Cannot analyze image using analyze-local-images #32

Closed
yoanisgil opened this issue Nov 24, 2015 · 8 comments

@yoanisgil

I'm trying to run the analyze-local-images but I get an error like this:

analyze-local-images 778b25451af2
Saving 778b25451af2
Getting image's history
Analyzing 32 layers
- Analyzing a2c33fe967de5a01f3bfc3861add604115be0d82bd5192d29fc3ba97beedb831
2015/11/24 16:00:16 - Could not analyze layer: Got response 404 with message {"Message":"the resource cannot be found"}

Is this an issue with the tool or clair? I'm running docker 1.9.1 with latest clair tag:

quay.io/coreos/clair        latest              bd5cdf49293a        3 hours ago         786.1 MB
@Quentin-M
Contributor

Hi,

I believe that it could be related to #27, fixed this morning by 9391417. Do you have the latest version of the tool?

@yoanisgil
Author

@Quentin-M I ran this to install the tool:

go get -u github.com/coreos/clair/contrib/analyze-local-images

but I'm not mounting /tmp. Should I?

@yoanisgil
Author

@Quentin-M after adding -v /tmp:/tmp to the way the clair container is created, everything works as expected. Sorry for the duplicate, but it would be nice if this is documented somewhere (or if the webserver is always launched no matter the endpoint configuration).

Anyhow, thanks for the tip.

@Quentin-M
Contributor

My pleasure. I just improved the README.

@yoanisgil
Author

@Quentin-M when I launch clair, I see this

2015-11-24 21:34:37.511696 I | updater/fetchers: fetching Debian vulneratibilities
2015-11-24 21:34:37.511802 I | updater/fetchers: fetching Red Hat vulneratibilities
2015-11-24 21:34:37.511894 I | updater/fetchers: fetching Ubuntu vulneratibilities

but it does not seem to finish. I took a quick look at the container with docker exec -ti container_id ps aux and this is what I see:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  1.8  0.2 479912 43404 ?        Ssl+ 21:34   0:01 clair --db-type=bolt --db-path=/db/database --log-level=debug
root        13 42.8  3.1 585080 508000 ?       R+   21:34   0:38 /usr/bin/python /usr/bin/bzr branch lp:ubuntu-cve-tracker /tmp/ubuntu-cve-tracker508522274/repository
root        16  0.0  0.0  20232  1996 ?        Ss   21:35   0:00 bash
root        25  0.0  0.0  17484  1120 ?        R+   21:36   0:00 ps aux

so I have two questions:

  • Will there be a message saying that the update process is done?
  • Why isn't there an update process for RedHat?

Sorry to ask in the same ticket, if there is a mailing list for Clair, I will be more than happy to send an email there.

@yoanisgil
Author

Eventually the python process will go away (I assume because it finishes successfully, though there is no log entry suggesting that) and all I see is this:

ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  3.9  0.6 541988 109560 ?       Ssl+ 21:34   0:11 clair --db-type=bolt --db-path=/db/database --log-level=debug
root        16  0.0  0.0  20232  1996 ?        Ss   21:35   0:00 bash
root        28  0.0  0.0  17484  1132 ?        R+   21:39   0:00 ps aux

which is fine I guess. My problem here is that I am analyzing an image which is based on CentOS:6.6 and when I run the tool it just says BRAVO :). Not that I'm not happy for such a message but I just find it strange, so I want to make sure that everything is in place before telling myself that clair does not detect any security vulnerability.

@Quentin-M
Contributor

There is currently no mailing list.

  • Yes, a message is printed at the end of the update. You can also increase the log level with --log-level=trace.
  • Both Debian and Red Hat vulnerabilities are fetched directly in pure Go; there are just some goroutines for that. However, as you noticed, Clair needs to clone a bzr repository and uses an external tool for that.
  • The initial update can be quite long, especially because the Ubuntu repository is pretty big (~200MB), needs to be entirely cloned and has poor bandwidth.

Edit: The fact that the python process is finished doesn't mean that the update is finished. It still needs to parse the Ubuntu vulnerabilities and then insert everything in the database.

@yoanisgil
Author

@Quentin-M all right. I will keep an eye on it and wait until it's done. Some more information will be nice though just to keep the impatient user (like me) in the loop.

@jzelinskie jzelinskie added kind/question something that couldn't be answered in the docs component/analyze-local-image tool labels Mar 12, 2016