Bug 1461788 - atomic scan returns error when scanning read-only rootfs
Summary: atomic scan returns error when scanning read-only rootfs
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
Reported: 2017-06-15 10:44 UTC by Matus Marhefka
Modified: 2021-01-15 07:38 UTC (History)
Last Closed: 2021-01-15 07:38:11 UTC

Attachments:
Script to reproduce the error (927 bytes, application/x-shellscript), 2017-06-15 10:46 UTC, Matus Marhefka

Description Matus Marhefka 2017-06-15 10:44:53 UTC
Description of problem:
When scanning a read-only rootfs using atomic-scan, an error about a read-only file system is printed.

Version-Release number of selected component (if applicable):
atomic-1.17.2-4.git2760e30.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create and format an ext4 FS (qemu-img create + virt-format).
2. Import it using virt-install.
3. After importing, mount the FS into some directory on the host as read-only using guestmount.
4. Run atomic scan with --rootfs to scan the mounted ext4 FS.

Actual results:
[Errno 30] Read-only file system error is printed and atomic scan exits with 1.

Expected results:
No error about a read-only file system is printed and atomic scan exits with a return code based on the scan results.

Comment 2 Matus Marhefka 2017-06-15 10:46:06 UTC
Created attachment 1287992
Script to reproduce the error

Comment 3 Matus Marhefka 2017-06-15 11:04:43 UTC
One more thing: when you run the atomic scan command from step 4 with the '--debug' option, the error is not printed.

Comment 4 Alex Jia 2017-06-15 11:23:27 UTC
atomic scan --verbose --scanner openscap --rootfs fs_mount_dir
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-06-15-19-20-00-927719:/scanin -v /var/lib/atomic/openscap/2017-06-15-19-20-00-927719:/scanout:rw,Z --security-opt label:disable -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/fs_mount_dir' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 143, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 473, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 470, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 300, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 275, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 444, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 402, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 219, in get_cve_feed
    "Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
RuntimeError: Can't find a supported CPE ID in 
INFO:[100.00%] Scanned target 'chroot:///scanin/fs_mount_dir'

fs_mount_dir (fs_mount_dir)

     fs_mount_dir is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2017-06-15-19-20-00-927719.

[Errno 30] Read-only file system: '/run/atomic/2017-06-15-19-20-00-927719/fs_mount_dir/lost+found'

Comment 5 Brent Baude 2017-06-27 19:01:04 UTC
Created upstream patch -> https://github.com/projectatomic/atomic/pull/1037

Comment 7 RHEL Program Management 2021-01-15 07:38:11 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

