Bug 1461788

Summary: atomic scan returns error when scanning read-only rootfs
Product: Red Hat Enterprise Linux 7
Reporter: Matus Marhefka <mmarhefk>
Component: atomic
Assignee: Brent Baude <bbaude>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.4
CC: bbaude, ddarrah, dwalsh
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-15 07:38:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Script to reproduce the error (flags: none)

Description Matus Marhefka 2017-06-15 10:44:53 UTC
Description of problem:
When scanning a read-only rootfs using atomic scan, an error is printed about a read-only filesystem.

Version-Release number of selected component (if applicable):
atomic-1.17.2-4.git2760e30.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create and format an ext4 FS (qemu-img create + virt-format).
2. Import it using virt-install.
3. After importing, mount the FS into some directory on the host as read-only using guestmount.
4. Run atomic scan with --rootfs to scan the mounted ext4 FS.

Actual results:
A "[Errno 30] Read-only file system" error is printed and atomic scan exits with 1.

Expected results:
No error is printed about read-only file system and atomic scan exits with return code based on scan results.

Comment 2 Matus Marhefka 2017-06-15 10:46:06 UTC
Created attachment 1287992 [details]
Script to reproduce the error

Comment 3 Matus Marhefka 2017-06-15 11:04:43 UTC
One more thing: when you run the atomic scan command from step 4 with the '--debug' option, the error is not printed.

Comment 4 Alex Jia 2017-06-15 11:23:27 UTC
atomic scan --verbose --scanner openscap --rootfs fs_mount_dir
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-06-15-19-20-00-927719:/scanin -v /var/lib/atomic/openscap/2017-06-15-19-20-00-927719:/scanout:rw,Z --security-opt label:disable -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/fs_mount_dir' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 143, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 473, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 470, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 300, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 275, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 444, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 402, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in 
INFO:[100.00%] Scanned target 'chroot:///scanin/fs_mount_dir'

fs_mount_dir (fs_mount_dir)

     fs_mount_dir is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2017-06-15-19-20-00-927719.

[Errno 30] Read-only file system: '/run/atomic/2017-06-15-19-20-00-927719/fs_mount_dir/lost+found'
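The last line of the output above shows the EROFS error on a path under the staging directory (/run/atomic/<timestamp>/fs_mount_dir/lost+found), which is where the read-only rootfs is bind-mounted for the scanner. The following is an added illustration, not code from atomic or from the reporter's attachment; it assumes (an inference from that path, not something the page confirms) that the error comes from a post-scan cleanup step writing into the bind-mounted tree. It shows the behaviour the expected results ask for: detect a read-only mount up front, treat EROFS during cleanup as a reported condition rather than a failure, and let the exit status follow the scan findings alone. All function names are hypothetical.

```python
import errno
import os
import shutil
import tempfile


def is_read_only_mount(path):
    """True if the filesystem holding `path` is mounted read-only (ST_RDONLY set)."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def cleanup_staging(path, remover=shutil.rmtree):
    """Remove a scan staging directory.

    Returns "removed" on success, or "read-only" when the removal fails with
    EROFS (errno 30): the target is a read-only mount, so there is nothing to
    delete and the condition is reported instead of aborting the run. Any other
    OSError is re-raised because it indicates a real problem.
    """
    try:
        remover(path)
    except OSError as exc:
        if exc.errno == errno.EROFS:
            return "read-only"
        raise
    return "removed"


def scan_rootfs(path, scanner, remover=shutil.rmtree):
    """Scan `path` with `scanner` (a callable returning a list of findings),
    then clean up. The exit code reflects only the findings; a read-only
    staging directory is recorded in `notes` but never changes the exit code.
    Returns (exit_code, findings, notes)."""
    notes = []
    if is_read_only_mount(path):
        notes.append("target %s is a read-only mount; cleanup will be skipped" % path)
    findings = scanner(path)
    status = cleanup_staging(path, remover)
    if status == "read-only":
        notes.append("cleanup of %s skipped: [Errno %d] %s"
                     % (path, errno.EROFS, os.strerror(errno.EROFS)))
    return (1 if findings else 0), findings, notes


def make_staging_dir():
    """Create a throwaway staging directory (constructed test input)."""
    return tempfile.mkdtemp(prefix="scan-")


def erofs_remover(path):
    """Constructed stand-in for rmtree on a read-only mount: raises EROFS on
    the same kind of path that appears in the bug report."""
    raise OSError(errno.EROFS, os.strerror(errno.EROFS),
                  os.path.join(path, "lost+found"))


if __name__ == "__main__":
    staging = make_staging_dir()
    # Simulate the read-only case: the scan itself is clean, cleanup hits EROFS.
    code, findings, notes = scan_rootfs(staging, lambda p: [], erofs_remover)
    print("exit code:", code, "findings:", findings)
    for note in notes:
        print("note:", note)
    shutil.rmtree(staging)  # the stand-in removed nothing, so tidy up for real
```

The design point is that EROFS on a path the tool only ever reads from (the scanned rootfs) is not a scan failure: the findings, not the housekeeping, decide the return code, and the read-only condition is surfaced as a note so it is still visible to whoever runs the scan.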

Comment 5 Brent Baude 2017-06-27 19:01:04 UTC
Created upstream patch -> https://github.com/projectatomic/atomic/pull/1037

Comment 7 RHEL Program Management 2021-01-15 07:38:11 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.