Bug 1272037

Summary: atomic scan can't work for scanning an image
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: atomic
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.2
CC: bbaude, lmiksik, lsm5, miabbott, mjenner, mpreisle, walters
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: atomic-1.6-3.gitea18c14.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-31 23:25:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1278147
Bug Blocks:

Description Alex Jia 2015-10-15 10:37:09 UTC
Description of problem:
atomic scan can't work for scanning an image; I met the error as follows:

Unable to find the openscap-daemon dbus service. Either start the openscap-daemon service or pull and run the openscap-daemon image

Version-Release number of selected component (if applicable):
# rpm -q atomic docker kernel
atomic-1.5-4.git7e4365f.el7.x86_64
docker-1.8.2-7.el7.x86_64
kernel-3.10.0-289.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. git clone https://github.com/OpenSCAP/openscap-daemon/
2. cd /home/ajia/Workspace/openscap-daemon/atomic/rhel7_spc
3. docker build -t oscap_rhel7 .
4. docker images
5. atomic scan oscap_rhel7

Actual results:
# pwd
/home/ajia/Workspace/openscap-daemon/atomic/rhel7_spc
# ls
Dockerfile  install.sh
# docker build -t oscap_rhel7 .

xxxxxx

Step 10 : CMD oscapd
 ---> Running in b34e534f239c
 ---> 3b8372dad003
Removing intermediate container b34e534f239c
Successfully built 3b8372dad003

# docker images
REPOSITORY                                            TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
oscap_rhel7                                           latest              3b8372dad003        14 minutes ago      875.5 MB

# atomic scan oscap_rhel7

Scanning...


Unable to find the openscap-daemon dbus service. Either start the openscap-daemon service or pull and run the openscap-daemon image

Expected results:
Can scan for CVEs in an image or container

Additional info:

# docker run -it oscap_rhel7
Traceback (most recent call last):
  File "/usr/bin/oscapd", line 60, in <module>
    main()
  File "/usr/bin/oscapd", line 47, in main
    bus = dbus_utils.get_dbus()
  File "/usr/lib/python2.7/site-packages/openscap_daemon/dbus_utils.py", line 34, in get_dbus
    return dbus.SystemBus()
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 194, in __new__
    private=private)
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 100, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 122, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

NOTE: also can't successfully start the oscapd container.

Comment 2 Brent Baude 2015-10-15 13:17:41 UTC
How did you run the image?

Comment 3 Martin Preisler 2015-10-15 14:23:13 UTC
You need to execute:
3b) atomic install $ID
3c) atomic run $ID

after step 3)

Comment 4 Alex Jia 2015-10-16 05:03:16 UTC
(In reply to Martin Preisler from comment #3)
> You need to execute:
> 3b) atomic install $ID
> 3c) atomic run $ID
>
> after step 3)

Thanks for your details. I gave the above steps a try, but I got a (core dumped) error when running atomic scan <image_name>; the result is as follows.

# atomic install 3b8372dad003
docker run -t --rm --privileged -v /:/host/ 3b8372dad003 sh /root/install.sh
+ ETC=/etc/oscapd
+ ETC_FILE=config.ini
+ HOST=/host
+ echo 'Adding the dbus configuration for the openscap-daemon to the host'
Adding the dbus configuration for the openscap-daemon to the host
+ cp -v /etc/dbus-1/system.d/org.oscapd.conf /host/etc/dbus-1/system.d/
'/etc/dbus-1/system.d/org.oscapd.conf' -> '/host/etc/dbus-1/system.d/org.oscapd.conf'
+ [[ ! -d /host//etc/oscapd ]]
+ mkdir /host//etc/oscapd
++ date +%Y-%m-%M-%T
+ DATE=2015-10-02-00:02:21
+ [[ -f /host//etc/oscapd/config.ini ]]
+ echo 'Updating config.ini with latest configuration'
Updating config.ini with latest configuration
+ cp /etc/oscapd/config.ini /host//etc/oscapd
cp: cannot stat '/etc/oscapd/config.ini': No such file or directory
+ echo 'Installation complete. Be sure to customize /etc/oscapd/config.ini as needed.'
Installation complete. Be sure to customize /etc/oscapd/config.ini as needed.

NOTE: cp: cannot stat '/etc/oscapd/config.ini': No such file or directory


# atomic run 3b8372dad003
docker run -dt --privileged --pid=host -v /etc/oscapd:/etc/oscapd -v /proc/:/hostproc/ -v /sys/fs/cgroup:/sys/fs/cgroup -v /var/log:/var/log -v /run:/run -v /var/lib/docker/devicemapper/metadata/:/var/lib/docker/devicemapper/metadata/ -v /dev/:/dev/ -v /var/tmp/image-scanner:/var/tmp/image-scanner --env container=docker --net=host --cap-add=SYS_ADMIN --ipc=host 3b8372dad003
docker run -dt --privileged --pid=host -v /etc/oscapd:/etc/oscapd -v /proc/:/hostproc/ -v /sys/fs/cgroup:/sys/fs/cgroup -v /var/log:/var/log -v /run:/run -v /var/lib/docker/devicemapper/metadata/:/var/lib/docker/devicemapper/metadata/ -v /dev/:/dev/ -v /var/tmp/image-scanner:/var/tmp/image-scanner --env container=docker --net=host --cap-add=SYS_ADMIN --ipc=host 3b8372dad003
e61be21bc1997764a15e7e010c5a4bac859f2f396e8600141e9f29bb9c8ae3c3

# docker ps
CONTAINER ID        IMAGE                                                 COMMAND               CREATED             STATUS              PORTS               NAMES
e61be21bc199        3b8372dad003                                          "/bin/sh -c oscapd"   17 seconds ago      Up 16 seconds                           grave_goldstine


# atomic scan oscap_rhel7

Scanning...

ERROR:dbus.connection:Unable to set arguments ([u'3b8372dad00325f6cccbe1735a796d32c0bdb788efa31615fa94176dc094d8a5'], 4) according to signature u'asiy': <type 'exceptions.TypeError'>: More items found in D-Bus signature than in Python arguments
process 111807: arguments to dbus_message_get_destination() were incorrect, assertion "message != NULL" failed in file dbus-message.c line 3376.
This is normally a bug in some application using the D-Bus library.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted (core dumped)

Comment 5 Alex Jia 2015-10-16 05:10:24 UTC
(In reply to Brent Baude from comment #2)
> How did you run the image?

Hi Brent, I followed the examples in the atomic-scan man page to do this testing. I originally thought we could scan an image without running a container based on the image, but in fact we must start the oscapd daemon first and then scan containers or images, so maybe we should clarify this in the man page or help document.

Comment 6 Alex Jia 2015-10-19 07:18:13 UTC
(In reply to Alex Jia from comment #5)
> (In reply to Brent Baude from comment #2)
> > How did you run the image?
> 
> Hi Brent, I followed examples in atomic-scan man page to do this testing, I

I forgot to add the core file debug information, so I generated a new core file, core.5876.

# gdb core.5876
(gdb) thread apply all bt

Thread 1 (Thread 0x7fee2ce2e740 (LWP 5876)):
#0  0x00007fee2bbb25d7 in raise () from /lib64/libc.so.6
#1  0x00007fee2bbb3cc8 in abort () from /lib64/libc.so.6
#2  0x00007fee1f0def45 in _dbus_abort () at dbus-sysdeps.c:94
#3  0x00007fee1f0d57ce in _dbus_warn_check_failed (format=0x7fee1f0e53c0 "arguments to %s() were incorrect, assertion \"%s\" failed in file %s line %d.\nThis is normally a bug in some application using the D-Bus library.\n")
    at dbus-internals.c:290
#4  0x00007fee1f0c939c in dbus_message_get_destination (message=message@entry=0x0) at dbus-message.c:3376
#5  0x00007fee1f3057a7 in MethodCallMessage_tp_repr (self=<dbus.lowlevel.MethodCallMessage at remote 0x7fee2cdae4e0>) at ../../_dbus_bindings/message.c:76
#6  0x00007fee2c8e84b0 in PyObject_Repr (v=<dbus.lowlevel.MethodCallMessage at remote 0x7fee2cdae4e0>) at /usr/src/debug/Python-2.7.5/Objects/object.c:381
#7  0x00007fee2c943c5c in call_function (oparg=<optimized out>, pp_stack=0x7ffc39c2e470) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4086
#8  PyEval_EvalFrameEx (
    f=f@entry=Frame 0x14ae400, for file /usr/lib64/python2.7/site-packages/abrt_exception_handler.py, line 256, in handleMyException (.0=(<type at remote 0x7fee2cbe9da0>, exceptions.TypeError('More items found in D-Bus signature than in Python arguments',), <traceback at remote 0x14433b0>), etype=<type at remote 0x7fee2cbe9da0>, value=(...), tb=<traceback at remote 0x14433b0>, errno=<module at remote 0x7fee2cdb5d38>, traceback=<module at remote 0x7fee2cd5c248>, elist=['Traceback (most recent call last):\n', '  File "/usr/bin/atomic", line 416, in <module>\n    sys.exit(args.func())\n', '  File "/usr/lib/python2.7/site-packages/Atomic/atomic.py", line 460, in scan\n    scan_return = json.loads(oscap_i.scan_list(scan_list, 4))\n', '  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__\n    return self._proxy_method(*args, **keywords)\n', '  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__\n    **keywords)\n', '  File "/usr/lib64/python2.7/site-packages/dbus/connecti...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#9  0x00007fee2c943990 in fast_function (nk=<optimized out>, na=1, n=1, pp_stack=0x7ffc39c2e5d0, func=<function at remote 0x7fee2ccfc8c0>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#10 call_function (oparg=<optimized out>, pp_stack=0x7ffc39c2e5d0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#11 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x14aca30, for file /usr/lib64/python2.7/site-packages/abrt_exception_handler.py, line 279, in <lambda> (etype=<type at remote 0x7fee2cbe9da0>, value=exceptions.TypeError('More items found in D-Bus signature than in Python arguments',), tb=<traceback at remote 0x14433b0>), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#12 0x00007fee2c9451ed in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=locals@entry=0x0, args=args@entry=0x13a31f8, argcount=3, kws=kws@entry=0x0, kwcount=kwcount@entry=0, defs=defs@entry=0x0, 
    defcount=defcount@entry=0, closure=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#13 0x00007fee2c8d20c8 in function_call (func=('Set maximum log `level` by setting matches for PRIORITY.\n        ', 0, 7, 1, 'PRIORITY', '%d', 'Log level must be 0 <= level <= 7', None), 
    arg=(<type at remote 0x7fee2cbe9da0>, exceptions.TypeError('More items found in D-Bus signature than in Python arguments',), <traceback at remote 0x14433b0>), kw=0x0) at /usr/src/debug/Python-2.7.5/Objects/funcobject.c:526
#14 0x00007fee2c8ad0c3 in PyObject_Call (func=func@entry=('Set maximum log `level` by setting matches for PRIORITY.\n        ', 0, 7, 1, 'PRIORITY', '%d', 'Log level must be 0 <= level <= 7', None), 
    arg=arg@entry=(<type at remote 0x7fee2cbe9da0>, exceptions.TypeError('More items found in D-Bus signature than in Python arguments',), <traceback at remote 0x14433b0>), kw=<optimized out>)
    at /usr/src/debug/Python-2.7.5/Objects/abstract.c:2529
#15 0x00007fee2c93f037 in PyEval_CallObjectWithKeywords (func=func@entry=('Set maximum log `level` by setting matches for PRIORITY.\n        ', 0, 7, 1, 'PRIORITY', '%d', 'Log level must be 0 <= level <= 7', None), 
    arg=arg@entry=(<type at remote 0x7fee2cbe9da0>, exceptions.TypeError('More items found in D-Bus signature than in Python arguments',), <traceback at remote 0x14433b0>), kw=kw@entry=0x0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:3967
#16 0x00007fee2c95ff8c in PyErr_PrintEx (set_sys_last_vars=set_sys_last_vars@entry=1) at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1183
#17 0x00007fee2c96027a in PyErr_Print () at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1068
#18 0x00007fee2c960c9e in PyRun_SimpleFileExFlags (fp=<optimized out>, fp@entry=0xbbdd80, filename=filename@entry=0x7ffc39c3071d "/usr/bin/atomic", closeit=closeit@entry=1, flags=flags@entry=0x7ffc39c2e8d0)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:956
#19 0x00007fee2c961093 in PyRun_AnyFileExFlags (fp=fp@entry=0xbbdd80, filename=filename@entry=0x7ffc39c3071d "/usr/bin/atomic", closeit=closeit@entry=1, flags=flags@entry=0x7ffc39c2e8d0)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:756
#20 0x00007fee2c971caf in Py_Main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/Python-2.7.5/Modules/main.c:640
#21 0x00007fee2bb9eaf5 in __libc_start_main () from /lib64/libc.so.6
#22 0x0000000000400721 in _start ()

Comment 7 Brent Baude 2015-10-19 13:36:43 UTC
Can you please provide more information so we can be helpful?  Please include relevant version information like docker, atomic, openscap, openscap-daemon, as well as exactly how to reproduce what you are observing.

Comment 9 Alex Jia 2015-10-20 09:12:48 UTC
(In reply to Brent Baude from comment #7)
> Can you please provide more information so we can be helpful?  Please
> include relevant version information like docker, atomic, openscap,
> openscap-daemon, as well as exactly how to reproduce what you are observing.

# rpm -q docker atomic openscap kernel
docker-1.8.2-8.el7.x86_64
atomic-1.5-4.git7e4365f.el7.x86_64
openscap-1.2.5-3.el7.x86_64
kernel-3.10.0-289.el7.x86_64


# docker ps
CONTAINER ID        IMAGE                                                 COMMAND               CREATED             STATUS              PORTS               NAMES
3cd33acdf8a2        oscap_rhel7                                           "/bin/sh -c oscapd"   26 hours ago        Up 26 hours                             nostalgic_pare

# docker attach 3cd33acdf8a2

NOTE: for the openscap-daemon version, I tried to run docker attach 3cd33acdf8a2 and then query it, but docker attach hangs forever.

Steps to Reproduce:
1. git clone https://github.com/OpenSCAP/openscap-daemon/
2. cd /home/ajia/Workspace/openscap-daemon/atomic/rhel7_spc
3. docker build -t oscap_rhel7 .
4. docker images
4. atomic install <image_id>
5. atomic run <image_id>
6. atomic scan oscap_rhel7

After step 6, you will get an error that looks like this.

Scanning...

ERROR:dbus.connection:Unable to set arguments ([u'3b8372dad00325f6cccbe1735a796d32c0bdb788efa31615fa94176dc094d8a5'], 4) according to signature u'asiy': <type 'exceptions.TypeError'>: More items found in D-Bus signature than in Python arguments
process 5876: arguments to dbus_message_get_destination() were incorrect, assertion "message != NULL" failed in file dbus-message.c line 3376.
This is normally a bug in some application using the D-Bus library.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted (core dumped)

7. gdb debug corefile

# gdb core.5876
(gdb) thread apply all bt

NOTE: for the details, please see comment 6

Comment 10 Martin Preisler 2015-10-20 16:52:05 UTC
Please update your atomic installation. The OpenSCAP daemon version you are using has had the dbus API change to allow "CVE fetch" override. This is why the signature doesn't match.

The following needs to be in your Atomic for `atomic scan` to work with latest OpenSCAP daemon from git - https://github.com/projectatomic/atomic/pull/187
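
The signature mismatch explained in comment 10, as an added example that is not part of the original bug thread nor of the atomic or openscap-daemon code: a small parser splits a D-Bus signature into its single complete types and compares the count with the arguments a client passes. The function names are hypothetical, the third argument value is constructed, and the parser goes beyond the page's one case by also handling structs and dict entries.

```python
# Added example: why signature 'asiy' rejects the two-argument call
# ([image_id], 4) shown in comment 4. Pure Python, no dbus module required.

BASIC_TYPES = set("ybnqiuxtdsogvh")  # basic D-Bus type codes plus variant 'v'


def _read_container(sig, pos, closer):
    """Consume '(...)' or '{...}' starting at pos; return the index past it."""
    inner, count = pos + 1, 0
    while inner < len(sig) and sig[inner] != closer:
        inner = _read_complete_type(sig, inner)
        count += 1
    if inner >= len(sig):
        raise ValueError("unterminated container at offset %d" % pos)
    if count == 0 or (closer == "}" and count != 2):
        raise ValueError("wrong number of members at offset %d" % pos)
    return inner + 1


def _read_complete_type(sig, pos):
    """Return the index just past the single complete type starting at pos."""
    if pos >= len(sig):
        raise ValueError("signature ends where a type was expected")
    code = sig[pos]
    if code in BASIC_TYPES:
        return pos + 1
    if code == "a":  # array: 'a' plus one complete element type
        if pos + 1 < len(sig) and sig[pos + 1] == "{":
            return _read_container(sig, pos + 1, "}")  # dict entry
        return _read_complete_type(sig, pos + 1)
    if code == "(":  # struct
        return _read_container(sig, pos, ")")
    raise ValueError("unexpected type code %r at offset %d" % (code, pos))


def split_signature(sig):
    """Split a D-Bus signature into its single complete types."""
    types, pos = [], 0
    while pos < len(sig):
        end = _read_complete_type(sig, pos)
        types.append(sig[pos:end])
        pos = end
    return types


def check_call(sig, args):
    """Return None if the argument count fits the signature, else a message."""
    expected = split_signature(sig)
    if len(args) == len(expected):
        return None
    return "signature %r expects %d arguments (%s) but %d were passed" % (
        sig, len(expected), ", ".join(expected), len(args))


# Image ID and signature are taken from the error message in comment 4.
IMAGE_ID = "3b8372dad00325f6cccbe1735a796d32c0bdb788efa31615fa94176dc094d8a5"
SIGNATURE = "asiy"
OLD_CLIENT_ARGS = ([IMAGE_ID], 4)     # what atomic 1.5 sent
NEW_CLIENT_ARGS = ([IMAGE_ID], 4, 0)  # third value is constructed

if __name__ == "__main__":
    print(split_signature(SIGNATURE))
    print(check_call(SIGNATURE, OLD_CLIENT_ARGS))
    print(check_call(SIGNATURE, NEW_CLIENT_ARGS))
```

Running the same check against the daemon's introspected method signature before calling it lets a client report a version mismatch cleanly instead of failing inside the D-Bus bindings.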

Comment 11 Alex Jia 2015-10-21 07:11:00 UTC
(In reply to Martin Preisler from comment #10)
> The following needs to be in your Atomic for `atomic scan` to work with
> latest OpenSCAP daemon from git -
> https://github.com/projectatomic/atomic/pull/187

I gave a try for upstream atomic, but got an error as follows.

[root@dell-per630-02 atomic]# ./atomic scan oscap_rhel7

Scanning...

ERROR:dbus.proxies:Introspect error on :1.791:/OpenSCAP/daemon: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

NOTE: Do I need an extra security policy? I'm not sure whether it is a dbus or PackageKit bug.

[root@dell-per630-02 atomic]# git rev-parse HEAD
6b770346f3ead3bdb252c09dd8a98cf50a475731


Additional info:

[root@dell-per630-02 atomic]# docker ps
CONTAINER ID        IMAGE                                                 COMMAND               CREATED             STATUS              PORTS               NAMES
a07383d0683d        127e72b3260c                                          "/bin/sh -c oscapd"   2 hours ago         Up 2 hours                              angry_lalande

[root@dell-per630-02 atomic]# atomic images
 REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
 oscap_rhel7                         latest              127e72b3260c        2015-10-20 22:06    875.43 MB

[root@dell-per630-02 atomic]# rpm -q dbus PackageKit
dbus-1.6.12-13.el7.x86_64
PackageKit-1.0.7-5.el7.x86_64

[root@dell-per630-02 atomic]# systemctl status dbus.service
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2015-10-19 10:47:05 CST; 2 days ago
 Main PID: 1332 (dbus-daemon)
   Memory: 2.5M
   CGroup: /system.slice/dbus.service
           ├─ 1332 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
           └─70467 /usr/sbin/abrt-dbus -t133

Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus[1332]: [system] Reloaded configuration
Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus-daemon[1332]: dbus[1332]: [system] Reloaded configuration
Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus[1332]: [system] Reloaded configuration
Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus-daemon[1332]: dbus[1332]: [system] Reloaded configuration
Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus[1332]: [system] Reloaded configuration
Oct 21 14:48:03 dell-per630-02.qe.lab.eng.nay.redhat.com dbus-daemon[1332]: dbus[1332]: [system] Reloaded configuration
Oct 21 14:53:40 dell-per630-02.qe.lab.eng.nay.redhat.com dbus-daemon[1332]: dbus[1332]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Oct 21 14:53:40 dell-per630-02.qe.lab.eng.nay.redhat.com dbus[1332]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Oct 21 14:53:40 dell-per630-02.qe.lab.eng.nay.redhat.com dbus[1332]: [system] Successfully activated service 'org.freedesktop.problems'
Oct 21 14:53:40 dell-per630-02.qe.lab.eng.nay.redhat.com dbus-daemon[1332]: dbus[1332]: [system] Successfully activated service 'org.freedesktop.problems'

Comment 15 Alex Jia 2015-10-23 16:23:19 UTC
[root@dell-per630-02 openscap-daemon]# docker ps
CONTAINER ID        IMAGE                                                 COMMAND               CREATED             STATUS              PORTS               NAMES
b8458cf1084f        oscap_rhel7                                           "/bin/sh -c oscapd"   9 hours ago         Up 9 hours                              jovial_jang

[root@dell-per630-02 openscap-daemon]# docker logs b8458cf1084f
INFO:Loading configuration from '/etc/oscapd/config.ini'.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Loading task definitions from '/var/lib/oscapd/tasks'...
INFO:Successfully loaded 0 task definitions.
INFO:Number of containers to scan: 1
Exception in thread 57d999b2673c135b97cc302541fbe4cdc158127e2db786fab34d99fe47039601:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 764, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_scanner/cve_scanner.py", line 280, in search_containers
    f = Scan(image, cids, output, self.ac)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_scanner/scan.py", line 51, in __init__
    self.dm_results = self.DM.mount(image_uuid)
  File "build/bdist.linux-x86_64/egg/Atomic/mount.py", line 294, in mount
    driver_mount_fn(identifier, options)
  File "build/bdist.linux-x86_64/egg/Atomic/mount.py", line 372, in _mount_devicemapper
    dm_pool)
  File "build/bdist.linux-x86_64/egg/Atomic/mount.py", line 89, in _activate_thin_device
    r = util.subp(cmd)
  File "build/bdist.linux-x86_64/egg/Atomic/util.py", line 71, in subp
    stderr=subprocess.PIPE)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Comment 16 Brent Baude 2015-10-23 19:16:24 UTC
Using the system Alex has shown me (which is a RHEL system), I was able to do the following to make a scan successfully work.  The problem is that not all the components are in brew yet (like openscap and openscap-daemon).  So what I have done is:

Pulled the latest branch of openscap:

1. git clone https://github.com/OpenSCAP/openscap
2. cd openscap
2. ./autogen
3. ./configure --enable-sce --libdir=/usr/lib64 --prefix=/usr && make -j4 install

Then pull the latest openscap-daemon:

1. git clone https://github.com/OpenSCAP/openscap-daemon.git
2. cd openscap-daemon
3. Edit runwrapper.sh to make sure OSCAPD_SESSION_BUS="0" instead of 1
3. As root, run sh runwrapper.sh
4. cd bin
5. ./oscapd

Then using the latest atomic in brew:

[root@dell-per630-02 ~]# rpm -q atomic
atomic-1.6-1.gitca1e384.el7.x86_64

[root@dell-per630-02 ~]# sudo atomic scan registry.access.redhat.com/rhel7

Scanning...

Container/Image                    Cri   Imp   Med   Low  
--------------------------------   ---   ---   ---   ---  
registry.access.redhat.com/rhel7   0     0     0     0


Unfortunately the last atomic builds have a bad version of docker which doesn't work.  I have alerted the docker guys and they are working on a new build.  When that is complete, I can then test the latest auto-brew 7.2 version of atomic and see if things are working again and will report here.

Brent

Comment 17 Colin Walters 2015-10-23 19:42:54 UTC
If -v /:/host doesn't work, that'll break all of our SPCs and many other workflows.

Nominating for blocker.

Comment 37 errata-xmlrpc 2016-03-31 23:25:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0527.html