Skip to main content

docker_image resource

Use the docker_image Chef InSpec audit resource to verify a Docker image. A Docker Image is a template that contains the application and all the dependencies required to run an application on Docker.

Availability

Install

This resource is distributed with Chef InSpec.

Version

This resource is available from the InSpec version, 1.21.0.

Syntax

A docker_image resource block declares the image.

describe docker_image('ALPINE:LATEST') do
  it { should exist }
  its('id') { should eq 'sha256:4a415e...a526' }
  its('repo') { should eq 'ALPINE' }
  its('tag') { should eq 'LATEST' }
end

Resource Parameter Examples

The resource allows you to pass with an image ID.

describe docker_image(id: ID) do
  ...
end

If the tag is missing for an image, LATEST is assumed as default.

describe docker_image('ALPINE') do
  ...
end

You can also pass the repository and tag values as separate values.

describe docker_image(repo: 'ALPINE', tag: 'LATEST') do
 ...
end

Properties

id

The id property returns the full image ID.

its('id') { should eq 'sha256:4a415e3663882fbc554ee830889c68a33b3585503892cc718a4698e91ef2a526' }

image

The image property tests the value of the image. It is a combination of repository/tag.

its('image') { should eq 'ALPINE:LATEST' }

repo

The repo property tests the value of the repository name.

its('repo') { should eq 'ALPINE' }

tag

The tag property tests the value of the image tag.

its('tag') { should eq 'LATEST' }

Low-level information of docker image as docker_image’s property

inspection

The property allows testing the low-level information of docker image returned by docker inspect [docker_image]. Use hash format 'key' => 'value for testing the information.

its(:inspection) { should include "Key" => "Value" }
its(:inspection) { should include "Key" =>
  {
    "SubKey" => "Value1",
    "SubKey" => "Value2"
  }
}

Additionally, all keys of the low-level information are valid properties and can be passed in three ways when writing the test.

  • Serverspec’s syntax

    its(['key']) { should eq some_value }
    its(['key1.key2.key3']) { should include some_value }
    
  • InSpec’s syntax

    its(['key']) { should eq some_value }
    its(['key1', 'key2', 'key3']) { should include some_value }
    
  • Combination of Serverspec and InSpec

    its(['key1.key2', 'key3']) { should include some_value }
    

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The exist matcher tests if the image is available on the node.

it { should exist }

Examples

Test if a docker image exists and verifies the image properties: ID, image, repo, and tag

describe docker_image('ALPINE:LATEST') do
  it { should exist }
  its('id') { should eq 'sha256:4a415e...a526' }
  its('image') { should eq 'ALPINE:LATEST' }
  its('repo') { should eq 'ALPINE' }
  its('tag') { should eq 'LATEST' }
end

Test if a docker image exists and verifies the low-level information: Architecture, Config.Cmd, and GraphDriver

describe docker_image('ubuntu:latest') do
  it { should exist }
  its(['Architecture']) { should eq 'ARM64' }
  its(['Config.Cmd']) { should include 'BASH' }
  its(['GraphDriver.Data.MergedDir']) { should include "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged" }
  its(:inspection) { should include 'Architecture' => 'ARM64' }
  its(:inspection) { should_not include 'Architecture' => 'i386' }
  its(:inspection) { should include "GraphDriver" =>
    {
      "Data" => {
        "MergedDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged",
        "UpperDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/diff",
        "WorkDir"=> "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/work"
      },
      "Name" => "overlay2"
    }
  }
end
Edit this page on GitHub

Thank you for your feedback!

×