Description of problem: Right now OpenSCAP in OpenShift only works for RHEL-based container images (because it fails to download policies if the image is anything else but RHEL). This should be handled in a more user-friendly way. There should be some indication in the UI saying "OpenSCAP analysis skipped due to unsupported container image format" or something like that. Right now it tries to perform the scan, but fails. The error is not presented in a user-friendly way either. (I only found out by looking into the OpenShift logs.) Additional information: Obviously, the best possible solution would be to be able to run OpenSCAP on any OS, but that's probably never going to happen. The user should still be able to perform an SSA task, but the OpenSCAP task should be skipped and the reason should be presented in the UI.
Erez, I remember you recently updated on some plans for scanning non-RHEL images. Can you update on the status please? BTW, if you need URLs for other distribution contents, I think I have those somewhere.
Mooli, it was pointed out to me that the way I wanted to scan CentOS images might not work; I am open to more suggestions. I am not sure that disabling OpenSCAP scanning is a good choice. For non-RHEL images there won't be any difference for the ManageIQ user (there still won't be any OpenSCAP results). But this will add complications for situations where it is hard to know the image's OS before initiating the scan (for example, for images that are discovered through running pods).
Erez, according to the PR https://github.com/openshift/image-inspector/pull/40 there is no CVE content for CentOS images that can be used. For CentOS and other distributions (Debian, etc.) it should be clear that OpenSCAP cannot run, and a meaningful error should be returned in CloudForms (e.g. "Image distribution not supported for OpenSCAP scan").
Erez, I think we should improve the error reporting regardless of what distributions are supported. Do you have any dependency on image-inspector or do you have enough information to improve the error reporting on the ManageIQ side?
All the data needed is already available from the /api/v1/metadata endpoint. I will take care of this ASAP.
PR: https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/100
Changing to RFE as this adds a new feature in Core ManageIQ: https://github.com/ManageIQ/manageiq-schema/pull/57 Moving to 5.9 because it needs a schema change.
The patch to fix this issue, https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/100, is dependent on https://github.com/ManageIQ/manageiq/pull/15967 to add the required model.
Verified on 5.9.0.8: created a pod from a non-RHEL image (docker.io/openshift/image-policy-check:latest) and performed SSA on image openshift/image-policy-check. On the Tasks view, got the error message: "Unable to run OpenSCAP: Unable to get RHEL distribution number: could not find RHEL dist"
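As an added illustration of the reporting logic discussed in this thread (the metadata-endpoint comment and the verification comment above), here is a small Ruby example that turns raw image-inspector metadata into a user-facing outcome for the Tasks view. It is example code written for this page, not code from ManageIQ or image-inspector: the JSON shape (an "OpenSCAP" object with "Status" and "ErrorMessage" keys) and the sample payloads are constructed assumptions; the only strings taken from the page are the "could not find RHEL dist" error fragment and the "Image distribution not supported for OpenSCAP scan" message.

```ruby
require 'json'

# Outcome of classification: a machine-readable status plus the message a user
# would see in the Tasks view instead of a raw scanner error.
Outcome = Struct.new(:status, :message)

# Fragment of the image-inspector error that identifies a non-RHEL image.
# Taken from the error string quoted in this bug report.
UNSUPPORTED_DIST_MARKER = 'could not find RHEL dist'.freeze

# Constructed sample payloads. Their field layout is an assumption made for
# this example, not the exact schema of /api/v1/metadata.
NON_RHEL_METADATA = <<~JSON
  {
    "Image": { "Config": { "Labels": { "name": "openshift/image-policy-check" } } },
    "OpenSCAP": {
      "Status": "Error",
      "ErrorMessage": "Unable to run OpenSCAP: Unable to get RHEL distribution number: could not find RHEL dist"
    }
  }
JSON

RHEL_METADATA = <<~JSON
  { "OpenSCAP": { "Status": "Success", "ErrorMessage": "" } }
JSON

OTHER_ERROR_METADATA = <<~JSON
  { "OpenSCAP": { "Status": "Error", "ErrorMessage": "Unable to run OpenSCAP: cannot download policy" } }
JSON

# Map image-inspector metadata to an Outcome. Distinguishes "scan skipped
# because the distribution is unsupported" (expected for CentOS, Debian, ...)
# from a genuine scan failure, which keeps the original text for debugging.
def classify_openscap(metadata_json)
  meta = JSON.parse(metadata_json)
  scap = meta['OpenSCAP']

  return Outcome.new(:not_run, 'OpenSCAP scan was not attempted for this image') if scap.nil?

  if scap['Status'] == 'Success'
    return Outcome.new(:ok, 'OpenSCAP results available')
  end

  err = scap['ErrorMessage'].to_s
  if err.include?(UNSUPPORTED_DIST_MARKER)
    Outcome.new(:skipped, 'Image distribution not supported for OpenSCAP scan')
  else
    Outcome.new(:failed, "OpenSCAP scan failed: #{err.empty? ? 'unknown error' : err}")
  end
end

if __FILE__ == $PROGRAM_NAME
  [NON_RHEL_METADATA, RHEL_METADATA, OTHER_ERROR_METADATA, '{}'].each do |payload|
    outcome = classify_openscap(payload)
    puts "#{outcome.status}: #{outcome.message}"
  end
end
```

The point of the split between `:skipped` and `:failed` is the one made in the thread: an unsupported distribution is an expected condition that should be reported as a skip, while any other scanner error still surfaces its original text so an operator can investigate.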
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0380