verify_pulled_report_crio – Enrich pulled_images_report with CRI-O pull evidence
Synopsis
Reads the YAML produced by the env_op_images pulled-images report role task.
Parses CRI-O journal lines for msg="Pulled image: ...@sha256:...".
Adds per-row verification fields using trusted mirror domains from summary.mirror_rules.
When images carry a node field, evidence is matched against the specific node’s CRI-O log first. If the digest is only found on a different node the entry is counted as a cross-node mismatch.
Log files are expected to follow the <node-name>.crio.log naming convention produced by the role task.
Parameters
- report_path (True, str, None)
Path to
pulled_images_report.yaml(input).- output_path (True, str, None)
Path for the enriched YAML report (output).
- log_paths (False, list, [])
Explicit list of log files to parse (e.g. per-node CRI-O logs).
Combined with files found under log_dir when set.
- log_dir (False, str, None)
Directory containing CRI-O log files matching log_glob.
- log_glob (False, str, *.crio.log)
Glob under log_dir. Used only when log_dir is set.
Notes
Note
Requires PyYAML on the controller (same as other cifmw.general modules).
Examples
- name: Enrich pulled report using fetched node logs
cifmw.general.verify_pulled_report_crio:
report_path: "{{ cifmw_env_op_images_pulled_report_path }}"
log_dir: "{{ cifmw_env_op_images_crio_logs_dir }}"
output_path: "{{ cifmw_env_op_images_verified_report_path }}"
Return Values
- changed (always, bool, )
Whether the output file was written.
- trusted_mirrors (always, list, )
Hostnames extracted from mirror rules in the report summary.
- log_files (always, int, )
Number of log files read.
- entries_with_digest (always, int, )
Image rows that had a sha256 digest in
image_id.- cross_node_entries (always, int, )
Image rows where evidence was found only on a different node than where the pod ran.
- nodes_with_evidence (always, list, )
Node names that had at least one
Pulled imagelog entry.