Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1432543

Summary: atomic scan does not seem to work right with registry.access.redhat.com containers at the version level
Product: Red Hat Enterprise Linux 7 Reporter: Dave Sullivan <dsulliva>
Component: atomicAssignee: Brent Baude <bbaude>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: ajia, bbaude, lsm5
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-28 15:41:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913, 1441774    

Description Dave Sullivan 2017-03-15 15:47:04 UTC 
Description of problem:

using tag as scan reference doesn't work

[root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container

As you can see if I remove the tag it works fine
 
[root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-03-15-11-31-59-015537:/scanin -v /var/lib/atomic/openscap/2017-03-15-11-31-59-015537:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
 
registry.access.redhat.com/openshift3/ose-docker-registry (2116824b4b6a67d)
 
The following issues were found:
 
     RHSA-2017:0286: openssl security update (Moderate)
     Severity: Moderate
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2017-0286.html
       RHSA ID: RHSA-2017:0286-01
       Associated CVEs:
           CVE ID: CVE-2016-8610
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-8610
           CVE ID: CVE-2017-3731
           CVE URL: https://access.redhat.com/security/cve/CVE-2017-3731
 
     RHSA-2016:2972: vim security update (Moderate)
     Severity: Moderate
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2972.html
       RHSA ID: RHSA-2016:2972-01
       Associated CVEs:
           CVE ID: CVE-2016-1248
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-1248
 
     RHSA-2016:2824: expat security update (Moderate)
     Severity: Moderate
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2824.html
       RHSA ID: RHSA-2016:2824-01
       Associated CVEs:
           CVE ID: CVE-2016-0718
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-0718
 
     RHSA-2016:2779: nss and nss-util security update (Moderate)
     Severity: Moderate
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2779.html
       RHSA ID: RHSA-2016:2779-03
       Associated CVEs:
           CVE ID: CVE-2016-2834
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2834
           CVE ID: CVE-2016-5285
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-5285
           CVE ID: CVE-2016-8635
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-8635
 
     RHSA-2016:2674: libgcrypt security update (Moderate)
     Severity: Moderate
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-2674.html
       RHSA ID: RHSA-2016:2674-02
       Associated CVEs:
           CVE ID: CVE-2016-6313
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6313
 
 
Files associated with this scan are in /var/lib/atomic/openscap/2017-03-15-11-31-59-015537.


Version-Release number of selected component (if applicable):

atomic-1.15.4-2.el7


How reproducible:


See above

Actual results:


Expected results:

atomic scan should be able to search at the tag level on upstream registry.access.redhat.com


Additional info:

Doing an atomic scan on a openshift image that has tag works fine
Comment 2 Dave Sullivan 2017-03-15 15:50:18 UTC 
Also notice atomic scan on ose-haproxy-registry fails tag or not tag

atomic scan registry.access.redhat.com/openshift3/ose-haproxy-router
Comment 4 Dave Sullivan 2017-03-27 12:59:38 UTC 
Ok, that makes sense and that works after doing a docker pull.

I guess the message could be better.

Instead of....

[root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container

Maybe provide

[root@master001-c001 ~]# atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
Unable to associate 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an image or container, check docker pull egistry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 and retry as images need to exist locally in order to be scanned
Comment 5 Alex Jia 2017-03-28 07:55:45 UTC 
(In reply to Dave Sullivan from comment #4)
> Ok, that makes sense and that works after doing a docker pull.
> 
> I guess the message could be better.
> 
> Instead of....
> 
> [root@master001-c001 ~]# atomic scan
> registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
> Unable to associate
> 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an
> image or container
> 
> Maybe provide
> 
> [root@master001-c001 ~]# atomic scan
> registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
> Unable to associate
> 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' with an
> image or container, check docker pull
> egistry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7 and retry
> as images need to exist locally in order to be scanned

Yes, above error should be more friendly for users, but I'm not sure whether atomic will support to pull images automatically in the future.
Comment 6 Brent Baude 2017-03-29 15:09:03 UTC 
@David, thanks for taking the time to use Atomic scan and report on a problem you found.  I have proposed a clearer message to upstream as part of https://github.com/projectatomic/atomic/pull/956.
Comment 7 Fedora Update System 2017-04-20 18:14:04 UTC 
atomic-1.17.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8ecce192d4
Comment 8 Fedora Update System 2017-04-23 20:23:35 UTC 
atomic-1.17.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8ecce192d4
Comment 9 Fedora Update System 2017-04-24 14:54:53 UTC 
atomic-1.17.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ed260082e
Comment 10 Fedora Update System 2017-04-25 21:28:41 UTC 
atomic-1.17.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ed260082e
Comment 13 Alex Jia 2017-06-19 01:20:40 UTC 
[root@dell-per630-02 ~]#  atomic scan registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7
Unable to locate the container or image 'registry.access.redhat.com/openshift3/ose-docker-registry:v3.3.1.7' locally. Check the input name for typos or pull the image first.

[root@dell-per630-02 ~]# rpm -q atomic skopeo docker
atomic-1.18.1-2.1.git0705b1b.el7.x86_64
skopeo-0.1.20-2.el7.x86_64
docker-1.12.6-30.1.git1398f24.el7.x86_64
Comment 15 errata-xmlrpc 2017-06-28 15:41:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1627