Bug 1347037 - 'atomic scan' fails with 'Error deleting container'
Summary: 'atomic scan' fails with 'Error deleting container'
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
Reported: 2016-06-15 20:51 UTC by Micah Abbott
Modified: 2016-11-04 09:06 UTC (History)
Last Closed: 2016-11-04 09:06:23 UTC
Links
System: Red Hat Product Errata | ID: RHBA-2016:2628 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: atomic bug fix and enhancement update | Last Updated: 2016-11-03 18:17:14 UTC

Description Micah Abbott 2016-06-15 20:51:02 UTC
On RHELAH 7.2.5, using 'atomic-1.10.5-5.el7.x86_64', the 'atomic scan' command fails like so:

-bash-4.2# ostree admin unlock
Development mode enabled.  A writable overlayfs is now mounted on /usr.
All changes there will be discarded on reboot.
-bash-4.2# rpm -Uhv atomic-1.10.5-5.el7.x86_64.rpm skopeo-0.1.13-5.el7.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:skopeo-1:0.1.13-5.el7            ################################# [ 25%]
   2:atomic-1:1.10.5-5.el7            ################################# [ 50%]
Cleaning up / removing...
   3:atomic-1:1.10.5-3.el7            ################################# [ 75%]
   4:skopeo-1:0.1.13-3.el7            ################################# [100%]
-bash-4.2# atomic --version
1.10.5
-bash-4.2# rpm -q atomic
atomic-1.10.5-5.el7.x86_64
-bash-4.2# docker pull rhel7
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7 ... 
Pulling repository registry.access.redhat.com/rhel7
c453594215e4: Pull complete 
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
registry.access.redhat.com/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
-bash-4.2# vi /etc/sysconfig/docker
-bash-4.2# systemctl restart docker
-bash-4.2# docker pull brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7
Trying to pull repository brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap ... 
Pulling repository brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap
13e6a6d91da9: Pull complete 
070b772502e4: Pull complete 
Status: Downloaded newer image for brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
-bash-4.2# vi /etc/atomic.d/openscap 
-bash-4.2# atomic scan registry.access.redhat.com/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-15-20-41-09-785329:/scanin -v /var/lib/atomic/openscap/2016-06-15-20-41-09-785329:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7 oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Error deleting container: Error response from daemon: Driver devicemapper failed to remove root filesystem 520e1a8fcf0c9737f170982d85d3174ccb162f5c56e4a93d3f4d57adbc1d7954: remove /var/lib/docker/devicemapper/mnt/ae970d4bcabeac5f50b9698b8d072b25996b84b55aa8783228e50bfc75f2efea: device or resource busy

registry.access.redhat.com/rhel7 (sha256:bf203442)

     registry.access.redhat.com/rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-06-15-20-41-09-785329.



Additionally, on RHEL 7 Server, I'm seeing similar problems


# atomic scan registry.access.redhat.com/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-15-15-58-51-718170:/scanin -v /var/lib/atomic/openscap/2016-06-15-15-58-51-718170:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7 oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Error deleting container: Error response from daemon: Driver devicemapper failed to remove root filesystem b66dd6ac43345d2f386fa2fa5a59c85d877452c03a22bc4aa50db5213a565b6c: remove /var/lib/docker/devicemapper/mnt/8aaf48fab1228ca8d61fa9b527e929833a9f13de0f7bb704ecc64dee380c5fb0: device or resource busy

registry.access.redhat.com/rhel7 (sha256:bf203442)

The following issues were found:

     RHSA-2016:1025: pcre security update (Important)
     Severity: Important
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1025.html
       RHSA ID: RHSA-2016:1025-00
       Associated CVEs:
           CVE ID: CVE-2015-2328
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-2328
           CVE ID: CVE-2015-3217
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-3217
           CVE ID: CVE-2015-5073
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-5073
           CVE ID: CVE-2015-8385
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-8385
           CVE ID: CVE-2015-8386
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-8386
           CVE ID: CVE-2015-8388
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-8388
           CVE ID: CVE-2015-8391
           CVE URL: https://access.redhat.com/security/cve/CVE-2015-8391
           CVE ID: CVE-2016-3191
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-3191


Files associated with this scan are in /var/lib/atomic/openscap/2016-06-15-15-58-51-718170.

Comment 4 Alex Jia 2016-06-16 05:25:00 UTC
(In reply to Micah Abbott from comment #0)

> -bash-4.2# vi /etc/atomic.d/openscap 

Micah, could you show above file? I wanna know any change in your openscap, thanks.

Comment 5 Alex Jia 2016-06-16 10:13:58 UTC
(In reply to Micah Abbott from comment #0)

> The following issues were found:
> 
>      RHSA-2016:1025: pcre security update (Important)
>      Severity: Important
>        RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1025.html
>        RHSA ID: RHSA-2016:1025-00

BTW, the above CVE had been reported in bug 1337881.

Comment 6 Alex Jia 2016-06-16 10:15:17 UTC
(In reply to Alex Jia from comment #4)
> (In reply to Micah Abbott from comment #0)
> 
> > -bash-4.2# vi /etc/atomic.d/openscap 
> 
> Micah, could you show above file? I wanna know any change in your openscap,
> thanks.

Well, atomic scan works well on my RHEL7 system when I ran atomic install and run w/ rhel7/openscap image firstly.

Comment 8 Micah Abbott 2016-06-16 14:09:05 UTC
(In reply to Alex Jia from comment #4)
> (In reply to Micah Abbott from comment #0)
> 
> > -bash-4.2# vi /etc/atomic.d/openscap 
> 
> Micah, could you show above file? I wanna know any change in your openscap,
> thanks.

Alex, I hard-coded the version of the openscap container that I was told to use in my config file.  I believe that is the only change from the defaults:

# cat /etc/atomic.d/openscap 
type: scanner
scanner_name: openscap
image_name: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/openscap:7.2-7
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout'],
        description: "Performs a CVE scan based on known CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan'],
        description: "Performs a standard scan"
      }
]

Comment 9 Alex Jia 2016-06-16 14:27:01 UTC
(In reply to Micah Abbott from comment #8)
> Alex, I hard-coded the version of the openscap container that I was told to
> use in my config file.  I believe that is the only change from the defaults:
> 

Micah, it should not be an important difference, but it's strange: I have never had a success on my rhelah 7.2.5 w/ the latest atomic installed in development mode (ostree admin unlock).

Comment 10 Lokesh Mandvekar 2016-06-16 14:35:43 UTC
This looks like an selinux issue to me. The devicemapper error messages aside, the scan worked for me on atomic host in permissive mode

Comment 11 Alex Jia 2016-06-16 14:54:54 UTC
(In reply to Lokesh Mandvekar from comment #10)
> This looks like an selinux issue to me. The devicemapper error messages
> aside, the scan worked for me on atomic host in permissive mode

Lokesh, yeah, I also found an SELinux issue, please see https://bugzilla.redhat.com/show_bug.cgi?id=1311544#c13, but unfortunately, nothing is reported by journalctl -f | grep -iE 'AVC'.

Comment 12 Daniel Walsh 2016-06-16 19:11:26 UTC
Alex.  Try 

ausearch -m avc -ts recent 
After failure.

Comment 13 Lokesh Mandvekar 2016-06-16 19:44:15 UTC
Dan see below steps. fwiw, ausearch wasn't available on atomic host, so I manually installed it from brew. Are there any additional steps to do before ausearch to make sure it's working properly?


$ sudo atomic install rhel7/openscap
docker run --rm --privileged -v /:/host/ rhel7/openscap sh /root/install.sh

Installing the configuration file 'openscap' into /etc/atomic.d/.  You can now use this scanner with atomic scan with the --scanner openscap command-line option.  You can also set 'openscap' as the default scanner in /etc/atomic.conf.  To list the scanners you have configured for your system, use 'atomic scan --list'.

Saving current config.ini as config.ini.2016-06-16-15:41:09.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.




$ sudo atomic scan rhel7
Error deleting container: Error response from daemon: Driver devicemapper failed to remove root filesystem e6b260aa51f6bb3cf51dfecd5959da7f0e796b64074bdc146414651b9b6bbb66: Device is Busy
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-16-19-41-31-415529:/scanin -v /var/lib/atomic/openscap/2016-06-16-19-41-31-415529:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

rhel7 (sha256:bf203442)

     rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-06-16-19-41-31-415529.


$ sudo ausearch -m avc -ts recent
<no matches>

Comment 14 Brent Baude 2016-06-16 21:22:49 UTC
For testing purposes, can someone please try scanning with docker.io/fedora/atomic_scan_openscap and report if the same issue exists?

Comment 15 Alex Jia 2016-06-17 03:20:07 UTC
(In reply to Brent Baude from comment #14)
> for testing purposes, can someone please try scanning with
> docker.io/fedora/atomic_scan_openscap and report if the same issue exists?

Brent, if we hack Atomic Host w/ development or hotfix mode, and SELinux is enforcing on Atomic Host, yes, it's the same issue. 

If I change SELinux to Permissive mode then everything is okay. As Daniel mentioned in bug 1311544, SELinux will not work with unlock/overlayfs; it should be a root cause.


[cloud-user@atomic-host-001 ~]$ sudo docker images | grep fedora
docker.io/fedora/atomic_scan_openscap                                 latest              76ebbb54a859        13 days ago         526.8 MB

[cloud-user@atomic-host-001 ~]$ grep image_name /etc/atomic.d/openscap
image_name: fedora/atomic_scan_openscap

[cloud-user@atomic-host-001 ~]$ getenforce
Enforcing

[cloud-user@atomic-host-001 ~]$ sudo ostree admin status
* rhel-atomic-host 5b82b4035f1920ceb0e31996aa627d8c975d7436260e5538d71728f43f34dfa6.0
    Version: 7.2.5
    Unlocked: hotfix
    origin refspec: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
  rhel-atomic-host 5b82b4035f1920ceb0e31996aa627d8c975d7436260e5538d71728f43f34dfa6.1
    Version: 7.2.5
    origin refspec: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

[cloud-user@atomic-host-001 ~]$ df|grep overlay
overlay 

[cloud-user@atomic-host-001 ~]$ sudo atomic install docker.io/fedora/atomic_scan_openscap
docker run --rm --privileged -v /:/host/ docker.io/fedora/atomic_scan_openscap sh /root/install.sh

Installing the configuration file 'atomic_scan_openscap' into /etc/atomic.d/.  You can now use this scanner with atomic scan with the --scanner atomic_scan_openscap command-line option.  You can also set 'atomic_scan_openscap' as the default scanner in /etc/atomic.conf.  To list the scanners you have configured for your system, use 'atomic scan --list'.

Saving current config.ini as config.ini.2016-06-17-03:10:32.atomic_save
Updating config.ini with latest configuration
Installation complete. You can customize /etc/oscapd/config.ini as needed.

[cloud-user@atomic-host-001 ~]$ sudo atomic run docker.io/fedora/atomic_scan_openscap
docker run -it --rm -v /:/host/ docker.io/fedora/atomic_scan_openscap sh /root/run.sh

This container/image is not meant to be run outside of the atomic command. You can use this image by issuing 'atomic scan <container|image>' to scan.  See 'atomic scan --help' for more information.

[cloud-user@atomic-host-001 ~]$ sudo atomic scan --verbose registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-06-17-03-11-01-239031:/scanin -v /var/lib/atomic/openscap/2016-06-17-03-11-01-239031:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro fedora/atomic_scan_openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
INFO:OpenSCAP Daemon one-off evaluator 0.1.5
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/sha256:bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 143, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 473, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 470, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/oscap_helpers.py", line 267, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/oscap_helpers.py", line 242, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python3.4/site-packages/openscap_daemon/evaluation_spec.py", line 444, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python3.4/site-packages/openscap_daemon/config.py", line 385, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python3.4/site-packages/openscap_daemon/cve_feed_manager.py", line 225, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in 
INFO:[100.00%] Scanned target 'chroot:///scanin/sha256:bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60'

registry.access.redhat.com/rhel7:latest (sha256:bf203442)

     registry.access.redhat.com/rhel7:latest is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-06-17-03-11-01-239031.

500 Server Error: Internal Server Error ("devmapper: Unknown device 8ac9a444ee70d633ff6e421511ad51a8a9b6db766ae572403c9443468ef5211f")

Comment 16 Alex Jia 2016-06-17 16:50:32 UTC
Atomic scanner works on rhelah 7.2.5 (c6530479e2), but I can still encounter the same issue as in Comment 0.

Comment 17 Daniel Walsh 2016-06-22 12:23:46 UTC
Ok so this should probably be renamed to docker and SELinux and Overlayfs do not work together.  Running docker on an overlayfs system is going to cause issues

Comment 18 Alex Jia 2016-06-24 08:22:42 UTC
The issue should have been fixed on RHELAH 7.2.5 (9bfe1fb650); I haven't seen issues like those in Comment 0 again.

[cloud-user@atomic-host-001 ~]$ grep MountFlags /usr/lib/systemd/system/docker.service
MountFlags=slave

[cloud-user@atomic-host-001 ~]$ sudo atomic host status
  TIMESTAMP (UTC)         VERSION     ID             OSNAME               REFSPEC                                                   
* 2016-06-18 15:21:12     7.2.5       9bfe1fb650     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
  2016-06-15 21:08:10     7.2.5       c6530479e2     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

[cloud-user@atomic-host-001 ~]$ rpm -q atomic docker
atomic-1.10.5-5.el7.x86_64
docker-1.10.3-44.el7.x86_64

Comment 20 Alex Jia 2016-09-18 03:59:42 UTC
(In reply to Daniel Walsh from comment #17)
> Ok so this should probably be renamed to docker and SELinux and Overlayfs do
> not work together.  Running docker on an overlayfs system is going to cause
> issues

Daniel, for now, I saw different results from Comment 15 between atomic-1.10.5-5.el7.x86_64 and atomic-1.10.5-7.el7.x86_64.

[cloud-user@atomic-host-001 atomic]$ atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-09 18:43:35)
        Commit: 347c3f5eb641e69fc602878c646cf42c4bcd5d9f36847a1f24ff8f3ec80f17b1
        OSName: rhel-atomic-host
      Unlocked: development

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.7 (2016-09-08 17:14:40)
        Commit: a018354891f8d991c5cf12962907d54231c7273508f046161e1699b734738d1f
        OSName: rhel-atomic-host

[cloud-user@atomic-host-001 atomic]$ df|grep overlay
overlay                     3061760 2509932    551828  82% /usr


1. w/ SELinux enforcing mode

[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-52-47-552808:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-52-47-552808:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

     registry.access.redhat.com/rhel7:latest is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-52-47-552808.

NOTE: is it an expected result for "registry.access.redhat.com/rhel7:latest is not supported for this scan"?

2. w/ SELinux Permissive mode

[cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7:latest
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-09-18-03-53-16-673435:/scanin -v /var/lib/atomic/openscap/2016-09-18-03-53-16-673435:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-09-18-03-53-16-673435.

NOTE: everything is okay.
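
Added example, not part of the bug report or of the atomic project: a triage script for the condition this thread converges on (SELinux enforcing while /usr is an overlayfs from `ostree admin unlock`) and for the scan outputs quoted above, treating "not supported for this scan" as inconclusive rather than clean. The function names, the verdict strings and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report. File arguments default to the
# live system paths; the demo below uses constructed sample files instead.

# Succeeds when /usr is an overlayfs mount (what `ostree admin unlock` creates).
usr_on_overlay() {
    awk '$2 == "/usr" && $3 == "overlay" { hit = 1 } END { exit !hit }' \
        "${1:-/proc/mounts}"
}

# Succeeds when SELinux is enforcing (the selinuxfs "enforce" file contains 1).
selinux_enforcing() {
    [ "$(cat "${1:-/sys/fs/selinux/enforce}" 2>/dev/null)" = "1" ]
}

# Prints "unreliable" for the combination the thread identifies, else "ok".
scan_preflight() {
    if usr_on_overlay "$1" && selinux_enforcing "$2"; then
        echo unreliable
    else
        echo ok
    fi
}

# Classifies saved `atomic scan` output. "not supported for this scan" is
# reported as inconclusive, never as a clean result; container cleanup
# errors are flagged separately because they can accompany valid findings.
classify_scan() {
    if grep -q 'The following issues were found' "$1"; then verdict=findings
    elif grep -q 'is not supported for this scan' "$1"; then verdict=inconclusive
    elif grep -q 'passed the scan' "$1"; then verdict=passed
    else verdict=unknown
    fi
    if grep -Eq 'Error deleting container|devmapper: Unknown device' "$1"; then
        verdict="$verdict,cleanup-error"
    fi
    echo "$verdict"
}

# --- demo on constructed inputs (messages abbreviated from this report) ---
demo=$(mktemp -d)
printf '%s\n' '/dev/mapper/atomicos-root / xfs rw,seclabel 0 0' \
    'overlay /usr overlay rw,relatime 0 0' > "$demo/mounts.unlocked"
echo 1 > "$demo/enforcing"
echo 0 > "$demo/permissive"
printf '%s\n' \
    'Error deleting container: Error response from daemon: (abbreviated) device or resource busy' \
    'registry.access.redhat.com/rhel7 is not supported for this scan.' \
    > "$demo/scan.enforcing"
printf '%s\n' 'registry.access.redhat.com/rhel7:latest passed the scan' \
    > "$demo/scan.permissive"

echo "unlocked + enforcing:  $(scan_preflight "$demo/mounts.unlocked" "$demo/enforcing")"
echo "unlocked + permissive: $(scan_preflight "$demo/mounts.unlocked" "$demo/permissive")"
echo "enforcing-mode scan:   $(classify_scan "$demo/scan.enforcing")"
echo "permissive-mode scan:  $(classify_scan "$demo/scan.permissive")"
rm -rf "$demo"
```

Called without arguments, `scan_preflight` reads `/proc/mounts` and `/sys/fs/selinux/enforce` on the host it runs on.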

Comment 21 Alex Jia 2016-09-21 17:03:55 UTC
(In reply to Alex Jia from comment #20)

> 1. w/ SELinux enforcing mode
> 
> [cloud-user@atomic-host-001 atomic]$ sudo atomic scan --scanner openscap
> --scan_type cve registry.access.redhat.com/rhel7:latest
> docker run -it --rm -v /etc/localtime:/etc/localtime -v
> /run/atomic/2016-09-18-03-52-47-552808:/scanin -v
> /var/lib/atomic/openscap/2016-09-18-03-52-47-552808:/scanout:rw,Z -v
> /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan
> --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
> 
> registry.access.redhat.com/rhel7:latest (sha256:98a88a8b)
> 
>      registry.access.redhat.com/rhel7:latest is not supported for this scan.
> 
> Files associated with this scan are in
> /var/lib/atomic/openscap/2016-09-18-03-52-47-552808.
> 
> NOTE: is it an expected result for "registry.access.redhat.com/rhel7:latest
> is not supported for this scan"?
> 

Well, I can't see the issues from the Description on atomic-1.10.5-7, so I am moving the bug to VERIFIED status; for the other question, I will file a separate bug.

Comment 24 errata-xmlrpc 2016-11-04 09:06:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html

