Created attachment 1322156
cfme evm log file

Description of problem:
During my SSA tests, I found that I have a problem with a specific image that doesn't perform the compliance check with the OpenSCAP policy. I am working with CFME 5.8.1.5 with provider OpenShift 3.5. I get no response on the Image summary: Compliance status "never verified", History "not available".

From the attached evm.log, I got the error:

[----] I, [2017-09-04T04:32:14.835824 #17564:1aa8678] INFO -- : MIQ(Compliance.check_compliance) Checking compliance...
[----] I, [2017-09-04T04:32:14.892646 #17564:1aa8678] INFO -- : MIQ(ManageIQ::Providers::Openshift::ContainerManager#with_provider_connection) Connecting through ManageIQ::Providers::Openshift::ContainerManager: [cm-env1]
[----] E, [2017-09-04T04:32:14.944850 #17564:1aa8678] ERROR -- : MIQ(container_image_controller-button): Container Image "openshift3/ose-docker-registry": Error during 'Check Compliance': images "sha256:12852bce36ad86e4de9f7c14cce45c89a859931d79a67767a262d493db437416" not found

Version-Release number of selected component (if applicable):
5.8.1.5

How reproducible:
Always

Steps to Reproduce:
1. From CFME, go to Compute --> Containers --> Container Images.
2. Click on the problematic image to get to the Image Summary.
3. From the Image Summary --> Policy --> Check Compliance of last known configuration (after checking the OpenSCAP policy).

Actual results:
I get no response on the Image summary: Compliance status "never verified", History "not available".

Expected results:
Compliance status "Compliant or Non-Compliant", History "Available".

Additional info:
After looking at the machine, it seems that those images originate from running pods and don't have an image entity in OpenShift. This seems like the problem we tried to solve in [1], and the ContainerImage class split we made [1] eventually also solves this. We would need to backport [2], [3], [4], [5] and [6] for the full solution. On the other hand, we can make a simple temporary workaround just for Fine that will look at the "command" field or something like what the original [1] PR tried to do. Federico, what do you think?

[1] https://github.com/ManageIQ/manageiq/pull/15022
[2] https://github.com/ManageIQ/manageiq/pull/15386
[3] https://github.com/ManageIQ/manageiq-providers-openshift/pull/23
[4] https://github.com/ManageIQ/manageiq-schema/pull/21
[5] https://github.com/ManageIQ/manageiq/pull/15519
[6] https://github.com/ManageIQ/manageiq/pull/15505
Erez, we cannot backport [4] because it's a schema change. We shouldn't fail hard and mark the image as "never verified", but we should keep the ERROR log. For 5.9, is it possible to keep a record (just as last_scan, etc.) on whether the image was marked on the OpenShift side or not?
If we make a workaround solution, then it will also be possible to add a label to the image to indicate whether it was marked on OpenShift or not.
I made a fix for Fine: https://github.com/ManageIQ/manageiq/pull/16080
Verified on: 5.8.2.3.20171016155816_aaec796 5.8.2.3.20171016155816_aaec796 SSA & compliance check work on image from docker.io registry.
Did you verify this bug on 5.9?
I didn't check this bug on 5.9. According to Erez, this is a Fine-only fix, so I checked it only on 5.8.
Yes, the fix is only for Fine, but this BZ is for 5.9.
So this is what I asked before: if this fix is only for Fine, why is the target release for 5.9?
As far as I understand, Fine (5.8) and Gaprindashvili (5.9) were fixed differently by different PRs. Note, the PR for the Fine branch was merged not too long ago and it's not in the build yet. It will be included in the first 5.8.3 build.