Description: Get http://172.30.252.77:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Version-Release number of selected component (if applicable): 5.5 How reproducible: Unclear. Actual results: Denoted errors above Expected results: Smart State Analysis of docker image. Additional info: The registry is known to be secured, because: $ oc logs docker-registry-8-o3x4i |grep tls time="2016-04-21T10:29:16.248297233-04:00" level=info msg="listening on :5000, tls" go.version=go1.4.2 instance.id=19de1331-98d0-49dd-b4a9-aa5e5fecdbda We can also see that the registry is using an OpenShift Signed Certificate (meaning that OpenShift's CA issued the certificate). $ curl -kv https://172.30.252.77:5000 ... * subject: CN=172.30.252.77 * start date: Feb 16 15:04:51 2016 GMT * expire date: Feb 15 15:04:52 2018 GMT * common name: 172.30.252.77 * issuer: CN=openshift-signer@1455632893 We know that the pull of an image has a problem seen by the "Error inspecting image:" text, seen in: https://github.com/openshift/image-inspector/blob/master/cmd/image-inspector.go#L34 however as you try and trace back the code to what is providing the image definition (https://github.com/openshift/image-inspector/blob/master/pkg/cmd/types.go#L52-L66), this is also not denoted in: https://mojo.redhat.com/docs/DOC-1056144#jive_content_id_Smart_State_Analysis_Image_Inspector
This is fixed in 5.6.
Josh IIUC we found out that this BZ is related to the missing proxy configuration (rather than being related to "Secured Registries"). Can you update the title so that it reflects our current findings? Thanks!
Re-adding the needinfo on Josh. Josh IIUC we found out that this BZ is related to the missing proxy configuration (rather than being related to "Secured Registries"). Can you update the title so that it reflects our current findings? Thanks.
Hello Josh, Can you explain what kind of proxy was used with the nodes and how it was set up? I want to add this option but I need to understand exactly what was the situation with this setup. Thanks.
I made a patch that will add this option to define a proxy for image-inspector to use: https://github.com/ManageIQ/manageiq/pull/10503
Erez,if image-inspector is crashing/exiting in case it can't download the CVE then it's another bug (please file it). We want image-inspector to be up and running even if the CVE download failed (so the rest of SmartState is still working).
Ok. currently image-inspector is not crushing/exiting from failures while running openscap, It will display the error in its statuts (https://github.com/openshift/image-inspector/blob/master/pkg/inspector/image-inspector.go#L115).
It is unclear to me how to verify this. Am I supposed to configure openshift to use some HTTP proxy and then trigger some image scan in CFME?
I have been following the https://github.com/ManageIQ/manageiq/issues/7690 but couldn't get the the OpenSCAP Results, but did get the "Status Compliant as of Less Than A Minute Ago"
New commit detected on ManageIQ/manageiq/euwe: https://github.com/ManageIQ/manageiq/commit/8c861a6fd622c29fbeca3cfd5bdfddd4e8fb9abd commit 8c861a6fd622c29fbeca3cfd5bdfddd4e8fb9abd Author: Richard Oliveri <oliveri.richard.github> AuthorDate: Thu Dec 1 12:44:58 2016 -0500 Commit: Oleg Barenboim <chessbyte> CommitDate: Fri Dec 2 11:44:14 2016 -0500 Merge pull request #12711 from enoodle/docker_pullable_container_images_ids handling docker-pullable image ids (cherry picked from commit 4a52be99ceb25b66099b6dfce9200963ec978d30) https://bugzilla.redhat.com/show_bug.cgi?id=1348610 https://bugzilla.redhat.com/show_bug.cgi?id=1400615 app/models/container_image.rb | 7 +++- .../kubernetes/container_manager/refresh_parser.rb | 20 ++++++---- .../kubernetes/container_manager/scanning/job.rb | 30 +++++++++++---- spec/models/container_image_spec.rb | 3 ++ .../container_manager/refresh_parser_spec.rb | 14 ++++++- .../container_manager/scanning/job_spec.rb | 45 +++++++++++++--------- 6 files changed, 82 insertions(+), 37 deletions(-)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0012.html