Bug 1432543
| Summary: | atomic scan does not seem to work right with registry.access.redhat.com containers at the version level | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dave Sullivan <dsulliva> |
| Component: | atomic | Assignee: | Brent Baude <bbaude> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.3 | CC: | ajia, bbaude, lsm5 |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-28 15:41:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1186913, 1441774 | ||
Also notice atomic scan on ose-haproxy-registry fails tag or not tag atomic scan registry.access.redhat.com/openshift3/ose-haproxy-router Ok, that makes sense and that works after doing a docker pull. I guess the message could be better. Instead of.... [root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container Maybe provide [root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container, check docker pull egistry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 and retry as images need to exist locally in order to be scanned (In reply to Dave Sullivan from comment #4) > Ok, that makes sense and that works after doing a docker pull. > > I guess the message could be better. > > Instead of.... > > [root@master001-c001 ~]# atomic scan > registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 > Unable to associate > 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an > image or container > > Maybe provide > > [root@master001-c001 ~]# atomic scan > registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 > Unable to associate > 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an > image or container, check docker pull > egistry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 and retry > as images need to exist locally in order to be scanned Yes, above error should be more friendly for users, but I'm not sure whether atomic will support to pull images automatically in the future. @David, thanks for taking the time to use Atomic scan and report on a problem you found. I have proposed a clearer message to upstream as part of https://github.com/projectatomic/atomic/pull/956. atomic-1.17.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8ecce192d4 atomic-1.17.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8ecce192d4 atomic-1.17.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ed260082e atomic-1.17.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ed260082e [root@dell-per630-02 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 Unable to locate the container or image 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' locally. Check the input name for typos or pull the image first. [root@dell-per630-02 ~]# rpm -q atomic skopeo docker atomic-1.18.1-2.1.git0705b1b.el7.x86_64 skopeo-0.1.20-2.el7.x86_64 docker-1.12.6-30.1.git1398f24.el7.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1627 |
Description of problem: using tag as scan reference doesn't work [root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container As you can see if I remove the tag it works fine [root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-03-15-11-31-59-015537:/scanin -v /var/lib/atomic/openscap/2017-03-15-11-31-59-015537:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1 registry.access.redhat.com/openshift3/ose-docker-registry (2116824b4b6a67d) The following issues were found: RHSA-2017:0286: openssl security update (Moderate) Severity: Moderate RHSA URL: https://rhn.redhat.com/errata/RHSA-2017-0286.html RHSA ID: RHSA-2017:0286-01 Associated CVEs: CVE ID: CVE-2016-8610 CVE URL: https://access.redhat.com/security/cve/CVE-2016-8610 CVE ID: CVE-2017-3731 CVE URL: https://access.redhat.com/security/cve/CVE-2017-3731 RHSA-2016:2972: vim security update (Moderate) Severity: Moderate RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2972.html RHSA ID: RHSA-2016:2972-01 Associated CVEs: CVE ID: CVE-2016-1248 CVE URL: https://access.redhat.com/security/cve/CVE-2016-1248 RHSA-2016:2824: expat security update (Moderate) Severity: Moderate RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2824.html RHSA ID: RHSA-2016:2824-01 Associated CVEs: CVE ID: CVE-2016-0718 CVE URL: https://access.redhat.com/security/cve/CVE-2016-0718 RHSA-2016:2779: nss and nss-util security update (Moderate) Severity: Moderate RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2779.html RHSA ID: RHSA-2016:2779-03 Associated CVEs: CVE ID: CVE-2016-2834 CVE URL: https://access.redhat.com/security/cve/CVE-2016-2834 CVE ID: CVE-2016-5285 CVE URL: https://access.redhat.com/security/cve/CVE-2016-5285 CVE ID: CVE-2016-8635 CVE URL: https://access.redhat.com/security/cve/CVE-2016-8635 RHSA-2016:2674: libgcrypt security update (Moderate) Severity: Moderate RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2674.html RHSA ID: RHSA-2016:2674-02 Associated CVEs: CVE ID: CVE-2016-6313 CVE URL: https://access.redhat.com/security/cve/CVE-2016-6313 Files associated with this scan are in /var/lib/atomic/openscap/2017-03-15-11-31-59-015537. Version-Release number of selected component (if applicable): atomic-1.15.4-2.el7 How reproducible: See above Actual results: Expected results: atomic scan should be able to search at the tag level on upstream registry.access.redhat.com Additional info: Doing an atomic scan on a openshift image that has tag works fine