The latest version of the VMware-originated open-source container inspection tool Tern is now available. Tern is a project in the Linux Foundation Automated Compliance Tooling (ACT) workgroup. Tern 2.0 introduces an anticipated feature called Dockerfile lock, which is designed to make Docker images more easily reproducible.
“Why is this necessary? Dockerfiles are used to automate the assembly and creation of Docker container images. While useful, Dockerfiles are not inherently reproducible the way one might think. This is because Dockerfiles are not declarative of what ultimately gets included in the end product container,” ACT wrote in a blog post.
ACT explained that Dockerfiles pose unique challenges for building reproducible container images. Tern aims to address some of these challenges by creating “a locked Dockerfile in which the base image is pinned to a digest and the packages installed for each subsequent layer are pinned to their versions, if they are known. Tern will also expand ARG and ENV variables and try to find information about git repositories that may be ADDed within the Dockerfile provided,” ACT wrote.
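The paragraph above describes three transformations: pin the base image to a digest, pin installed packages to their versions where known, and expand ARG/ENV variables. The script below is an added illustration of that idea written for this article; it is not Tern's own code and does not reproduce how Tern resolves anything. It works offline, so the digest and package-version tables (`IMAGE_DIGESTS`, `PACKAGE_VERSIONS`) are constructed stand-ins for what a real tool would obtain from the registry and from the built image, and the sample Dockerfile is likewise constructed. Only `apt-get install` lines are pinned; quoted ENV values and multistage builds are not handled.

```python
"""
Illustrative "Dockerfile lock": pin FROM to a digest, pin apt packages to
known versions, and expand ARG/ENV references.  Added example, not Tern code.
"""
import re

# Constructed lookup tables (assumptions).  A real tool would resolve the
# digest from the registry and the versions from the built layer's metadata.
IMAGE_DIGESTS = {
    "debian:buster-slim": "sha256:" + "ab" * 32,   # placeholder digest
}
PACKAGE_VERSIONS = {
    "curl": "7.64.0-4+deb10u1",
    "ca-certificates": "20200601~deb10u2",
}

VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")

# Constructed sample input, including a backslash-continued RUN line.
SAMPLE_DOCKERFILE = """\
# constructed sample input
ARG BASE=debian:buster-slim
FROM ${BASE}
ENV APP_DIR=/opt/app
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl ca-certificates
WORKDIR $APP_DIR
COPY . $APP_DIR
"""


def logical_lines(text):
    """Join backslash-continued lines so each yielded string is one instruction."""
    buf = []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def expand_vars(text, env):
    """Replace $VAR and ${VAR} with values from env; unknown names are left as-is."""
    def sub(m):
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))
    return VAR_RE.sub(sub, text)


def pin_image(ref, digests):
    """Rewrite 'name:tag' to 'name@sha256:...' when the digest is known."""
    digest = digests.get(ref)
    if digest is None:
        return ref                      # unknown image: leave the tag alone
    return f"{ref.split(':', 1)[0]}@{digest}"


def pin_apt_packages(cmd, versions):
    """Pin package names in every 'apt-get install ...' segment of a RUN line."""
    out = []
    for seg in re.split(r"(&&|\|\||;)", cmd):
        tokens = seg.split()
        if "apt-get" in tokens and "install" in tokens:
            for i in range(tokens.index("install") + 1, len(tokens)):
                t = tokens[i]
                if t.startswith("-") or "=" in t:
                    continue            # option flag, or already pinned
                if t in versions:
                    tokens[i] = f"{t}={versions[t]}"
            seg = f" {' '.join(tokens)} "
        out.append(seg)
    return re.sub(r"\s+", " ", "".join(out)).strip()


def lock_dockerfile(text, digests=IMAGE_DIGESTS, versions=PACKAGE_VERSIONS):
    """Return a 'locked' Dockerfile with digests, versions and variables resolved."""
    env, locked = {}, []
    for raw in logical_lines(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            locked.append(raw)
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        args = expand_vars(args, env)   # expand with everything seen so far
        if instr in ("ARG", "ENV"):
            name, sep, value = args.partition("=")
            if not sep:                 # "ENV KEY VALUE" form
                name, sep, value = args.partition(" ")
            name, value = name.strip(), value.strip()
            if sep:
                env[name] = value
                locked.append(f"{instr} {name}={value}")
            else:
                locked.append(f"{instr} {name}")   # ARG with no default
        elif instr == "FROM":
            parts = args.split()
            parts[0] = pin_image(parts[0], digests)
            locked.append("FROM " + " ".join(parts))
        elif instr == "RUN":
            locked.append("RUN " + pin_apt_packages(args, versions))
        else:
            locked.append(f"{instr} {args}")
    return "\n".join(locked)


if __name__ == "__main__":
    print(lock_dockerfile(SAMPLE_DOCKERFILE))
```

Running it prints the sample with `FROM debian@sha256:...`, both packages pinned with `=version`, and `$APP_DIR` replaced in the WORKDIR and COPY lines. The important caveat the article also makes is the phrase "if they are known": anything absent from the lookup tables is passed through unchanged, so a lock file is only as reproducible as the metadata the tool could actually recover.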
Additionally, Tern 2.0 can map Scancode's output into its own data model. Scancode-toolkit is a license-scanning tool that finds licenses in source code and binaries; with the new integration, file-level licenses can be detected and reported.
Other changes include: removal of the -l, --logging CLI option; the ability to set the working directory on the command line; expanded test coverage; the ability for tox to run the unit tests; the use of dockerfile-parse for parsing Dockerfiles; and updated documentation. Going forward, ACT plans to add more support for language package managers and multistage Docker builds.
Full release notes are available here.