Bug 1461788 - atomic scan returns error when scanning read-only rootfs
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Brent Baude
QA Contact: atomic-bugs@redhat.com
Keywords: Extras
Reported: 2017-06-15 06:44 EDT by Matus Marhefka
Modified: 2017-06-27 15:01 EDT
Type: Bug

Attachments:
Script to reproduce the error (927 bytes, application/x-shellscript), 2017-06-15 06:46 EDT, Matus Marhefka

Description Matus Marhefka 2017-06-15 06:44:53 EDT
Description of problem:
When scanning a read-only rootfs using atomic-scan, an error is printed about a read-only filesystem.

Version-Release number of selected component (if applicable):
atomic-1.17.2-4.git2760e30.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create and format an ext4 FS (qemu-img create + virt-format).
2. Import it using virt-install.
3. After importing, mount the FS into some directory on the host as read-only using guestmount.
4. Run atomic scan with --rootfs to scan the mounted ext4 FS.

Actual results:
A "[Errno 30] Read-only file system" error is printed and atomic scan exits with 1.

Expected results:
No error is printed about a read-only file system and atomic scan exits with a return code based on the scan results.
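
The steps to reproduce above, written out as a script. This is an added example, not the attached reproducer and not code from the atomic project; the image path and size, VM name, mount point and the specific options passed to each tool are assumptions.

```sh
#!/bin/sh
# Added reproduction sketch for the four steps in the description.
# Assumed, not from the report: image path and size, VM name, mount point,
# and the exact options passed to each tool.
IMG=${IMG:-/var/tmp/ro-rootfs.img}
MNT=${MNT:-/var/tmp/fs_mount_dir}
VM=${VM:-ro-rootfs-test}

make_ro_rootfs() {
    qemu-img create -f raw "$IMG" 256M &&               # step 1: empty image
    virt-format -a "$IMG" --filesystem=ext4 &&          # step 1: one ext4 partition
    virt-install --import --name "$VM" --memory 512 \
        --disk "path=$IMG,format=raw" \
        --noautoconsole --noreboot &&                   # step 2: import as a guest
    mkdir -p "$MNT" &&
    guestmount -a "$IMG" -m /dev/sda1 --ro "$MNT"       # step 3: read-only mount
}

# Step 4. Run without --debug: comment 3 reports the error is not printed with it.
scan_rootfs() {
    atomic scan --rootfs "$MNT" 2>&1
}

# Separate the reported failure from an ordinary scan outcome, given the
# exit status ($1) and the captured output ($2) of the scan.
classify_run() {
    case $2 in
        *"[Errno 30] Read-only file system"*) echo "erofs-error"; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo "clean"; else echo "scan-result"; fi
}

cleanup() {
    guestunmount "$MNT" 2>/dev/null
    virsh destroy "$VM" 2>/dev/null
    virsh undefine "$VM" 2>/dev/null
}

if [ "${1:-}" = "--run" ]; then
    trap cleanup EXIT
    make_ro_rootfs || exit 2
    out=$(scan_rootfs); rc=$?
    printf '%s\n' "$out"
    classify_run "$rc" "$out"
fi
```

Invoke it with `--run` on a host that has qemu-img, libguestfs tools, virt-install and atomic installed; `erofs-error` on the last line means the reported behaviour was reproduced.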
Comment 2 Matus Marhefka 2017-06-15 06:46 EDT
Created attachment 1287992
Script to reproduce the error
Comment 3 Matus Marhefka 2017-06-15 07:04:43 EDT
One more thing: when you run the atomic scan command from step 4 with the '--debug' option, the error is not printed.
Comment 4 Alex Jia 2017-06-15 07:23:27 EDT
atomic scan --verbose --scanner openscap --rootfs fs_mount_dir
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-06-15-19-20-00-927719:/scanin -v /var/lib/atomic/openscap/2017-06-15-19-20-00-927719:/scanout:rw,Z --security-opt label:disable -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/fs_mount_dir' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 143, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 473, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 470, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 300, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 275, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 444, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 402, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in 
INFO:[100.00%] Scanned target 'chroot:///scanin/fs_mount_dir'

fs_mount_dir (fs_mount_dir)

     fs_mount_dir is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2017-06-15-19-20-00-927719.

[Errno 30] Read-only file system: '/run/atomic/2017-06-15-19-20-00-927719/fs_mount_dir/lost+found'
Comment 5 Brent Baude 2017-06-27 15:01:04 EDT
Created upstream patch -> https://github.com/projectatomic/atomic/pull/1037