Skip to content

[confcom] Add containers from_image command #9505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kairu-ms merged 19 commits into from
Jan 16, 2026
Merged

[confcom] Add containers from_image command #9505

kairu-ms merged 19 commits into from
Jan 16, 2026

Conversation

@DomAyre
Copy link
Contributor

@DomAyre DomAyre commented Jan 7, 2026

Why

This command generates a partial container policy based on an input container image

How

Testing

Since PRs in my fork won't run the full suite of tests, I create a draft PR onto main of the Azure repo to get test results:

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

DomAyre added 17 commits December 16, 2025 09:15
@DomAyre
Restore the behaviour of --upload-fragment for acifragmentgen (#13)
ab1c94e 
### Why

Addresses 
- Azure#9222

### How

- [x] Update the code to restore the "attach to first image in input" behaviour
- [x] Add two new commands: `fragment push` and `fragment attach` to allow the user to explicitly do one or the other (or both!)
- [x] Add new tests which run a local docker registry, and test that the fragments are generated, signed, pushed and attached as expected (as well as the default behaviour)

---

This checklist is used to make sure that common guidelines for a pull request are followed.

### Related command
<!--- Please provide the related command with az {command} if you can, so that we can quickly route to the related person to review. --->


### General Guidelines

- [x] Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- [x] Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
- [x] My extension version conforms to the [Extension version schema](https://github.com/Azure/azure-cli/blob/release/doc/extensions/versioning_guidelines.md)
@DomAyre
Add containers from_image command
35e560c
@DomAyre
Satisfy azdev style
778f341
@DomAyre
Add tests
7a351b2
@DomAyre
Split command lib versions of command
cd15bf6
@DomAyre
Rename the containers lib code file
3878dc0
@DomAyre
Build images with buildkit for deterministic hashes
5ed2d6d
@DomAyre
Revert "Build images with buildkit for deterministic hashes"
e19667b 
This reverts commit e8f7637.
@DomAyre
Change the working_dir sample for extra_layers
07bc86c
@DomAyre
.
40dd106
@DomAyre
Remove extra layers test
02de77b
@DomAyre
Merge branch '16-12-25' into containers-from-image
d8247b7
@DomAyre
Review tidy ups
7647188
@DomAyre
Restore the behaviour of --upload-fragment for acifragmentgen (#13)
646e4a5 
Addresses
- Azure#9222

- [x] Update the code to restore the "attach to first image in input" behaviour
- [x] Add two new commands: `fragment push` and `fragment attach` to allow the user to explicitly do one or the other (or both!)
- [x] Add new tests which run a local docker registry, and test that the fragments are generated, signed, pushed and attached as expected (as well as the default behaviour)

---

This checklist is used to make sure that common guidelines for a pull request are followed.

<!--- Please provide the related command with az {command} if you can, so that we can quickly route to the related person to review. --->

- [x] Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- [x] Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
- [x] My extension version conforms to the [Extension version schema](https://github.com/Azure/azure-cli/blob/release/doc/extensions/versioning_guidelines.md)
@DomAyre
.
12bc7c7
@DomAyre
Merge remote-tracking branch 'origin/main' into containers-from-image
0af5fca
@DomAyre
Bump confcom version
1c7cee4
@DomAyre DomAyre requested a review from kairu-ms as a code owner January 7, 2026 20:38
Copilot AI review requested due to automatic review settings January 7, 2026 20:38
@DomAyre DomAyre requested a review from wangzelin007 as a code owner January 7, 2026 20:38
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 7, 2026
edited
Loading

⚠️Azure CLI Extensions Breaking Change Test
⚠️confcom
rule cmd_name rule_message suggest_message
⚠️ 1011 - SubgroupAdd confcom containers sub group confcom containers added

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 7, 2026

Hi @DomAyre,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan
Copy link
Collaborator

yonzhan commented Jan 7, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Jan 7, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@github-actions
Copy link

github-actions bot commented Jan 7, 2026
edited
Loading

Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new confcom containers from_image command that generates a partial container policy definition based on an input container image. The command inspects Docker images to extract configuration details (layers, environment variables, commands, working directory) and combines them with platform-specific mounts to produce a security policy container definition.

Key Changes:

  • Adds new CLI command az confcom containers from_image with image inspection capabilities
  • Implements image layer extraction using dmverity-vhd binary
  • Creates comprehensive test suite with multiple sample Dockerfiles and expected outputs

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
setup.py Bumps extension version from 1.5.0 to 1.6.0
azext_confcom/lib/platform.py Defines platform-specific mounts (ACI) for container definitions
azext_confcom/lib/images.py Implements image inspection logic to extract layers and configuration
azext_confcom/lib/containers.py Generates container definitions by combining image data with platform mounts
azext_confcom/command/containers_from_image.py Main command implementation that outputs JSON container definition
azext_confcom/custom.py Registers the new command in the extension's custom commands
azext_confcom/commands.py Adds command group registration for containers subcommands
azext_confcom/_params.py Defines command parameters (image and platform)
azext_confcom/_help.py Adds help documentation for the new command group and command
azext_confcom/tests/latest/test_confcom_containers_from_image.py Comprehensive parametrized tests for the new command
samples/images/*/Dockerfile Sample Dockerfiles for testing different scenarios
samples/images/*/aci_container.inc.rego Expected container definition outputs for each sample
linter_exclusions.yml Adds linter exclusion for positional parameter in new command

@yonzhan yonzhan requested a review from jsntcy January 8, 2026 00:52
kairu-ms
kairu-ms previously approved these changes Jan 15, 2026
View reviewed changes
@kairu-ms kairu-ms merged commit a2e44fd into Azure:main Jan 16, 2026
32 checks passed
@azclibot
Copy link
Collaborator

azclibot commented Jan 16, 2026

[Release] Update index.json for extension [ confcom ] : https://dev.azure.com/msazure/One/_build/results?buildId=149572392&view=results

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kairu-ms kairu-ms kairu-ms approved these changes

@wangzelin007 wangzelin007 Awaiting requested review from wangzelin007 wangzelin007 is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy

Assignees

@kairu-ms kairu-ms

Labels

None yet

Projects

None yet

Milestone

February 2026 (2026-02-03)

Development

Successfully merging this pull request may close these issues.

4 participants

@DomAyre @yonzhan @azclibot @kairu-ms