Bug 1347037
| Summary: | 'atomic scan' fails with 'Error deleting container' | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Micah Abbott <miabbott> |
| Component: | atomic | Assignee: | Brent Baude <bbaude> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ajia, dwalsh, ksrot, lsm5, mpreisle |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 09:06:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Micah Abbott
2016-06-15 20:51:02 UTC
---

Comment 4
Alex Jia

(In reply to Micah Abbott from comment #0)
> -bash-4.2# vi /etc/atomic.d/openscap

Micah, could you show above file? I wanna know any change in your openscap, thanks.

---

(In reply to Micah Abbott from comment #0)
> The following issues were found:
>
> RHSA-2016:1025: pcre security update (Important)
> Severity: Important
> RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1025.html
> RHSA ID: RHSA-2016:1025-00

BTW, the above CVE had been reported in bug 1337881.

---

(In reply to Alex Jia from comment #4)
> (In reply to Micah Abbott from comment #0)
> > -bash-4.2# vi /etc/atomic.d/openscap
>
> Micah, could you show above file? I wanna know any change in your openscap,
> thanks.

Well, atomic scan works well on my RHEL7 system when I ran atomic install and run w/ rhel7/openscap image firstly.

---

Comment 8
Micah Abbott

(In reply to Alex Jia from comment #4)
> (In reply to Micah Abbott from comment #0)
> > -bash-4.2# vi /etc/atomic.d/openscap
>
> Micah, could you show above file? I wanna know any change in your openscap,
> thanks.

Alex, I hard-coded the version of the openscap container that I was told to use in my config file. I believe that is the only change from the defaults:

```yaml
# cat /etc/atomic.d/openscap
type: scanner
scanner_name: openscap
image_name: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
scans: [
    { name: cve,
      args: ['oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout'],
      description: "Performs a CVE scan based on known CVE data"},
    { name: standards_compliance,
      args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan'],
      description: "Performs a standard scan" }
]
```

---

(In reply to Micah Abbott from comment #8)
> Alex, I hard-coded the version of the openscap container that I was told to
> use in my config file. I believe that is the only change from the defaults:

Micah, it should be not an important difference, but it's strange, I have never got a success on my rhelah 7.2.5 w/ latest atomic installed by development mode (ostree admin unlock).

---

Comment 10
Lokesh Mandvekar

This looks like an selinux issue to me. The devicemapper error messages aside, the scan worked for me on atomic host in permissive mode.

---

(In reply to Lokesh Mandvekar from comment #10)
> This looks like an selinux issue to me. The devicemapper error messages
> aside, the scan worked for me on atomic host in permissive mode

Lokesh, yeah, I also found the SELinux issue, please see https://bugzilla.redhat.com/show_bug.cgi?id=1311544#c13, but unfortunately, there is nothing complained by `journalctl -f | grep -iE 'AVC'`.

---

Alex. Try `ausearch -m avc -ts recent` after failure.

---

Dan, see below steps. fwiw, ausearch wasn't available on atomic host, so I manually installed it from brew. Are there any additional steps to do before ausearch to make sure it's working properly?

```text
$ sudo atomic install rhel7/openscap
docker run --rm --privileged -v /:/host/ rhel7/openscap sh /root/install.sh
Installing the configuration file 'openscap' into /etc/atomic.d/.
You can now use this scanner with atomic scan with the --scanner openscap command-line option.
You can also set 'openscap' as the default scanner in /etc/atomic.conf.
To list the scanners you have configured for your system, use 'atomic scan --list'.
Saving current config.ini as config.ini.2016-06-16-15:41:09.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.

$ sudo atomic scan rhel7
Error deleting container: Error response from daemon: Driver devicemapper failed to remove root filesystem e6b260aa51f6bb3cf51dfecd5959da7f0e796b64074bdc146414651b9b6bbb66: Device is Busy
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-16-19-41-31-415529:/scanin -v /var/lib/atomic/openscap/2016-06-16-19-41-31-415529:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

rhel7 (sha256:bf203442)

rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-06-16-19-41-31-415529.

$ sudo ausearch -m avc -ts recent
<no matches>
```

---

Comment 14
Brent Baude

for testing purposes, can someone please try scanning with docker.io/fedora/atomic_scan_openscsap and report if the same issue exists?

---

(In reply to Brent Baude from comment #14)
> for testing purposes, can someone please try scanning with
> docker.io/fedora/atomic_scan_openscsap and report if the same issue exists?

Brent, if we hack Atomic Host w/ development or hotfix mode, and SELinux is enforcing on Atomic Host, yes, it's the same issue. If I change SELinux to Permissive mode then everything is okay; as Daniel mentioned in bug 1311544, SELinux will not work with unlock/overlayfs, it should be the root reason.

```text
[cloud-user@atomic-host-001 ~]$ sudo docker images | grep fedora
docker.io/fedora/atomic_scan_openscap   latest   76ebbb54a859   13 days ago   526.8 MB

[cloud-user@atomic-host-001 ~]$ grep image_name /etc/atomic.d/openscap
image_name: fedora/atomic_scan_openscap

[cloud-user@atomic-host-001 ~]$ getenforce
Enforcing

[cloud-user@atomic-host-001 ~]$ sudo ostree admin status
* rhel-atomic-host 5b82b4035f1920ceb0e31996aa627d8c975d7436260e5538d71728f43f34dfa6.0
    Version: 7.2.5
    Unlocked: hotfix
    origin refspec: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
  rhel-atomic-host 5b82b4035f1920ceb0e31996aa627d8c975d7436260e5538d71728f43f34dfa6.1
    Version: 7.2.5
    origin refspec: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

[cloud-user@atomic-host-001 ~]$ df|grep overlay
overlay

[cloud-user@atomic-host-001 ~]$ sudo atomic install docker.io/fedora/atomic_scan_openscap
docker run --rm --privileged -v /:/host/ docker.io/fedora/atomic_scan_openscap sh /root/install.sh
Installing the configuration file 'atomic_scan_openscap' into /etc/atomic.d/.
You can now use this scanner with atomic scan with the --scanner atomic_scan_openscap command-line option.
You can also set 'atomic_scan_openscap' as the default scanner in /etc/atomic.conf.
To list the scanners you have configured for your system, use 'atomic scan --list'.
Saving current config.ini as config.ini.2016-06-17-03:10:32.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.

[cloud-user@atomic-host-001 ~]$ sudo atomic run docker.io/fedora/atomic_scan_openscap
docker run -it --rm -v /:/host/ docker.io/fedora/atomic_scan_openscap sh /root/run.sh
This container/image is not meant to be run outside of the atomic command.
You can use this image by issuing 'atomic scan <container|image>' to scan.
See 'atomic scan --help' for more information.

[cloud-user@atomic-host-001 ~]$ sudo atomic scan --verbose registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-17-03-11-01-239031:/scanin -v /var/lib/atomic/openscap/2016-06-17-03-11-01-239031:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro fedora/atomic_scan_openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
INFO:OpenSCAP Daemon one-off evaluator 0.1.5
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/sha256:bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 143, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 473, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 470, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/oscap_helpers.py", line 267, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/oscap_helpers.py", line 242, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 444, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python3.4/site-packages/openscap_daemon/config.py", line 385, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/cve_feed_manager.py", line 225, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in
INFO:[100.00%] Scanned target 'chroot:///scanin/sha256:bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60'

registry.access.redhat.com/rhel7:latest (sha256:bf203442)

registry.access.redhat.com/rhel7:latest is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-06-17-03-11-01-239031.

500 Server Error: Internal Server Error ("devmapper: Unknown device 8ac9a444ee70d633ff6e421511ad51a8a9b6db766ae572403c9443468ef5211f")
```

---

Atomic scanner works on rhelah 7.2.5 (c6530479e2), but I still can encounter the same issue as in Comment 0.

---

Comment 17
Daniel Walsh

Ok so this should probably be renamed to docker and SELinux and Overlayfs do not work together. Running docker on an overlayfs system is going to cause issues.

---

The issue should have been fixed on RHELAH 7.2.5 (9bfe1fb650), I haven't seen issues again like Comment 0.

```text
[cloud-user@atomic-host-001 ~]$ grep MountFlags /usr/lib/systemd/system/docker.service
MountFlags=slave

[cloud-user@atomic-host-001 ~]$ sudo atomic host status
  TIMESTAMP (UTC)         VERSION   ID             OSNAME               REFSPEC
* 2016-06-18 15:21:12     7.2.5     9bfe1fb650     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
  2016-06-15 21:08:10     7.2.5     c6530479e2     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

[cloud-user@atomic-host-001 ~]$ rpm -q atomic docker
atomic-1.10.5-5.el7.x86_64
docker-1.10.3-44.el7.x86_64
```

---

Comment 20
Alex Jia

(In reply to Daniel Walsh from comment #17)
> Ok so this should probably be renamed to docker and SELinux and Overlayfs do
> not work together. Running docker on an overlayfs system is going to cause
> issues

Daniel, for now, I saw a different result from Comment 15 between atomic-1.10.5-5.el7.x86_64 and atomic-1.10.5-7.el7.x86_64.

```text
[cloud-user@atomic-host-001 atomic]$ atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-09 18:43:35)
        Commit: 347c3f5eb641e69fc602878c646cf42c4bcd5d9f36847a1f24ff8f3ec80f17b1
        OSName: rhel-atomic-host
      Unlocked: development

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-08 17:14:40)
        Commit: a018354891f8d991c5cf12962907d54231c7273508f046161e1699b734738d1f
        OSName: rhel-atomic-host

[cloud-user@atomic-host-001 atomic]$ df|grep overlay
overlay    3061760 2509932  551828  82% /usr
```

1. w/ SELinux enforcing mode

```text
[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-52-47-552808:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-52-47-552808:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

registry.access.redhat.com/rhel7:latest is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-52-47-552808.
```

NOTE: is it an expected result for "registry.access.redhat.com/rhel7:latest is not supported for this scan"?

2. w/ SELinux Permissive mode

```text
[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-53-16-673435:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-53-16-673435:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-53-16-673435.
```

NOTE: everything is okay.

---

(In reply to Alex Jia from comment #20)
> 1. w/ SELinux enforcing mode
>
> [cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap
> --scan_type cve registry.access.redhat.com/rhel7:latest
> docker run -it --rm -v /etc/localtime:/etc/localtime -v
> /run/atomic/2016-09-18-03-52-47-552808:/scanin -v
> /var/lib/atomic/openscap/2016-09-18-03-52-47-552808:/scanout:rw,Z -v
> /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan
> --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
>
> registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)
>
> registry.access.redhat.com/rhel7:latest is not supported for this scan.
>
> Files associated with this scan are in
> /var/lib/atomic/openscap/2016-09-18-03-52-47-552808.
>
> NOTE: is it an expected result for "registry.access.redhat.com/rhel7:latest
> is not supported for this scan"?

Well, I can't see the issues in Description on atomic-1.10.5-7, so moving the bug to VERIFIED status; for the other question, I will file a separate bug.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html
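A preflight check for the failing combination the thread converges on (SELinux Enforcing on an Atomic Host unlocked with `ostree admin unlock`, which puts an overlayfs mount under docker), added here as an example; it is not part of this bug report or of the atomic project. The functions take the text of `getenforce`, `ostree admin status` and `df` as arguments so they can be exercised offline, and the sample inputs below are constructed after the output quoted in the comments above.

```shell
#!/bin/sh
# Preflight check for the condition diagnosed in this bug: SELinux Enforcing on an
# Atomic Host that was unlocked with 'ostree admin unlock' (development or hotfix
# mode), which mounts /usr as overlayfs and, per the comments above, breaks the
# container cleanup done by 'atomic scan'. The checks take command output as text
# so they run offline; on a host call them with "$(getenforce)",
# "$(sudo ostree admin status)" and "$(df)".

# unlock_mode STATUS_TEXT: prints "development", "hotfix" or "none"
unlock_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*Unlocked:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'none\n'; fi
}

# has_overlay DF_TEXT: succeeds when an overlay filesystem is mounted
has_overlay() {
    printf '%s\n' "$1" | grep -q '^overlay'
}

# scan_env_verdict ENFORCE STATUS_TEXT DF_TEXT: prints "unsupported" for the
# combination this bug reports as failing, "ok" otherwise
scan_env_verdict() {
    if [ "$1" = "Enforcing" ] && [ "$(unlock_mode "$2")" != "none" ] && has_overlay "$3"; then
        printf 'unsupported\n'
    else
        printf 'ok\n'
    fi
}

# Constructed sample inputs, modelled on the ostree admin status and df output
# quoted in the thread (not captured from a live host)
SAMPLE_STATUS='* rhel-atomic-host 5b82b4035f1920ceb0e31996aa627d8c975d7436260e5538d71728f43f34dfa6.0
    Version: 7.2.5
    Unlocked: hotfix
    origin refspec: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard'
SAMPLE_DF='overlay    3061760 2509932  551828  82% /usr'

# Demo run on the constructed samples; swap in live command output on a real host
echo "unlock mode: $(unlock_mode "$SAMPLE_STATUS")"
echo "Enforcing:   $(scan_env_verdict Enforcing "$SAMPLE_STATUS" "$SAMPLE_DF")"
echo "Permissive:  $(scan_env_verdict Permissive "$SAMPLE_STATUS" "$SAMPLE_DF")"
```

On a host where the verdict is "unsupported", the thread's own workaround was to run the scan with SELinux in permissive mode or on a locked deployment, and the reported fix shipped in the errata linked above.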