Bug 1368566

Summary: atomic scan does not work with overlayfs
Product: Red Hat Enterprise Linux 7
Reporter: Qian Cai <qcai>
Component: atomic
Assignee: Brent Baude <bbaude>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.2
CC: ajia, bbaude, dwalsh, vgoyal, yruseva
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 09:06:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Qian Cai 2016-08-19 18:53:55 UTC
Description of problem:
# atomic install rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
Pulling repository registry.access.redhat.com/rhel7/openscap
d71330f48eb3: Pull complete 
6f7a31562d1e: Pull complete 
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
registry.access.redhat.com/rhel7/openscap: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
docker run --rm --privileged -v /:/host/ rhel7/openscap sh /root/install.sh

Installing the configuration file 'openscap' into /etc/atomic.d/.  You can now use this scanner with atomic scan with the --scanner openscap command-line option.  You can also set 'openscap' as the default scanner in /etc/atomic.conf.  To list the scanners you have configured for your system, use 'atomic scan --list'.

Saving current config.ini as config.ini.2016-08-19-14:43:06.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.

# atomic scan rhel7
Unable to associate 'rhel7' with an image or container

# docker images
REPOSITORY                                  TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/rhel7/openscap   latest              e86fecac7d50        3 weeks ago         362.3 MB

# docker pull rhel7
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7 ... 
Pulling repository registry.access.redhat.com/rhel7
6f7a31562d1e: Already exists 
Status: Image is up to date for registry.access.redhat.com/rhel7:latest
registry.access.redhat.com/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

# docker images
REPOSITORY                                  TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/rhel7/openscap   latest              e86fecac7d50        3 weeks ago         362.3 MB
registry.access.redhat.com/rhel7            latest              4a6b6e1a17d7        3 weeks ago         201.6 MB

# atomic scan rhel7
[Errno 2] No such file or directory: u'/var/lib/docker/overlay/d4e51719a572f40e7408d5b3f7192d275505544809b46f670977d6b1170ea44f/lower-id'

Version-Release number of selected component (if applicable):
atomic-1.10.5-7.el7.x86_64
docker-1.10.3-46.el7.10.x86_64
rhel atomic host 7.2.6

How reproducible:
always

Comment 1 Qian Cai 2016-08-19 19:04:20 UTC
This also seems to cause atomic scan to fail when in atomic devmode.

# atomic host unlock
Development mode enabled.  A writable overlayfs is now mounted on /usr.
All changes there will be discarded on reboot.

# atomic install rhel7/openscap
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
Pulling repository registry.access.redhat.com/rhel7/openscap
d71330f48eb3: Pull complete 
6f7a31562d1e: Pull complete 
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
registry.access.redhat.com/rhel7/openscap: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
docker run --rm --privileged -v /:/host/ rhel7/openscap sh /root/install.sh

Installing the configuration file 'openscap' into /etc/atomic.d/.  You can now use this scanner with atomic scan with the --scanner openscap command-line option.  You can also set 'openscap' as the default scanner in /etc/atomic.conf.  To list the scanners you have configured for your system, use 'atomic scan --list'.

Saving current config.ini as config.ini.2016-08-19-14:57:37.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.

# atomic scan rhel7
Unable to associate 'rhel7' with an image or container
bash-4.2# docker pull rhel7
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7 ... 
Pulling repository registry.access.redhat.com/rhel7
6f7a31562d1e: Already exists 
Status: Image is up to date for registry.access.redhat.com/rhel7:latest
registry.access.redhat.com/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

# atomic scan rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-08-19-19-02-54-430358:/scanin -v /var/lib/atomic/openscap/2016-08-19-19-02-54-430358:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

rhel7 (sha256:4a6b6e1a)

     rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-08-19-19-02-54-430358.

Comment 3 Qian Cai 2016-08-19 19:44:06 UTC
Same issue even with xfs ftype=1.

# xfs_info /var/lib/docker
meta-data=/dev/vdb               isize=512    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal               bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

Comment 4 Daniel Walsh 2016-08-20 09:24:35 UTC
I made a lot of fixes in upstream master to handle overlay.  Perhaps we need to cut a new version of atomic, to grab these.  atomic-1.11.1?

Comment 5 Daniel Walsh 2016-08-26 18:52:58 UTC
If you are running with SELinux this will also not work, since unlock and SELinux do not play well together.

Comment 6 Daniel Walsh 2016-08-26 18:53:36 UTC
Fixed in atomic-1.11 with SELinux disabled or on a RHEL system

Comment 8 Alex Jia 2016-09-18 06:12:58 UTC
atomic scan works w/ overlayfs when SELinux is in Permissive mode.

[cloud-user@atomic-host-001 atomic]$ atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-09 18:43:35)
        Commit: 347c3f5eb641e69fc602878c646cf42c4bcd5d9f36847a1f24ff8f3ec80f17b1
        OSName: rhel-atomic-host
      Unlocked: development

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-08 17:14:40)
        Commit: a018354891f8d991c5cf12962907d54231c7273508f046161e1699b734738d1f
        OSName: rhel-atomic-host

[cloud-user@atomic-host-001 atomic]$ sudo setenforce 0
[cloud-user@atomic-host-001 atomic]$ getenforce
Permissive

[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-53-16-673435:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-53-16-673435:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-53-16-673435.


Just for the record, w/ SELinux in enforcing mode, atomic scan doesn't support scanning images.

[cloud-user@atomic-host-001 atomic]$ getenforce
Enforcing

[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-52-27-776245:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-52-27-776245:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7 (sha256:98a88a8b)

     registry.access.redhat.com/rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-52-27-776245.

Comment 9 Qian Cai 2016-10-04 18:27:03 UTC
(In reply to Alex Jia from comment #8)
> Just a record, w/ SELinux enforcing mode, atomic scan doesn't support
> scanning image.
This looks like a bug to me. atomic scan should work with overlayfs and host's selinux enabled.

Comment 10 Daniel Walsh 2016-10-04 18:51:54 UTC
We don't support OverlayFS and SELinux at this point so why is this a bug?

Comment 11 Qian Cai 2016-10-04 18:59:47 UTC
Because it was talking about using the overlayfs docker storage driver with SELinux disabled inside the docker daemon (via /etc/sysconfig/docker(-latest)) but with the host's SELinux ENABLED (getenforce on the host), which is supported, and atomic scan still errored out in comment #8.

On the other hand, I saw what is probably a different failure with atomic scan + overlay.
# atomic --debug scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7
Created /run/atomic/2016-10-04-18-51-55-243437
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-10-04-18-51-55-243437:/scanin -v /var/lib/atomic/openscap/2016-10-04-18-51-55-243437:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-10-04-18-51-55-243437/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
Mounted {u'Created': 1473186186, u'Labels': {u'distribution-scope': u'public', u'build-date': u'2016-09-06T14:12:54.553894Z', u'Vendor': u'Red Hat, Inc.', u'Name': u'rhel7/rhel', u'Build_Host': u'rcm-img-docker02.build.eng.bos.redhat.com', u'vcs-type': u'git', u'vcs-ref': u'08780b7a7779335cf28f64654e43c75ad9341c77', u'release': u'104', u'Version': u'7.2', u'Architecture': u'x86_64', u'Release': u'104', u'BZComponent': u'rhel-server-docker', u'Authoritative_Registry': u'registry.access.redhat.com', u'com.redhat.build-host': u'rcm-img-docker02.build.eng.bos.redhat.com', u'architecture': u'x86_64'}, 'ImageId': u'98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861', u'VirtualSize': 201376319, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7', u'RepoTags': [u'registry.access.redhat.com/rhel7:latest'], u'RepoDigests': None, u'Id': u'98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861', 'ImageType': 'Docker', u'Size': 201376319} to /run/atomic/2016-10-04-18-51-55-243437/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
Creating the output dir at /var/lib/atomic/openscap/2016-10-04-18-51-55-243437
INFO:OpenSCAP Daemon one-off evaluator 0.1.5
INFO:Autodetected "oscap" in path "/usr/bin/oscap".
INFO:Autodetected "oscap-ssh" in path "/usr/bin/oscap-ssh".
INFO:Autodetected "oscap-vm" in path "/usr/bin/oscap-vm".
INFO:Autodetected "oscap-docker" in path "/usr/bin/oscap-docker".
INFO:Autodetected "oscap-chroot" in path "/usr/bin/oscap-chroot".
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Autodetected SCAP content at "/usr/share/openscap/cpe/openscap-cpe-oval.xml".
INFO:Autodetected SCAP content in path "/usr/share/xml/scap/ssg/content".
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Had a local version of /var/lib/oscapd/cve_feeds/com.redhat.rhsa-RHEL7.xml but it wasn't new enough
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861'

registry.access.redhat.com/rhel7 (98a88a8b722a718)

The following issues were found:

     RHSA-2016:1940: openssl security update (Important)
     Severity: Important
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
       RHSA ID: RHSA-2016:1940-01
       Associated CVEs:
           CVE ID: CVE-2016-2177
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2177
           CVE ID: CVE-2016-2178
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2178
           CVE ID: CVE-2016-2179
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2179
           CVE ID: CVE-2016-2180
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2180
           CVE ID: CVE-2016-2181
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2181
           CVE ID: CVE-2016-2182
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2182
           CVE ID: CVE-2016-6302
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6302
           CVE ID: CVE-2016-6304
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6304
           CVE ID: CVE-2016-6306
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6306


Files associated with this scan are in /var/lib/atomic/openscap/2016-10-04-18-51-55-243437.

Unmounted /run/atomic/2016-10-04-18-51-55-243437/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
g-io-error-quark: Refspec 'ociimage/9a011419912964fc07dca28c1276beee515c6d6546b1dc75cba05f6c350a6cbf-latest' not found (1)
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 169, in scan
    self.record_environment()
  File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 395, in record_environment
    environment['images'].append(self._inspect_image(image=iid))
  File "/usr/lib/python2.7/site-packages/Atomic/atomic.py", line 254, in _inspect_image
    return self.syscontainers.inspect_system_image(image)
  File "/usr/lib/python2.7/site-packages/Atomic/syscontainers.py", line 607, in inspect_system_image
    return self._inspect_system_branch(repo, imagebranch)
  File "/usr/lib/python2.7/site-packages/Atomic/syscontainers.py", line 610, in _inspect_system_branch
    commit_rev = repo.resolve_rev(imagebranch, False)[1]
Error: g-io-error-quark: Refspec 'ociimage/9a011419912964fc07dca28c1276beee515c6d6546b1dc75cba05f6c350a6cbf-latest' not found (1)
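The three outcomes this thread shows for an image (findings listed as above, "passed the scan" in comment #8, and the "is not supported for this scan." line that is the overlayfs symptom) parsed into one verdict a CI gate can act on. This is an added example, not atomic's own code nor the reporter's; the sample report is constructed from the outputs quoted in this bug, and the status strings are assumed to be stable literals.

```python
import re

# Constructed sample, trimmed from outputs quoted in this bug: findings, passed, unsupported.
SAMPLE_REPORT = """\
registry.access.redhat.com/rhel7 (98a88a8b722a718)

The following issues were found:

     RHSA-2016:1940: openssl security update (Important)
       Associated CVEs:
           CVE ID: CVE-2016-2177
           CVE ID: CVE-2016-6304

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

registry.access.redhat.com/rhel7:latest passed the scan

rhel7 (sha256:4a6b6e1a)

     rhel7 is not supported for this scan.
"""
TARGET_RE = re.compile(r"^(\S+) \((?:sha256:)?[0-9a-f]+\)$")    # "image (id)" header line
RHSA_RE = re.compile(r"^\s{5}(RHSA-\d{4}:\d+): (.+) \((\w+)\)$")  # advisory title + severity
CVE_RE = re.compile(r"^\s+CVE ID: (CVE-\d{4}-\d+)$")

def parse_scan_report(text):
    """Map each scanned image to its status and the advisories listed under it."""
    results, cur, adv = {}, None, None
    for line in text.splitlines():
        if m := TARGET_RE.match(line):
            cur, adv = results.setdefault(m.group(1), {"status": "unknown", "advisories": []}), None
        elif cur is None:
            continue  # preamble before the first target header (docker run echo, etc.)
        elif line.endswith(" passed the scan"):
            cur["status"] = "passed"
        elif line.strip().endswith(" is not supported for this scan."):
            cur["status"] = "unsupported"  # the overlayfs symptom reported in this bug
        elif line.startswith("The following issues were found:"):
            cur["status"] = "findings"
        elif m := RHSA_RE.match(line):
            adv = {"id": m.group(1), "title": m.group(2), "severity": m.group(3), "cves": []}
            cur["advisories"].append(adv)
        elif adv is not None and (m := CVE_RE.match(line)):
            adv["cves"].append(m.group(1))
    return results

def gate(results):
    """CI verdict per image: only an explicit 'passed' is accepted; 'unsupported' fails closed."""
    return {img: r["status"] == "passed" for img, r in results.items()}
```

Treating "unsupported" as a failure matters here: a scan that could not inspect the image otherwise looks indistinguishable from a clean one in a pipeline that only checks for findings.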

Comment 12 Daniel Walsh 2016-10-04 19:14:10 UTC
Any avc messages?

Comment 13 Qian Cai 2016-10-04 19:17:28 UTC
No ausearch on atomic host, and dmesg showed nothing. "setenforce 0" on the host did not help either. The trace looks system container related, so I am not sure; it might be just some bad interaction between atomic scan and system containers.

Comment 14 Daniel Walsh 2016-10-04 19:21:15 UTC
Ok, let's assign to Baude and see if he can recreate the error.

Comment 15 Qian Cai 2016-10-04 19:57:50 UTC
Confirmed the above can always be reproduced once a system container image exists; tracked here:
https://bugzilla.redhat.com/show_bug.cgi?id=1381717

Comment 17 errata-xmlrpc 2016-11-04 09:06:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html