Frequently asked questions about Container Registry and Vulnerability Advisor

Frequently asked questions (FAQs) about IBM Cloud® Container Registry and Vulnerability Advisor.

Frequently asked questions about Container Registry

How do you list public images?

To list public images, run the following ibmcloud commands to target the global registry and list the public images that are provided by IBM:

ibmcloud cr region-set global

ibmcloud cr images --include-ibm

What tools can I use to build and push images?

You can use Docker and non-Docker tools to build and push images to the registry. You can use non-Docker tools that support OCI container imageA container image that is compliant with the OCI Image Format Specification format and protocol. To log in by using other clients, see Accessing your namespaces interactively.

How many namespaces can you have?

You can have 100 registry namespaces in each region.

Can I rename a namespace?

You can't rename a namespaceA collection of repositories that store images in a registry. A namespace is associated with an IBM Cloud account, which can include multiple namespaces.. If you want to change the name of the namespace, you must create a namespace with the new name and transfer its data. To transfer its data, you can copy the contents of the existing namespace into the namespace that you created.

If you don't want to transfer data manually, you can create a script for this action by using the ibmcloud cr image-tag command. For example, you can use the following script, where <old_namespace> is the existing namespace and <new_namespace> is the namespace that you created:

IMAGES=$(icr images --restrict <old_namespace> --format "{{ .Repository }}:{{ .Tag }}")

for i in $IMAGES ; do
   new=$(echo $i | sed "s|/<old_namespace>/|/<new_namespace>/|1")
   ibmcloud cr image-tag $i $new
done

Do images in the trash count toward my quota?

Images that are in the trash don't count toward your quota.

How do I find the image digest?

You can find the long format of the image digest by running one of the following commands. The digest is displayed in the Digest column of the CLI.

When you're using the digest to identify an image, always use the long format.

Run the ibmcloud cr image-digests command:
```
ibmcloud cr image-digests
```
Run the ibmcloud cr image-list command:
```
ibmcloud cr image-list --no-trunc
```
If you run the ibmcloud cr image-list command without the --no-trunc option, you see the truncated format of the digest.

How do I use digests to work with images?

The digest identifies an image by using the sha256 hash of the image manifest.

To find the digests for your images, run the ibmcloud cr image-digests command. You can refer to an image by using a combination of the content of the Repository column (repository) and the Digest column (digest) separated by an at (@) symbol to create the image name in the format repository@digest.

How do I list images that are more than a year old?

Linux macOS On Linux® and macOS, if you want to list all images, both tagged and untagged that were created more than a year ago, you can run the following command:

year=$(($(date +%s) - 31556952))
ibmcloud cr digests --format '{{ if (lt .Created '$year')}}{{.Repository}}:{{.Digest}}{{end}}'

How do you use access control?

You can create IBM Cloud Identity and Access Management (IAM) policies to control access to your namespaces in IBM Cloud Container Registry. For more information, see Granting access to IBM Cloud Container Registry resources tutorial and Managing IAM access for Container Registry.

How can I share an image with many users?

You can create an IBM Cloud account and invite all the users to it. They can then all have access to any namespace that is created in the account. You can create a subset of the users and set an IAM access policy to differentiate access at the namespace level. Users can be members of many accounts, but you can't give access outside the account, that is, you can't share a namespace to multiple accounts.

For more information, see Defining IAM access policies.

Do I have any untagged images?

To find out whether you have any untagged images, list your images by running the ibmcloud cr image-digests command. Untagged images have a hyphen (-) in the Tags column.

Do I need untagged images?

If you have active containers that are running untagged images, you must retain the untagged images. If you delete untagged images that are in use, you can cause problems with scaling or automated restarts. Deleting untagged images might cause a problem in the following circumstances:

The image was deployed by using the digest as the reference. For example, IBM Cloud Code Engine does resolve and use an image digest when it is serving applications, see Deploying app workloads from images in a public registry.
The image reference was mutated by a webhook service, such as Portieris.

What are eligible images?

If you're cleaning up images by using retention policies, only eligible images are cleaned up. Images that are always retained are Cloud Native Buildpacks and Google distroless images with the build date set to a specific constant rather than the real build time or with no build timestamp at all, and manifest lists. Images that are always retained are not eligible images.

The images that are not eligible are still displayed, but they do not count toward the total number of images that is set in the retention policy and are not removed.

Images created before 2013-01-19T00:13:39Z are excluded from retention policy evaluation.

For more information, see Planning retention.

What regions are available?

To find out more about the regions that are available for IBM Cloud Container Registry, see Regions.

Frequently asked questions about Vulnerability Advisor

How much does Vulnerability Advisor cost?

The cost of Vulnerability Advisor is built into the pricing for IBM Cloud Container Registry. For more information, see Billing for storage and pull traffic.

Can images from other registries be scanned by Vulnerability Advisor?

Vulnerability Advisor scans images from IBM Cloud Container Registry only.

How is a Vulnerability Advisor scan triggered?

For more information about how the scanning of an image is triggered, see Vulnerable packages.

Why doesn't my image scan in Vulnerability Advisor v4?

If your image isn't being scanned, check that it has a tag. In Vulnerability Advisor version 4, images are scanned only if they have a tag.

Why doesn't a new image scan in Vulnerability Advisor?

If you get the vulnerability report immediately after you add the image to the registryA storage and distribution service that contains public or private images that are used to create containers., you might receive the following error:

BXNVA0009E:  <imagename> has not been scanned. Try again later.
If this issue persists, contact support for help;
see https://cloud.ibm.com/docs/get-support?topic=get-support-getting-customer-support#getting-customer-support

You receive this message because the images are scanned asynchronously to the requests for results, and the scanning process takes a while to complete. During normal operation, the scan completes within the first few minutes after you add the image to the registry. The time that it takes to complete depends on variables like the image size and the amount of traffic that the registry is receiving.

If you get this message as part of a build pipeline and you see this error regularly, try adding some retry logic that contains a short pause.

If you still see unacceptable performance, contact support, see Getting help and support for Container Registry.

How often are the security notices updated in Vulnerability Advisor?

Security notices for Vulnerability Advisor are loaded from the vendors' operating system sites approximately every 12 hours.

Which version of a package is installed in my image?

To determine the version of a package that is installed in your image, use the relevant package manager command for your operating system.

Alpine package manager commands

On Alpine, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.

To list the metadata for a specific installed package, run the following command:
```
apk info <package_name>
```
To list all installed packages and their versions, run the following command:
```
apk list
```

Debian and Ubuntu package manager commands

On Debian and Ubuntu, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.

To list the metadata for a specific installed package, run either of the following commands:
```
apt show <package_name>
```
```
dpkg-query -l <package_name>
```
To list all installed packages and their versions, run either of the following commands:
```
apt list
```
```
dpkg-query -W
```

Red Hat and CentOS package manager commands

On Red Hat® OpenShift® and CentOS, to determine the version of a package that is installed in your image, you can use the following commands, where <package_name> is the name of your package.

To list the metadata for a specific installed package, run either of the following commands:
```
rpm -qi <package_name>
```
```
yum info <package_name>
```
To list all installed packages and their versions, run either of the following commands:
```
rpm -qa
```
```
yum list installed
```

Does Vulnerability Advisor have versions?

Vulnerability Advisor version 4 is the only version available. For more information, see Managing image security with Vulnerability Advisor.

Vulnerability Advisor version 3 is discontinued from 13 November 2023. For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.