| `--build-only` | *Type:* Boolean. *Default:* Unset. Stop after building the derived image. The container is not run and no inventory is produced. The ID of the derived image, and the docker command that would have been run, are printed to the screen, and then `imgtrack` exits. This option also automatically sets `--no-cleanup-image`. *Example:* `imgtrack *example*:*latest* --build-only` |
| `--ca-certificates` *path* | *Type:* String (valid path on the host computer to certificate bundle or folder). *Default:* Unset. Copy the Certificate Authority (CA) certificates at the given path on the host computer into the derived image, and configure `ndtrack` to use them. The path may refer to either a PEM-encoded file consisting of a bundle of CA certificates (in this case, the SSLCACertificateFile option for `ndtrack` is set), or a directory containing a number of PEM-encoded CA certificates (in this case, the SSLCACertificatePath option for `ndtrack` is set). In either case, the file or directory is copied into the work directory, and then into the derived image. *Examples:* `imgtrack example:latest --ca-certificates /etc/ssl/certs/ca-bundle.crt` and `imgtrack example:latest --ca-certificates /etc/ssl/certs` |
| `--cpus` *float* | *Type:* A floating-point number. *Default:* Unset (which means use all CPUs, which is equivalent to running a process outside a container, directly on the host, without a CPU limit). Specifies the number of CPUs as the upper limit to assign when running the test container from the derived image. The value is passed directly to the `docker run` command (see the Docker documentation for details). *Example:* `imgtrack *example*:*latest* --cpus 0.5` |
| `--from-ndtrack` *path* | *Type:* Valid file path and file name for an installed version of the FlexNet Inventory Scanner self-installing script (`ndtrack.sh`) on the local device. *Default:* Unset. For inventory gathering, use the appropriate `ndtrack` binary from the `ndtrack.sh` self-installing script at the given path. This option can be useful in cases where the version of `ndtrack` embedded in `imgtrack` is not your organization's accepted version, but your approved version of `ndtrack.sh` has already been deployed to a custom location on the Linux device. Notice that this is the dominant setting for `ndtrack.sh`. If the `--local-ndtrack` option is also given, it is ignored in favor of this option. Compatibility is only guaranteed between `imgtrack` and the version of `ndtrack.sh` that it embeds within itself. If you specify `--from-ndtrack`, it is possible that the installed version of `ndtrack` used will not support all of the features necessary for proper operation of `imgtrack`. It is also your responsibility to ensure the integrity of, and trust in, the copy of `ndtrack.sh` that is used. *Example:* `imgtrack *example*:*latest* --from-ndtrack /path/to/ndtrack.sh` |
| `--inventorysettings-path` *path* | *Type:* String (valid path to an installed copy of `InventorySettings.xml`). *Default:* Unset (meaning to look for the `InventorySettings.xml` file locally installed in the default path, `/var/opt/managesoft/tracker/inventorysettings/InventorySettings.xml`). To extend the functionality of the inventory component, look for (and if found, use) the copy of `InventorySettings.xml` found in the path provided. (If you need a copy of this file, which extends the functionality of `ndtrack` especially for Oracle and Microsoft inventory gathering, it is available on any inventory beacon in the default path `%ProgramFiles%\Flexera Software\Inventory Beacon\RemoteExecution\Public\Inventory`, as defined in the Windows share `mgsRET$`.) **Tip:** If `--no-inventorysettings` is present, this option is ignored. *Example:* `imgtrack *example*:*latest* --inventorysettings-path /some/directory` |
| `--libc-variant` *name* | *Type:* A string value that is exactly one of `glibc` or `muslc`. *Default:* Unset. Use the named C library implementation, assumed now to be provided by the image under investigation. Skip the test to determine which C library implementation to use. By default, `imgtrack` executes a container from the source image, running the command `ldd --version 2>&1` to determine which C library implementation to use based on the output (or else determine that the image is not supported). If `--libc-variant` is given, this test is skipped. *Example:* `imgtrack *example*:*latest* --libc-variant muslc` |
| `--local-ndtrack` | *Type:* Boolean. *Default:* Unset (uses the `ndtrack.sh` tarball bundled with `imgtrack`). For inventory gathering, use the appropriate `ndtrack` binary from the `ndtrack.sh` "zero-footprint" self-installing script already present in the default location on the local computer at `/opt/managesoft/libexec/support/ndtrack.sh`. This option can be useful in cases where the version of `ndtrack` embedded in `imgtrack` is not your organization's accepted version, but your approved version of `ndtrack.sh` has already been deployed to the Linux device. **Tip:** If the `--from-ndtrack` option is given, it takes precedence, and this option is ignored. Compatibility is only guaranteed between `imgtrack` and the version of `ndtrack.sh` that it embeds within itself. If you specify `--local-ndtrack`, it is possible that the installed version of `ndtrack` used will not support all of the features necessary for proper operation of `imgtrack`. It is also your responsibility to ensure the integrity of, and trust in, the copy of `ndtrack.sh` that is used. *Example:* `imgtrack *example*:*latest* --local-ndtrack` |
| `--memory` *size* | *Type:* A special combination of an integer, followed immediately by a single character indicating the unit: one of b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). *Default:* Unset. Set a memory limit when running the container. This value is passed through directly to the `docker run` command, where the minimum value is `4m` (see the Docker documentation for details). *Example:* `imgtrack *example*:*latest* --memory 256m` |
| `--ndtrack-log` | *Type:* Boolean. *Default:* Unset. Collect the log file written by `ndtrack` and print it to standard output. This is mostly useful for troubleshooting issues in the operation of `ndtrack` itself, such as issues uploading to the inventory beacon or issues with specific `ndtrack` features. The `ndtrack` component does not support logging directly to standard output. To collect the logs, `imgtrack` creates a temporary directory within the working directory. The directory is mounted into the container at runtime, and the log file is written into it. **Tip:** This is the same directory as when `--output-dir` is used. Once the container exits, `imgtrack` writes the contents of the log file to the screen. *Example:* `imgtrack *example*:*latest* --ndtrack-log` |
| `--ndtrack-opt` *option*, `-o` *option* | *Type:* String. *Default:* Unset. Supply an option directly to the inventory component of the FlexNet Inventory Scanner (`ndtrack`). This should be needed only in rare circumstances. For more information about options for FlexNet Inventory Scanner, see Preferences. **Tip:** Some `ndtrack` options are crucial to the operation of `imgtrack`, and cannot be overwritten. These options are visible within the `imgtrack` script. *Example:* `imgtrack *example*:*latest* -o LowProfile=True` |
| `--network` *name* | *Type:* String. *Default:* Unset. Attach the container to the named network. This option may be useful in cases where the default Docker network is not able to communicate with the inventory beacon, but a different Docker network can do so. The value is passed directly to the `docker run` command (see the Docker documentation for details). *Example:* `imgtrack *example*:*latest* --network foo` |
| `--no-cleanup-all` | *Type:* Boolean. *Default:* Unset. An alias for `--no-cleanup-files --no-cleanup-image --no-cleanup-container`. *Example:* `imgtrack *example*:*latest* --no-cleanup-all` |
| `--no-cleanup-container` | *Type:* Boolean. *Default:* Unset (meaning that `imgtrack` adds the `--rm` option to the Docker command, so that the container is deleted as soon as it exits). Do not delete the container after it has exited (by omitting the `--rm` option from the Docker command). Eventually, this container needs to be deleted manually. **Remember:** The image on which the container is based cannot be deleted while the container exists. For this reason, if you set `--no-cleanup-container`, it automatically also sets `--no-cleanup-image`, so that in due course, the derived image also needs to be deleted manually. This is only useful for niche troubleshooting situations where you need to access the content of the container after the operation has completed. *Example:* `imgtrack *example*:*latest* --no-cleanup-container` |
| `--no-cleanup-files` | *Type:* Boolean. *Default:* Unset. Do not delete the working directory or any of the files contained within it. Write a message to standard output with the working directory's path (because the directory was created using the *mktemp* utility, meaning that the directory is unpredictably named). This is only useful for troubleshooting or evaluation. *Example:* `imgtrack *example*:*latest* --no-cleanup-files` To conduct a dry run for evaluation purposes, combine this with the `--build-only` flag: `imgtrack *example*:*latest* --no-cleanup-files --build-only` |
| `--no-cleanup-image` | *Type:* Boolean. *Default:* Unset (meaning to delete the derived image before `imgtrack` exits, regardless of success or failure). Do not delete the derived image. **Tip:** The derived image is not tagged, so it does not have a name. In the normal output from the `docker image` command, such images appear with a name and tag of "`<none>`". (Despite being unnamed, the derived images are labeled with information that can be used to manage them.) Note that the `docker image prune` command deletes these images. *Example:* `imgtrack *example*:*latest* --no-cleanup-image` |
| `--no-file-evidence` | *Type:* Boolean. *Default:* Unset (false). By default, `imgtrack` enables a set of options to `ndtrack` that enable gathering file evidence through SWID tags. While the need to do so will be rare, this flag can be used to disable these options, so that file evidence from SWID tags is *not* included in the inventory. *Example:* `imgtrack *example*:*latest* --no-file-evidence` |
| `--no-inventorysettings` | *Type:* Boolean. *Default:* Unset (meaning to use the `InventorySettings.xml` file found in the default location to extend the functionality of the inventory component, copying it into the derived image). When this option is specified, `imgtrack` does not check for `InventorySettings.xml` or copy the file into the derived image. Unless the derived image already contains its own copy of the inventory settings file, this results in reduced capabilities for inventory gathering by `ndtrack.sh`. *Example:* `imgtrack *example*:*latest* --no-inventorysettings` |
| `--output-dir` *path*, `-d` *path* | *Type:* Valid, existing directory on the host device (before triggering inventory collection, `imgtrack` verifies that the directory exists and that it can write to the directory, and exits with an error if verification fails). *Default:* Unset. Copy the inventory to a directory on the host computer. When this option is given, a temporary directory is first created within the working directory used by `imgtrack`. The directory is mounted into the container at runtime, and the inventory is written into it. After the container terminates successfully, the inventory file is copied from the temporary directory into the final directory specified in this option. *Example:* `imgtrack *example*:*latest* -d /some/local/host/path` |
| `--pull` | *Type:* Boolean. *Default:* Unset (false). Pull the identified image from the current registry of images to the local computer. For `imgtrack` to operate correctly, the image under investigation must be present in the local Docker image index on the local Linux device. This option causes `imgtrack` to run `docker pull` to transfer the image from the registry to the local image index before commencing any interactions with the image under investigation. To avoid setting authentication parameters on the command line, `imgtrack` does not support logging in to any registry. If the target registry requires authentication, an operator must either use the docker `login` command prior to running `imgtrack` with the `--pull` option, or ensure that the target image is already present on the local machine prior to running `imgtrack`, and in this case the `--pull` option should be omitted. *Example:* `imgtrack *example*:*latest* --pull` |
| `--verbose`, `-v` | *Type:* Boolean. *Default:* Unset. Enable more verbose logging from `imgtrack`. *Example:* `imgtrack *example*:*latest* -v` |
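The `--from-ndtrack` entry leaves the integrity of `ndtrack.sh` to the operator, and the `--beacon` entry points to `--output-dir` as the local fallback. The following pre-flight wrapper covers both; it is an added example, not part of the product documentation or of the `imgtrack` script. The function names, the https-only policy and the pinned SHA-256 digest are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Flexera code: pre-flight checks for an imgtrack run.
# Assumptions: https-only beacons is a local policy (imgtrack itself also
# accepts http://), and the pinned SHA-256 comes from your own approval record.

# Accept https://host[:port][/path]; reject other schemes, empty hosts,
# non-numeric ports and userinfo such as user:pass@host.
valid_beacon_url() (
  case "$1" in https://*) ;; *) exit 1 ;; esac
  rest=${1#https://}
  hostport=${rest%%/*}
  host=${hostport%%:*}
  [ -n "$host" ] || exit 1
  case "$hostport" in *@*) exit 1 ;; esac
  if [ "$hostport" != "$host" ]; then
    port=${hostport#*:}
    case "$port" in ''|*[!0-9]*) exit 1 ;; esac
  fi
  exit 0
)

# Succeed only if the file exists and its SHA-256 equals the pinned digest.
verify_pinned() (
  [ -f "$1" ] || exit 1
  got=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$got" = "$2" ]
)

# Print the imgtrack arguments, one per line, or fail with a distinct status.
# $1 image  $2 beacon URL  $3 output dir  $4 ndtrack.sh path (optional)  $5 pin
build_imgtrack_args() (
  valid_beacon_url "$2" || { echo "beacon URL rejected: $2" >&2; exit 2; }
  # imgtrack performs this check too; doing it here fails before anything runs.
  if [ ! -d "$3" ] || [ ! -w "$3" ]; then
    echo "output dir missing or not writable: $3" >&2; exit 3
  fi
  image=$1 beacon=$2 outdir=$3 ndtrack=${4:-} pin=${5:-}
  set -- "$image" --beacon "$beacon" --output-dir "$outdir"
  if [ -n "$ndtrack" ]; then
    verify_pinned "$ndtrack" "$pin" || { echo "ndtrack.sh digest mismatch" >&2; exit 4; }
    set -- "$@" --from-ndtrack "$ndtrack"
  fi
  printf '%s\n' "$@"
)

# Usage: sh preflight.sh IMAGE BEACON_URL OUTPUT_DIR [NDTRACK_SH SHA256]
if [ "$#" -ge 3 ]; then
  build_imgtrack_args "$@"
fi
```

The script only prints the argument list; pass it to `imgtrack` once every check has succeeded, and treat a status of 4 as a reason to stop rather than to fall back to the embedded `ndtrack.sh` silently.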
2025 R1.1