Description of problem: When I run atomic scan the docker command used is displayed but there is no output that indicated the scan actually run. Running atomic with the --debug shows a permission denied error. If I setenforce 0 the scan runs successfully. -bash-4.2# atomic images list REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE TYPE > registry.access.redhat.com/rhel7/cockpit-ws latest ae2600a8c920 2016-10-27 22:02 209.63 MB Docker registry.access.redhat.com/rhel7/openscap latest 26d9de88b340 2016-10-27 09:14 360.1 MB Docker -bash-4.2# atomic scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-41-38-735185:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-41-38-735185:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -bash-4.2# atomic --debug scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws Created /run/atomic/2016-11-04-13-42-00-605268 docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-00-605268:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-00-605268:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout Created /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd Mounted {u'Created': 1477605775, u'Labels': {u'Version': u'118', u'INSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'vendor': u'Red Hat, Inc.', u'vcs-ref': u'eb22785d3bd4bca346232ed1135aa50243c6bd9f', u'authoritative-source-url': u'registry.access.redhat.com', u'Vendor': u'Red Hat, Inc.', u'version': u'118', u'com.redhat.component': u'cockpit-ws-docker', u'distribution-scope': u'public', u'run': u'/usr/bin/docker run -d --privileged --pid=host 
-v /:/host IMAGE /container/atomic-run --local-ssh', u'Name': u'rhel7/cockpit-ws', u'Build_Host': u'ip-10-29-120-229.ec2.internal', u'vcs-type': u'git', u'Architecture': u'x86_64', u'Release': u'8', u'BZComponent': u'cockpit-ws-docker', u'build-date': u'2016-10-27T18:00:57.779953Z', u'com.redhat.build-host': u'ip-10-29-120-229.ec2.internal', u'UNINSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall', u'RUN': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'name': u'rhel7/cockpit-ws', u'architecture': u'x86_64', u'install': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'release': u'8', u'uninstall': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall'}, 'ImageId': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', u'VirtualSize': 209633465, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7/cockpit-ws', u'RepoTags': [u'registry.access.redhat.com/rhel7/cockpit-ws:latest'], u'RepoDigests': None, u'Id': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', 'ImageType': 'Docker', u'Size': 209633465} to /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd Creating the output dir at /var/lib/atomic/openscap/2016-11-04-13-42-00-605268 panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered] panic: standard_init_linux.go:175: exec user process caused "permission denied" goroutine 1 [running, locked to thread]: panic(0x7ec7c0, 0xc82012a850) /usr/lib/golang/src/runtime/panic.go:481 +0x3e6 github.com/urfave/cli.HandleAction.func1(0xc8200ef2e8) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e panic(0x7ec7c0, 0xc82012a850) 
/usr/lib/golang/src/runtime/panic.go:443 +0x4e9 github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc8200eebf8, 0xc82001a0c8, 0xc8200eed08) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136 github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc820051590, 0x7f608f4de728, 0xc82012a850) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1 main.glob.func8(0xc82006ea00, 0x0, 0x0) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main_unix.go:26 +0x68 reflect.Value.call(0x750ee0, 0x902d00, 0x13, 0x848d08, 0x4, 0xc8200ef268, 0x1, 0x1, 0x0, 0x0, ...) /usr/lib/golang/src/reflect/value.go:435 +0x120d reflect.Value.Call(0x750ee0, 0x902d00, 0x13, 0xc8200ef268, 0x1, 0x1, 0x0, 0x0, 0x0) /usr/lib/golang/src/reflect/value.go:303 +0xb1 github.com/urfave/cli.HandleAction(0x750ee0, 0x902d00, 0xc82006ea00, 0x0, 0x0) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee github.com/urfave/cli.Command.Run(0x84bbb0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e1d40, 0x51, 0x0, ...) 
/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec github.com/urfave/cli.(*App).Run(0xc820001500, 0xc82000a100, 0x2, 0x2, 0x0, 0x0) /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4 main.main() /builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main.go:137 +0xe24 Unmounted /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd Traceback (most recent call last): File "/bin/atomic", line 186, in <module> sys.exit(_func()) File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 162, in scan util.check_call(scan_cmd, stdout=stdout, env=self.cmd_env()) File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 136, in check_call return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True) File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call raise CalledProcessError(retcode, cmd) CalledProcessError: Command '['docker', 'run', '-t', '--rm', '-v', '/etc/localtime:/etc/localtime', '-v', '/run/atomic/2016-11-04-13-42-00-605268:/scanin', '-v', '/var/lib/atomic/openscap/2016-11-04-13-42-00-605268:/scanout:rw,Z', '-v', '/etc/oscapd:/etc/oscapd:ro', 'rhel7/openscap', 'oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout']' returned non-zero exit status 2 -bash-4.2# setenforce 0 -bash-4.2# atomic scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-31-242735:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-31-242735:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate 
scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686) registry.access.redhat.com/rhel7/cockpit-ws passed the scan Files associated with this scan are in /var/lib/atomic/openscap/2016-11-04-13-42-31-242735. -bash-4.2# atomic --debug scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws Created /run/atomic/2016-11-04-13-42-11-228037 docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-11-228037:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-11-228037:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout Created /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd Mounted {u'Created': 1477605775, u'Labels': {u'Version': u'118', u'INSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'vendor': u'Red Hat, Inc.', u'vcs-ref': u'eb22785d3bd4bca346232ed1135aa50243c6bd9f', u'authoritative-source-url': u'registry.access.redhat.com', u'Vendor': u'Red Hat, Inc.', u'version': u'118', u'com.redhat.component': u'cockpit-ws-docker', u'distribution-scope': u'public', u'run': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'Name': u'rhel7/cockpit-ws', u'Build_Host': u'ip-10-29-120-229.ec2.internal', u'vcs-type': u'git', u'Architecture': u'x86_64', u'Release': u'8', u'BZComponent': u'cockpit-ws-docker', u'build-date': u'2016-10-27T18:00:57.779953Z', u'com.redhat.build-host': u'ip-10-29-120-229.ec2.internal', u'UNINSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall', u'RUN': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'name': u'rhel7/cockpit-ws', u'architecture': u'x86_64', u'install': 
u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'release': u'8', u'uninstall': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall'}, 'ImageId': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', u'VirtualSize': 209633465, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7/cockpit-ws', u'RepoTags': [u'registry.access.redhat.com/rhel7/cockpit-ws:latest'], u'RepoDigests': None, u'Id': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', 'ImageType': 'Docker', u'Size': 209633465} to /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd Creating the output dir at /var/lib/atomic/openscap/2016-11-04-13-42-11-228037 INFO:OpenSCAP Daemon one-off evaluator 0.1.6 WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled. INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist. INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist. INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist. INFO:Evaluated EvaluationSpec, exit_code=0. INFO:Evaluated EvaluationSpec, exit_code=0. INFO:[100.00%] Scanned target 'chroot:///scanin/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd' registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686) registry.access.redhat.com/rhel7/cockpit-ws passed the scan Files associated with this scan are in /var/lib/atomic/openscap/2016-11-04-13-42-11-228037. Unmounted /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd -bash-4.2# rpm -q container-selinux docker atomic container-selinux-1.12.3-1.el7.x86_64 docker-1.12.3-1.el7.x86_64 atomic-1.13.5-1.el7.x86_64 This was found on the internal sanity tests running against the 'autobrew' stream. 
The system was running ● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster Version: 7.3.internal.0.80 (2016-11-01 21:25:33) Commit: 652b5459ccd99fbd3828089850eb06aeb8e09151793fe7bce39aea8f4a44b6e5 OSName: rhel-atomic-host How reproducible: Always Actual results: Scan is not run and does not throw any errors Expected results: Scan runs and outputs the directory in which the scan results are saved. If the scan runs into an error, it should display a user-friendly message indicating why it failed.
This looks like it might be similar to BZ#1390269
Please also see https://bugzilla.redhat.com/show_bug.cgi?id=1382997#c27 *** This bug has been marked as a duplicate of bug 1382997 ***
And it works well in new ostree repo. [root@atomic-host-test-986 cloud-user]# atomic host status State: idle Deployments: ● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster Version: 7.3.internal.0.81 (2016-11-02 10:18:49) Commit: 60c169a03f57b9987cde96c947e5bb08d32691617d6e4472f0bf6398ef2e4f81 OSName: rhel-atomic-host rhel-atomic-host:rhel-atomic-host/7/x86_64/standard Version: 7.3 (2016-10-26 14:24:09) Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97 OSName: rhel-atomic-host [root@atomic-host-test-986 cloud-user]# rpm -q container-selinux docker atomic container-selinux-1.12.3-2.el7.x86_64 docker-1.12.3-2.el7.x86_64 atomic-1.13.6-1.el7.x86_64 [root@atomic-host-test-986 cloud-user]# docker pull registry.access.redhat.com/rhel7/cockpit-ws Using default tag: latest Trying to pull repository registry.access.redhat.com/rhel7/cockpit-ws ... sha256:73ed2dd3f72db8e88614b1af714fd6cf96fc3c42794b47b4c2a99f2025a20794: Pulling from registry.access.redhat.com/rhel7/cockpit-ws 972548a33962: Pull complete 9b0dee6356a1: Pull complete 6919ac89fdf1: Pull complete Digest: sha256:73ed2dd3f72db8e88614b1af714fd6cf96fc3c42794b47b4c2a99f2025a20794 Status: Downloaded newer image for registry.access.redhat.com/rhel7/cockpit-ws:latest [root@atomic-host-test-986 cloud-user]# atomic scan --scanner openscap registry.access.redhat.com/rhel7/cockpit-ws docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-07-05-45-13-908607:/scanin -v /var/lib/atomic/openscap/2016-11-07-05-45-13-908607:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1 Unable to find image 'rhel7/openscap:latest' locally Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
sha256:d7a53a4b656a6276a76998448d6daf8f027734bbdd8a98574f7e1287e1cc20ae: Pulling from registry.access.redhat.com/rhel7/openscap 972548a33962: Already exists 9b0dee6356a1: Already exists 53d8b2841529: Pulling fs layer 53d8b2841529: Verifying Checksum 53d8b2841529: Download complete 53d8b2841529: Pull complete Digest: sha256:d7a53a4b656a6276a76998448d6daf8f027734bbdd8a98574f7e1287e1cc20ae Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686) registry.access.redhat.com/rhel7/cockpit-ws passed the scan Files associated with this scan are in /var/lib/atomic/openscap/2016-11-07-05-45-13-908607.