Bug 1342047 - atomic scan doesn't work with default or explicit openscap scanner configuration
Summary: atomic scan doesn't work with default or explicit openscap scanner configuration
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
Depends On:
TreeView+ depends on / blocked
Reported: 2016-06-02 10:35 UTC by Alex Jia
Modified: 2016-11-04 09:06 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 09:06:01 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2628 0 normal SHIPPED_LIVE atomic bug fix and enhancement update 2016-11-03 18:17:14 UTC

Description Alex Jia 2016-06-02 10:35:51 UTC
Description of problem:
atomic scan doesn't work with openscap scanner configuration in /etc/atomic.conf. 

Version-Release number of selected component (if applicable):

$ rpm -q atomic docker kernel

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:

Steps to Reproduce:
1. yum install atomic
2. edit /etc/atomic.conf with openscap scanner
3. restart docker service (it may be not necessary)
4. atomic scan --list

Actual results:

$ cat /etc/atomic.conf 
# Atomic CLI configuration file

default_scanner: openscap
default_docker: docker

# default_storage: ostree
# ostree_repository: /ostree/repo
# checkout_path: /var/lib/containers/atomic

$ sudo systemctl restart docker

$ sudo atomic scan --list
No scanners are configured for your system.

Expected results:

Additional info:

I got a question, the new atomic scanner doesn't require oscapd is running on the host, right? I also tried to run oscapd firstly, the testing result is the same to above.

When I manually create /etc/atomic.d/ directory and copy openscap into /etc/atomic.d/, the atomic scan --list works, but I can't still scan a local or remote container image, the details as follows.

$ cat /etc/atomic.d/openscap 
type: scanner
scanner_name: openscap
image_name: openscap
default_scan: cve
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout'],
        description: "Performs a CVE scan based on known CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan'],
        description: "Performs a standard scan"
$ sudo atomic scan --list
Scanner: openscap * 
  Image Name: openscap
     Scan type: cve * 
     Description: Performs a CVE scan based on known CVE data

     Scan type: standards_compliance 
     Description: Performs a standard scan

* denotes defaults

$ sudo atomic images

  REPOSITORY                                           TAG              IMAGE ID       CREATED            VIRTUAL SIZE     
  registry.access.redhat.com/rhel7                     latest           sha256:bf203   2016-05-05 12:43   203.43 MB     
  docker.io/busybox                                    latest           sha256:47bcc   2016-03-18 14:22   1.11 MB       

$ sudo atomic scan registry.access.redhat.com/rhel7
sha256-bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60 did not match any image or container.

$ sudo atomic scan registry.access.redhat.com/rhel7/rhel-tools
Unable to associate 'registry.access.redhat.com/rhel7/rhel-tools' with an image or container

Comment 3 Daniel Walsh 2016-08-19 22:07:40 UTC
Brent any update on this one?

Comment 4 Alex Jia 2016-08-21 14:03:47 UTC
It works well now, the openscap image will be automatically downloaded from registry.access.redhat.com/rhel7 if it doesn't exist on the local host.

Comment 5 Daniel Walsh 2016-08-22 10:39:21 UTC
Fixed in atomic-1.11

Comment 7 Alex Jia 2016-09-18 03:23:20 UTC
Moving to VERIFIED status per Comment 4.

Comment 9 errata-xmlrpc 2016-11-04 09:06:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.