Make Your Containers Transparent with Puppet's Lumogon

As development and IT shops look for ways to more quickly test and deploy software or scale out their environments, containers have become a go-to solution. With Docker and similar tools, you can spin up dev and production containerized platforms that are fast, lightweight and consistent.

The benefit and Achilles heel of containers is that they're often just black boxes. If you run an Ubuntu or CentOS container, it just works. If you run them with the :latest tag, you get the latest version—whatever that might be. That might be okay for development or a quick test, but not for production. For that, you need specifics to ensure that the containers are up to date, that they're running the services you need (and none that you don't), and that they're secure.

With Puppet's new Lumogon, you can get past containers' shortcomings. It quickly gathers detailed data about what's inside all the containers running on a host, and it presents the results in JSON or on the Lumogon website. Instead of trying to gather information that's scattered across Dockerfiles, CI/CD jobs, UATs or source control documents, Lumogon gathers it into a single, centralized report.

It works by harvesting metadata from the Docker API and each running container's namespace using Lumogon's open-source inspector tool. To get it running, you just execute a straightforward Docker run command:

$ sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan

In this example, Docker pulls down the puppet/lumogon image and runs a scan on your host. If you have NGINX or CentOS containers running, Lumogon will detect them and return details about the host (including the kernel version and platform) and installed packages. It will also report on the containers, giving you lots of information about what's running inside each one—even labels you defined in your Dockerfiles.

Lumogon outputs reports in JSON, which can be parsed and piped into a range of analysis tools. Or, if you want to spare yourself the trouble of raw JSON, Lumogon will scan your container hosts and send the data to Lumogon's web application with a URL that's unique to your scan.

Lumogon web reports can be run with this Docker command:

$ sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon report

This can take a little time depending on how many containers you have running, but when Lumogon completes its scan, it offers the URL where you'll find the report it just created, such as: https://reporter.app.lumogon.com/r5cI0bIyF4fRGzp9REyqUvBLORIKSM4bIp6slz0uDmI=.

If you're a little more advanced and use jq, a command-line JSON processor that does for JSON text what sed and awk do for plain text, you can narrow Lumogon's output down to just the fields you care about. In this example, I run Lumogon on my host and ask only for the client version:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan | jq -r .client_version

By piping Lumogon's output to jq, I get this client_version information:

{
  "BuildSHA": "a7f2943697f83ba74514a0169890ecf8ad1cfacb",
  "BuildTime": "2017-05-11 08:24:20 UTC",
  "BuildVersion": "development"
}

You might imagine other ways you could use the Lumogon report data, such as writing automated CI tests that ensure an image doesn't contain a vulnerability. If you have other monitoring applications, you can use Lumogon data for them too. You can get more and more experimental by piping this information into other actions, or just by using it as part of regular investigation and debugging that can be shared across your organization.

If you regularly use Dockerfiles to build your container images, you're probably in the habit of adding labels. You can include as many as you like, and they serve as markers that provide intelligence that can be standardized and shared. Lumogon can report on these labels and give you the information alongside other host and container data.
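Here is one way to turn the two ideas above (a CI gate over the scan's package data, and a check on the labels it reports) into a script. This is an added example, not code from the article or from the Lumogon project; the sample report is constructed to mirror the shape of a Lumogon scan as I understand it (containers keyed by id, each with "capabilities" holding "label" and "dpkg" payloads), so verify those keys against a real scan before relying on it.

```python
import json
import sys

# Constructed sample in the assumed shape of a Lumogon scan report.
# Package names, versions and labels here are made up for illustration.
SAMPLE_REPORT = json.loads("""
{
  "client_version": {"BuildVersion": "development"},
  "containers": {
    "3f1a": {
      "container_name": "web",
      "capabilities": {
        "label": {"payload": {"maintainer": "ops@example.com", "version": "1.4.2"}},
        "dpkg": {"payload": {"openssl": "1.0.1e-2", "nginx": "1.10.3-1"}}
      }
    },
    "9c07": {
      "container_name": "db",
      "capabilities": {
        "label": {"payload": {"maintainer": "ops@example.com"}},
        "dpkg": {"payload": {"openssl": "1.0.2g-1", "postgresql": "9.6.2-1"}}
      }
    }
  }
}
""")

# Labels every image in your shop is expected to carry (your policy, not Lumogon's).
REQUIRED_LABELS = ("maintainer", "version")
# Placeholder deny-list of package versions your organisation has flagged.
BAD_PACKAGE_VERSIONS = {"openssl": {"1.0.1e-2"}}

def audit_report(report, required_labels=REQUIRED_LABELS, denylist=BAD_PACKAGE_VERSIONS):
    """Return {container_name: [finding, ...]} for every container failing a check."""
    findings = {}
    for cid, container in report.get("containers", {}).items():
        name = container.get("container_name", cid)
        caps = container.get("capabilities", {})
        labels = caps.get("label", {}).get("payload", {})
        packages = caps.get("dpkg", {}).get("payload", {})
        problems = ["missing label %s" % l for l in required_labels if l not in labels]
        for pkg, ver in packages.items():
            if ver in denylist.get(pkg, set()):
                problems.append("denied package version %s %s" % (pkg, ver))
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    # Pipe a real scan in ("... puppet/lumogon scan | python3 gate.py"); falls back to the sample.
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    result = audit_report(report)
    for name, problems in result.items():
        print(name, problems)
    sys.exit(1 if result else 0)
```

A non-zero exit status is what makes this usable as a CI gate: the job fails when any container misses a required label or ships a denied package version.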

Lumogon can be run on any host that can run Docker, and it can report on any running Docker-style container.

Regardless of what kind of development or production environment you're running these days, you're bound to look to containers as a way of creating fast, consistent machines on which to run your apps and services. Lumogon can help eliminate the risk and give you operational intelligence that can really improve how you get things done.

______________________

John S. Tonello is Director of IT for NYSERNet, Inc., in Syracuse, New York. He's been a Linux user and enthusiast since he installed his first Slackware system from diskette 20 years ago. You can follow him @johntonello.