1391963 – atomic scan not running due to permissions denied

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1391963 - atomic scan not running due to permissions denied

Summary: atomic scan not running due to permissions denied

Keywords:
Status:	CLOSED DUPLICATE of bug 1382997
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-04 13:50 UTC by Michael Nguyen
Modified:	2019-03-06 01:13 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-07 05:45:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Michael Nguyen 2016-11-04 13:50:06 UTC

Description of problem:
When I run atomic scan the docker command used is displayed but there is no output that indicated the scan actually run.  Running atomic with the --debug  shows a permission denied error.  If I setenforce 0 the scan runs successfully.


-bash-4.2# atomic images list
   REPOSITORY                                    TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE      
>  registry.access.redhat.com/rhel7/cockpit-ws   latest   ae2600a8c920   2016-10-27 22:02   209.63 MB      Docker    
   registry.access.redhat.com/rhel7/openscap     latest   26d9de88b340   2016-10-27 09:14   360.1 MB       Docker    

-bash-4.2# atomic scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-41-38-735185:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-41-38-735185:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

-bash-4.2# atomic --debug scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws
Created /run/atomic/2016-11-04-13-42-00-605268
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-00-605268:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-00-605268:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd
Mounted {u'Created': 1477605775, u'Labels': {u'Version': u'118', u'INSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'vendor': u'Red Hat, Inc.', u'vcs-ref': u'eb22785d3bd4bca346232ed1135aa50243c6bd9f', u'authoritative-source-url': u'registry.access.redhat.com', u'Vendor': u'Red Hat, Inc.', u'version': u'118', u'com.redhat.component': u'cockpit-ws-docker', u'distribution-scope': u'public', u'run': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'Name': u'rhel7/cockpit-ws', u'Build_Host': u'ip-10-29-120-229.ec2.internal', u'vcs-type': u'git', u'Architecture': u'x86_64', u'Release': u'8', u'BZComponent': u'cockpit-ws-docker', u'build-date': u'2016-10-27T18:00:57.779953Z', u'com.redhat.build-host': u'ip-10-29-120-229.ec2.internal', u'UNINSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall', u'RUN': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'name': u'rhel7/cockpit-ws', u'architecture': u'x86_64', u'install': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'release': u'8', u'uninstall': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall'}, 'ImageId': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', u'VirtualSize': 209633465, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7/cockpit-ws', u'RepoTags': [u'registry.access.redhat.com/rhel7/cockpit-ws:latest'], u'RepoDigests': None, u'Id': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', 'ImageType': 'Docker', u'Size': 209633465} to /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd
Creating the output dir at /var/lib/atomic/openscap/2016-11-04-13-42-00-605268
panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:175: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x7ec7c0, 0xc82012a850)
	/usr/lib/golang/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8200ef2e8)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7ec7c0, 0xc82012a850)
	/usr/lib/golang/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc8200eebf8, 0xc82001a0c8, 0xc8200eed08)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc820051590, 0x7f608f4de728, 0xc82012a850)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc82006ea00, 0x0, 0x0)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main_unix.go:26 +0x68
reflect.Value.call(0x750ee0, 0x902d00, 0x13, 0x848d08, 0x4, 0xc8200ef268, 0x1, 0x1, 0x0, 0x0, ...)
	/usr/lib/golang/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x750ee0, 0x902d00, 0x13, 0xc8200ef268, 0x1, 0x1, 0x0, 0x0, 0x0)
	/usr/lib/golang/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x750ee0, 0x902d00, 0xc82006ea00, 0x0, 0x0)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x84bbb0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e1d40, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001500, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
	/builddir/build/BUILD/docker-5759a0805380f1067386e87b64f0e27ed818be27/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main.go:137 +0xe24
Unmounted /run/atomic/2016-11-04-13-42-00-605268/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd

Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 162, in scan
    util.check_call(scan_cmd, stdout=stdout, env=self.cmd_env())
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 136, in check_call
    return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['docker', 'run', '-t', '--rm', '-v', '/etc/localtime:/etc/localtime', '-v', '/run/atomic/2016-11-04-13-42-00-605268:/scanin', '-v', '/var/lib/atomic/openscap/2016-11-04-13-42-00-605268:/scanout:rw,Z', '-v', '/etc/oscapd:/etc/oscapd:ro', 'rhel7/openscap', 'oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout']' returned non-zero exit status 2


-bash-4.2# setenforce 0
-bash-4.2# atomic scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-31-242735:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-31-242735:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686)

registry.access.redhat.com/rhel7/cockpit-ws passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-11-04-13-42-31-242735.
-bash-4.2# atomic --debug scan --scanner=openscap registry.access.redhat.com/rhel7/cockpit-ws
Created /run/atomic/2016-11-04-13-42-11-228037
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-04-13-42-11-228037:/scanin -v /var/lib/atomic/openscap/2016-11-04-13-42-11-228037:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd
Mounted {u'Created': 1477605775, u'Labels': {u'Version': u'118', u'INSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'vendor': u'Red Hat, Inc.', u'vcs-ref': u'eb22785d3bd4bca346232ed1135aa50243c6bd9f', u'authoritative-source-url': u'registry.access.redhat.com', u'Vendor': u'Red Hat, Inc.', u'version': u'118', u'com.redhat.component': u'cockpit-ws-docker', u'distribution-scope': u'public', u'run': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'Name': u'rhel7/cockpit-ws', u'Build_Host': u'ip-10-29-120-229.ec2.internal', u'vcs-type': u'git', u'Architecture': u'x86_64', u'Release': u'8', u'BZComponent': u'cockpit-ws-docker', u'build-date': u'2016-10-27T18:00:57.779953Z', u'com.redhat.build-host': u'ip-10-29-120-229.ec2.internal', u'UNINSTALL': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall', u'RUN': u'/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh', u'name': u'rhel7/cockpit-ws', u'architecture': u'x86_64', u'install': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-install', u'release': u'8', u'uninstall': u'/usr/bin/docker run -ti --rm --privileged -v /:/host IMAGE /container/atomic-uninstall'}, 'ImageId': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', u'VirtualSize': 209633465, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7/cockpit-ws', u'RepoTags': [u'registry.access.redhat.com/rhel7/cockpit-ws:latest'], u'RepoDigests': None, u'Id': u'ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd', 'ImageType': 'Docker', u'Size': 209633465} to /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd
Creating the output dir at /var/lib/atomic/openscap/2016-11-04-13-42-11-228037
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd'

registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686)

registry.access.redhat.com/rhel7/cockpit-ws passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-11-04-13-42-11-228037.

Unmounted /run/atomic/2016-11-04-13-42-11-228037/ae2600a8c920686fd10e031b15dabb63187341102a3b3d4220a966249a7331bd





-bash-4.2# rpm -q container-selinux docker atomic
container-selinux-1.12.3-1.el7.x86_64
docker-1.12.3-1.el7.x86_64
atomic-1.13.5-1.el7.x86_64



This was found on the internal sanity tests running against the 'autobrew' stream.

The system was running
● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster
       Version: 7.3.internal.0.80 (2016-11-01 21:25:33)
        Commit: 652b5459ccd99fbd3828089850eb06aeb8e09151793fe7bce39aea8f4a44b6e5
        OSName: rhel-atomic-host


How reproducible:  Always


Actual results: Scan is not run and does not throw any errors


Expected results: Scan runs and outputs directory in which the scan results are saved.  If scan runs into an error, it should display a user friendly message indicating why it failed.

Comment 1 Micah Abbott 2016-11-04 15:19:01 UTC

This looks like it might be similar to BZ#1390269

Comment 3 Alex Jia 2016-11-07 05:45:01 UTC

please also see Please see https://bugzilla.redhat.com/show_bug.cgi?id=1382997#c27

*** This bug has been marked as a duplicate of bug 1382997 ***

Comment 4 Alex Jia 2016-11-07 05:51:11 UTC

And it works well in new ostree repo.

[root@atomic-host-test-986 cloud-user]# atomic host status
State: idle
Deployments:
● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster
       Version: 7.3.internal.0.81 (2016-11-02 10:18:49)
        Commit: 60c169a03f57b9987cde96c947e5bb08d32691617d6e4472f0bf6398ef2e4f81
        OSName: rhel-atomic-host

  rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-26 14:24:09)
        Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97
        OSName: rhel-atomic-host


[root@atomic-host-test-986 cloud-user]#  rpm -q container-selinux docker atomic
container-selinux-1.12.3-2.el7.x86_64
docker-1.12.3-2.el7.x86_64
atomic-1.13.6-1.el7.x86_64

[root@atomic-host-test-986 cloud-user]# docker pull registry.access.redhat.com/rhel7/cockpit-ws
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/cockpit-ws ... 
sha256:73ed2dd3f72db8e88614b1af714fd6cf96fc3c42794b47b4c2a99f2025a20794: Pulling from registry.access.redhat.com/rhel7/cockpit-ws
972548a33962: Pull complete 
9b0dee6356a1: Pull complete 
6919ac89fdf1: Pull complete 
Digest: sha256:73ed2dd3f72db8e88614b1af714fd6cf96fc3c42794b47b4c2a99f2025a20794
Status: Downloaded newer image for registry.access.redhat.com/rhel7/cockpit-ws:latest

[root@atomic-host-test-986 cloud-user]# atomic scan --scanner openscap registry.access.redhat.com/rhel7/cockpit-ws
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-11-07-05-45-13-908607:/scanin -v /var/lib/atomic/openscap/2016-11-07-05-45-13-908607:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Unable to find image 'rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
sha256:d7a53a4b656a6276a76998448d6daf8f027734bbdd8a98574f7e1287e1cc20ae: Pulling from registry.access.redhat.com/rhel7/openscap
972548a33962: Already exists
9b0dee6356a1: Already exists
53d8b2841529: Pulling fs layer
53d8b2841529: Verifying Checksum
53d8b2841529: Download complete
53d8b2841529: Pull complete
Digest: sha256:d7a53a4b656a6276a76998448d6daf8f027734bbdd8a98574f7e1287e1cc20ae
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

registry.access.redhat.com/rhel7/cockpit-ws (ae2600a8c920686)

registry.access.redhat.com/rhel7/cockpit-ws passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-11-07-05-45-13-908607.

Note You need to log in before you can comment on or make changes to this bug.