lablup / backend.ai

Backend.AI is a streamlined, container-based computing cluster platform that hosts popular computing/ML frameworks and diverse programming languages, with pluggable heterogeneous accelerator support including CUDA GPU, ROCm GPU, TPU, IPU and other NPUs.
https://www.backend.ai
GNU Lesser General Public License v3.0

Implement SBOM report command and APIs for listing all installed packages and to check their locations #3135

Open jopemachine opened 3 days ago

jopemachine commented 3 days ago

Main idea

Generate report to list all installed packages and to check their locations

In this issue, we will only support registries with SBOM auto-generation features, such as Harbor, and the implementation of fallbacks for other registries will be addressed in a follow-up issue (#3142).

Implementation

We can consider implementing CLI command like the following.

backend.ai mgr image sbom-report <image>

We can make the above command print the package information using tabulate, and print the raw SBOM with the --raw flag.

Considerations
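As an added illustration of the report this command would print (example code, not from the issue author or the backend.ai repository): the SPDX JSON that Trivy generates for Harbor lists packages, files, and CONTAINS relationships between them, so a package's location can be read from the files it contains, with OS packages (deb/apk/rpm purls) falling back to the package manager database. The sample document below is constructed for the example and is not real registry output; the code assumes the SBOM has already been fetched and uses only the standard library in place of tabulate.

```python
"""Build the package report the proposed ``sbom-report`` command would print.

Added example, not code from the backend.ai repository. It assumes the SBOM has
already been fetched from the registry and is an SPDX 2.x JSON document (the
format Trivy generates for Harbor); nothing here talks to a registry.
"""
import json

# Constructed sample in the shape of a Trivy-generated SPDX 2.3 document; not real Harbor output.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "cr.example.com/lablup/python:3.11",
    "packages": [
        {"SPDXID": "SPDXRef-Package-deb-openssl", "name": "openssl", "versionInfo": "3.0.2-0ubuntu1.15",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15?arch=amd64"}]},
        {"SPDXID": "SPDXRef-Package-pip-requests", "name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"SPDXID": "SPDXRef-Package-npm-lodash", "name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1",
         "fileName": "usr/lib/python3.11/site-packages/requests-2.31.0.dist-info/METADATA"},
        {"SPDXID": "SPDXRef-File-2", "fileName": "app/node_modules/lodash/package.json"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-pip-requests", "relatedSpdxElement": "SPDXRef-File-1",
         "relationshipType": "CONTAINS"},
        {"spdxElementId": "SPDXRef-Package-npm-lodash", "relatedSpdxElement": "SPDXRef-File-2",
         "relationshipType": "CONTAINS"},
    ],
}


def _purl_type(pkg: dict) -> str:
    """Return the purl type (deb, pypi, npm, ...) of a package, or 'unknown'."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            purl = ref.get("referenceLocator", "")
            if purl.startswith("pkg:"):
                return purl[4:].split("/", 1)[0]
    return "unknown"


def load_packages(sbom: dict) -> list[dict]:
    """Flatten an SPDX 2.x document into rows of name/version/type/location."""
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x JSON document")
    files = {f["SPDXID"]: f["fileName"]
             for f in sbom.get("files", []) if "SPDXID" in f and "fileName" in f}
    # Map each package to the files it CONTAINS; that is where it lives in the image.
    contained: dict[str, list[str]] = {}
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "CONTAINS" and rel.get("relatedSpdxElement") in files:
            path = "/" + files[rel["relatedSpdxElement"]].lstrip("/")
            contained.setdefault(rel["spdxElementId"], []).append(path)
    rows = []
    for pkg in sbom.get("packages", []):
        paths = sorted(contained.get(pkg.get("SPDXID"), []))
        rows.append({
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo", ""),
            "type": _purl_type(pkg),
            # OS packages carry no file relationships in this layout; point at the package DB.
            "location": ", ".join(paths) if paths else "(OS package database)",
        })
    return sorted(rows, key=lambda r: (r["type"], r["name"]))


def render_table(rows: list[dict]) -> str:
    """Plain fixed-width table; stands in for tabulate so the example has no dependencies."""
    columns = ("name", "version", "type", "location")
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in columns}

    def fmt(values):
        return "  ".join(v.ljust(widths[c]) for c, v in zip(columns, values))

    lines = [fmt(columns), fmt(tuple("-" * widths[c] for c in columns))]
    lines += [fmt(tuple(r[c] for c in columns)) for r in rows]
    return "\n".join(lines)


def sbom_report(sbom: dict, raw: bool = False) -> str:
    """What the CLI would print: the table by default, the raw document with --raw."""
    if raw:
        return json.dumps(sbom, indent=2, sort_keys=True)
    return render_table(load_packages(sbom))


if __name__ == "__main__":
    print(sbom_report(SAMPLE_SBOM))
```

One caveat worth keeping in mind when reading such a report: it reflects what the registry scanned at push time, so anything installed afterwards inside a running session is absent, and an image from a registry without SBOM generation would need the agent-side fallback mentioned in the issue.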

jopemachine commented 3 days ago

In Harbor version 2.11 and above, we can use trivy to automatically generate an SBOM when an image is pushed. (See https://goharbor.io/docs/edge/administration/sbom-integration/)

Through this feature, we can easily generate and use SBOMs in Harbor registries without incurring additional costs.

Let’s add this feature for Harbor and other registries that support such functionality, and implement support for other registries in a follow-up PR.

(As a fallback implementation, as described in the issue, this could be implemented by making an RPC call to the agent where the image is installed. Ideally, selecting the agent with the least load would also be a desirable feature.)

Additionally, we will need to abstract and design an interface for these features.

jopemachine commented 2 days ago

We could consider adding a CLI command like backend.ai mgr image sbom-report <image>. This would allow administrators to generate and review a report of the packages installed on a specific image.

We are also considering creating related APIs that allow the WebUI to fetch the packages installed on an image. @achimnol @kyujin-cho Any ideas regarding the implementation details?